When the original HIPAA Privacy Rule was published in December of 2000, most in health care worried that the restrictions on the use and disclosure of protected health information ("PHI") prohibited many common communications and practices. Some feared, for example, they would not be able to have confidential conversations with patients if there was any possibility at all the conversation could be overheard. Others felt the strict standards in the privacy rule did not make allowances for certain activities and communications that are essential to the care and treatment of patients.

In the preamble to the August 14, 2002, modifications to the Privacy Rule, however, HHS clarified it had not intended to hamper traditional customary and necessary health care communications or practices, and the August 2002 final amendments add a new section to the Privacy Rule that explicitly permits certain “incidental uses and disclosures.”

Incidental uses and disclosures are defined by HHS in the preamble to the modifications as secondary uses or disclosures that: (1) cannot be reasonably prevented; (2) are limited in nature; and (3) occur as a by-product of an otherwise permissible use or disclosure. Examples of incidental disclosures are when a patient or other person happens to see individually identifiable health information of other patients on sign-in sheets in waiting rooms of clinics or physicians' offices, on patient charts at bedside, or on empty prescription vial labels.

Another example would be that a physician’s office may call out a patient’s name in a waiting room, and a pharmacist or clerk may call out a person’s name when his or her prescription is filed and ready so long as the information disclosed is appropriately limited. Also, doctors can confer at a nurse’s station wit,hout fear of being in violation of the rule if overheard by a passerby. And, provided reasonable safeguards and appropriate minimum necessary standards are in place, a pharmacist should be able to confer with a patient in his/her pharmacy without fear of being in violation of the rule.

Incidental uses and disclosures of PHI thus are permissible, but only to the extent that reasonable safeguards are in place to minimize such disclosures, and, where applicable, the minimum necessary standard has been implemented. The modification does not, however, excuse erroneous uses or disclosures or those that result from neglect or carelessness. The concept is that covered entities are required to protect PHI with a minimum standard of care. As long as that standard of care is maintained, then a covered provider will be in compliance even in the event of an incidental disclosure or use of PHI.