What is a HIPAA Incidental Disclosure?

Typical practices in health care communication, like doctor-to-patient data sharing and in-person or over-the-phone communication to patients by healthcare providers, serve a critical role in ensuring that patients receive effective and timely health care.

Because of the circumstances in which people receive healthcare and treatment from Covered Entities, there is often a possibility of an individual’s health information being disclosed incidentally. For example, doctors might have conversations with patients or other health care team members that can be overheard by unauthorized individuals. Since this disclosure was not intentional, it is considered “incidental”.

Incidental Disclosure and the HIPAA Privacy Rule

The HIPAA Privacy Rule is not intended to impede patient care and therefore does not mandate that all risk of these incidental disclosures be removed to maintain compliance. Instead, the HIPAA Privacy Rule allows for certain incidental disclosures of protected health information (PHI) when a Covered Entity is maintaining all other elements of compliance, including necessary safeguards and policies and procedures that reflect the minimum necessary standard.

Definition of an Allowable Incidental Disclosure

The HHS defines an incidental disclosure as the following:

 “An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule. However, an incidental use or disclosure is not permitted if it is a by-product of an underlying use or disclosure which violates the Privacy Rule.”

To summarize, an incidental disclosure is allowed when it is unavoidable and occurs during compliant activity. When it is a result of anything that violates the Privacy Rule, it is not allowed, and is considered a breach in compliance.

For example, an incidental disclosure may occur when a staff member for a Business Associate vendor walks into a treatment facility and sees a patient in the waiting room. Although the vendor does not need to know the identity of any patients at the facility, the vendor does have a compliant BAA in place and is visiting the facility to carry out work described in the BAA. Their exposure to PHI is incidental to the compliant work that they are doing.

An example of a disclosure that is not incidental might be a treatment facility that performs diagnostic activities in the waiting room where other individuals can hear the conversation between the doctor and the patient. Unless there are unusual limitations due to the physical layout or the budget of the facility, the practice would be expected to be able to avoid disclosing patient information to others in the waiting room. By contrast, in a mass casualty incident in which all treatment rooms were full and patients needed immediate triage, diagnosing in the waiting room perhaps could not reasonably be avoided.

Examples of Incidental Disclosures:

  • Someone at a hospital overhears a confidential conversation between a provider and a patient, or another provider. 
  • A patient may see a glimpse of another patient’s information on a whiteboard or sign-in sheet.
  • An individual may see another person’s x-ray on an x-ray board at a hospital.
  • Conversations between nurses may be overheard by those walking past a nurses’ station.

What are reasonable safeguards for incidental disclosures?

Reasonable safeguards will vary within different organizations/Covered Entities depending on the size of an organization and the type of services being provided. It is not expected or required that a Covered Entity’s safeguards guarantee that PHI is protected from all potential risks. What is required is that a Covered Entity must have suitable administrative, physical, and technical safeguards in place in accordance with the Privacy Rule and identify and document reasonably anticipated threats to PHI and ePHI.

Examples of Reasonable Safeguards:

  • Having quiet conversations, whether to patients or co-workers, about sensitive health information.
  • Avoiding sensitive or private conversations in public or semi-public areas.
  • Keeping whiteboards in private areas.
  • Using a white-out sign-in sheet in your office to maintain patient privacy.
  • Ensuring that confidential conversations do not take place in front of other patients or patient families.
  • Locking computers with passwords so data is not left on the screen.
  • Keeping files and other paperwork in locked areas.

The Minimum Necessary Standard for Incidental Disclosures

From “The HIPAA Minimum Necessary Standard”:

The HIPAA law states that “when using or disclosing PHI (Protected Health Information) or when requesting PHI from another Covered Entity or Business Associate, the entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

The minimum necessary standard does NOT apply to disclosures among healthcare providers for treatment purposes, including oral disclosures. This means that a physician is not required to implement the minimum necessary standard when talking through a patient’s medical information with a specialist at another hospital. 

However, a disclosure that is the explicit result of a lack of reasonable safeguards or failure to apply the minimum necessary standard is not allowed under the HIPAA Privacy Rule.

For example, if a hospital allows an employee to have unrestricted, unnecessary access to patient data, this would be a failure in applying the minimum necessary standard. If this employee then disclosed this information as a result of this lack of access control, this would be an unlawful disclosure that could have been avoided by following the requirements outlined in the Privacy Rule.

  • Incidental Disclosures can occur as a result of typical health care communication practices.
  • The HIPAA Privacy Rule allows for these types of disclosures, as long as the minimum necessary standard and reasonable safeguards are applied, where applicable.
  • It is best to implement practices that prevent these disclosures, such as speaking in private areas and in hushed tones to maintain patient privacy.

Still not sure if your disclosures are considered incidental? Worried about hefty fines by the OCR? Gazelle Consulting is here to help!

Contact us today at info@gazelleconsulting.org or 503-389-5666!
