Incidental Disclosure of Protected Health Information

Healthcare providers and their staff routinely communicate with other staff members and with patients to facilitate patient treatment. Because such communication is so frequent and commonplace, the potential exists for incidental disclosure of protected health information (PHI). Under the HIPAA Privacy Rule, covered entities must have in place appropriate administrative, technical, and physical safeguards that limit incidental disclosure.

What is Incidental Disclosure of Protected Health Information?

Incidental disclosure of PHI is defined as:

  • Secondary disclosure, that
  • Cannot reasonably be prevented, and
  • Is limited in nature, and that 
  • Occurs as a result of another, primary use or disclosure that is permitted by the HIPAA Privacy Rule.

For example, a hospital visitor may overhear a provider’s confidential conversation with another provider regarding the care of a patient whom they are both treating. In such instances, the primary use or disclosure of PHI is the communication between the providers. Such communication is permitted under the HIPAA Privacy Rule since it relates to patient treatment. A secondary, or incidental, disclosure happens to have been made to the hospital visitor who overhears the conversation. Assuming that this incidental disclosure is limited in nature and could not reasonably have been prevented, the HIPAA Privacy Rule permits it.

To state the general rule, an incidental disclosure is permitted if it is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a result of another (primary) use or disclosure that is permitted by the HIPAA Privacy Rule. However, an incidental disclosure is not permitted if it is a by-product of an underlying use or disclosure which itself violates the Privacy Rule.

What Must a Covered Entity Do to Minimize the Risk of Incidental Disclosure?

The HIPAA Privacy Rule, in a nod to reality, does not require that all risk of incidental disclosure be eliminated to satisfy its standards. Rather, the Privacy Rule permits incidental disclosures of protected health information to occur, so long as the covered entity has:

  • Developed reasonable safeguards to protect an individual’s privacy; and
  • Implemented the minimum necessary standard, where applicable,

with respect to the primary use or disclosure.

What Safeguards are Required?

A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the HIPAA Privacy Rule, and that also limit incidental uses or disclosures. A covered entity’s safeguards are not expected to guarantee the privacy of protected health information against any and all potential risks.

Reasonable safeguards will vary from covered entity to covered entity depending on factors such as the size of the covered entity and the nature of its business. In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the protected health information they hold, and assess the potential risks to patients’ privacy.

Covered entities should also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards.

What are Specific Examples of Reasonable Safeguards?

Many health care providers and professionals have long made it a practice to ensure reasonable safeguards for individuals’ health information – for instance:

  • By speaking quietly when discussing a patient’s condition with family members in a waiting room or other public area;
  • By avoiding using patients’ names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality;
  • By isolating or locking file cabinets or records rooms; or
  • By providing additional security, such as passwords, on computers maintaining personal information.

What Does Implementing the Minimum Necessary Standard Involve?

As noted above, incidental disclosure is permitted only when covered entities have both developed reasonable safeguards AND implemented the minimum necessary standard.

Covered entities must implement the minimum necessary standard by adopting reasonable minimum necessary policies and procedures that limit how much protected health information is used, disclosed, and requested for certain purposes. These minimum necessary policies and procedures must also limit who within the entity has access to protected health information, and under what conditions, based on job responsibilities and the nature of the business.

Note that the minimum necessary standard does not apply to disclosures, including oral disclosures, among health care providers for treatment purposes. For example, a physician is not required to apply the minimum necessary standard when discussing a patient’s medical chart information with a specialist at another hospital.

An incidental use or disclosure that occurs as a result of a failure to apply reasonable safeguards or the minimum necessary standard, where required, is not permitted under the HIPAA Privacy Rule.

For example: the minimum necessary standard requires that a covered entity limit who within the entity has access to protected health information, based on who needs access to perform their job duties. If a hospital employee is allowed routine, unimpeded access to patients’ medical records (and thus to PHI) where such access is not necessary for the employee to do his job, the hospital is not applying the minimum necessary standard. Therefore, any incidental use or disclosure that results from this practice, such as another worker overhearing the hospital employee’s conversation about a patient’s condition, would be an unlawful use or disclosure under the HIPAA Privacy Rule.
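The minimum necessary standard described above amounts to a least-privilege access policy: each workforce role gets only the PHI fields its job requires, and treatment disclosures among providers are exempt. The following is an added example, not code from the original page or from Compliancy Group, showing how such a policy can be enforced and audited in software. The chart, the roles, the purposes, and the policy table are all constructed, hypothetical values used only for illustration.

```python
from dataclasses import dataclass

# Constructed sample chart (not real PHI); the field names are hypothetical.
SAMPLE_CHART = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "diagnosis": "Type 2 diabetes",
    "medications": ["metformin"],
    "insurance_id": "INS-12345",
    "billing_codes": ["E11.9"],
}

# Workforce roles that count as health care providers for the treatment exception.
PROVIDER_ROLES = frozenset({"physician", "nurse", "specialist"})

# Hypothetical minimum-necessary policy table: for each (role, purpose), the
# chart fields that role needs to do its job. Anything not listed is not
# necessary for that role and purpose and must not be released.
MINIMUM_NECESSARY = {
    ("billing_clerk", "payment"): frozenset({"patient_id", "insurance_id", "billing_codes"}),
    ("scheduler", "operations"): frozenset({"patient_id", "name"}),
    ("nurse", "operations"): frozenset({"patient_id", "name", "medications"}),
}


@dataclass
class Decision:
    granted: frozenset
    denied: frozenset
    reason: str


def evaluate_access(role: str, purpose: str, requested_fields) -> Decision:
    """Apply the minimum necessary standard to one request for chart fields."""
    requested = frozenset(requested_fields)
    # Disclosures among providers for treatment are exempt from the standard,
    # so the whole request is in scope.
    if purpose == "treatment" and role in PROVIDER_ROLES:
        return Decision(requested, frozenset(),
                        "treatment disclosure between providers: minimum necessary does not apply")
    permitted = MINIMUM_NECESSARY.get((role, purpose))
    if permitted is None:
        # No policy entry means no defined job need: release nothing.
        return Decision(frozenset(), requested,
                        f"no minimum-necessary policy for role {role!r} and purpose {purpose!r}")
    granted = requested & permitted
    denied = requested - permitted
    reason = ("within minimum necessary" if not denied
              else f"request trimmed: {sorted(denied)} exceed minimum necessary")
    return Decision(granted, denied, reason)


def release_fields(chart: dict, role: str, purpose: str, requested_fields, audit_log: list) -> dict:
    """Return only the permitted subset of the chart and record the decision for audit."""
    decision = evaluate_access(role, purpose, requested_fields)
    audit_log.append({
        "role": role,
        "purpose": purpose,
        "granted": sorted(decision.granted),
        "denied": sorted(decision.denied),
        "reason": decision.reason,
    })
    return {f: chart[f] for f in sorted(decision.granted) if f in chart}


if __name__ == "__main__":
    log = []
    # A billing clerk asking for a diagnosis gets only the payment-related fields.
    print(release_fields(SAMPLE_CHART, "billing_clerk", "payment",
                         ["patient_id", "insurance_id", "diagnosis"], log))
    # A specialist reviewing the chart for treatment is not trimmed.
    print(release_fields(SAMPLE_CHART, "specialist", "treatment",
                         ["diagnosis", "medications"], log))
    # A role with no policy for the stated purpose receives nothing.
    print(release_fields(SAMPLE_CHART, "scheduler", "payment", ["insurance_id"], log))
    for entry in log:
        print(entry)
```

Two design choices matter for the standard as the page describes it. First, an over-broad request is trimmed rather than silently honoured, and the denied fields are written to the audit log, which is what makes a pattern of routine, unnecessary access (the hospital-employee scenario above) visible to a compliance reviewer. Second, a missing policy entry defaults to denial, so a role only ever sees PHI that someone has explicitly decided it needs.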

Compliancy Group Simplifies HIPAA Compliance

Compliancy Group was founded to help simplify the HIPAA compliance challenge. We give health care organizations everything they need to address the full extent of the HIPAA regulations.

Our ongoing support and web-based compliance app, The Guard™, gives health care organizations the tools to address the law so they can get back to confidently running their business.

Find out how Compliancy Group has helped thousands of organizations like yours Achieve, Illustrate, and Maintain™ their HIPAA compliance.
