In the day-to-day running of a health care facility, communication between patients and health care givers remains a key activity. This is necessary for the delivery of prompt and effective health care. The facilities in which this occurs are such that, even under the best of circumstances, it is possible for an individual’s health care information to be incidentally disclosed.

An example of such a situation may be when a patient or visitor overhears a conversation between two providers in a busy cafeteria or waiting room. Another may be when a patient accidentally catches a glimpse of a sign-in sheet in the waiting room or at a nursing station.

The intent of the Privacy Rule is not to prevent the essential communication necessary for health care delivery. It does not require that all inadvertent disclosures be prevented. It does require that an attempt be made to prevent these disclosures by using reasonable safeguards and minimum necessary policies and procedures to protect an individual’s privacy. If these are in place the Privacy Rule allows certain incidental uses and disclosures of protected health information.

Reasonable Safeguards for HIPAA

Incidental Uses & Disclosures

The Privacy Rule allows certain incidental uses and disclosure of PHI that may occur related to another permissible or required use or disclosure, as long as the covered entity uses reasonable safeguards and applies minimum necessary standards, when applicable, in relation to the primary use or disclosure.

Refer to 45 CFR 164.502(a)(1)(iii). An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule. However, an incidental use or disclosure is not permitted if it is a by-product of an underlying use or disclosure which violates the Privacy Rule.

To make this easier to understand: if you are using or disclosing PHI for a valid reason and you accidentally allow someone else to hear or see it, but you have used reasonable safeguards, then you are not likely to be found in violation of the Privacy Rule.

Reasonable Safeguards

A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures.

Reasonable Safeguards for PHI are precautions that a prudent person must take to prevent a disclosure of Protected Health Information. Providers must apply these safeguards to protect all forms of PHI: verbal, paper, and electronic. They help prevent unauthorized uses or disclosures of PHI. In addition, safeguards must be part of every privacy compliance plan. Organizations must share this with all members of the organization. See 45 CFR 164.530(c).

It is not expected that a covered entity’s safeguards guarantee the privacy of protected health information from any and all potential risks.  Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as the size of the covered entity and the nature of its business.  In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the protected health information it holds, and assess the potential risks to patients’ privacy.  Covered entities should also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards.

Verbal Protected Health Information

Verbal PHI

Apply Reasonable Safeguards for PHI to all of your verbal disclosures of Protected Health Information. When you work with a patient, first determine who is with the patient before discussing PHI. Second, do not assume the patient permits disclosure of their PHI just because family or a friend is in the room with them. Ask who is with the patient and whether the patient permits disclosure. Finally, you may ask the persons to leave the room, providing the patient an opportunity to object. Speak quietly when discussing a patient’s condition in a waiting room. Avoid using the names of patients in public areas such as hallways or elevators.

Paper PHI

In addition, reasonable safeguards for PHI must apply to the use of all paper products to prevent these from reaching the wrong person. Providers must dispose of all paper products that have PHI in a shredder once no longer used. When a paper patient summary is given to a patient, personnel must make every effort to give it to the correct patient. Isolate or lock file cabinets or record rooms.

Electronic PHI

Password protect all computers in order to protect electronic PHI. Employees must only use the computer medical accounts to which they are assigned. One must consider encrypting any email or texts that contain ePHI.

Minimum Necessary Policies

It is important for covered entities to implement reasonable minimum necessary policies and procedures that limit how much protected health information is used, disclosed and requested for certain health care activities. These policies will also limit who within the organization has access to protected health information and under what conditions, based on their job responsibilities and the nature of their business. The minimum necessary standard does not apply to the interaction between health providers for treatment purposes. A physician who is discussing a case with another physician is not limited in the amount of PHI they provide. See 45 CFR 164.502(b) and 164.514(d).

Reasonable Safeguards Prevent HIPAA Violations

If there is an incidental use or disclosure due to the failure to use reasonable safeguards or the minimum necessary standard, this is a non-permitted disclosure and may be a HIPAA violation. If an individual is allowed to have unimpeded access to patients’ records where such access is not necessary for the job of the individual, the minimum necessary standard is not followed, and this may represent an infraction of the Privacy Rule.

Home Office and HIPAA

As the home office becomes more popular, Protected Health Information (PHI) is now at greater risk than ever before. In this new setting, devices containing PHI are frequently more susceptible to malware attacks and intrusions. Special precautions must be taken to ensure the safety of PHI.

One of the first issues to consider at home is that, unlike in the office setting, family members or visitors might be able to view or access a patient’s PHI. In these circumstances it will be important to use special precautions to protect PHI.

Physical safeguards may be very helpful to prevent this from happening. Some steps that should be used regularly are as follows:

  • Lock the screen when you walk away from your computer.
  • Use a privacy screen on your computer.
  • Restrict access to the devices that contain PHI.
  • Be careful not to mention PHI aloud in a place where someone could overhear.

Bring Your Own Device

Bring Your Own Device (BYOD) is now very common in and out of the office setting.  Certainly, it will be ubiquitous in the home setting.  This will require an increased need for technical safeguards.

An organization must first consider the creation of a Bring Your Own Device (BYOD) Agreement with its workforce.

Some safeguards that should be considered are as follows:

  • Obtain the latest software updates and security configurations for your device. 
  • Ensure that laptops are equipped with firewalls and antivirus software to protect network access.
  • Encrypt and password protect all personal devices that may be used to access PHI such as cellphones, tablets, and laptops. 
  • Consider using multi-factor authentication on all platforms.

Creating Safe Networks

Safe Networks

All employees will require the use of a home network.  Special precautions will be required.

A home wireless router’s default password should be updated in addition to using Wi-Fi that is encrypted. 

There are newer types of encryption, such as WPA (Wi-Fi Protected Access) and WPA2, which implement the latest security standards. A password will be required to access these networks.

Virtual Private Networks (VPNs) are of great benefit in the home setting.  A VPN protects your internet connection and privacy online.  It creates an encrypted setting for your information.  It keeps your identity hidden and allows you to use public Wi-Fi hotspots safely.

Employees should be taught to disconnect from the company VPN when their daily work is complete. This can be enforced by measures such as IT-configured timeouts.

Meeting Apps

Meeting apps have become very popular as they allow staff to continue to work with each other.  Some of the apps that are now commonly used are FaceTime, Google Hangouts, Zoom, Skype, Teams, or Facebook Messenger video chat. It is important that providers enable all privacy and encryption modes available on these apps.  

Organizations are required to complete business associate agreements with the organizations that provide these apps. These agreements should be obtained and kept on file.

External Drives

External drives are used increasingly in this setting but will require precautions.  First, use flash drives, hard drives or other materials that have been approved by the company.  These external media devices should be encrypted for best security.

Only print PHI if necessary, and then be sure to keep all forms of PHI safe in a lockable file cabinet or safe.

The home office will be around for a long time, and remote workers will have to adjust to the required safeguards.


In conclusion, the use of reasonable safeguards may be the difference between an Office for Civil Rights finding of a privacy violation and a finding that an incidental disclosure occurred. The latter is secondary to a permissible disclosure, and not a violation. Reasonable safeguards protect PHI and help prevent you from violating patient privacy.
