If the information in question was rendered unusable, unreadable, or indecipherable to unauthorized individuals through an approved process of encryption or through destruction of the information through shredding, burning, purging, or other approved method, then no breach occurred.
Additionally, the unauthorized acquisition, access, use, or disclosure is not a breach if the information meets the following criteria:
1. It is individually identifiable health information held by the covered entity or business associate in its capacity as an employer.
2. It is PHI that does not include any of the following:
o the identifiers listed at 45 C.F.R. § 164.514(e)(2) ((1) names; (2) postal address information, other than town or city, State, and zip code; (3) telephone numbers; (4) fax numbers; (5) e-mail addresses; (6) social security numbers; (7) medical record numbers; (8) health plan beneficiary numbers; (9) account numbers; (10) certificate/license plate numbers; (11) vehicle identifiers and serial numbers; (12) device identifiers and serial numbers; (13) Web URLs; (14) Internet Protocol (IP) address numbers; (15) biometric identifiers, including finger and voice prints; and (16) full face photographic images and any comparable images);
o the patient’s date of birth; and
o the patient’s zip code.
3. It is information that has been “de-identified” in accordance with the HIPAA Privacy Rule.