This is a request for clarification regarding an impermissible use or disclosure of PHI when the risk of harm varies substantially within the population of individuals whose PHI was used or disclosed.
The definition of “breach” excludes an impermissible use or disclosure of PHI that poses no significant risk of harm to the individual. Within a population of individuals whose PHI was used or disclosed in a manner not permitted under the Privacy Rule, the impermissible use or disclosure may cause a significant risk to some individuals but not to others. For example, the risk to a health plan subscriber might be significant while the risk to other enrolled family members is insignificant.
(a) In such instances, may a Covered Entity treat individuals for whom the risk of harm is insignificant as not being individuals with respect to the breach for purposes related to notifying individuals, the media, and the Secretary?
(b) In such instances, may a Business Associate treat individuals for whom the risk of harm is insignificant as not being individuals with respect to the breach for purposes related to notifying the Covered Entity?
Comment on FR Doc # E9-20169
This is a comment on the Rule: Breach Notification for Unsecured Protected Health Information