Skip to page content

GUIDANCE (Oct. 2006)


My co-workers say incidental disclosures of protected health information (PHI) are allowed under HIPAA if reasonable safeguards are used to prevent a patient privacy violation, but I don't know what that means.

General privacy principles founded in state law and the HIPAA Privacy Rules are not intended to prohibit the treatment team from talking to each other and/or to their patients.  Of course, others outside the treatment team may be in the general area during these discussions and may overhear information that they do not need to know.  While reasonable precautions should be used to avoid sharing patient information with those not involved in the patient's care, it is possible that minor amounts of patient information may be disclosed to people near where patient care is delivered or being coordinated.  This is referred to as an incidental disclosure.

Privacy principles do not prohibit an incidental disclosure of patient information so long as reasonable safeguards are taken to minimize the disclosure.  What is reasonable depends on the situation.

For example, in an emergency the need to provide quality care may necessitate loud communications.  On the other hand, in a non-emergent situation, discussing a patient's condition in front of other patients, visitors, or family members in a hallway is not appropriate.  The key is balancing the objectives of safeguarding confidentiality while engaging in communications for effective and high quality health care.

Reasonable safeguards include:
Conversations discussing PHI should be conducted in a private area or room, especially when discussions involve highly confidential information (i.e. Mental Illness or Developmental Disability, HIV/AIDS Testing or Treatment, Communicable Diseases, Venereal Disease(s), Substance (i.e. alcohol, drugs) Abuse, Abuse of an Adult with a Disability, Sexual Assault, Child Abuse and Neglect, Genetic Testing, Artificial Insemination, and Domestic Violence).

The following examples illustrate how reasonable safeguards are used to minimize the chance of disclosing patient information to others who may be nearby:
  1. Healthcare staff may orally coordinate services at hospital nursing stations, but should avoid yelling down the hallway or having conversations in areas where patients or visitors/families are standing.

  2. Nurses or other health care professionals may discuss a patient's condition over the phone with the patient, a provider, or a family member, but should speak quietly.

  3. Nurses or other health care professionals may discuss a patient's condition face to face with a patient, a provider, or a family member who is permitted to receive this information, but should do so in a semi-private area so to avoid others from over hearing the conversation.

  4. A physician may discuss a patient's condition or treatment regimen in the patient's semi-private room, but he/she should ask the other patient's visitors/family to leave, pull the curtain, and speak quietly.

  5. A health care professional may discuss test results with a patient or other provider in a joint treatment area, but should speak quietly.

  6. Healthcare professionals may discuss a patient's condition during training rounds, but should speak quietly and avoid having conversations in public areas where patients and families are present.

Consider how you would want your patient information discussed in a hospital, and remember to use reasonable precautions.

Please contact the HIPAA Program Office at 4-9716 if you have any questions.

Back to Guidances

Call 4-9716 for more details.

PDF version