A number of customers contacted me recently concerning possible breaches and what they should do. After reviewing their situations, these turned out to be incidental exposures rather than breaches. What is an incidental exposure? It is a secondary use or disclosure of protected health information that cannot reasonably be prevented, is limited in nature, and occurs as a by-product of another use or disclosure that the HIPAA Privacy Rule permits. Typical examples in a healthcare setting include conversations between patients and doctors where complete privacy is not practical, or patients’ charts being visible to people without a need to know while they are carried between areas.
The Privacy Rule does not require elimination of all incidental exposures. That is simply not practical. In August 2002, specific modifications to the Rule were adopted to clarify that incidental disclosures do not violate the Privacy Rule when you have policies in place that reasonably safeguard and appropriately limit how protected health information (PHI) is used and disclosed (see 45 CFR 164.502(a)(1)(iii)). The protection is conditional, though: if the incidental exposure is a by-product of an underlying use or disclosure that itself violates the Privacy Rule, then the incidental exposure is a violation as well.
Whether an incidental exposure is a violation therefore depends primarily on whether you have “policies which reasonably safeguard and appropriately limit how PHI is used and disclosed.” What does that mean in practice? A covered entity must have appropriate administrative, technical and physical safeguards in place, and they must actually be operating, not just written down. Appropriate means reasonable for the size and complexity of your organization. If your organization has performed a security risk assessment but is not acting on its findings through ongoing risk management, you are not there. Covered entities must also implement reasonable minimum necessary policies and procedures that limit how much PHI is used, disclosed, and requested for a given purpose. As above, an incidental use or disclosure that results from a failure to apply reasonable safeguards or the minimum necessary standard is a violation of the Privacy Rule.
In summary, if your organization is actively engaged in HIPAA compliance and has adopted and implemented the proper policies and procedures, you probably don’t have to worry about incidental exposures. Take the time to document each one and use it as a “teachable moment” for the workforce; the record also shows an auditor that the exposure was identified and handled. This will improve your processes, compliance, and security. On the other hand, if you aren’t taking HIPAA compliance seriously, an incidental exposure reported by an unhappy patient or a disgruntled employee can result in an audit and significant fines.
If you have any questions about incidental disclosures or HIPAA, please contact us at: compliance@thirdrock.com
Protect Your Patients. Protect Your Practice. Protect Yourself.™