What are Incidental Uses and Disclosures of PHI Under HIPAA?

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

This article discusses what constitutes incidental uses and disclosures of PHI under HIPAA, and whether incidental uses and disclosures are permitted under the HIPAA Privacy Rule.

The Rule on Incidental Uses and Disclosures
The HIPAA Privacy Rule permits certain incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure, as long as the covered entity has (1) applied reasonable safeguards with respect to the primary use or disclosure, and (2) implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. 

What Is An Incidental Use or Disclosure?
An incidental use or disclosure of PHI is a secondary use or disclosure that:

1. Cannot reasonably be prevented; 
2. Is limited in nature; and that
3. Occurs as a result of another use or disclosure that is permitted by the Rule. 

What are Examples of Incidental Uses And Disclosures?
For example, a hospital visitor may overhear a provider’s confidential conversation with another provider regarding the care of another hospital patient. In such instances, the primary use or disclosure of PHI is the communication between the providers.  A secondary, or incidental disclosure, happens to have been made to the hospital visitor who overhears the conversation. 

When are Incidental Uses and Disclosures Permitted?
An incidental disclosure is permitted if it is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and if it occurs as a result of another (primary) use or disclosure that is permitted by the HIPAA Rule.  Disclosures from a covered entity to a healthcare provider for treatment purposes - that is, disclosures the purpose of which is to facilitate treatment, are permitted by HIPAA. These disclosures can be made, that is, without having to obtain patient consent or authorization.

When are Incidental Uses and Disclosures NOT Permitted?
Incidental uses and disclosures are not permitted if they are a by-product of an underlying use or disclosure that violates the Privacy Rule. Say that the doctor in the above example is discussing the patient's care with someone not authorized to receive PHI about that patient, whether in writing or verbally.  Another patient overhears the conversation. The initial or primary disclosure here is not permitted by the Privacy Rule. Therefore, the incidental or secondary disclosure is not permitted.

Must Reasonable Safeguards Must be Implemented for an Incidental Use or Disclosure to be Acceptable?
Yes. A covered entity must have in place appropriate administrative, technical, and physical safeguards that limit incidental uses or disclosures. See 45 CFR 164.530(c). It is not expected that a covered entity’s safeguards guarantee the privacy of protected health information from any and all potential risks. Reasonable and appropriate safeguards will vary from covered entity to covered entity depending on factors such as the size of the covered entity and the nature of its business. 

How Can a Covered Entity Determine What Safeguards are Reasonable and Appropriate?
In deciding what safeguards are reasonable and appropriate, covered entities should analyze their own needs and circumstances, such as the nature (type, volume, and sensitivity) of the PHI they hold, and assess the potential risks to patients’ privacy. When determining what safeguards to implement, covered entities should also take into account the potential effects on patient care. Covered entities may also take into account the financial and administrative burden of a particular safeguard before deciding whether to implement it. 

What are Specific Examples of Reasonable and Appropriate Safeguards?
Many healthcare providers and professionals have long made it a practice to ensure reasonable safeguards for individuals’ health information – for instance:

• By speaking quietly when discussing a patient’s condition with family members in a waiting room or other public area;
• By avoiding using patients’ names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality;
• By isolating or locking file cabinets or records rooms; or
• By providing additional security, such as passwords, on computers maintaining personal information.

What Does Implementing the Minimum Necessary Standard Involve?

As noted above, incidental disclosure is permitted only when covered entities have both developed reasonable safeguards AND implemented the minimum necessary standard (where applicable).

Covered entities must implement the minimum necessary standard by implementing reasonable minimum necessary policies and procedures that limit how much protected health information is used, disclosed, and requested for certain purposes. These minimum necessary policies and procedures also must limit who within the entity has access to protected health information, and under what conditions, based on job responsibilities and the nature of the business. 

Note that the minimum necessary standard does not apply to disclosures, including oral disclosures, from a covered entity to a healthcare provider for treatment purposes (that is, disclosures, the purpose of which is to facilitate treatment). For example, a covered entity physician is not required to adhere to the minimum necessary standard when discussing a patient’s medical chart information with a specialist at another hospital to facilitate the treatment of the patient. The doctors are nonetheless obligated to use reasonable safeguards to protect the confidentiality of the information. While discussions to facilitate treatment are not subject to the minimum necessary rule, the doctors do not have license to engage in those discussions at the top of their voices. 

When is there a Violation of the Minimum Necessary Standard?
If a physician is providing treatment (and performing no other function), their access to the patient's medical history is appropriate. Their accessing a database of patient social security numbers would not be, as that access is not needed for treatment activities. The minimum necessary standard is violated in such situations.

Sometimes, the minimum necessary standard is violated by making verbal PHI disclosures that go beyond the scope of a "disclosure, the purpose of which is to facilitate treatment."
Assume a patient is about to undergo a procedure. The procedure is one during which it is standard practice for physicians to wear gloves - to prevent the spread of infectious diseases. The nurse may inform the patient of what the procedure entails. Say that the nurse does this. Say that the nurse also, while in the presence of the physician, technicians, other patients, and staff, tells the physician, "Remember to wear gloves. The patient has hepatitis C." The hepatitis C disclosure was not necessary to facilitate treatment. treatment purposes. In other words, the nurse could have described the procedure, and the doctor could have rendered the treatment, without that detail having been disclosed. A visitor overhears the remark. Could these secondary disclosures have been reasonably prevented? Yes. The nurse should not have made the primary disclosure that caused the secondary disclosure. Whether a disclosure that "sounds" like a "treatment disclosure" that "goes beyond the scope" is an issue that should be discussed with qualified legal counsel.