With No Harm Threshold, Nearly All Breaches Substantiated in CA

Dom Nicastro, for HealthLeaders Media, August 26, 2010

"Some things we do out of an abundance of caution, because there's really little or no downside to doing so," Drummond adds. "Here, there really is a potential downside for giving warnings that aren't really necessary."

However, Drummond said he would not be surprised if the harm threshold were eliminated because Congress did not intend for it to be included in the final breach notification structure.

According to the interim final rule, covered entities and their BAs will perform a risk assessment to determine if there is significant risk of harm to the individual whose PHI was inappropriately dispensed into the wrong hands.

According to the interim final rule, the important questions are:

  • In whose hands did the PHI land?
  • Can the information disclosed cause "significant risk of financial, reputational, or other harm to the individual"?
  • Was mitigation possible? For example, can you obtain forensic proof that a stolen laptop computer's data was not accessed?

When asked this week by HealthLeaders Media if it were considering removing the harm threshold, OCR deferred to its earlier statement posted on its website.

"This is a complex issue, and the administration is committed to ensuring that individuals' health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur," OCR said of its reason to further review the breach notification final rule.

California, meanwhile, continues to operate without a harm threshold and as of May 31, the state has been able to investigate 51.8 percent of the cases reported.
