incidental uses and disclosures (HIPAA)
Rule permits incidental uses and disclosures of protected
health information (PHI), which it defines as "secondary
use[s] or disclosure[s] that cannot reasonably be prevented,
[are] limited in nature, and that occur as a byproduct of
an otherwise permitted use or disclosure."
mandates that covered entities
make "reasonable efforts" to limit the use or disclosure
of (and requests for) PHI to the minimum
necessary to accomplish the intended purpose.
are also required to implement "appropriate administrative,
technical, and physical safeguards" to reasonably safeguard
PHI from any intentional or unintentional use or disclosure
that violates HIPAA rules. (For more details, see the Security
Many common health
care practices can produce such "incidentals": sign-in
sheets for waiting rooms (or names called out in waiting rooms),
"white board" postings of patient names, overheard
conversations and telephone calls, etc.
DHHS has been clear
that it does not intend to impede communications that are
reasonably required for the provision of health care services,
nor to impose undue burdens on covered entities to alter daily
procedures. Hence this exception.
Note that incidental
uses and disclosures are permitted only when the covered entity
has made efforts to implement reasonable
safeguards, including policies and procedures which put
in place appropriate role- and situation-based limitations
on use and disclosure to meet the minimum necessary standard.
does not excuse uses and disclosures of PHI that arise in
an institution where these basics have been neglected, nor
any erroneous uses and disclosures that arise from mistakes
or failure to exercise reasonable diligence.