In the day-to-day running of a health care facility, communication remains a key activity between patients and health care givers. This is necessary for the delivery of prompt and effective health care. The facilities in which this occurs are such that, even under the best of circumstances, it is possible for an individual’s health care information to be incidentally disclosed.

An example of such a situation may be when a patient or visitor overhears a conversation between two providers in a busy cafeteria or waiting room. Another may be when a patient accidentally catches a glimpse of a sign-in sheet in the waiting room or at a nursing station.

The intent of the Privacy Rule is not to prevent the essential communication necessary for health care delivery. It does not require that all inadvertent disclosures be prevented. It does require that an attempt be made to prevent these disclosures by using reasonable safeguards and minimum necessary policies and procedures to protect an individual’s privacy. If these are in place, the Privacy Rule allows certain incidental uses and disclosures of protected health information.

Incidental Uses & Disclosures

The Privacy Rule allows certain incidental uses and disclosures of PHI that may occur related to another permissible or required use or disclosure, as long as the covered entity uses reasonable safeguards and applies minimum necessary standards, when applicable, in relation to the primary use or disclosure.

Refer to 45 CFR 164.502(a)(1)(iii). An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule. However, an incidental use or disclosure is not permitted if it is a by-product of an underlying use or disclosure which violates the Privacy Rule.

To make this easier to understand: if you are using or disclosing PHI for a valid reason and you accidentally allow someone else to hear or see it, but you have used reasonable safeguards, then you are not likely to be found in violation of the Privacy Rule.

Reasonable Safeguards

A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures.

Reasonable Safeguards for PHI are precautions that a prudent person must take to prevent a disclosure of Protected Health Information. Providers must apply these safeguards to protect all forms of PHI: verbal, paper, and electronic. They help prevent unauthorized uses or disclosures of PHI. In addition, safeguards must be part of every privacy compliance plan, and organizations must share this plan with all members of the organization. See 45 CFR 164.530(c).

It is not expected that a covered entity’s safeguards guarantee the privacy of protected health information from any and all potential risks. Reasonable safeguards will vary from covered entity to covered entity depending on factors such as the size of the covered entity and the nature of its business. In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the protected health information they hold, and assess the potential risks to patients’ privacy. Covered entities should also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards.

Verbal PHI

Apply Reasonable Safeguards for PHI to all of your verbal disclosures of Protected Health Information. When you work with a patient, first determine who is with the patient before discussing PHI. Second, do not assume the patient permits disclosure of their PHI just because family or a friend is in the room with them. Ask who is with the patient and whether the patient permits disclosure. Finally, you may ask the other persons to leave the room, giving the patient an opportunity to object to the disclosure. Speak quietly when discussing a patient’s condition in a waiting room. Avoid using the names of patients in public areas such as hallways or elevators.

Paper PHI

In addition, reasonable safeguards for PHI must apply to the use of all paper products to prevent these from reaching the wrong person. Providers must dispose of all paper products that contain PHI in a shredder once they are no longer needed. When a paper patient summary is given to a patient, personnel must make every effort to give it to the correct patient. Isolate or lock file cabinets and record rooms.

Electronic PHI

Password-protect all computers in order to protect electronic PHI. Employees must use only the medical computer accounts to which they are assigned. Consider encrypting any email or text message that contains ePHI.

Minimum Necessary Policies

It is important for covered entities to implement reasonable minimum necessary policies and procedures that limit how much protected health information is used, disclosed, and requested for certain health care activities. These policies will also limit who within the organization has access to protected health information and under what conditions, based on their job responsibilities and the nature of their business. The minimum necessary standard does not apply to the interaction between health providers for treatment purposes. A physician who is discussing a case with another physician is not limited in the amount of PHI they provide. See 45 CFR 164.502(b) and 164.514(d).

Reasonable Safeguards Prevent HIPAA Violations

If there is an incidental use or disclosure due to the failure to use reasonable safeguards or the minimum necessary standard, this is a non-permitted disclosure and may be a HIPAA violation. If an individual is allowed to have unimpeded access to patients’ records where such access is not necessary for that individual’s job, the minimum necessary standard is not followed, and this may represent an infraction of the Privacy Rule.

In conclusion, the use of reasonable safeguards may be the difference between an Office for Civil Rights finding of a privacy violation and a finding that an incidental disclosure occurred. The latter is secondary to a permissible disclosure and is not a violation. Reasonable safeguards protect PHI and help prevent you from violating patient privacy.