Incidental Disclosure vs. Privacy Violation: Train Your Staff

In a recent Kentucky court case, a hospital fired a nurse for an alleged HIPAA privacy violation. The nurse had been helping a technician and a physician prepare for a medical procedure and told them to wear gloves because the patient had Hepatitis C. After the patient filed a complaint, the hospital concluded that the nurse had violated HIPAA and fired her. What did she do wrong? The case illustrates the fine line between an incidental disclosure and a privacy violation.

What are Incidental Disclosures?

Let’s say a patient checks in at the front desk. Even though there is a partition, the patient overhears a name and date of birth as the clerk talks quietly on the phone. This is an incidental disclosure, not a HIPAA violation, because reasonable safeguards were in place: the partition and the clerk’s lowered voice. The Privacy Rule permits incidental disclosures that occur as a by-product of an otherwise permitted use or disclosure, provided reasonable safeguards and the minimum necessary standard were applied.

In the Kentucky case, the nurse sued the hospital over her firing, claiming that the disclosure was incidental. But did she reasonably safeguard the patient’s privacy? She did not lower her voice or take any other protective measure, even though others were present, so the disclosure was not incidental.

Healthcare staff must also apply the minimum necessary standard: use or disclose only the amount of protected health information needed to accomplish the task at hand.

In this case, the nurse did not need to tell the technician or physician to wear gloves, and she certainly did not need to name the patient’s condition. Because she neither took reasonable safeguards nor applied the minimum necessary standard, her disclosure was not incidental; it violated HIPAA’s Privacy Rule.

How Do I Avoid a Privacy Violation?

Train your staff. Staff members should be able to protect patient privacy while carrying out their work, and they should be able to recognize the difference between an incidental disclosure and a privacy violation. Well-trained staff protect patient privacy and also protect your organization from complaints and litigation.

HIPAAtrek software helps you manage staff training and leaves an auditable trail of compliance. Request a demo or contact us to learn how you can simplify your HIPAA compliance program.
