Sometimes during normal healthcare activities, patient information might accidentally be seen or heard by others, even when following proper procedures. These unplanned exposures of patient information are called "incidental uses and disclosures of protected health information (PHI)." Think of them as unavoidable side effects of providing regular healthcare services.
Healthcare providers need some flexibility to do their jobs effectively. HIPAA recognizes this by allowing incidental disclosures, but only when reasonable safeguards are in place and the sharing is truly incidental to permitted activities.
An article by Western Governors University defines PHI as, “Any identifiable information that appears in medical records as well as conversations between healthcare staff (such as doctors and nurses) regarding a patient’s treatment. It also includes billing information and any information that could be used to identify an individual in a company’s health insurance records.”
The blog provides the identifiers that make health information PHI:
The university's blog further explains that PHI only relates to information on patients or health plan members. It doesn't include information created or maintained for employment records, such as an employee's health records. Health data that isn't shared with a covered entity, or that can't be used to identify someone, doesn't qualify as PHI either.
In hospital and clinical settings, several common scenarios are considered incidental use and disclosure of PHI. For instance, when a nurse calls out "John Smith" in a crowded waiting room to notify him it's his turn for treatment, this brief disclosure of his name is considered an acceptable incidental disclosure.
Administrative practices may also result in incidental disclosures during normal operations. For example, when laboratory specimens are labeled with patient names and placed in designated areas for processing, other healthcare workers might briefly see this information. Another common scenario involves scheduling boards visible to staff members that display patient names and appointment times.
According to an article by the Department of Health and Human Services (HHS), “The Privacy Rule permits certain incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure.”
Furthermore, “A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures.”
The article further provides that, “Many customary healthcare communications and practices play an important or even essential role in ensuring that individuals receive prompt and effective healthcare. Due to the nature of these communications and practices, as well as the various environments in which individuals receive healthcare or other services from covered entities, the potential exists for an individual’s health information to be disclosed incidentally.”
Therefore, disclosures are permitted;
However, not all disclosures can be justified as incidental. The Shasta Regional Medical Center (SRMC) case from 2013 illustrates the boundary between acceptable incidental disclosures and improper sharing of PHI. The case emerged when senior leaders at SRMC responded to a news article about hospital billing practices by disclosing a patient's medical information to multiple media outlets without authorization. Not only did hospital leadership meet with media representatives to discuss the patient's specific medical condition and treatment details, but they also distributed emails containing the patient's medical information to their entire workforce. The hospital attempted to justify these disclosures as necessary for defending itself against the media allegations. However, the Office for Civil Rights (OCR) determined that these actions far exceeded permissible incidental disclosures and violated the HIPAA Privacy Rule. As a result, SRMC was required to pay a $275,000 settlement.
The disclosure of patient information in public areas such as elevators, cafeterias, or nurse stations can lead to serious HIPAA violations. According to an article in Scrubs Magazine, "one of the more common Health Insurance Portability and Accountability Act (HIPAA) violations is the discussion of a patient between two nurses. Should that patient – or anyone who knows the patient – overhear you and your co-workers discussing something related to their health, it can result in hefty fines for both you and the hospital. In general, nurses should use extreme caution when it comes to what they discuss at the nurse's station. You never know who is listening to the conversation."
The importance of proper authorization for any form of patient information sharing is highlighted in the case of New York Presbyterian Hospital (NYP), which agreed to pay $2.2 million to settle HIPAA violations after allowing ABC film crews to film "NY Med" without obtaining prior authorization from patients. The case involved the filming of two patients - one who was dying and another in significant distress. The film crew was given virtually unrestricted access to the hospital's facilities, which led to patients' health information being disclosed to film crews and aired without authorization.
In an online post, the HHS emphasized that "it is not sufficient for a health care provider to request or require media personnel to mask the identities of patients (using techniques such as blurring, pixelation, or voice alteration software) for whom an authorization was not obtained." This extends to social media posts, leaving medical records in public view, and any other form of unauthorized disclosure of patient information.
HHS outlines that healthcare providers should still try to protect patient information by speaking in hushed tones to prevent others from overhearing private conversations and using privacy screens on computer monitors to add an extra layer of protection against visual eavesdropping. Additionally, being mindful of how computer screens are positioned in relation to public areas or high-traffic zones can reduce the risk of unauthorized viewing of sensitive data.
Taking conversations to private areas whenever possible is another practice for maintaining confidentiality, as this eliminates the risk of being overheard by unauthorized individuals. In shared spaces where private rooms aren't readily available, using curtains or portable screens can create temporary private areas for sensitive discussions or work. These physical barriers are effective tools for maintaining privacy in otherwise open environments.
To maintain HIPAA compliance, healthcare organizations should:
The HHS article linked above states, “Covered entities also must implement reasonable minimum necessary policies and procedures that limit how much protected health information is used, disclosed, and requested for certain purposes. These minimum necessary policies and procedures also reasonably must limit who within the entity has access to protected health information, and under what conditions, based on job responsibilities and the nature of the business. The minimum necessary standard does not apply to disclosures, including oral disclosures, among health care providers for treatment purposes. For example, a physician is not required to apply the minimum necessary standard when discussing a patient’s medical chart information with a specialist at another hospital. An incidental use or disclosure that occurs as a result of a failure to apply reasonable safeguards or the minimum necessary standard, where required, is not permitted under the Privacy Rule.”
An acceptable incidental disclosure is an unplanned, limited exposure of PHI that occurs as a byproduct of necessary healthcare operations while following proper safeguards. A HIPAA violation occurs when PHI is deliberately or carelessly shared beyond what's necessary for healthcare operations.
No, HIPAA recognizes that some incidental disclosures are unavoidable in healthcare settings.
The minimum necessary standard does not apply to disclosures among healthcare providers for treatment purposes.
If you notice unsecured medical records, you should immediately notify the hospital's privacy officer or nurse manager.
Yes, you have the right to request specific communication methods to protect your privacy.