Sometimes, information not intended to be public knowledge is inadvertently shared with others. Just as easily as it can happen in a casual conversation with a friend, it can also happen in the workplace. So, what is an incidental disclosure? The incidental disclosure definition, according to the U.S. Department of Health and Human Services (HHS), is a, "disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule." What happens when there is an incidental disclosure in a healthcare setting? There is not a clear-cut answer. It simply depends on the magnitude of the situation. In general, healthcare settings are fluid environments. That means that a patient overhearing another patient's diagnosis or a visitor catching a glimpse of a screen with some personal health information (PHI) is not common grounds to facilitate a HIPAA violation.
According to the HHS document linked above, "The Privacy Rule permits certain incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure." Despite this, incidental disclosures can still result in HIPAA violations and therefore penalties against an organization. We will look at this topic and ways to further safeguard your organization throughout this piece.
Incidental Disclosure Examples
With technology advancing at an incredible pace, patients are receiving care in many ways. No longer is an in-person visit the only way to see your healthcare provider. These services are also taking place over the phone, video, and even live text chat. Although these new options provide all parties with greater flexibility to render and receive care, it also opens up the door for the vulnerability of PHI. Incidental disclosures may become more common, despite an organization being compliant with HIPAA.
It is important to remember that the HIPAA Privacy Rule does allow for incidental disclosures to occur, as long as a covered entity is compliant with the policies outlined regarding PHI protection.
What is an incidental disclosure? Let's take a look at a few common examples that can occur in the workplace.
Example 1: In the waiting room of a doctor's office, other patients and even a front-desk employee overhear a conversation between a healthcare provider and their patient. Being around the corner and down the hall from the waiting room, both the patient and provider believe they are safe from any eavesdropping. Unfortunately, many people, including the front-desk employee, hear their discussion.
Example 2: While signing in for treatment at the hospital, a patient notices someone else's PHI on a second computer monitor. The computer monitor may have been moved by another employee or an after-hours cleaning crew - it is not normally positioned this way.
Example 3: A healthcare provider has allowed the secretary to call out patient names into the waiting room when it is their turn. It is suggested that the information called out is kept to a minimum - for example, call out first names only instead of full names, where possible.
What are HIPAA Permitted Disclosures?
Information is at the center of a healthcare organization's operation. In order to provide patients with optimal care, providers may need to quickly share information with other covered entities to improve their protocols, gather second opinions, order supplies, create referrals, or to get paid by health plans. In a nutshell, privacy rules associated with HIPAA were enacted to ensure that PHI remains safe in the face of things like data sharing. In most cases, PHI can only be shared when a provider obtains authorization from a patient to do so.
However, there are instances when PHI can be shared without patient authorization. In a permitted uses and disclosures fact sheet, put together by the HHS, they note several scenarios where PHI can be shared without patient consent. Here are a few notable examples:
- Conducting quality assessment and improvement activities
- Developing protocols
- Contacting healthcare providers and patients with information about treatment alternatives
- Conducting training programs or credentialing activities
- Supporting fraud and abuse detection and compliance programs
In order for a covered entity (CE) to share information with another CE, in scenarios as outlined above, there are a few prerequisites to be aware of:
- Both CEs must have a current or past relationship with the patient
- The PHI requested should be related to the relationship between CE's
- The CE who is disclosing information should share only what is necessary for the situation, and nothing more
How to Prevent Incidental Disclosures
There is always more a healthcare organization could be doing to prevent incidental disclosures. Here are some basic steps that all organizations should be employing:
- Cover PHI in patient care areas. Do not leave this information 'laying around' when you are not in close proximity
- If you use paper files that include PHI, it is best to keep those locked away to avoid them being lost or stolen. You may also consider a sign-in/out system for these documents as well
- Do not discuss PHI or anything else about your patients in public spaces like waiting rooms. If you must, do so in a lower tone, perhaps even covering your mouth to avoid those trying to read lips
- Lock computer screens whenever you leave your workspace
- Avoid the use of patient sign-in sheets. If you want to use one, consider a white-out sign-in sheet instead
No matter how safe an organization tries to be, there are bound to be times when things slip and an incidental disclosure is imminent. Private conversations that were louder than expected and computer screens tilted close to wandering eyes are a couple of examples of typical incidental disclosures. When it comes to PHI, HIPAA is quite strict on its protocols, but it does allow for a generous amount of leniency. Remember, leniency related to an incidental disclosure only applies when an organization follows HIPAA privacy rules without issue. Yet, despite the best safeguards, the occurrence of small disclosures is not a question of if, but rather a question of when.