HIPAA and Incidental Disclosures - What’s That and Why is it Incidental? What Won’t Get You in Trouble

Description

HIPAA establishes a federal standard to protect individuals’ protected health information (PHI) from unauthorized use or disclosure.  While many uses and disclosures of PHI require patient authorization or must fit within specific permitted categories (like treatment, payment, and health care operations), the Privacy Rule also recognizes that some disclosures will inevitably occur in the course of everyday health care activities.  These are known as incidental uses and disclosures.
 
An incidental disclosure occurs when PHI is unintentionally revealed as a by-product of a permitted use or disclosure, even though the covered entity has implemented reasonable safeguards.  Importantly, these disclosures are not separate permitted disclosures under HIPAA; rather, they are secondary exposures that cannot reasonably be prevented and are limited in nature.

For example, a patient’s name might be overheard in a waiting room when called for an appointment or a visitor may see a name on a sign-in sheet. In these cases, the primary use or disclosure (treating the patient, checking in for an appointment) is itself permitted, and the incidental exposure of limited PHI is allowed as long as proper privacy protections are in place.
 
HIPAA does not require covered entities to eliminate all risks of incidental disclosures.  Instead, it requires them to implement reasonable safeguards such as physical, administrative, and technical protections that limit unnecessary exposure of PHI.  Examples of reasonable safeguards include private check-in areas, controlled access to records, and training staff on privacy practices. Covered entities must also adhere to the minimum necessary standard, releasing only the least amount of PHI needed to accomplish the purpose of a use or disclosure.

Incidental disclosures are not treated the same as other reportable disclosures; they do not need to be included in an accounting of disclosures provided to a patient because they are expected, limited, and tied to an otherwise permitted use or disclosure.  Additionally, incidental disclosures are not confined to clinical treatment settings; they may occur in administrative, billing, or operational contexts as long as the primary activity is permitted by the Privacy Rule.
 
Understanding incidental disclosures is crucial because many common health care practices—calling out patient names, using sign-in sheets, leaving messages, placing charts by doors—can result in minor exposures of PHI.  These practices are permissible under HIPAA when appropriate safeguards are used, but they can also easily cross the line into violations if excessive information is disclosed or reasonable protections are not followed.  For instance, sign-in sheets must be limited to essential identifiers (like name and appointment time) to avoid unnecessary PHI exposure.
 
In sum, incidental disclosures reflect the reality that health care settings cannot be completely free of all inadvertent exposures of PHI.  What matters under HIPAA is whether the covered entity has designed processes and safeguards that limit such disclosures to those that are truly unavoidable and incidental to a permitted use or activity.

Areas Covered in the Session

• What is an incidental disclosure and how does it happen?
• How incidental disclosures differ from unauthorized disclosures
• Minimum necessary standards and acting in the best interest of patient
• Application beyond clinical care
• Safeguards and compliance
• Is the incidental disclosure a defense in any legal action, such as a social media violation?

Why should you Attend?
You should attend to gain a better understanding of how mistakes can happen in a health care context and whether such a mistake constitutes a HIPAA violation or not.

Who will Benefit?

• Health care attorneys
• Administrators
• Health care workers