As documented extensively in other articles on this site, the HIPAA Privacy Rule sets out detailed requirements for what protected health information (PHI) is, how it must be safeguarded and transmitted, and the substantial fines that can follow a violation. Even so, there are situations in which minor deviations from the Privacy Rule cannot be avoided.
Securing PHI completely would be arduous, bordering on impossible. Any attempt to do so would slow care painfully, bog down health systems, add to provider burnout, and raise costs significantly. To account for this, the Privacy Rule includes language defining what an incidental disclosure is, so that the rule does not impede care.
According to the Department of Health and Human Services, an incidental disclosure is: 1
The following paragraphs give examples of permissible incidental disclosures versus violations and explain the kinds of reasonable safeguards a covered entity is expected to have in place.
A business associate, such as an attorney, walks into a doctor's office (the covered entity) for business purposes and sees patients in the waiting room. The patients' identities have not technically been disclosed to her, a business associate agreement (BAA) is in place, and she is there only to carry out her work for the day, so this is an incidental disclosure.
As the attorney walks down the hallway, she overhears a conversation between the doctor and a nurse about a patient. They are speaking quietly and professionally at the computer station, away from other patients, but there is no way for her to avoid overhearing it.
The nurse finishes speaking with the doctor and returns to the waiting room to collect the next patient. She calls the patient by name, and others in the waiting room can hear it.
As the nurse leads the patient to the exam room, the patient sees a whiteboard on the wall listing the patients waiting to be seen.
All of these are normal, unavoidable incidental disclosures. 2 Now let's change the story slightly so that each one becomes a violation.
A business associate, such as an attorney, walks into a doctor's office for work she must complete that day. As she passes through the waiting room, everyone present can overhear a conversation between a doctor and a patient about that patient's care. This is a violation.
In another corner, an ultrasonographer is reviewing images from an ultrasound she has just performed with the patient. Everyone can hear their conversation and see the images. This is a violation; such conversations need to take place in a private room.
As the attorney walks down the hallway, patient charts lie open everywhere, and the computer screens at the workstation display PHI that is readily visible and accessible to other patients passing through the hallway. The computers are not password protected. The attorney spends some time reading one of the charts and writes down the patient's name. This is a breach: PHI must be kept out of view when it is not actively in use, and the attorney's reading of the chart goes well beyond the purpose of her visit.
When the nurse enters the waiting room to collect the next patient, instead of simply calling the patient's name, she calls for the next patient with congestive heart failure. Revealing a diagnosis like that is not necessary and does not qualify as an incidental disclosure.
For more information on staying HIPAA compliant, sign up for one of our HIPAA courses or visit the US Department of Health and Human Services (HHS) website.
As noted above, some disclosures are simply unavoidable. That said, simple steps can be taken to prevent violations. These include:
Sources: