What are Incidental Uses and Disclosures of PHI Under HIPAA?

Modified on Tue, 15 Jul at 4:30 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Introduction

This article discusses what constitutes incidental uses and disclosures of PHI under HIPAA, and whether incidental uses and disclosures are permitted under the HIPAA Privacy Rule.

What Is An Incidental Use or Disclosure?

An incidental use or disclosure of PHI is a secondary use or disclosure that:

1. Cannot reasonably be prevented;
2. Is limited in nature; and
3. Occurs as a result of another use or disclosure that is permitted by the Privacy Rule.

What are Examples of Incidental Uses And Disclosures?

For example, a hospital visitor may overhear a provider’s confidential conversation with another provider regarding the care of another hospital patient. In such instances, the primary use or disclosure of PHI is the communication between the providers. A secondary, or incidental, disclosure happens to have been made to the hospital visitor who overhears the conversation.

What is the Rule on Incidental Uses and Disclosures?

The HIPAA Privacy Rule permits certain incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure, as long as the covered entity has (1) applied reasonable safeguards with respect to the primary use or disclosure, and (2) implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. Incidental uses and disclosures are generally permitted if they cannot reasonably be prevented (even when reasonable safeguards are exercised and, where applicable, the minimum necessary standard is observed), are limited in nature, and occur as a result of another (primary) use or disclosure that is permitted by the HIPAA Privacy Rule.

When are Incidental Uses and Disclosures NOT Permitted?

Incidental uses and disclosures are not permitted if they are a by-product of an underlying use or disclosure that violates the Privacy Rule. Say that a doctor is discussing a patient's care, whether in writing or verbally, with someone not authorized to receive PHI about that patient. Another patient overhears the conversation. The initial or primary disclosure here is not permitted by the Privacy Rule. Therefore, the incidental or secondary disclosure is not permitted either.

What Reasonable Safeguards Must be Implemented for an Incidental Use or Disclosure to be Acceptable?

A covered entity must have in place appropriate administrative, technical, and physical safeguards that limit incidental uses or disclosures. See 45 CFR 164.530(c). A covered entity’s safeguards are not expected to guarantee the privacy of protected health information against any and all potential risks. Reasonable and appropriate safeguards will vary from covered entity to covered entity depending on factors such as the size of the covered entity and the nature of its business.

How Can a Covered Entity Determine What Safeguards are Reasonable and Appropriate?

In deciding what safeguards are reasonable and appropriate, covered entities should analyze their own needs and circumstances, such as the nature (type, volume, and sensitivity) of the PHI they hold, and assess the potential risks to patients’ privacy. When determining what safeguards to implement, covered entities should also take into account the potential effects on patient care. Covered entities may also weigh the financial and administrative burden of a particular safeguard before deciding whether to implement it.

What are Specific Examples of Reasonable and Appropriate Safeguards?

Many healthcare providers and professionals have long made it a practice to ensure reasonable safeguards for individuals’ health information, for instance:

  • By speaking quietly when discussing a patient’s condition with family members in a waiting room or other public area;
  • By avoiding using patients’ names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality;
  • By isolating or locking file cabinets or records rooms; or
  • By providing additional security, such as passwords, on computers maintaining personal information.
