Breach notification requirements apply to which type of PHI?

Prepare for the RHIT Domain 5 – Compliance Test. Utilize flashcards and multiple-choice questions with hints and explanations. Ace your exam with confidence!

Breach notification requirements specifically apply to unsecured PHI, which refers to protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through encryption or other means. This includes both electronic and physical forms of records as long as they have not been adequately protected.

This distinction matters because of the regulations under the Health Insurance Portability and Accountability Act (HIPAA). The intent is to prioritize patient protection by ensuring that individuals are informed when their health information has been compromised in a manner that could lead to unauthorized access. Consequently, when PHI is encrypted or otherwise made secure, it is excluded from breach notification requirements, since the information remains protected despite any breaches.

Understanding that not all forms of PHI trigger breach notifications emphasizes the need for proper data security measures, particularly in how organizations manage and protect health information.
