HITECH UPDATE: HHS misses deadline for definition of unsecured PHI

HIM-HIPAA Insider, April 20, 2009

Congress gave the Department of Health & Human Services (HHS) 60 days from the February 17 signing of the American Recovery and Reinvestment Act — or Friday, April 17 — to define “unsecured protected health information.”

And HHS apparently has missed that deadline.

HHS had not provided a definition as of press time Friday. So by default, the definition includes all protected health information that is not secured by an encryption standard endorsed by the National Institute of Standards and Technology (NIST). For the record, the general default definition of unsecured PHI in the Health Information Technology for Economic and Clinical Health (HITECH) Act is:

  • “Protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.”

When can HHS change the default definition? That’s unclear now.

“As long as you’re buying products that use known algorithms, you really should be fine,” says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA. “… I don’t think HHS or Congress expect organizations to throw out what they’ve done so far.”
