Health care providers are now required to notify patients of breaches of unsecured protected health information (PHI).
In general, unsecured PHI includes paper records and unencrypted electronic PHI. PHI refers to individually identifiable information about past, present, or future health care services. Electronic PHI exists in computerized billing systems and electronic medical record systems, as well as computerized diagnostic equipment, email, cell phones, and PDAs.
Although the HIPAA Security Rule required that practices take steps to secure their electronic PHI, it fell short of requiring encryption. As a result, most physician practices currently do not encrypt their electronic data.
This regulation is the first in a series that will be implemented under the Health Information Technology for Economic and Clinical Health Act (HITECH), which was part of the economic stimulus package passed in early 2009.
Any entity covered by HIPAA must notify patients promptly when their paper or unencrypted electronic health information is breached. Patients do not need to be notified if encrypted electronic information is accessed.