Guest Post: Small Breaches Still Reportable – Current State of HIPAA Breach Notification

Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.

The following is a 4 part series of blog posts on the HIPAA Breach Notification Rules. Here’s a link to read all of the HIPAA Breach Notification Rules guest posts.

In the world of release of information (ROI), we see the breach of one or two records much more frequently than the massive, over-500 events. Smaller, one- or two-record breaches do not require immediate notification to HHS. The HITECH Act says they should be aggregated and sent to HHS at the end of each year. In 2010, the agency received more than 25,000 reports of smaller breaches affecting more than 50,000 individuals. The complete Annual Report to Congress (PDF) from HHS for 2009 and 2010 is available online.

The most common, inadvertent breaches within the ROI process involve sending the wrong record to the wrong person or third party. It is usually human error that produces these breaches. For example, the CE gets a written request from an insurance company, attorney or patient for medical record #12345. Someone pulls the wrong medical record either paper-based or electronic, say medical record #12344 and sends it. The result—a breach!

Training, education, skilled staff and solid procedures are the best approach to minimizing human error-based breaches, but they are inevitable. If and when it happens, the CE must evaluate sending a notification to the patient.

Another observation about breaches is that reactions to them seem to be very polarizing. Sometimes we see “breach fatigue” by patients. They hear so much about breaches that any leakage of their information is considered “no big deal” and simply a reality of modern, high-tech times. “After all, who really cares about the appendectomy I had ten years ago?” The opposite pole is that some patients become very upset and exhibit a sense of great concern.

Ultimately, the balance between a patient’s right of confidentiality and the provider’s needs for workflow consistency will continue to evolve. In the meantime, until a final breach notification rule is released, every CE must determine for itself how patient notices are analyzed and handled.

About the author

John Lynn

John Lynn

John Lynn is the Founder of, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • My sister-in-law who works at the hospital I was treated at for an injury and the offender was my husband who was charged with a felony, gave him info. while I was still being treated in the ER at the time on my injury. I absolutely filed out Hippa paperwork that NO ONE was to be informed of this and she is currently looking at my records and releases info on my medical info. to him while we are being divorced. CAN I SUE THE HOSPITAL or what?

  • Trish,
    I’m not a lawyer and that’s who you’d want to talk to for this. Although, from what you said, I think you’ll have plenty of things to talk about with that lawyer.

Click here to post a comment