The change allows health-care companies to do a self-assessment of the potential privacy and fraud risks stemming from a data breach and leaves it up to them to decide if a notification is justified. If a breached company decides there is no harm, it will have no obligation to disclose the breach to anyone -- even if it had taken no measures previously to protect the data. "The harm standard completely undermines the purpose of mandatory notification, which is that covered entities protect their patient data with strong safeguards," said Harley Geiger, legal counsel at the Center for Democracy and Technology (CDT), a Washington-based think tank. "Now an entity can avoid both encryption and notification because they can decide that any information that was released poses no risk," he said.