What is considered an incidental disclosure?

In a recent Kentucky court case, a hospital fired a nurse for an alleged HIPAA privacy violation. The nurse had been helping a technician and physician prepare for a medical procedure, telling them to wear gloves because the patient had Hepatitis C.  After the patient filed a complaint, the hospital decided that the nurse had violated HIPAA and fired her. What did she do wrong? In this case, we see the fine line between incidental disclosures and privacy violations.

What are Incidental Disclosures?

Let’s say a patient checks in at the front desk. Even though there’s a partition, the patient hears a name and date of birth as the clerk talks quietly on the phone. This is an incidental disclosure and not a HIPAA violation because reasonable safeguards were in place: a partition and the clerk speaking quietly.

In the Kentucky case, the nurse sued the hospital for firing her, claiming that the disclosure was incidental. But did she reasonably safeguard the patient’s privacy? The nurse didn’t lower her voice or take any other protective measure, even though others were present, so it wasn’t incidental.

Furthermore, healthcare staff must also use the minimum necessary standard to protect patient privacy. This means they may only use the minimum amount of information they need to get the job done.

In this case, the nurse didn’t need to tell the technician or physician to wear gloves, and she certainly didn’t need to name the patient’s condition. Because she didn’t take reasonable safeguards or use the minimum necessary standard, the nurse’s disclosure was not incidental but violated HIPAA’s privacy rule.

How Do I Avoid a Privacy Violation?

Train your staff. Staff members should be able to protect patient privacy as they carry out their work. Train them to recognize the difference between incidental disclosures and privacy violations. Well-trained staff members will not only protect patient privacy but also protect your organization from litigation.

HIPAAtrek software helps you manage staff training and leaves an auditable trail of compliance. Request a demo or contact us to learn how you can simplify your HIPAA compliance program.

Sometimes, information not intended to be public knowledge is inadvertently shared with others. Just as easily as it can happen in a casual conversation with a friend, it can also happen in the workplace. So, what is an incidental disclosure? The incidental disclosure definition, according to the U.S. Department of Health and Human Services (HHS), is a "disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule." What happens when there is an incidental disclosure in a healthcare setting? There is not a clear-cut answer. It simply depends on the magnitude of the situation. In general, healthcare settings are fluid environments. That means that a patient overhearing another patient's diagnosis or a visitor catching a glimpse of a screen with some personal health information (PHI) is not usually grounds for a HIPAA violation.

According to the HHS document linked above, "The Privacy Rule permits certain incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure." Despite this, incidental disclosures can still result in HIPAA violations and therefore penalties against an organization. We will look at this topic and ways to further safeguard your organization throughout this piece. 

Incidental Disclosure Examples

With technology advancing at an incredible pace, patients are receiving care in many ways. No longer is an in-person visit the only way to see your healthcare provider. These services are also taking place over the phone, video, and even live text chat. Although these new options provide all parties with greater flexibility to render and receive care, they also leave PHI more vulnerable. Incidental disclosures may become more common, despite an organization being compliant with HIPAA.

It is important to remember that the HIPAA Privacy Rule does allow for incidental disclosures to occur, as long as a covered entity is compliant with the policies outlined regarding PHI protection.

What is an incidental disclosure? Let's take a look at a few common examples that can occur in the workplace.

Example 1: In the waiting room of a doctor's office, other patients and even a front-desk employee overhear a conversation between a healthcare provider and their patient. Being around the corner and down the hall from the waiting room, both the patient and provider believe they are safe from any eavesdropping. Unfortunately, many people, including the front-desk employee, hear their discussion.

Example 2: While signing in for treatment at the hospital, a patient notices someone else's PHI on a second computer monitor. The computer monitor may have been moved by another employee or an after-hours cleaning crew - it is not normally positioned this way.  

Example 3: A healthcare provider has allowed the secretary to call out patient names into the waiting room when it is their turn. It is suggested that the information called out is kept to a minimum - for example, call out first names only instead of full names, where possible. 

What are HIPAA Permitted Disclosures?

Information is at the center of a healthcare organization's operation. In order to provide patients with optimal care, providers may need to quickly share information with other covered entities to improve their protocols, gather second opinions, order supplies, create referrals, or to get paid by health plans. In a nutshell, privacy rules associated with HIPAA were enacted to ensure that PHI remains safe in the face of things like data sharing. In most cases, PHI can only be shared when a provider obtains authorization from a patient to do so. 

However, there are instances when PHI can be shared without patient authorization. In a permitted uses and disclosures fact sheet, put together by the HHS, they note several scenarios where PHI can be shared without patient consent. Here are a few notable examples:

  • Conducting quality assessment and improvement activities
  • Developing protocols
  • Contacting healthcare providers and patients with information about treatment alternatives
  • Conducting training programs or credentialing activities
  • Supporting fraud and abuse detection and compliance programs

In order for a covered entity (CE) to share information with another CE, in scenarios as outlined above, there are a few prerequisites to be aware of: 

  • Both CEs must have a current or past relationship with the patient
  • The PHI requested should be related to the relationship between the CEs
  • The CE who is disclosing information should share only what is necessary for the situation, and nothing more

How to Prevent Incidental Disclosures

There is always more a healthcare organization could be doing to prevent incidental disclosures. Here are some basic steps that all organizations should be employing:

  • Cover PHI in patient care areas. Do not leave this information 'lying around' when you are not in close proximity
  • If you use paper files that include PHI, it is best to keep those locked away to avoid them being lost or stolen. You may also consider a sign-in/out system for these documents
  • Do not discuss PHI or anything else about your patients in public spaces like waiting rooms. If you must, do so in a lower tone, perhaps even covering your mouth to avoid those trying to read lips
  • Lock computer screens whenever you leave your workspace
  • Avoid the use of patient sign-in sheets. If you want to use one, consider a white-out sign-in sheet instead

No matter how safe an organization tries to be, there are bound to be times when things slip and an incidental disclosure is inevitable. Private conversations that were louder than expected and computer screens tilted close to wandering eyes are a couple of examples of typical incidental disclosures. When it comes to PHI, HIPAA is quite strict on its protocols, but it does allow for a generous amount of leniency. Remember, leniency related to an incidental disclosure only applies when an organization follows HIPAA privacy rules without issue. Yet, despite the best safeguards, the occurrence of small disclosures is not a question of if, but rather a question of when.

What are two incidental disclosure examples?

Examples of HIPAA Incidental Disclosures: A patient may see a glimpse of another patient's information on a whiteboard or sign-in sheet. An individual may see another person's x-ray on an x-ray board at a hospital. Conversations between nurses may be overheard by those walking past a nurses' station.

What is an unintentional disclosure?

An event when health professionals unintentionally or by mistake reveal confidential information. Learn more in: Informational, Physical, and Psychological Privacy as Determinants of Patient Behaviour in Health Care.

What is an incidental disclosure quizlet?

What is an incidental disclosure? Incidental disclosure is secondary use that cannot be reasonably prevented, is limited in nature, and occurs as a result of another use or disclosure that is permitted. These kinds of disclosures are permitted under HIPAA.