What is “unsecured protected health information”?
“Unsecured protected health information” is defined as protected health information that is not secured using a technology or methodology specified by the secretary of HHS, for example encryption or destruction of material. HHS originally published guidance on this in April 2009, and the new rule updates that guidance. (Please see our Health Law practice’s May 11, 2009, advisory, HHS Guidance Describes Safe Harbor from Data Breach Notification Requirements.)

What are the notice requirements?
The new rule provides detailed requirements regarding the timing, method and content of notification in the event of a breach of unsecured protected health information. Notice must be provided to the affected individuals without unreasonable delay, but not later than 60 days after the breach has been (or reasonably should have been) discovered. Generally, notice may be provided by first-class mail, or by e-mail in situations where the participants have previously agreed to e-mail notification. If t