Understanding "Unsecured PHI": When the HIPAA Breach Notification Rule Applies (45 CFR 164.402)
Executive Summary
The HIPAA Breach Notification Rule only applies when there’s a compromise of unsecured protected health information (PHI). But what exactly does “unsecured” mean? According to § 164.402, PHI is considered unsecured when it is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through specific technologies or methodologies. For small healthcare practices and business associates, understanding this definition is critical—it determines whether an incident must be reported to patients, the U.S. Department of Health and Human Services (HHS), and possibly the media. This article offers a clear breakdown of the “unsecured PHI” standard, including common mistakes, examples, and actionable guidance to remain compliant and avoid unnecessary breach notifications.
Introduction
A laptop is stolen. An email is misdirected. A cloud storage folder is accidentally shared publicly.
All of these are potential breaches, but not all require notification under HIPAA.
That’s because HIPAA’s Breach Notification Rule, found in 45 CFR Part 164, Subpart D, only applies when there is a breach of unsecured PHI. If the data was properly encrypted (and the decryption key was not exposed along with it) or properly destroyed, a covered entity or business associate is not obligated to notify individuals or the government.

Section 164.402 of the HIPAA regulations defines unsecured PHI and provides the foundation for breach notification decisions. For small practices without dedicated compliance departments, misinterpreting this rule can lead to either unnecessary panic or costly noncompliance.

This article aims to clarify what constitutes unsecured PHI, how to apply the standard, and how to protect your practice with the right safeguards.
What is "Unsecured PHI"?
Section 164.402 defines unsecured PHI as:
“Protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance.”
In plain terms: if the PHI is accessible and understandable to someone without permission, and it hasn’t been properly encrypted or destroyed, it is unsecured and thus subject to the Breach Notification Rule.
How Does HHS Define Proper Protection of PHI?
The Department of Health and Human Services (HHS) publishes guidance under § 164.402 on what renders PHI unusable, unreadable, or indecipherable. That guidance recognizes exactly two methods; nothing else (access controls, login passwords, redaction, or a vendor’s “HIPAA-compliant” label) qualifies:
1. Encryption
To count as secured, ePHI must be encrypted consistent with the NIST publications the HHS guidance cites, and the decryption key must not have been compromised along with the data:
- Data at rest: encryption consistent with NIST SP 800-111 (in practice AES with 128-bit or longer keys), typically full-disk encryption on laptops, phones, and removable media
- Data in transit: encryption consistent with NIST SP 800-52 (TLS; version 1.2 or later in current revisions), SP 800-77 (IPsec VPNs), or SP 800-113 (SSL VPNs)
- Email: a solution that encrypts the message itself so only the intended recipient can decrypt it, not merely transport (TLS) encryption between mail servers
- Key handling: the key must live apart from the data (a TPM-backed keystore, an HSM, a cloud KMS, or a recovery key held by IT), never on the same device or in the same shared folder
Example: If a stolen laptop was shut down (not merely locked or asleep, where the disk key may still be in memory), its disk was protected by full-disk encryption, and the thief has neither the recovery key nor the unlock credential, the theft is not a breach of unsecured PHI. A laptop with only a login password and no disk encryption does not qualify: the disk can simply be read from another machine. Because the burden of proof is on the covered entity (§ 164.414), keep the MDM, BitLocker, or FileVault status records that show the device was encrypted at the time it was lost.
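To make the “unusable, unreadable, or indecipherable” standard concrete, here is an added example (not part of the original article or any HHS material) in Go, using the standard library’s AES-256-GCM. The record text is constructed sample data and the function names are this example’s own. It walks through the three cases the safe harbor turns on: encrypted data with the key held elsewhere is unreadable; a wrong key is rejected; and the same ciphertext with the key sitting on the stolen device decrypts immediately, which is why the HHS guidance excludes that case.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sampleRecord is a constructed ePHI record for the demonstration, not real data.
const sampleRecord = "MRN 000123; DOB 1970-01-01; Dx: basal cell carcinoma, left forearm"

// NewKey returns a fresh random 256-bit AES key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptPHI seals plaintext with AES-256-GCM. Output layout: nonce || ciphertext || tag.
// A random 96-bit nonce is drawn per message; nonce reuse under one key would be fatal.
func EncryptPHI(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptPHI reverses EncryptPHI. It fails on a wrong key or any tampering with the blob.
func DecryptPHI(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// LeaksPlaintext is a crude "is it readable?" check: does any 8-byte run of the
// plaintext appear verbatim in the stored blob? Real encryption never leaks this;
// a "password protected" but unencrypted file, or a base64 wrapper, fails the check.
func LeaksPlaintext(stored, plaintext []byte) bool {
	for i := 0; i+8 <= len(plaintext); i++ {
		if bytes.Contains(stored, plaintext[i:i+8]) {
			return true
		}
	}
	return false
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	key, err := NewKey()
	must(err)
	sealed, err := EncryptPHI(key, []byte(sampleRecord))
	must(err)
	fmt.Printf("sealed %d bytes; plaintext visible: %v\n", len(sealed), LeaksPlaintext(sealed, []byte(sampleRecord)))

	// Case 1: key held off-device (TPM, KMS). The thief has only `sealed` and guesses a key.
	wrong, err := NewKey()
	must(err)
	if _, err := DecryptPHI(wrong, sealed); err != nil {
		fmt.Println("without the key: unreadable ->", err)
	}

	// Case 2: the key was left on the same stolen disk. Encryption is present, but
	// the data is still unsecured PHI under the HHS guidance.
	pt, err := DecryptPHI(key, sealed)
	fmt.Printf("with the key found on the device: %q (err=%v)\n", pt, err)
}
```

Run it with `go run .`. The `LeaksPlaintext` check is also a quick test to apply to any vendor’s “encrypted” export: if fragments of a patient record are visible in the file, it is not encrypted in the sense § 164.402 requires, whatever the product sheet says.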
2. Destruction
For PHI to be secured through destruction, it must be:
- Paper, film, or other hard copy: shredded, pulped, burned, or pulverized so it cannot be read or reconstructed
- Electronic media: cleared, purged, or destroyed consistent with NIST SP 800-88, with the result verified and recorded
Example: A decommissioned hard drive that was purged per NIST SP 800-88 (for instance with the drive’s built-in sanitize or cryptographic-erase command, or a verified overwrite) before disposal does not hold unsecured PHI. Deleting files, quick-formatting the drive, or running an unverified “DoD wipe” does not meet the standard: the HHS guidance references SP 800-88, not DoD 5220.22-M, and data left by an incomplete or unverified wipe may still be recoverable.
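NIST SP 800-88 asks for verification after sanitization, not just a tool’s completion message. The following added example (mine, not the article’s or NIST’s code) shows in Go what that verification means, against a constructed in-memory image rather than a real drive: a full read-back that finds a leftover record, a sampled read-back that misses it, and a clear followed by a passing check. Names such as `VerifyCleared` and the image layout are this example’s own assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
)

// Constructed 256 KiB "disk image" for the demonstration, not a real drive:
// all zeros except a fragment of patient data left behind at residueOffset.
const (
	imageSize     = 256 * 1024
	residueOffset = 100000
	sectorSize    = 512
)

var residue = []byte("MRN 000123 Dx: melanoma")

// MakeImage returns the image, with the residue planted when dirty is true.
func MakeImage(dirty bool) []byte {
	img := make([]byte, imageSize)
	if dirty {
		copy(img[residueOffset:], residue)
	}
	return img
}

// Clear performs a single-pass overwrite with pattern (SP 800-88 "Clear" for
// media that support overwrite). Real tooling writes to the block device;
// this writes to the in-memory image.
func Clear(img []byte, pattern byte) {
	for i := range img {
		img[i] = pattern
	}
}

// VerifyCleared streams the entire medium and confirms every byte equals the
// overwrite pattern. Returns the first mismatching offset, or -1 if clean.
func VerifyCleared(r io.Reader, pattern byte) (int64, error) {
	buf := make([]byte, 64*1024)
	var pos int64
	for {
		n, err := r.Read(buf)
		for i := 0; i < n; i++ {
			if buf[i] != pattern {
				off := pos + int64(i)
				return off, fmt.Errorf("residual data at offset %d", off)
			}
		}
		pos += int64(n)
		if err == io.EOF {
			return -1, nil
		}
		if err != nil {
			return -1, err
		}
	}
}

// VerifySampled reads `samples` evenly spaced sectors instead of the whole
// medium. SP 800-88 permits representative sampling on large media, but a
// residue that falls between sample points is missed, so treat a clean
// sampled result as weaker evidence than a clean full read-back.
func VerifySampled(r io.ReaderAt, size int64, samples int, pattern byte) (int64, error) {
	if samples <= 0 || size < sectorSize {
		return -1, fmt.Errorf("invalid sampling parameters")
	}
	buf := make([]byte, sectorSize)
	step := size / int64(samples)
	for s := 0; s < samples; s++ {
		off := int64(s) * step
		n, err := r.ReadAt(buf, off)
		if err != nil && err != io.EOF {
			return -1, err
		}
		for i := 0; i < n; i++ {
			if buf[i] != pattern {
				return off + int64(i), fmt.Errorf("residual data at offset %d", off+int64(i))
			}
		}
	}
	return -1, nil
}

func main() {
	img := MakeImage(true)
	if off, err := VerifySampled(bytes.NewReader(img), imageSize, 16, 0); err == nil {
		fmt.Println("sampled check (16 sectors): reported clean, but the residue is still there; off =", off)
	}
	if off, err := VerifyCleared(bytes.NewReader(img), 0); err != nil {
		fmt.Println("full check:", err, "(offset", off, ")")
	}
	Clear(img, 0)
	if off, err := VerifyCleared(bytes.NewReader(img), 0); err == nil {
		fmt.Println("after clear: full verification passed, off =", off)
	}
}
```

Full read-back is slow on large media but is the only check that can find small residues; the sampled variant shows why a clean sampled result is weaker evidence. For self-encrypting drives and cloud volumes, purge is usually done by cryptographic erase (destroying the media key); verification then consists of confirming the old data no longer reads back, and the vendor’s attestation plus your own read-back sample go into the disposal record.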
When the Breach Notification Rule Applies
If PHI is not encrypted or properly destroyed, and there is an impermissible acquisition, access, use, or disclosure, the incident is presumed to be a breach unless a documented risk assessment under § 164.402(2) demonstrates a low probability that the PHI was compromised, or one of the rule’s three exceptions applies. Once a breach is established, §§ 164.404 through 164.408 require:
- Notification to affected individuals without unreasonable delay and no later than 60 calendar days after discovery
- Notification to HHS via the Breach Portal: within 60 days of discovery for breaches affecting 500 or more individuals, or within 60 days after the end of the calendar year for smaller breaches
- Notification to prominent media outlets if more than 500 residents of a state or jurisdiction are affected
The covered entity or business associate must also maintain documentation, conduct a breach risk assessment, and potentially implement a corrective action plan.
Common Situations Where PHI Is Considered Unsecured
| Scenario | Is PHI Secured? | Notification Required? |
|---|---|---|
| Stolen unencrypted USB drive with patient files | No | Yes |
| Lost phone with encrypted PHI and secure lock screen | Yes | No |
| Mis-sent email containing patient records, no encryption | No | Yes |
| Fax with patient records sent to wrong provider, recipient confirms it was destroyed | No (a fax is not encrypted) | Risk assessment required; may fall under an exception if the recipient could not reasonably have retained it |
| Paper records left in public dumpster, not shredded | No | Yes |
Case Study: Unencrypted Email Leads to Notification
In 2022, a small dermatology clinic experienced a breach of protected health information (PHI) when it attempted to send biopsy results to an external specialist via email. The message included sensitive PHI directly in the body of the email and was transmitted without encryption. A typographical error in the recipient’s email address resulted in the message being delivered to the wrong individual, someone with no treatment relationship to the patient.

Upon discovery, the clinic launched an internal investigation. It confirmed that the email was not encrypted and that the PHI it contained was accessible and clearly understandable by an unauthorized recipient. Under the HIPAA Breach Notification Rule, this met the definition of a disclosure of unsecured PHI under 45 CFR 164.402, triggering mandatory breach notification requirements.

In response to the incident, the clinic promptly notified the affected patient, within the 60-day deadline the rule imposes. It also reported the breach to the U.S. Department of Health and Human Services (HHS) through the official breach portal, as mandated for breaches involving unsecured PHI.

As part of its corrective actions, the clinic implemented end-to-end encryption for all outbound email containing PHI and retrained staff on secure email handling practices. This case highlights the importance of both technical safeguards and human accuracy in protecting patient information.

Lesson: A simple typo + lack of encryption = reportable breach. Had the clinic used encryption that only the intended specialist could decrypt, the misdirected copy would have been unreadable and the breach rule would not have applied. Note that opportunistic TLS between mail servers would not have helped here: the message would still have been delivered, readable, to the wrong mailbox.
How to Minimize the Risk of Unsecured PHI Breaches
- Encrypt All ePHI – Make encryption a default setting for emails, devices, cloud storage, and backups using NIST-compliant tools.
- Train Staff on What Counts as “Unsecured” – Include encryption, secure communication, destruction, and incident reporting in training.
- Use Secure Communication Tools – Deploy HIPAA-compliant platforms for referrals, messaging, and patient communications.
- Establish a Clear Breach Response Protocol – Have a plan for incident investigation, risk assessment, reporting, and documentation.
Quick Reference: Is It a Breach?
| Question | Answer |
|---|---|
| Was PHI involved? | If no, not a breach. If yes, proceed. |
| Was there an impermissible acquisition, access, use, or disclosure? | If no, not a breach. If yes, proceed. |
| Was the PHI unsecured (not encrypted with an uncompromised key, or not destroyed per the HHS guidance)? | If no, not a breach. If yes, proceed. |
| Does one of the three exceptions apply? (unintentional good-faith acquisition by a workforce member, inadvertent disclosure between persons authorized at the same entity, or a recipient who could not reasonably have retained the information) | If yes, not a breach; document why. If no, proceed. |
| Does a documented risk assessment of the four factors (nature and extent of the PHI, who received it, whether it was actually viewed or acquired, and how far the risk was mitigated) show a low probability of compromise? | If yes, not a breach; keep the assessment on file. If no, notification is required. |
Common Pitfalls: Understanding "Unsecured PHI" (§ 164.402)
- Good Intentions ≠ Secure PHI: Passwords alone don’t protect data; encryption or destruction per HIPAA is required.
- Limited PHI View: PHI isn’t just medical records—also includes billing, schedules, and IDs.
- Patchy Encryption: Incomplete or outdated encryption weakens security. Use strong, consistent encryption everywhere.
- Poor Disposal: Throwing out paper or deleting files without proper destruction risks breaches. Use certified shredding and data wiping.
- Ignoring Mobile Risks: Personal and remote devices need encryption and secure access controls.
- Misreading Breach Rules: Don’t confuse security incidents with breaches, but remember the rule presumes a breach unless your risk assessment shows a low probability of compromise; when unsure, document the assessment and report.
- Waiting for Problems: Regular risk assessments and updates prevent breaches before they happen.
Final Takeaways and Recommendations
Knowing what qualifies as unsecured PHI is the first step in determining whether the Breach Notification Rule applies to your practice. By default, if ePHI is not encrypted (or its key was exposed with it) or paper PHI is not destroyed, and there is unauthorized access, the PHI is unsecured and the incident is presumed to be a reportable breach unless an exception applies or a documented risk assessment shows a low probability of compromise.
To stay compliant and reduce risk:
- Encrypt all systems and communications that touch PHI
- Destroy paper and devices according to NIST guidelines
- Educate your staff to recognize and report security events
- Document your actions and decisions during incidents
- Review HHS and NIST guidance annually
With the right protections in place, you can not only minimize the impact of data loss but also avoid the burden of breach reporting altogether.