TRICARE, the U.S. military health program, has reported a massive breach affecting protected health information for 4.9 million patients in 10 states treated in San Antonio military facilities between 1992 and Sept. 7, 2011.
Despite the fact that the PHI of 4.9 million patients has potentially been compromised, Tricare is apparently not treating this incident as a breach that requires notification because:
judged to be low despite the data
This is the very thing that consumer groups (and some legislators) feared would happen when HHS introduced the "harm threshold" analysis into the breach notification decision. At least some legislators (and apparently the White House) had a problem with the "harm threshold" issue (i.e., harm determined solely by the covered entity), and others claimed that this "harm threshold" was NEVER the intent of the law and that HHS went too far in introducing it into the regulations.
Looks like TRICARE has elected to add fuel to the fire. We believe that this is likely to backfire and to strengthen the hand of those pushing for regulations that could not so readily be sidestepped. The State Attorney General in Texas may have the last word on this one, and it is likely that HHS will be pushed to do an investigation.