New details on HIPAA Breach Notification
On Friday, the Department of Health and Human Services released new details on breach notification and the protection of personal health information.
There are two acceptable methods for securing PHI: encryption and destruction.
Encryption is the obvious method for securing ePHI, and, as expected, the acceptable encryption methods reference NIST standards.
Using encryption may help organizations prevent public embarrassment and costly settlements.
Breach notification is required only for what falls under "unsecured" PHI. So, if someone gets hold of PHI that is encrypted using the referenced NIST encryption standards, then notification is not required.