When privacy meets reality: HIPAA incidental disclosures in action

Health Care Compliance Association (HCCA)

[author: Velvet Mitchell]

A recent, otherwise typical, Friday evening took an unexpected turn when I found myself in the emergency department (ED) after a family member lost their footing down a flight of stairs. Inside our room, which was just outside the nurses’ station, the controlled chaos of a crowded ED was immediately apparent. I was instantly struck by the constant noise from beeping intravenous pumps, ringing monitors, flashing call lights, and the steady movements of medical staff in urgency mode.

Even amidst a family emergency, it was impossible not to view the scene around me through the lens of a compliance professional. A number of activities taking place made my compliance hackles rise. Doctors called patients by name, reviewed labs and diagnostic imaging via the computer system, then openly discussed the findings within easy earshot of others. At a shared workstation, nurses hashed out physician orders aloud, while beyond a thin curtain in the trauma bay, paramedics delivered a handoff report on an injured patient. As I listened, I realized these are everyday moments in the delivery of healthcare in a crowded ED, where staff navigate a thin line between urgency and preserving a patient’s right to privacy.

While these events made me take notice, they did not strike me as a HIPAA violation, at least not necessarily. I knew what I was observing was the real-life application of a concept that frequently confuses both patients and healthcare professionals: HIPAA incidental disclosures. These often unavoidable disclosures arise naturally within the framework of providing care in a busy, real-world environment. Recognizing these practical realities, HIPAA includes allowances for incidental disclosures, so long as reasonable safeguards and the minimum necessary standards are upheld.

In this article, we’ll delve into the foundational components of HIPAA’s provisions for incidental disclosures, the necessary safeguards, and effective strategies for training and oversight, particularly within a high-volume, high-risk setting, such as an ED.

The HIPAA Privacy Rule acknowledges that, in certain healthcare settings, the conditions under which individuals receive healthcare or other services from covered entities (CEs) create a potential for protected health information (PHI) to be disclosed incidentally.[i] The environment I found myself in (a large, crowded ED) is the perfect example.

High patient volume and the lack of physical privacy are pervasive issues in the ED. On this Friday evening, I observed patients crowded into hallway beds, inside makeshift waiting rooms, and behind thin curtains. Family members and caregivers waited nearby, making efforts to stay out of the way of the chaos. Under optimal conditions, patients are assessed and treated in a quiet, closed room. However, during periods of increased demand and limited ED space, it is often not possible to provide a private setting for treatment. Additionally, in larger EDs, the sheer volume of patients, the presence of trauma cases, and the need to quickly care for critically ill individuals in small spaces can further compromise privacy.[ii] The number of bystanders and, to some extent, nonemergent patients occupying beds within earshot of the activity makes it even more important to have and be mindful of privacy rules, since confidentiality and dignity are essential to quality care. These unplanned exposures of patient information are incidental disclosures of PHI.[iii]

When are incidental disclosures permissible?

An incidental disclosure is a secondary or unintended sharing of information that occurs as a by-product of a legitimate and permitted use or disclosure and is generally allowable under the Privacy Rule — but only under specific conditions. To be considered permissible, an incidental disclosure must:

  • Be limited in nature.
  • Occur as a consequence of an otherwise allowable use or disclosure.
  • Not be reasonably preventable, even with safeguards in place.

The Privacy Rule is not intended to impede vital, customary communications and practices necessary for effective care delivery. Additionally, the Privacy Rule does not mandate the complete elimination of all incidental uses and disclosures. Instead, the rule allows such disclosures when the CE has implemented reasonable safeguards, adheres to the minimum necessary standard, and ensures that the sharing of PHI is truly incidental to a permitted activity. However, it’s crucial to note that not all incidental disclosures are acceptable. If the primary or “underlying” use or disclosure violates the Privacy Rule, then any incidental disclosure resulting from it is also considered impermissible.

A layer of complexity often noted in the ED is the frequent reliance on family members or companions who accompany an individual to the ED but may not be the patient’s next of kin or their legally designated representative. In a fast-paced environment like the ED — especially when the patient is elderly, unable to communicate, and/or has limited English skills — staff may end up sharing health information with whoever is present, whether that person is a neighbor, a friend, or a distant relative. HIPAA allows providers to share relevant health information with individuals likely to be involved in a patient’s care or payment for care; however, the potential for misunderstanding remains.[iv] Staff should use caution when sharing information with specific individuals if the provider has not obtained clear consent from the patient, especially if no power of attorney exists that identifies the authorized individual with whom information may be shared.

Reasonable safeguards

In situations where a disclosure must happen in a semi-public or shared space, such as when providing test results in the ED, providers should take reasonable steps to reduce the risk of unintended exposure. This might include limiting the content of the disclosure to what is necessary for the patient or caregiver’s understanding or asking the patient or their representative to move to a more private area for the conversation.

The Privacy Rule requires a CE to impose reasonable and appropriate safeguards to protect against unauthorized uses and disclosures of PHI. Implementing administrative, technical, and physical safeguards should help minimize the likelihood of incidental disclosures, ensuring that any such disclosure remains limited in scope and is consistent with the rule’s requirements.[v] That said, the standard is one of reasonableness—not perfection. In many EDs, complete auditory and visual privacy is impossible, even during less busy times. The physical layout of these spaces, combined with high patient turnover, often results in situations where others will likely overhear discussions with patients, family members, and caregivers in close proximity.[vi] Relaying health information promptly is essential to ensuring patients receive effective care. Recognizing this need, the Privacy Rule does not require entities to eliminate all possible risks to satisfy the standard. Instead, it acknowledges that some incidental disclosures may still occur, even with proper safeguards in place. However, these safeguards must be designed and maintained in a way that patient privacy is reasonably protected.[vii]

Common real-world examples permissible under the Privacy Rule[viii]

Scenario: Semiprivate treatment area
Example: Provider discusses lab or imaging results with a patient or provider in a shared treatment area separated only by a thin curtain.
Reasonable safeguards: Permissible, assuming the provider uses a quiet tone and has limited unnecessary exposure.

Scenario: Crowded ED
Example: Provider may discuss a patient’s condition or treatment in a patient’s semiprivate room or in a crowded ED.
Reasonable safeguards: Permissible if PHI is not shared loudly or in detail.

Scenario: Centralized workstation
Example: Staff may coordinate services for patients at nurses’ stations.
Reasonable safeguards: Permissible, assuming staff use quiet tones and limit unnecessary exposure. Use caution when discussing a sensitive diagnosis.

Scenario: During phone calls
Example: Nurses or providers may discuss a patient’s condition over the phone with the patient or a family member.
Reasonable safeguards: Permissible if PHI is not shared loudly or in detail.

Take caution that incidental disclosures are not mistaken for accidental disclosures. For example, a provider may be using a reasonable safeguard by taking a patient or caregiver aside to discuss a treatment plan. While discussing the plan, the provider then hands off a prescription that must be picked up at the patient’s pharmacy of choice. But if the provider failed to properly identify the patient, discussed PHI with the wrong patient, and inadvertently handed the prescription to that wrong patient as well, the event becomes an accidental disclosure and a privacy violation that is potentially reportable both to the patient whose information was exposed and to the U.S. Department of Health and Human Services Office for Civil Rights.

Healthcare organizations should conduct an assessment and analyze their needs based on factors such as size, type of services offered, and unique circumstances. Based on the results of that analysis, the organization can implement best practices and reasonable safeguards that are compliant with the Privacy Rule. A hospital with a large, crowded ED could recommend the following:

  1. Train staff to use quiet, low tones/voices when discussing PHI in open or shared spaces.
  2. Design physical spaces with privacy in mind (e.g., angled computer screens, soundproof shields, or private consultation rooms).
  3. Implement access controls to limit the view of patient records to only staff who are involved in the patient’s care.
  4. Monitor high-risk areas, such as shared workstations, waiting rooms, or elevators, for compliance.
  5. Train staff to sign off computers when not in use and not leave paper PHI in view of others.

These safeguards don’t have to be expensive or burdensome; they should merely be practical and consistently enforced. The compliance team should document all reasonable safeguards implemented and regularly review and update privacy policies. The team should also periodically conduct risk assessments to identify any vulnerabilities, allowing safeguards to be put in place to ensure compliance. Additionally, provide ongoing privacy training specific to issues staff encounter most often, and monitor compliance with established procedures and policies. In particular, emphasize that HIPAA is not about perfection; it’s about doing what’s reasonably expected to protect patient privacy in a real-world environment.

Conclusion

My experience reminded me that compliance isn’t just something learned by memorizing regulatory requirements; it is about daily actions and the careful development of practices that affect us and our patients in stressful situations where hurt, fear, and urgency meet policy. Incidental disclosures are not a failure of compliance, but a reality of clinical practice and operations. And, while perfection isn’t attainable, with vigilance and continued focus on the dignity of our patients, we can provide high-quality care quickly while protecting their privacy.

Takeaways

  • Incidental disclosures are unintentional, limited disclosures that occur as a by-product of a permitted use or disclosure and cannot be reasonably prevented—even with safeguards in place.
  • The HIPAA Privacy Rule allows incidental disclosures if reasonable safeguards are implemented and the minimum necessary standard is applied.
  • The Privacy Rule does not require the complete elimination of all risks associated with an incidental disclosure; however, covered entities must take reasonable steps to minimize the likelihood of unintended exposure.
  • To help minimize incidental disclosures, organizations should train staff to use low voices when discussing protected health information in shared spaces.
  • Design physical spaces with privacy in mind, and remind staff to sign off computer workstations when not in use.

[ii] Jay M. Brenner et al., “Privacy and confidentiality of emergency department patient information: Contemporary considerations and challenges,” JACEP Open 5, no. 2 (2024): e13130, https://doi.org/10.1002/emp2.13130.

[iv] U.S. Department of Health and Human Services, Office for Civil Rights, “Incidental Uses and Disclosures,” last reviewed July 26, 2013, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/incidental-uses-and-disclosures/index.html.

[vi] Brenner et al., “Privacy and confidentiality of emergency department patient information: Contemporary considerations and challenges.”

[vii] 45 C.F.R. §164.530(c).

[viii] 45 C.F.R. § 164.502(a)(1)(iii).
