Countdown to HIPAA

Incidental disclosures of health information

By Walter L. Fitzgerald Jr., R.Ph., J.D.

The nature of the healthcare system requires covered entities to routinely communicate with others on patients' protected health information (PHI). But because of this, the potential exists for PHI to be used or disclosed in a way that "is incidental to" or "is a by-product of" a permissible use or disclosure. For example, a pharmacist discussing one patient's treatment with a physician over the telephone is overheard by another patient. The permissible use or disclosure is the pharmacist talking to the physician, and the incidental disclosure is the patient overhearing the conversation.

Fortunately, the Health Insurance Portability & Accountability Act permits such incidental uses and disclosures if two requirements are met. The first of these requirements is that the covered entity must comply with the "minimum necessary rule." This rule requires that a covered entity use, disclose, or request only the minimum PHI necessary to satisfy a particular purpose or to carry out a function. However, a number of exceptions to application of the rule exist:

• disclosures or requests by a healthcare provider for treatment purposes

• disclosures to the individual who is the subject of the PHI

• uses or disclosures made pursuant to an individual's authorization

• uses or disclosures required for compliance with HIPAA Administrative Simplification Rules

• disclosures to HHS required for enforcement purposes

• uses or disclosures required by law

The rule also requires covered entities to examine their practices and then implement policies to limit unnecessary uses, disclosures, and requests for PHI. The policies must reflect the nature of the entity's business practices and workforce. Specifically, the policies must identify persons or classes of persons within the entity who need access to PHI to carry out their job duties, the types of PHI needed, and conditions appropriate to such access. For example, in a community pharmacy the pharmacists and technicians would be identified as persons who need access to PHI to carry out their job duties. But also to be considered are cashiers and other employees.

The second requirement that must be met for an incidental disclosure to be permissible is that the covered entity must implement appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by HIPAA, as well as protect against incidental uses and disclosures. Significantly, it is not expected that an entity's safeguards will guarantee the privacy of PHI from any and all potential risks.

In its Dec. 3, 2002, guidance, the Office for Civil Rights (OCR) describes several practices that are permissible under HIPAA, if reasonable precautions are taken to minimize the chance of incidental disclosures to others who may be nearby. Related to pharmacy, the guidance states "[A] pharmacist may discuss a prescription with a patient over the pharmacy counter, or with a physician or the patient over the phone." But then the guidance provides that "reasonable precautions for such a practice could include lowering voices or talking apart from others when sharing PHI." The guidance further provides that "Pharmacies could ask waiting customers to stand a few feet back from a counter used for patient counseling."

This safeguard should also be considered for other areas of the pharmacy, such as a drive-through window that uses a public address (PA) system to communicate with patients. The privacy official needs to position himself as though in a car behind the car at the window to determine whether communications can be overheard, and, if so, then the volume of the PA should be lowered, or implementation of some other safeguard considered.

As to the suggestion that pharmacies ask patients to step a few feet back from the counter, some pharmacists may feel awkward requesting this of patients, so other ideas could be explored. Think about how other businesses, such as banks, maintain distance when communicating with customers. As an idea, the pharmacy could position a rope barrier a few feet back from the counter, with a sign on top of one or more of the stands holding the rope barrier that states, "Wait here until your name is called."

The OCR Guidance provides an excellent discussion of this issue, and pharmacists are encouraged to refer to it under the "What's New" section of the OCR HIPAA Web site at www.hhs.gov/ocr/hipaa .

The author, a pharmacist-attorney, is a professor of pharmacy at the University of Tennessee College of Pharmacy and author of the NCPA HIPAA Compliance Handbook for Independent Pharmacy. To access the NCPA Web site, go to: www.ncpanet.org .

Walter Fitzgerald. Incidential disclosures of health information.

Drug Topics

Apr. 21, 2003;147:71.