Skip to the main content.
Talk to sales Start for free
Talk to sales Start for free

2 min read

What is an incidental disclosure of PHI?

What is an incidental disclosure of PHI?

An incidental disclosure occurs when patient information is unintentionally shared during a permissible activity under HIPAA. These are not HIPAA violations if the organization has implemented reasonable safeguards to protect the information. 

 

Incidental disclosures according to HIPAA

An incidental disclosure occurs when protected health information (PHI) is unintentionally shared while a healthcare provider does something the law allows. An example of this is a doctor talking to a patient in a semi private hospital room and someone nearby overhears a small part of the conversation. Because the conversation was in due course of the provider's treatment of the patient and there were means taken to provide privacy, it is an incidental disclosure. 

45 CFR § 164.502(a)(1)(iii) introduces the idea that incidental disclosures are permitted. The section specifically states that these disclosures are allowed as long as there is anIncident to a use or disclosure otherwise permitted or required by this subpart, provided that the covered entity has complied with the applicable requirements of §§ 164.502(b), 164.514(d), and 164.530(c) with respect to such otherwise permitted or required use or disclosure…”

HHS guidance goes on to interpret this as...the Privacy Rule permits certain incidental uses and disclosures of protected health information to occur when the covered entity has in place reasonable safeguards and minimum necessary policies and procedures to protect an individual’s privacy.”

 

How incidental disclosures can occur in email

Incidental exposures through email occur when staff unintentionally expose PHI while sending an email for a legitimate purpose. An example is a healthcare provider sending a HIPAA compliant email containing PHI to the correct recipient but including a misdirectedccorbccto someone who shouldn't access that information. 

Another common example is an email containing PHI being left open on a shared computer or displayed on a screen that others can see. These incidents are considered incidental disclosures under HIPAA if the organization has taken reasonable steps to protect the information and despite this protection. 

 

Are there consequences to incidental disclosures?

Incidental disclosures that fall under the definition outlined in 45 CFR § 164.502(a)(1)(iii) do not have consequences. The reason for this stems from the fact that the healthcare provider or organization has taken every reasonable step to set in place adequate protection and adhere to the minimum necessary standard. 

The key is that the disclosure is unintentional while performing a permissible action. If a provider sends an email using his email or discusses patient information in a public waiting room, this disclosure would no longer meet the requirements of an incidental disclosure. 

Related: What is PHI disclosure?

 

FAQs

What is an example of an intentional disclosure? 

When a healthcare provider deliberately shares a patient's health information with another doctor for treatment purposes. 

 

What constitutes a breach under HIPAA? 

When PHI is accessed, used, or disclosed in a way that compromises its security or privacy. 

 

Why do the size and scale of a breach matter?

It determines the potential harm to patients and the organization's compliance with regulatory requirements for information privacy. 

Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.