What is an example of incidental use and disclosure of Protected Health Information (PHI)?

Incidental use and disclosure of Protected Health Information (PHI) refers to situations where PHI is unintentionally disclosed during the course of permitted activities, even though appropriate safeguards have been implemented.

In the scenario with the pharmacist counseling a patient, the passerby overhearing the conversation constitutes an incidental disclosure. While the pharmacist is engaged in a permissible activity—providing necessary information to the patient—the fact that someone outside the conversation can overhear it is an example of an unintended disclosure that can occur in healthcare settings. The HIPAA Privacy Rule rules allow for incidental use and disclosure, as long as reasonable safeguards were in place.

The other scenarios depicted do not fall under incidental use and disclosure. A patient reviewing their medical record privately entails no disclosure at all; it is strictly within the patient's privacy rights. A nurse discussing patient details in a private room suggests a lack of appropriate safeguards, as the discussion should remain within the confines of those permitted to hear it. Similarly, a doctor writing notes in a secure location illustrates an act of protecting PHI rather than disclosing it, which does not align with the concept of incidental disclosure.