What is the difference between an incidental/accidental disclosure and a breach?
With the approaching breach notification deadline (Before March 1st, all breaches must be reported 60 days after the end of the previous calendar year that the breach occurred), I have receive many calls and emails asking, "is this a breach and do I need to report it?". This is an important topic that needs some clarification.
These disclosures are non-intentional and occur as a by-product of allowed uses and disclosures. They are allowed as long as the minimum necessary standard and reasonable safeguards are applied in the course of your everyday operations. An example would be if a passerby overhears PHI being discussed at a nursing station. These disclosures do not have to be accounted for.
These types of disclosures are distinctly different from incidental disclosures. Accidental disclosures
happen when a mistake is made in disclosing a patient’s PHI. Examples include faxing or mailing PHI to the wrong destination or disclosing PHI to an unauthorized person. If you are aware of an accidental disclosure, you need to log the disclosure on the disclosure log. If the disclosure is potentially harmful or damaging to the patient, you need to notify the patient of the accidental disclosure.
Identifying a Breach of Unsecured PHI
A breach is defined in the HIPAA HITECH Act as:
The unauthorized acquisition, access, use, or disclosure of unsecured protected
health information which compromises the security or privacy of such
information, except where an unauthorized person to whom such information is
disclosed would not reasonably have been able to retain such information. (Note
that de-identified health information, as defined in HIPAA’s Privacy Rule, is not
PHI; therefore no breach notification is required.)
• Any unintentional acquisition, access, or use of protected health information by an
employee or individual acting under the authority of a covered entity if:
• Such acquisition, access, or use was made in good faith and within the course and
scope of the employment or other professional relationship of such employee or
individual, respectively, with the covered entity; and
• Such information is not further acquired, accessed, used, or disclosed by any
• Any inadvertent disclosure from an individual who is otherwise authorized to
access protected health information at a facility operated by a covered entity to
another similarly situated individual at the same facility; and
• Any such information received as a result of such disclosure is not further
acquired, accessed, used, or disclosed without authorization by any person.
I hope the information listed above helps you have a better understanding of the difference between an incidental/accidental disclosure and a breach. Here is another article that could offer some additional information.
If you would like additional information, please feel free to email firstname.lastname@example.org