With no harm threshold, nearly all breaches substantiated in CA

California, the state that signed a precedent-setting privacy law, fields more than 220 notifications of potential breaches from licensed facilities per month, according to numbers released by the state’s Department of Public Health.

From January 1, 2009, when law AB 211 went into effect, through May 31, 2010, entities have reported a total of 3,766 breaches. The law calls for health providers to prevent unlawful access, use, or disclosure of patients’ medical information and to report violations to DPH and the individuals affected.

The California Department of Public Health (CDPH), which enforces the law, receives notification of a little more than seven breaches a day. While California law calls for licensed entities to report any and all potential breaches, federal regulation currently gives providers a way to avoid reporting some of them.

In the HITECH interim final rule on breach notification, providers through the “harm threshold” provision may conduct a risk assessment to see if the potential breach causes a significant risk of financial, reputational or other harm to the patient.

If it doesn’t, no notification is required.

Congress did not write this into the HITECH Act. But the Office for Civil Rights (OCR), which on the federal level enforces the HIPAA privacy and security rules, included it through regulation.

That regulation, published in the Federal Register August 24, 2009, notes that many commenters suggested OCR add a “harm threshold such that an unauthorized use or disclosure of [personal health information] is considered a breach only if the use or disclosure poses some harm to the individual.”

Today, one year later, that rule is in effect, but on an interim basis. OCR submitted a final rule on breach notification for review by the Office of Management and Budget (OMB) but withdrew it earlier this month.

OCR did not specify why it withdrew the final rule, but some speculate OCR may remove the “harm threshold” and be more like California, where all breaches are reported.

Of those 3,766 breaches reported in the Golden State, California’s investigations team has completed reviews of 1,953. It found 98.7% of those to be “substantiated medical breaches.”

One California attorney says a harm threshold would help avoid the need to report innocuous breaches such as a fax going to the wrong provider.

“You add a huge expense and worry people” by reporting harmless breaches, said Paul Smith, partner with Davis Wright Tremaine LLP of San Francisco and co-chair of its health information privacy practice.

Most healthcare entities handle breaches in a “conscientious” way, Smith says. “They understand that if there is a risk to the patient, it’s in everyone’s interests to provide notification.”

Jeff Drummond, health law partner in the Dallas office of Jackson Walker, LLP, agrees that sending notification upon notification can unnecessarily panic people “who really are at no risk of harm.” “Secondly,” he says, “getting breach notifications every time a truly low-risk potential disclosure occurs will result in ‘warning fatigue.’”

It’s like the boy who cried wolf, and “people will ignore notices they get when there really is something to worry about,” says Drummond, who will be a co-presenter on the HCPro, Inc. August 31, 2010, audio conference, “HIPAA’s New Proposed Rule: Prepare for Changes to Privacy, Security and Enforcement Regulations.”

“Some things we do out of an abundance of caution, because there’s really little or no downside to doing so,” Drummond adds. “Here, there really is a potential downside for giving warnings that aren’t really necessary.”

However, Drummond said he would not be surprised if the harm threshold were eliminated because Congress did not intend for it to be included in the final breach notification structure.

According to the interim final rule, covered entities and their BAs will perform a risk assessment to determine if there is significant risk of harm to the individual whose PHI was inappropriately dispensed into the wrong hands.

According to the interim final rule, the important questions are:

  • In whose hands did the PHI land?
  • Can the information disclosed cause “significant risk of financial, reputational, or other harm to the individual”?
  • Was mitigation possible? For example, can you obtain forensic proof that a stolen laptop computer’s data was not accessed?

When asked this week by HIPAA Update if it were considering removing the harm threshold, OCR deferred to its earlier statement posted on its website.

“This is a complex issue, and the administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur,” OCR said of its reason to further review the breach notification final rule.

California, meanwhile, continues to operate without a harm threshold and as of May 31, the state has been able to investigate 51.8 percent of the cases reported.

The reported breaches break down as such:

  • 2,914: Unintentional breach to person outside facility/healthcare system. Example: A patient’s prescription is faxed to the wrong number and ends up in a lawyer’s office instead of the corner pharmacy.
  • 559: Unintentional breach by healthcare worker within the facility/healthcare system. Example: A nurse faxes a patient record to cardiology instead of radiology.
  • 147: Malicious breach by healthcare worker. Example: A healthcare worker looks at the medical record of a patient without any medical reason to do so.
  • 125: Breach of computer system, theft, or loss of electronic device/medical records. Example: A hospital laptop is stolen from an employee’s personal car.
  • 21: Malicious breach by person other than a healthcare worker. Example: Someone visiting the hospital sees a medical file on a desk and decides to pick it up and start reading.


  1. Frank Ruelas says:

    In my opinion, we will see the harm threshold removed and the floodgates will be opened as to the number of incidents reported.


  2. Stephanie says:

    Removing the harm threshold on this unfunded mandate will require large health care organizations to take on the burden of an FTE to keep up with all of the notification letters for all the “harmless” misdialed faxes and will result in public alarm.
    Recent polls indicate that most Privacy Officers/Officials in health care organizations are functioning on their own and are responsible for the development and ongoing review of policy and procedure, training the workforce, providing review and oversight of BAA implementation, conducting routine audits, investigating allegations of privacy violations and serving as a resource for their organization.

  3. Dom Nicastro says:

    Great points! It seems to be a matter of who OCR wants to listen to — providers or Congress.

  4. Erika says:

    Having just gone through the process of notifying >100,000 persons after the theft of an unencrypted computer containing limited information (determined only to be able to cause reputational or ‘other’ harm as no financial information was compromised), I can’t imagine the impact if we were not able to perform a risk assessment for other incidents. During our process, we witnessed the entire range of human emotions — from anger and frustration, to paranoia and guilt. We had people sending us their information in the mail, as we told them that it had been “lost” via theft. We had others taking trains and buses to show up in our lobby and make us explain in person what had happened to their information. We had people calling us to tell us that they knew who had taken the information. Mostly, people were afraid, and they expressed this emotion with all types of outward and inward anger. To have to go through this process and put our patient population through all of this for each mis-sent fax or incident of information sent to the wrong covered entity, would, in my opinion, be a nightmare for all involved — most especially for the patients whose rights we are trying to uphold and protect.

  5. Dom Nicastro says:

    Wow, Erika. That is one heck of a story.

    Think you can single-handedly make the case for keeping in the harm threshold.

    I would love to touch base with you to perhaps go on record for a HIPAA column — or even just to chat informally off the record. I’m at dnicastro@hcpro.com.

  6. Frank Ruelas says:

    Erika, et al.,

    Let’s not forget the other option to the consequences which people have presented: additional FTEs, the volume of notifications, etc.

    That option is to make the data unusable, unreadable, or indecipherable.

    After studying over 100 of the reported breaches on the OCR website in detail, it is easy to see that some of the breaches are outright head-scratchers due to carelessness (donating a filing cabinet containing documents with PHI…Doink!) and those where encryption could have saved the day…such as encrypting data on lost or stolen laptops or computers (the largest contributors to the list with respect to the location of the breached information), flash drives, or other data transporting media.