HIPAA Harm Threshold Works, Say Providers

Without a risk assessment and determination of harm, patients would be "inundated with so many letters that the letter of the law would be meaningless," Mikels said. "I'm kind of leaning toward I think it makes sense to do a risk analysis if we do it well and with the intent of the law. We tend to err on the side of caution and notify patients. Down the road, we wouldn't want patients to say, 'OK, my identity was stolen,' and we didn't do anything about it."

At the last HIPAA Summit—in September—Gerry Hinkley, Esq., partner and chair of HIT practice group for Davis Wright Tremaine in San Francisco, called the harm threshold a "huge weakness." He said if he's a patient, he wants to be the one determining whether information that was disclosed inappropriately could cause significant harm—and not the covered entity. Some also say it allows organizations to choose at their own discretion their own breaches.

"I don't think this is a get-out-of-jail-free card," Hofman of Cascade Healthcare Community said Friday. "With legal, compliance and with ethics, you would hope most organizations would have a higher standard of ethics, and that we'd do our best for our patients."