What is an Incidental Disclosure Under the HIPAA Privacy Rule?Danielle Kelvas, MD
As extensively documented in other articles on the site, the HIPAA privacy rule has highly detailed regulations regarding what patient health information (PHI) is, how it needs to be protected and transferred, and the excessive fines that could result from a violation. That being said, there are some instances where slight deviations from the privacy rule cannot be avoided.
To 100% secure PHI would be arduous, bordering on impossible. Any attempt to do so would painfully slow care, bog down health systems, add to provider burnout, and significantly increase costs. To compensate for this, the HIPAA privacy rule has language that explains what an incidental disclosure is so as not to impede care.
According to the Department of Health and Human Services, an incidental disclosure is:1
- It cannot be reasonably prevented.
- Results from a secondary use.
- It is limited in nature.
- Occurs in a covered entity with proper administrative, physical, and technical safeguards already securely in place (occurs during compliant activity).
- It does not occur as a consequence of a direct violation of the privacy rule (technically a breach).
In the following paragraphs, this article will give examples of allowable incidental disclosures vs. violations and explain types of reasonable safeguards.
Allowable Incidental Disclosures
A business associate, like an attorney, walks into a doctor’s office (entity) for business purposes and sees patients in the waiting room. While the patients’ identities technically haven’t been exposed, a business associate agreement (BAA) is in place. She complies with her work that day, so it’s an incidental disclosure.
As the attorney walks through the hallway, she overhears a conversation about a patient between the doctor and nurse. They were speaking quietly and professionally, but there was no way to avoid overhearing the conversation. They had this conversation at the computer station, away from other patients.
The nurse finishes speaking with the doctor and returns to the waiting room to collect the next patient. She calls for them, saying their name, and others in the waiting room can hear.
As the nurse leads the patient to the exam room, the patient sees a whiteboard on the wall with a list of patients waiting to be seen.
All of these are normal, unavoidable incidental disclosures.2 Let’s change the story a bit to make these violations.
A business associate, like an attorney, walkings into a doctor’s office for work she must complete that day. As she walks through the waiting room, everyone can overhear a conversation between a doctor and a patient regarding their care. This is a violation.
In the other corner, an ultrasonographer is going over images of an ultrasound she just completed on a patient. Everyone can hear their conversation and see the images. This is a violation, as these conversations need to be done in a private room.
As the attorney walks through the hallway, patient charts are open – strewn everywhere – and computer screens displaying PHI are readily visible and accessible at the computer station, where other patients who walk through the hallway can also view them. There isn’t a password-protected feature on the computer. The attorney spends some time reading one of the charts and makes a note of the patient’s name. This is a breach, as all information should be respectfully hidden unless being used.
When the nurse enters the waiting room to collect the next patient, instead of just saying their name, he calls for the next patient with congestive heart failure. Revealing information like that isn’t necessary and doesn’t qualify as an incidental disclosure.
What are Important Safeguards?
As stated above, some things are just unavoidable. That being said, simple steps can be taken to prevent violations. These include:
- Speak to patients about their care in a secluded room.
- If one must speak publicly in a hallway, even between providers, do so quietly and try not to use the patient’s name.
- Never leave papers with PHI lying around.
- All computers should be password protected with screen savers that quickly activate upon leaving the station.
- Lock unattended file cabinets and drawers.
- Keep whiteboards, or lists of patients, in an area where other patients can’t see.
- If patients must sign in at the front desk, use whiteout to cover their names once they’ve been checked in.
- Incidental Uses and Disclosures. HHS.gov. Last updated July 26, 2013. Retrieved Jan 5, 2023, from https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/incidental-uses-and-disclosures/index.html.
- What is a HIPAA incidental disclosure? Gazelle Consulting LLC. Published Oct 8, 2019. Retrieved Jan 5, 2023, from https://gazelleconsulting.org/what-is-a-hipaa-incidental-disclosure.