The interim final rule, which was issued last month, states that a breach does not occur unless the access, use or disclosure poses "a significant risk of financial, reputational, or other harm to individual." In the event of a breach, the rule requires covered entities to perform a risk assessment to determine if the harm standard is met. If they decide that the risk of harm to the individual is not significant, the covered entities never have to tell their patients that their sensitive health information was breached.

The language was not handed down as part of the $19 billion health IT section of the economic stimulus package and was expressly rejected by House staffers who helped craft the measure, McGraw said. She noted its inclusion by HHS is likely the result of lobbying on the part of the healthcare industry. CDT and its allies favor the approach taken by the Federal Trade Commission in its own data breach mandate, which takes effect the same day as the HHS rule. The FTC version stipulates that if an individual authorized the discharge of data, its release is not considered a breach.