An incidental disclosure occurs when patient information is unintentionally shared during a permissible activity under HIPAA. These are not HIPAA violations if the organization has implemented reasonable safeguards to protect the information.
An incidental disclosure occurs when protected health information (PHI) is unintentionally shared while a healthcare provider does something the law allows. For example, a doctor talks to a patient in a semi-private hospital room and someone nearby overhears a small part of the conversation. Because the conversation took place in the course of the provider's treatment of the patient and reasonable steps were taken to protect privacy (such as speaking quietly or drawing the curtain), it is an incidental disclosure.
45 CFR § 164.502(a)(1)(iii) is the provision that permits incidental disclosures. It allows a use or disclosure that is “Incident to a use or disclosure otherwise permitted or required by this subpart, provided that the covered entity has complied with the applicable requirements of §§ 164.502(b), 164.514(d), and 164.530(c) with respect to such otherwise permitted or required use or disclosure…” The cross-referenced sections are the minimum necessary standard (§§ 164.502(b) and 164.514(d)) and the requirement to maintain reasonable administrative, technical, and physical safeguards (§ 164.530(c)).
HHS guidance interprets this as follows: “...the Privacy Rule permits certain incidental uses and disclosures of protected health information to occur when the covered entity has in place reasonable safeguards and minimum necessary policies and procedures to protect an individual’s privacy.”
Incidental exposures through email occur when staff unintentionally expose PHI while sending an email for a legitimate purpose. An example is a healthcare provider sending a HIPAA-compliant email containing PHI to the correct recipient but including a misdirected “cc” or “bcc” to someone who should not have access to that information.
Another common example is an email containing PHI being left open on a shared computer or displayed on a screen that others can see. These incidents are treated as incidental disclosures under HIPAA only if the organization had reasonable safeguards in place (for example, automatic screen locks and privacy screens on shared workstations) and the exposure occurred despite them.
Incidental disclosures that fall within 45 CFR § 164.502(a)(1)(iii) are not Privacy Rule violations, because the provider or organization has already taken every reasonable step to put adequate protection in place and to adhere to the minimum necessary standard. That protection is conditional: if the reasonable safeguards or minimum necessary policies were missing, the same disclosure is not excused.
The key is that the disclosure is unintentional and occurs while performing a permissible action. If a provider sends PHI from a personal email account or discusses patient information openly in a public waiting room, the disclosure no longer meets the requirements of an incidental disclosure.
When a healthcare provider deliberately shares a patient's health information with another doctor for treatment purposes.
When PHI is accessed, used, or disclosed in a way that compromises its security or privacy.
It determines the potential harm to patients and the organization's compliance with regulatory requirements for information privacy.