An incidental disclosure of PHI is a secondary disclosure of PHI relating to a primary disclosure of PHI when the secondary disclosure is unavoidable at the time and in the circumstances without impacting the provision of prompt and effective healthcare.
Incidental disclosures of PHI are permitted by the HIPAA Privacy Rule provided covered entities have appropriate safeguards in place to limit the frequency of incidental disclosures and to limit the amount of PHI disclosed in a secondary disclosure to achieve the purpose of the primary disclosure (the “minimum necessary” standard).
A good example of an incidental disclosure of PHI is when Patient A’s name is visible to other patients in a physician’s waiting room or when Patient A’s name is called. In this scenario, the primary disclosures of Patient A’s name are necessary for the physician to know the patient has arrived for an appointment and for the patient to know when the physician is ready to see them.
However, there are also secondary disclosures of Patient A’s name to other patients in the physician’s waiting room. Because these disclosures are unavoidable at the time and in the circumstances, they are considered to be incidental rather than impermissible – unless there is another way to monitor the arrival of Patient A and advise them when the physician is ready to see them.
The other condition that has to be fulfilled for a secondary disclosure of PHI to be considered incidental is that disclosures of PHI are limited to the minimum necessary. In this scenario, if only Patient A’s name is disclosed, the secondary disclosure is incidental. However, if Patient A’s medical condition is revealed in a disclosure (for example, if a sign-in sheet reveals medical information that is not necessary for the purpose of signing in), the disclosure is impermissible.
Other Examples of an Incidental Disclosure of PHI
Other examples of an incidental disclosure of PHI include group therapy sessions, consultations with patients when friends, family members, or translators are present, and telephone messages left on answerphones that could be heard by other members of a patient’s family or workplace colleagues when the telephone number has been provided by the patient.
In these scenarios, it is reasonable to infer from the circumstances that the individual does not object to the incidental disclosure. However, when a private conversation between physicians – or between a patient and physician – is overheard by a third party, the question of whether the disclosure of PHI is incidental or impermissible is a fact-specific determination.
If the disclosure could have been avoided by holding the conversation in a private room or private area, it was not unavoidable at the time and in the circumstances and qualifies as an impermissible disclosure. In this case, the disclosure would have to be notified to the subject of the conversation and HHS’ Office for Civil Rights unless a risk assessment identified a low probability of a data breach.
With regard to the minimum necessary standard, disclosures of PHI between physicians – or between a physician and a patient – are not subject to the minimum necessary standard when the disclosure is for treatment purposes. In most scenarios of this nature it would be difficult to determine whether an overheard conversation violated the minimum necessary standard.
Why Training on Incidental Disclosures is Important
It is important for incidental disclosures of PHI to be included in HIPAA training to ensure workforce members understand the scenarios in which incidental disclosures are permitted by the HIPAA Privacy Rule. This is not only to ensure the frequency of incidental disclosures is limited, but also to avoid scenarios in which one workforce member reports a colleague for an impermissible disclosure when only an incidental disclosure of PHI has occurred.
Workforce members who require further information about what is an incidental disclosure of PHI are advised to speak with their HIPAA Privacy Officers or a member of their employer’s compliance team. HIPAA covered entities who require advice about how to include incidental disclosure of PHI in HIPAA training are advised to speak with a HIPAA compliance professional.