Duke University Health System notifies patients of breach-that's-not-called-a-breach? (updated)

If you’re not familiar with bankruptcy proceedings, you may be as confused by this breach notice by Duke University Health System as I was.

After reading it a few times, I finally thought I may have understood what happened, but then I read Jeff Drummond’s blog post as to why the DUHS never called this notice a “breach” and whether it even was a breach under HIPAA.

Go read both and see what you think. If the “risk of harm” standard is/was eliminated by the final regulations, I think this would be considered a breach under HIPAA, but as the law stands now? I don’t know.

Updated July 21, 2012:  This breach was reported to HHS and now appears on its breach tool:

Duke University Health System,NC,,"1,961",04/21/2004-02/16/2012,Unauthorized Access/Disclosure,Other,7/3/2012,,

About the author: Dissent

Comments are closed.