What HIPAA Incidental Disclosure Means

Posted by Tonni Islam
As the name suggests, a HIPAA incidental disclosure is any disclosure of a patient’s health information that happens incidentally. It can happen between two doctors or between a doctor and other healthcare staff who are not authorized to access a patient’s protected information. For example, if doctors are talking about a patient and unauthorized staff overhear the patient’s information, that exposure of protected health information is considered an incidental disclosure.

HIPAA Privacy Rule

The Health Insurance Portability and Accountability Act (HIPAA) prohibits covered entities or healthcare providers and businesses from disclosing protected information to anyone other than the patient. The HIPAA Privacy Rule allows for a specific level of incidental disclosures of protected health information as long as the Covered Entity maintains all other elements of compliance. These elements of compliance include having the necessary policies, procedures, and safeguards that reflect the minimum necessary standard for patient privacy.

The HIPAA Privacy Rule is in place to support patient care. It is not an impediment to the sharing of information between patients and doctors, which explains why it does not make it mandatory that anyone who risks incidental disclosures be removed to guarantee compliance.

When Incidental Disclosure Is Allowed

HIPAA incidental disclosure is allowed when it occurs in the provision of a compliant activity and when the disclosure is inevitable.

On the other hand, incidental disclosure is not allowed when it occurs as a result of any action that violates the Privacy Rule and when the activity is considered a breach of compliance.

How Healthcare Institutions Can Safeguard Incidental Disclosures

Even though HIPAA incidental disclosures are seemingly unintended, healthcare institutions should put measures in place to reduce how often they occur. Depending on the size of your organization and the services you render, you should have physical, administrative, and technical safeguards for incidental disclosures as required by the Privacy Rule. Your organization should also have identified and documented all potential threats to protected health information.

Here’s a list of reasonable safeguards against HIPAA incidental disclosures:

  • If patients or co-workers must talk about sensitive health information, they should do so quietly.
  • Conversations revolving around sensitive or private information should not take place in public or semi-public areas.
  • All whiteboards should be kept in private areas.
  • Maintain patient privacy by using white-out on sign-in sheets.
  • Do not allow confidential conversations to take place in the presence of patient families or other patients.
  • Use passwords on computers to prevent easy access by unauthorized persons.
  • All patient files and paperwork should remain under lock and key.

Still Not Sure Which Disclosures Are Considered Incidental?

ComplyAssistant offers HIPAA compliance software to manage all your incidental disclosure requirements. As a security and compliance consulting company, we specialize in managing HIPAA compliance for various healthcare organizations. Our software tools are fully compliant with HIPAA regulations.