Tuesday, March 8, 2016

Share Your Opinion - Is This a HIPAA Breach or Merely an Accidental or Incidental Disclosure?

Emails Exposed BJC HealthCare Patients’ Data

What is the difference between an Incidental and an Accidental disclosure of protected health information (PHI) or a HIPAA Data Breach? Can you give examples of each? How do you handle each in your practice for an accounting of disclosures as required in the HIPAA privacy rule regulations?

The difference between an "incidental" and an "accidental" disclosure of PHI is the difference between complying with the privacy rule and violating it.
In a recent story, BJC HealthCare, a not-for-profit health system based in St. Louis, MO, has started notifying 2,393 of its patients that some of their protected health information has been exposed as a result of an email error that occurred on December 30, 2015.

An email containing sensitive data covered by HIPAA was sent to another medical group. While HIPAA permits the sharing of healthcare data for certain healthcare operations, the Security Rule requires any shared data to be protected in transit.

If ePHI is to be shared electronically with another covered entity or business associate, it must be adequately protected to prevent unauthorized access and to protect the integrity of those data. Controls to protect the integrity of ePHI are addressable specifications under 45 CFR § 164.312(e).

In this case, the data were not encrypted to the standards required by the Security Rule, and consequently the data could potentially have been intercepted in transit.

HIPAA requires covered entities to notify individuals when their PHI has been exposed or viewed by a third party to allow them to take precautions to protect their identities and reduce the risk of loss or harm.

Patients have been advised by mail that their name, date of birth, gender, and Medicare Beneficiary information were included in the email, although Social Security numbers were not exposed, and no financial or medical data were contained in the email. Patients affected by the email error were part of the healthcare provider’s accountable care organization.

An investigation into the incident showed that the email was received by the intended recipient and no other individual appeared to have gained access to any patient data, although the possibility cannot be ruled out. Out of an abundance of caution, all affected individuals have been offered complimentary credit monitoring services for a period of one year.

In order to prevent similar errors from occurring in the future, BJC HealthCare will be conducting further staff training to ensure that staff members are aware of the protocols that must be followed when transmitting data covered by HIPAA.


So with all information considered, would you say this incident is a Data Breach, an Accidental disclosure or an Incidental disclosure? Please post a comment with your feedback.

Additional Information:

Certain "incidental" disclosures are a permitted use of PHI and, therefore, are not a violation of the regulations. (See Section 164.502(a)(1)(iii).) On the other hand, an "accidental" disclosure is not permitted under the regulations and would subject the organization to penalties for the violation. (See Section 164.502(a)(1) and (2) of the regulations.) The HIPAA statute would limit the penalties for an accidental disclosure to civil penalties alone.

An "incidental" use and disclosure occurs as a by-product of another permissible or required use or disclosure under the privacy rule. It is a limited disclosure that cannot reasonably be prevented. Examples of "incidental" disclosures include a hospital visitor overhearing a provider's confidential conversation with another provider or a patient, or a visitor catching a glimpse of a patient's information on a sign-in sheet or nursing station whiteboard.

An incidental use or disclosure may result from any use or disclosure permitted under the privacy rule. It is not limited to treatment communications or to communications among healthcare providers or other medical staff. An incidental use or disclosure may occur, for example, when a provider talks with an administrative staff member about billing a patient for a particular procedure and is overheard by one or more persons in the waiting room.

An incidental use or disclosure is not a violation of the HIPAA medical privacy regulation provided the covered entity has applied reasonable safeguards (see Section 164.530(c) of the regulation) and implemented the minimum necessary standard (see Sections 164.502(b) and 164.514(d) of the regulation), where applicable, with respect to the underlying use or disclosure. (See Section 164.502(a)(1)(iii) of the regulation.) If the underlying use or disclosure violates the privacy rule, however, the incidental use or disclosure would be a violation of the rule.

Incidental disclosures do not have to be included in the accounting of disclosures provided at the patient's request. (See Section 164.528(a)(1)(iii) of the regulation.)

Source(s): www.hipaajournal.com, www.medscape.com, www.law.cornell.edu, hhs.gov



  1. Definitely a HIPAA breach in that the information was not properly encrypted to ensure it was not able to be read during transport.

  2. LifeVoxel.AI has developed an Interactive Streaming and AI Platform for medical imaging using GPU clusters cloud computing. It is a leap in cloud technology platform in medical imaging that encompasses use cases in visualization, AI, image management and workflow. Its approach is so unique that it has been granted 12 International patents.

    Interactive Streaming AI Platform RIS PACS

  3. Violating HIPAA standards can result in heavy fines, based on the level of negligence.
    Contact RSI Security for HIPAA Compliance and avoid heavy fines and damage to business reputation.
    RSI Security helps you meet HIPAA compliance requirements.

  4. LifeVoxel.AI platform helps imaging diagnostic centers and hospitals to save up to 50%+ over conventional RIS PACS with higher functionality. LifeVoxel.AI is the fastest RIS PACS available globally and has unimaginable capabilities of centralized PACS across all your network of Imaging Centers to a single window HUB.

    RIS PACS software

  5. Perfect Data Entry is one of the world's leading outsourcing companies. It's prepared to deal with the entirety of your organization's backend needs. No activity is excessively little or enormous for us. Visit the Perfect Data Entry official site to know more about HIPAA data entry.

  6. I was wondering what you guys think about possible upcoming data solutions to accidental HIPAA violations? I’ve come across a few data companies that are actively involved in trying to make the best data security solutions to keep HIPAA compliant. Some of the most interesting at the moment have been infoVia, DataRebels, and Data Vault. It’s a bit over my head to explain, but it seems there’s a growing movement to both ‘free up’ a company’s data, like the way they share it throughout the organization, while protecting it very closely. It’s been a really interesting conversation going on, one I think businesses like hospitals and insurance groups need to have. One of the most helpful breakdowns of these I could find is infoVia’s, which I wanted to share and have your thoughts on. Do you guys think it’s got some legs to it? https://info-via.com/infosecur/

  7. Here is the link I meant to hyperlink.