Incidental uses and disclosures of protected health information under HIPAA
Gugu Ntsele Mar 5, 2025 5:48:29 AM

Sometimes during normal healthcare activities, patient information might accidentally be seen or heard by others, even when following proper procedures. These unplanned exposures of patient information are called "incidental uses and disclosures of protected health information (PHI)." Think of them as unavoidable side effects of providing regular healthcare services.
Healthcare providers need some flexibility to do their jobs effectively. HIPAA recognizes this by allowing incidental disclosures, but only when reasonable safeguards are in place and the sharing is truly incidental to permitted activities.
Related: What is an incidental disclosure of PHI?
Types of protected health information (PHI)
An article by Western Governors University defines PHI as, “Any identifiable information that appears in medical records as well as conversations between healthcare staff (such as doctors and nurses) regarding a patient’s treatment. It also includes billing information and any information that could be used to identify an individual in a company’s health insurance records.”
Identifiable personal identifiers
The blog provides the identifiers that make health information PHI:
- Patient Name (full or last name and initial)
- Date of birth
- Address (anything more specific than state, including street address, city, county, precinct, and in most cases zip code, and their equivalent geocodes)
- Social security number
- Phone/fax number
- Email address
- MAC address of the network card on a device
- IP address of a device
- Driver's license number
- License plate numbers
- Biometric data (fingerprints, retina scans, etc)
- Medical record numbers
- Medical device serial numbers
- Health plan account numbers
- Dates of visits, admission, discharge, and treatment
- Payments/bills
- Photographs
- Diagnostic codes
What is NOT considered PHI
The WGU blog further explains that PHI only relates to information on patients or health plan members. It doesn't include information created or maintained for employment records, such as an employee's health records. Health data that is not held by a covered entity, or that can't be used to identify someone, doesn't qualify as PHI either.
Common examples
In hospital and clinical settings, several common scenarios are considered incidental use and disclosure of PHI. For instance, when a nurse calls out "John Smith" in a crowded waiting room to notify him it's his turn for treatment, this brief disclosure of his name is considered an acceptable incidental disclosure.
Administrative practices may also result in incidental disclosures during normal operations. For example, when laboratory specimens are labeled with patient names and placed in designated areas for processing, other healthcare workers might briefly see this information. Another common scenario involves scheduling boards visible to staff members that display patient names and appointment times.
When are incidental disclosures permissible?
According to an article by the Department of Health and Human Services (HHS), “The Privacy Rule permits certain incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure.”
Furthermore, “A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures.”
The article further provides that, “Many customary healthcare communications and practices play an important or even essential role in ensuring that individuals receive prompt and effective healthcare. Due to the nature of these communications and practices, as well as the various environments in which individuals receive healthcare or other services from covered entities, the potential exists for an individual’s health information to be disclosed incidentally.”
Therefore, incidental disclosures are permitted:
- During routine healthcare activities: Healthcare providers can share information when it's necessary for treatment. A nurse might discuss a patient's care with a doctor in a semi-private hospital room, even if another patient can overhear.
- In emergencies: During emergencies, healthcare workers might need to call out medical information across a room or discuss a patient's condition where others can hear.
- For hospital operations: Hospitals can use sign-in sheets and patient directories. They can call out names in waiting rooms and post patient names outside hospital rooms. These practices help hospitals run efficiently and are allowed under HIPAA, provided reasonable safeguards are in place.
Boundaries and limitations
However, not all disclosures can be justified as incidental. The Shasta Regional Medical Center (SRMC) case from 2013 illustrates the boundary between acceptable incidental disclosures and improper sharing of PHI. The case emerged when senior leaders at SRMC responded to a news article about hospital billing practices by disclosing a patient's medical information to multiple media outlets without authorization. Not only did hospital leadership meet with media representatives to discuss the patient's specific medical condition and treatment details, but they also distributed emails containing the patient's medical information to their entire workforce. The hospital attempted to justify these disclosures as necessary for defending itself against the media allegations. However, the Office for Civil Rights (OCR) determined that these actions far exceeded permissible incidental disclosures and violated the HIPAA Privacy Rule. As a result, SRMC was required to pay a $275,000 settlement.
The disclosure of patient information in public areas such as elevators, cafeterias, or nurse stations can lead to serious HIPAA violations. According to an article in Scrubs Magazine, "one of the more common Health Insurance Portability and Accountability Act (HIPAA) violations is the discussion of a patient between two nurses. Should that patient – or anyone who knows the patient – overhear you and your co-workers discussing something related to their health, it can result in hefty fines for both you and the hospital. In general, nurses should use extreme caution when it comes to what they discuss at the nurse's station. You never know who is listening to the conversation."
The importance of proper authorization for any form of patient information sharing is highlighted in the case of New York Presbyterian Hospital (NYP), which agreed to pay $2.2 million to settle HIPAA violations after allowing ABC film crews to film "NY Med" without obtaining prior authorization from patients. The case involved the filming of two patients - one who was dying and another in significant distress. The film crew was given virtually unrestricted access to the hospital's facilities, which led to patients' health information being disclosed to film crews and aired without authorization.
In an online post, the HHS emphasized that "it is not sufficient for a health care provider to request or require media personnel to mask the identities of patients (using techniques such as blurring, pixelation, or voice alteration software) for whom an authorization was not obtained." This extends to social media posts, leaving medical records in public view, and any other form of unauthorized disclosure of patient information.
What safeguards should be in place?
HHS outlines that healthcare providers should still try to protect patient information by speaking in hushed tones to prevent others from overhearing private conversations and using privacy screens on computer monitors to add an extra layer of protection against visual eavesdropping. Additionally, being mindful of how computer screens are positioned in relation to public areas or high-traffic zones can reduce the risk of unauthorized viewing of sensitive data.
Taking conversations to private areas whenever possible is another practice for maintaining confidentiality, as this eliminates the risk of being overheard by unauthorized individuals. In shared spaces where private rooms aren't readily available, using curtains or portable screens can create temporary private areas for sensitive discussions or work. These physical barriers are effective tools for maintaining privacy in otherwise open environments.
Learn more: What are administrative, physical and technical safeguards?
Best practices for managing incidental disclosures
To maintain HIPAA compliance, healthcare organizations should:
- Document all reasonable safeguards implemented
- Regularly review and update privacy policies
- Conduct periodic risk assessments
- Provide ongoing staff training
- Monitor compliance with established procedures
The minimum necessary standard
The HHS article linked above states, “Covered entities also must implement reasonable minimum necessary policies and procedures that limit how much protected health information is used, disclosed, and requested for certain purposes. These minimum necessary policies and procedures also reasonably must limit who within the entity has access to protected health information, and under what conditions, based on job responsibilities and the nature of the business. The minimum necessary standard does not apply to disclosures, including oral disclosures, among health care providers for treatment purposes. For example, a physician is not required to apply the minimum necessary standard when discussing a patient’s medical chart information with a specialist at another hospital. An incidental use or disclosure that occurs as a result of a failure to apply reasonable safeguards or the minimum necessary standard, where required, is not permitted under the Privacy Rule.”
Learn more: A guide to HIPAA’s minimum necessary standard
FAQs
What's the difference between an acceptable incidental disclosure and a HIPAA violation?
An acceptable incidental disclosure is an unplanned, limited exposure of PHI that occurs as a by-product of a permitted use or disclosure while reasonable safeguards are in place. A HIPAA violation occurs when PHI is deliberately or carelessly shared beyond what's necessary, or when the exposure results from a failure to apply reasonable safeguards or the minimum necessary standard, where required.
Do healthcare providers need to prevent all incidental disclosures to comply with HIPAA?
No. HIPAA recognizes that some incidental disclosures are unavoidable in healthcare settings, as long as reasonable safeguards and, where applicable, the minimum necessary standard have been applied to the primary use or disclosure.
When does the "minimum necessary standard" not apply to healthcare providers?
The minimum necessary standard does not apply to disclosures, including oral disclosures, among healthcare providers for treatment purposes.
What should I do if I see my medical records left unattended in a public area of the hospital?
If you notice unsecured medical records, you should immediately notify the hospital's privacy officer or nurse manager.
Can I request special privacy arrangements for how my healthcare provider communicates with me?
Yes. You have the right to request that your provider communicate with you by a specific method or at a specific location (for example, a particular phone number or address) to protect your privacy.