If you’re not familiar with bankruptcy proceedings, you may be as confused by this breach notice by Duke University Health System as I was.
After reading it a few times, I finally thought I may have understood what happened, but then I read Jeff Drummond’s blog post as to why the DUHS never called this notice a “breach” and whether it even was a breach under HIPAA.
Go read both and see what you think. If the “risk of harm” standard is/was eliminated by the final regulations, I think this would be considered a breach under HIPAA, but as the law stands now? I don’t know.
Updated July 21, 2012: This breach was reported to HHS and now appears on its breach tool:
Duke University Health System,NC,,"1,961",04/21/2004-02/16/2012,Unauthorized Access/Disclosure,Other,7/3/2012,,