incidental uses and disclosures (HIPAA)

HIPAA's Privacy Rule permits incidental uses and disclosures of protected health information (PHI), which it defines as "secondary use[s] or disclosure[s] that cannot reasonably be prevented, [are] limited in nature, and that occur as a byproduct of an otherwise permitted use or disclosure."

HIPAA generally mandates that covered entities make "reasonable efforts" to limit the use or disclosure of (and requests for) PHI to the minimum necessary to accomplish the intended purpose.

Covered entities are also required to implement "appropriate administrative, technical, and physical safeguards" to reasonably safeguard PHI from any intentional or unintentional use or disclosure that violates HIPAA rules. (For more details, see the Security Rule.)

Many common health care practices can produce such "incidentals": sign-in sheets for waiting rooms (or names called out in waiting rooms), "white board" postings of patient names, overheard conversations and telephone calls, etc.

DHHS has been clear that it does not intend to impede communications that are reasonably required for the provision of health care services, nor to impose undue burdens on covered entities to alter daily procedures. Hence this exception.

Note that incidental uses and disclosures are permitted only when the covered entity has made efforts to implement reasonable safeguards, including policies and procedures which put in place appropriate role- and situation-based limitations on use and disclosure to meet the minimum necessary standard.

This provision does not excuse uses and disclosures of PHI that arise in an institution where these basics have been neglected, nor any erroneous uses and disclosures that arise from mistakes or failure to exercise reasonable diligence.

See also:


   © 2002-2006 Contributing authors and University of Miami School of Medicine