
Incidental Disclosures and HIPAA: A Guide for Small Practices

This guide clarifies HIPAA incidental disclosures for small healthcare practices and outlines actionable tips to help prevent incidental disclosures.

As a small healthcare practice, you're no stranger to handling sensitive information. But sometimes, despite your best efforts, client information can slip out unintentionally. This is what's called an incidental disclosure.

Incidental disclosures happen when confidential client information is accidentally revealed in your practice. For example, this could happen if a conversation is overheard in your waiting room or a therapist leaves a client's file unattended, allowing another client to glimpse confidential information. These seemingly "minor" slip-ups can risk your client's privacy and your practice's HIPAA compliance.

We understand that navigating HIPAA as a small practice can be overwhelming, so we've created this guide to help you understand, prevent, and address incidental disclosures.

Because we know you're busy, we'll also introduce a simple tool you can use in your practice to help prevent incidental disclosures more easily!

HIPAA incidental disclosures: What are they?

The HIPAA Privacy Rule recognizes that it's not always possible to completely prevent accidental or secondary disclosures of PHI (protected health information).

PHI (protected health information) is individually identifiable information that relates to:

  • A person’s past, present, or future physical or mental health or condition
  • The provision of healthcare to a person
  • Payment for a person’s healthcare

For instance, let's say you're wrapping up a session with a client when your next client arrives early, overhearing a few words through your slightly open door. Or maybe you're jotting down notes in a bustling coffee shop, and someone glances over your shoulder, spotting a client's name.

These are everyday occurrences in a small practice: little moments when client information slips out unexpectedly. HIPAA calls them incidental disclosures. You're juggling a lot, and it's not always possible to control every conversation or piece of paper.

The good news is that HIPAA doesn't expect perfection. As stated in the Incidental Uses and Disclosures Guidance Material, the HIPAA Privacy Rule generally allows for incidental disclosures, meaning accidental or unavoidable sharing of health information, as long as the disclosure meets a few conditions:

Conditions for Incidental Disclosures

  1. It’s secondary: It happens as a side effect of an otherwise allowed use or sharing of information.
  2. It’s unavoidable: Reasonable steps have been taken to protect the information, but the disclosure couldn't realistically be prevented.
  3. It’s limited: Only a small amount of information is exposed.

However, if the original action violated HIPAA, any accidental disclosures resulting from it are also considered violations.

Here’s an example scenario of an incidental disclosure:

A nurse and doctor urgently discuss a patient's critical lab results in the hallway outside the patient's room. A visitor walks by and overhears snippets of their conversation.

This is an example of an incidental disclosure under HIPAA because:

  • The disclosure is secondary: The overheard information is a secondary consequence of an otherwise allowed use: the doctor and the nurse are permitted to share the PHI, which is essential to the patient's care.
  • It's unavoidable: While the healthcare providers could have lowered their voices or moved to a more private location, it may not have been feasible in this urgent situation. Given the circumstances, some level of disclosure was unavoidable.
  • It's limited: The visitor likely overheard only fragments of the conversation, not the full details of the patient's condition or treatment plan.

Here's another example highlighting where a scenario could be an incidental disclosure or a HIPAA violation:

In a busy mental health clinic, a therapist accidentally puts a client's file down on the reception desk while briefly stepping away to answer an urgent phone call. Another client waiting in the reception area glances at the file and sees the client's name and home address.

This could be allowed under HIPAA if:

  • The therapist couldn't have reasonably prevented the brief moment where the file was unattended (e.g., there was an urgent phone call to attend to)
  • The information seen was limited to just the name and home address. It was also “limited” because only the other client waiting in the reception area saw it.
  • Having the file is a normal part of the therapist's workflow when preparing for the session.

⚠️ However, if the therapist habitually leaves files open and unattended or if the file is left open in a public area for an extended period, the disclosure would be considered a violation, particularly if the file contains sensitive details about the client's therapy.

Incidental disclosure vs. HIPAA violation

Speaking of HIPAA violations, let’s take a closer look at the difference between a HIPAA violation and an incidental disclosure.

HIPAA Violation

A HIPAA violation is a failure to follow the HIPAA Rules, typically an intentional or negligent misuse or exposure of protected health information that creates a significant risk of harm.

Examples of HIPAA violations

  • A nurse tells a friend about a client's medical condition.
  • A therapist's unencrypted laptop containing client records gets stolen.
  • A sign-in sheet that asks for the name and medical reason for the visit to the clinic.

Consequences

  • Can lead to significant fines and penalties.
  • Your practice may have to enter a corrective action plan and be subject to OCR oversight, typically for one to three years.
  • If the violation is also a breach of unsecured PHI, the Breach Notification Rule requires notifying the affected individuals and the Department of Health and Human Services (HHS), and, for breaches affecting more than 500 people in a state or jurisdiction, the media.
  • Breaches affecting 500 or more individuals are posted on the HHS breach portal, informally known as the HIPAA “Wall of Shame”.

Incidental Disclosure

An incidental disclosure is a minor, accidental disclosure that occurs during an otherwise allowed action and poses minimal risk.

Examples of incidental disclosures

We’ve shared some incidental disclosure scenarios earlier. Here are more examples:

1. A lab technician unintentionally sees a client's name on a sign-in sheet while retrieving a sample collection kit from a clinic.

This scenario could be considered a HIPAA incidental disclosure for the following reasons:

  • The disclosure is secondary: The lab technician's primary action was to retrieve the sample collection kit, an essential step in the lab's workflow. Seeing the patient's name on the sign-in sheet was a secondary effect of this permissible action.
  • It's unavoidable: Sign-in sheets are a common and necessary part of many healthcare settings to track patient arrivals and manage appointments.
  • It's limited: The disclosure is limited to the client's name. More sensitive details about the patient's health condition or treatment are not revealed.

2. A therapist calls out a client's first name in a crowded waiting room to indicate it's their turn for a session. Other individuals in the waiting room overhear the name and become aware that the individual is receiving therapy.

This could be considered an incidental disclosure under HIPAA due to the following:

  • The disclosure is secondary: The therapist's primary action was to notify the client that their session was beginning, a necessary part of providing care. The unintended revelation of the client's status as a therapy patient was a secondary effect of this permissible action.
  • It's unavoidable: While the therapist could have used a more discreet method, such as a text message or a numbered system, OCR's guidance accepts calling out names in a waiting room as a reasonable practice when what is said is limited to getting the client's attention.
  • It's limited in nature: The disclosure is limited to the client's first name and the implication that they are receiving therapy. No specific details about their treatment or reasons for seeking therapy were revealed.

Consequences

There are no adverse consequences for your practice as long as the disclosure meets the criteria of being unavoidable, limited in nature, and occurring as part of a permitted use or disclosure. In a nutshell, HIPAA violations often involve intentional or negligent actions, while incidental disclosures are always unintentional.

How about breaches of HIPAA rules due to mistakes, oversights, or lack of awareness rather than deliberate actions? You can't call these incidental disclosures. They are still violations and can result in penalties.

👉 Recommended reading: 5 unintentional HIPAA violations that might surprise you

🔑 Key takeaway

All incidental disclosures are unintentional, but not all unintentional violations are incidental disclosures.

Understanding this distinction is crucial and will help you navigate HIPAA regulations with clarity and confidence.

How to minimize incidental disclosures in your small healthcare practice

While incidental disclosures are sometimes unavoidable, you can take proactive steps to minimize their occurrence and protect client privacy. HIPAA refers to these steps as “reasonable safeguards”. Here’s the OCR’s take:

“Reasonable safeguards will vary from covered entity to covered entity depending on factors such as the size of the covered entity and the nature of its business.

In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the protected health information they hold, and assess the potential risks to patients’ privacy.

Covered entities should also consider the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards."

Based on these guidelines, here are some reasonable safeguards you can implement in your practice

Reasonable safeguards to minimize incidental disclosures in your small healthcare practice

1. Designate private spaces in your practice

  • Create private spaces for confidential conversations. Ideally, this would be a dedicated, soundproof room, but if unavailable, quiet corners or temporary barriers can be used.
  • When discussing sensitive information in an office or exam room, close the door for added privacy.
  • Ensure computer screens and client documents are not visible to others: use privacy filters on monitors, angle screens away from public areas, and keep paperwork face down or out of sight.
  • Be mindful of your voice. Speak softly when discussing PHI with a client or a co-worker.
  • Enable automatic screen locking after a short period of inactivity (e.g. 5-10 minutes) in your computer’s security settings, and lock the screen manually whenever you step away.

2. Optimize your waiting area

  • Arrange seating to face away from reception or check-in areas where confidential information might be discussed.
  • Use a white noise machine or play soft music to mask conversations and create a more private atmosphere.
  • Post gentle reminders or signage for clients to respect others' privacy by speaking softly and avoiding sharing personal details in public areas.

3. Secure physical records

  • Keep paper records in locked cabinets or drawers.
  • Don't leave charts, client files, or other documents containing PHI unattended in open areas.
  • Dispose of PHI properly by shredding documents before discarding them.

4. Train your staff about incidental disclosures and HIPAA guidelines

  • As required by HIPAA, ensure all staff members understand the basics of HIPAA and the importance of protecting client privacy.
  • Discuss common situations where incidental disclosures might occur and brainstorm ways to handle them.
  • Provide regular refreshers on HIPAA compliance and address any new challenges as they arise.

5. Implement the “Minimum Necessary” principle

The "Minimum Necessary" rule means that less is more when it comes to health information.

  • Only the people who NEED to see the information for their job should have access to it.
  • Even then, they should only have access to the PARTS of the information that they need to do their job.

With these in mind, you can take the following steps in your practice:

  • Limit access to PHI. Only grant access to PHI to those employees who need it to perform their job duties, and grant each of them only the parts of the record their role requires (front desk staff need names and appointment times, not session notes).
  • Share only what's necessary. When sharing PHI, disclose only the minimum amount of information needed for the specific purpose.

Note that the minimum necessary standard does not apply to disclosures to another healthcare provider for treatment, or to disclosures to clients about their own information; reasonable safeguards still apply in both cases.
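To make those two steps concrete in software, here is an added example (not code from the original page, and not Hushmail's product) of how a small practice's records app could enforce the Minimum Necessary principle: each role gets a view containing only the fields its job needs, an outbound disclosure is trimmed to what the stated purpose permits, and every access, allowed or denied, is logged. The roles, field names, disclosure purposes and the sample client record are hypothetical. The example also covers the appointment-reminder case from the FAQ: a reminder purpose releases only a first name and a time even when more is requested.

```python
"""Enforcing the HIPAA "Minimum Necessary" principle in a small practice's
records app, as an added example (not code from the original page or from
Hushmail). The roles, field names, disclosure purposes and the sample client
record are hypothetical and constructed for illustration.
"""
from __future__ import annotations

from datetime import datetime, timezone

# Constructed sample PHI record for one client (not real data).
CLIENT_RECORD = {
    "client_id": "c-1042",
    "first_name": "Alex",
    "last_name": "Rivera",
    "phone": "555-0100",
    "appointment_time": "2024-05-14T10:00",
    "diagnosis_code": "F41.1",                   # clinical detail (ICD-10)
    "session_notes": "Discussed coping strategies.",
    "insurance_id": "INS-88213",
    "billing_balance": 120.00,
}

# Hypothetical role policy: the fields each job function needs to do its work.
# A role that is not listed here gets no PHI at all.
ROLE_FIELDS = {
    "front_desk": {"client_id", "first_name", "phone", "appointment_time"},
    "billing": {"client_id", "first_name", "last_name",
                "insurance_id", "billing_balance"},
    "therapist": set(CLIENT_RECORD),   # treating clinician: full record
}

# Hypothetical purpose policy for outbound disclosures, e.g. a voicemail
# reminder carries a first name and a time, never a diagnosis.
PURPOSE_FIELDS = {
    "appointment_reminder": {"first_name", "appointment_time"},
    "insurance_claim": {"client_id", "last_name", "insurance_id",
                        "diagnosis_code"},
}


class AccessDenied(Exception):
    """Raised when a role or purpose is not entitled to the requested PHI."""


def _log(log: list, **entry) -> None:
    """Append an access-log entry (kept in memory here; a real app would
    write it to an append-only store so accesses can be audited)."""
    entry["at"] = datetime.now(timezone.utc).isoformat()
    log.append(entry)


def view_for_role(record: dict, role: str, user: str, log: list) -> dict:
    """Return only the fields `role` may see; denied attempts are logged too."""
    allowed = ROLE_FIELDS.get(role)
    if not allowed:
        _log(log, user=user, role=role, client_id=record["client_id"],
             allowed=False)
        raise AccessDenied(f"role {role!r} is not entitled to PHI")
    view = {k: v for k, v in record.items() if k in allowed}
    _log(log, user=user, role=role, client_id=record["client_id"],
         allowed=True, fields=sorted(view))
    return view


def disclose_for_purpose(record: dict, purpose: str, requested: list,
                         user: str, log: list) -> tuple[dict, list]:
    """Release the intersection of what was requested and what the purpose
    permits, and report what was withheld. Over-broad requests are trimmed
    rather than refused, but an unknown purpose is refused outright."""
    allowed = PURPOSE_FIELDS.get(purpose)
    if not allowed:
        raise AccessDenied(f"unknown disclosure purpose {purpose!r}")
    released = {k: record[k] for k in requested if k in allowed and k in record}
    withheld = sorted(set(requested) - set(released))
    _log(log, user=user, purpose=purpose, client_id=record["client_id"],
         released=sorted(released), withheld=withheld)
    return released, withheld


if __name__ == "__main__":
    audit: list = []
    print(view_for_role(CLIENT_RECORD, "front_desk", "pat", audit))
    print(disclose_for_purpose(CLIENT_RECORD, "appointment_reminder",
                               ["first_name", "appointment_time", "diagnosis_code"],
                               "pat", audit))
    try:
        view_for_role(CLIENT_RECORD, "contractor", "sam", audit)
    except AccessDenied as exc:
        print("denied:", exc)
    print(len(audit), "audit entries")
```

Run it directly to see the front desk view, the trimmed reminder disclosure, and the denied access. The point of the design is that the policy lives in one place (ROLE_FIELDS and PURPOSE_FIELDS), so adding a new role or purpose forces an explicit decision about what it needs, and the log records which PHI left the practice, to whom, and why.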

HIPAA incidental disclosures FAQs for small healthcare practices

As a small practice, use this FAQ section as a guide to help reduce the risk of incidental disclosures:

1. Can I discuss PHI with other healthcare providers or my clients?

Yes, HIPAA allows healthcare providers to discuss PHI with other providers involved in the client's care and with the clients themselves. Reasonable safeguards should be used to protect privacy, but these conversations are essential for proper treatment.

2. Can I leave appointment reminder messages for clients at home?

Yes, you can communicate with clients about their healthcare, including leaving appointment reminders, as long as you take reasonable steps to protect their privacy and meet the minimum necessary standard. Keep the message to your name, a callback number, and the appointment time; don't mention the reason for the visit.

3. Can I use sign-in sheets or call out clients' first names in the waiting room?

Yes, these practices are allowed as long as the information disclosed is limited to what's necessary. For example, a sign-in sheet should only ask for basic information like first name and arrival time, not the reason for the visit.

4. Can I leave client charts outside exam rooms?

Yes, this is allowed if you take reasonable measures to protect client privacy. This could include using covers for charts or ensuring sensitive information is not visible.

5. Can I provide group therapy?

Yes, HIPAA allows the sharing of PHI in group therapy sessions because it is considered a treatment disclosure.

6. Do I need to document incidental disclosures in client records?

No, you don't need to document incidental disclosures permitted by HIPAA. These are minor, unavoidable disclosures that occur as a byproduct of normal healthcare operations, and the Privacy Rule excludes them from the accounting of disclosures a client can request.

How Hush™ Secure Forms can help prevent incidental disclosures in your practice

Small healthcare practices like yours may lack the resources of larger organizations to implement complex safeguards against incidental disclosures.

The good news is that Hushmail for Healthcare's secure forms offer a simple and HIPAA-compliant way to minimize incidental disclosures in your practice through the following:

1. Enable secure file uploads

Secure forms allow clients to submit medical records or other sensitive documents through encrypted channels, reducing the risk of accidental exposure during faxing.

2. Controlled access

Hush™ Secure Forms deliver completed forms directly to your secure Hushmail inbox, so only the staff who are authorized to use that inbox can see the submitted PHI.

3. Pre-screening and targeted information collection

Hushmail’s pre-screening questionnaires help you collect relevant client information securely before the initial consultation. As a result, you are more prepared for the client’s appointment and can tailor your services.

The self-assessment tools available also allow your clients to complete standardized questionnaires like the PHQ-9 or GAD-7 remotely. These forms can minimize incidental disclosures by allowing clients to share sensitive information privately and securely before their appointment. This also reduces the need for potentially sensitive conversations in the waiting room or over the phone, where information could be unintentionally overheard.

For example, a client can complete a PHQ-9 depression screening online, eliminating the need to discuss their symptoms in a shared space. This proactive approach enhances client privacy and improves the efficiency of the intake process.

Hushmail’s Patient Health Questionnaire (PHQ-9) form

4. Secure file exchange with colleagues

You can share client information with other healthcare providers securely through encrypted channels, eliminating the need for unsecured faxing or emailing.

Example of a secure file transfer form from Dr. Kara Dionisio

👉 Did you know? You can also use secure forms as an NPI endpoint.

5. Reduce the need for paper forms

Using online forms reduces the amount of physical paperwork in your practice, which can easily be misplaced or seen by people who shouldn't see it. This removes potential points of incidental disclosure in waiting rooms and during file handling.

6. Customizable templates

You can create tailored secure forms that collect only the necessary information. This adheres to the minimum necessary principle and reduces the risk of incidental disclosures.

Get Hushmail for Healthcare and steer clear of incidental disclosures

Secure Forms make it easy for small practices like yours to keep PHI private and safe. They're like a digital lockbox for sensitive information like medical records and appointment requests.

Give Hush™ Secure Forms a spin by signing up for Hushmail for Healthcare. All of our plans come with a 60-day money-back guarantee. 