HIPAA and Incidental Disclosures of PHI

HIPAA permits incidental disclosures of PHI provided that HIPAA covered entities implement reasonable safeguards to protect individuals’ privacy, and that both the primary disclosures of PHI and incidental disclosures of PHI comply with the minimum necessary standard when applicable.

Incidental disclosures of PHI are secondary disclosures of Protected Health Information (PHI) that are unavoidable in the circumstances. For example, when a patient’s name is called in a busy hospital waiting room, the primary disclosure is to alert the patient that their healthcare provider is ready to see them. In this scenario, calling the patient’s name is a disclosure of PHI because the patient’s presence in the hospital waiting room implies a treatment relationship.

Because other patients are waiting in the hospital waiting room, they will hear the patient’s name being called. This is a secondary disclosure of PHI that cannot be avoided in the circumstances – unless a more private way to alert the patient existed and was not used. For example, some healthcare organizations assign each patient a code when they sign in, and display the code on a waiting room screen when their healthcare provider is ready to see them.

The secondary disclosure only qualifies as an incidental disclosure if the minimum necessary PHI is disclosed to achieve the purpose of the primary disclosure (i.e., in this scenario, the patient’s name is disclosed to alert them that their healthcare provider is ready to see them). If any further PHI is disclosed that is not relevant to the purpose of the primary disclosure, the secondary disclosure would be impermissible. For example:

“Mr. Jones, your healthcare provider will see you now” is an incidental disclosure of PHI.

“Mr. Jones, your healthcare provider will see you now about your diabetes diagnosis” is an impermissible disclosure of PHI because it is not necessary to disclose the nature of Mr. Jones’ medical condition in order to alert him that his healthcare provider is ready to see him.


Further Examples of Incidental Disclosures of PHI

Further examples of incidental disclosures of PHI include when family members, friends, or translators are present during a medical consultation (either in-person or online), and when PHI is disclosed during a group therapy session. In both these examples, it can be assumed that the subjects of the PHI being disclosed for a primary purpose have consented to the secondary, incidental disclosure of PHI, unless there is reason to believe otherwise.

Other scenarios in which secondary disclosures of PHI do not violate the HIPAA Privacy Rule include when messages are left on an answerphone that could be accessed by other family members or workplace colleagues. In such circumstances, the healthcare provider must be careful to disclose only the minimum necessary PHI in the answerphone message – for example, the minimum necessary information to confirm an appointment.

One scenario over which compliance professionals are divided is when a conversation between two healthcare providers is overheard by a third party. While some compliance professionals feel this would qualify as an incidental disclosure of PHI if it was not possible to have the conversation privately at the time and in the circumstances, others suggest it is necessary to conduct a risk assessment to determine whether a notifiable impermissible disclosure has occurred.

Incidental Disclosures Should be Explained in HIPAA Training

Due to the potential for misunderstanding when secondary disclosures of PHI qualify as incidental disclosures of PHI, and when they qualify as notifiable impermissible disclosures, it is important that incidental disclosures of PHI are covered in HIPAA training. This is so that members of the workforce understand how the distinction is interpreted in the workplace in order to prevent avoidable impermissible disclosures due to a lack of HIPAA knowledge.

Understanding how the distinction is interpreted in the workplace can also help prevent complaints from patients who believe their privacy has been compromised, and reports of impermissible disclosures being made by workforce members against colleagues. Covered entities that explain incidental disclosures in HIPAA training can reduce the likelihood of patient complaints and workplace allegations – and potentially compliance investigations by HHS’ Office for Civil Rights.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/