(From my EMRapproved HIT Security weekly blog)

Proof of harm no longer required for a reportable HIPAA data breach

The release of the HIPAA Omnibus package of regulations removes proof of ‘harm’ as a HIPAA data breach standard, now making it harder for a covered entity or business associate to avoid reporting a data breach.  This was based on the previous guidance for the interim data breach rule by the US Department of Health and Human Services (HHS) that a HIPAA data breach was only reportable if the unauthorized release of protected health information caused harm— “a use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.” More