Section 13402(e)(3): 500 or fewer people involved in a breach without having to notify people is too great a loss to go unreported. Please consider lowering this to a more reasonable number (100) to encourage medical facilities to improve security rather than just under-report the numbers involved.
This is also a hindrance to rural America, where many breaches occur but fewer than 500 records are involved. Since HIPAA hasn't really protected our records yet, giving a 500-person breach a free ride does not solve the problem of security.
Only local pressure of revealing a breach is making medical facilities improve security. PLEASE lower this limit to 100.
Brad Smith, RN, CISSP, NSA-IAM