To put it mildly, there’s no shortage of attention being paid to protecting the privacy of patient information.
But are all patient data breaches really as bad as they’re made out to be?
That’s the question this privacy consultant is asking, and his take on the matter is at least worth considering.
After succinctly laying out the history of data protection regulations, he takes a look at the breaches that have been reported in recent years. And he suggests that perhaps policymakers and privacy advocates are overreacting.
“More than a handful of incidents,” he points out, “don't appear to involve malicious intent or easy-to-use media. A number of entries cite ‘other,’ ‘loss’ or ‘improper disposal’ for the type of breach, instead of ‘theft’ or ‘unauthorized access.’ A large share also cites ‘paper’ as the medium, instead of easier-to-manipulate electronic media. On the wide spectrum of data breaches, these often fall on the low-impact side.”
In view of these observations, he doesn’t dismiss privacy concerns outright, but he does “think companies are either afraid to be caught not reporting a low-grade breach after the fact, or they don't know about the ‘significant risk of harm’ exemption in the interim final rule.
“This exemption allows organizations that have suffered a medical-data breach to determine if that breach poses a significant risk of harm to the persons whose information was included in the incident.”
He goes on to lay out how he thinks companies should incorporate the “significant risk of harm” determination into their handling of health-data breaches, and we’ll leave it to you, our readers, to tell us whether you think he’s onto something.
Are concerns about data privacy a bit over the top? And will his suggestion enable both healthcare providers and policymakers to strike a more reasonable balance when it comes to reporting breaches?
Let us know what you think.