6 expert tips help you minimize your disclosure risk.

You're putting a serious cramp in your compliance efforts if you ignore the Health Insurance Portability and Accountability Act's incidental uses and disclosures provision. A covered entity that fails to take appropriate steps to curb and manage any incidental uses and disclosures of protected health information could easily find itself running into a brick wall of irate patients and potential HIPAA violations.

So what is an incidental use or disclosure? "Basically, it's a disclosure of protected health information to somebody who's not supposed to have it, but it's incidental to performing your day-to-day operations," says Margret Amatayakul, president of Schaumburg, IL-based Margret A. Consulting. According to Amatayakul and other experts, one of the most common examples of an incidental disclosure would be one patient overhearing a PHI-laden conversation in an adjoining room between a physician and another patient.

2 requirements: Such incidental disclosures are permitted under HIPAA's final privacy rule, but only if two very important conditions are met, reports attorney Clark Stanton of Davis Wright Tremaine in San Francisco. "First of all, you have to comply with the minimum necessary requirement," he states, which requires entities to have already made reasonable efforts to limit staffers to the minimum amount of PHI they need to perform their jobs. "Secondly, you have to have policies and procedures that seek to minimize incidental disclosures," which includes implementing reasonable safeguards to protect patients' confidential health information from incidental leaks. "You have to meet both of those requirements in order to get a pass under the rule on incidental disclosures. Otherwise, it could constitute a violation," counsels Stanton.
To help your organization minimize incidental uses or disclosures -- and the potential for privacy violations -- here are some compliance tips from several HIPAA experts:

1. Figure Out What "Reasonable" Means To Your Organization.

According to the privacy rule guidance issued by the Department of Health and Human Services' Office for Civil Rights, a covered entity must have in place reasonable administrative, technical, and physical safeguards that will limit incidental uses and disclosures. So when it comes to reining in incidental leaks, the question for many covered entities will be "What constitutes a reasonable safeguard?" As Amatayakul points out, OCR's privacy guidance also specifically states that entities need not implement particular safeguards that would create undue financial or administrative burdens. Therefore, "we don't need to rebuild our offices" only to create private, soundproof rooms, she contends.

Instead: What's deemed "reasonable" is largely going to depend on the individual entity, the type of disclosure, and the context in which the disclosure is made. "For example, it's one thing to call out a patient's name in a waiting room. It's another thing to call out the patient's name on the P.A. system," suggests Matthew Rosenblum, chief operations officer for CPI Directions in New York. According to Gwen Hughes, a consultant with Chicago-based Care Communications, an entity should discuss what kinds of safeguards or practices it deems "reasonable" and then document those decisions. This way, a CE would be able to produce a documented rationalization if any of its safeguards or policies are ever called into question.

2. Raise Your Staff's Awareness.

"What the incidental rule is really all about, I think, is consciousness-raising," declares attorney Jack Rovner of Michael Best & Friedrich in Chicago.
"Everybody in health care ought to think first that if it was their medical information, would they think that was an appropriate use or disclosure or an appropriate way to discuss it," he suggests. Hughes recommends using training time to orient your workforce with your organization's policies concerning incidental uses and disclosures. Trainers could pose various kinds of examples and then have the staff talk them through and decide whether the use or disclosure would be deemed okay or not under the rule, offers Hughes.

3. Keep Your Staff's Awareness Raised.

Just because you've already given your workforce members their one-time privacy training required by HIPAA doesn't mean you've completely catalogued and contained all incidental uses and disclosures in your facility. "You think of a hospital that's got over 300 physicians on its medical staff plus employees, and you can have all the training in the world and you're not going to be able to eliminate incidental disclosures," reports Stanton. It's going to be a constant effort to monitor such disclosures and make sure they don't become privacy violations, he maintains. "What you should be able to establish is that not only has appropriate training been done to sensitize your staff, but also advertising campaigns are done to continually sensitize your staff and remind them" about the potential dangers of incidental PHI disclosures, explains Rovner. What you want to create is an environment that constantly reinforces the appropriate handling of PHI, such that employees will always know better than to go "talking about PHI in an elevator," he states. Employing signs or slogans in and around the facility might help remind workforce members of their responsibilities, suggests Rovner.

Good idea: CEs can also reinforce their staff's awareness by hosting quarterly training sessions designed to tackle the issue of incidental uses and disclosures, suggests Hughes.
Privacy officials can hold regular roundtable discussions with the staff to brainstorm ways to minimize incidental disclosures without greatly upsetting workflow, she advises. Hughes also recommends CEs comb through news reports for real examples of privacy violations or inappropriate disclosures at other facilities. Then, those reports can be brought to department meetings, where it can be determined how such occurrences might be prevented within their own organization.

4. Maintain A Reliable And Comfortable Reporting Mechanism.

Any covered entity eager to keep tabs on its incidental uses and disclosures of PHI should implement -- or already have in place -- a mechanism for staff to identify and report any such incidents. According to Rosenblum, most organizations such as hospitals "are readily engaged in incident reporting systems," such that "inappropriate disclosures of protected health information would lend themselves to exactly that kind of reporting and that hospitals that have already implemented incident reporting systems could easily fold those types of reports into that same system."

What's important for entities to keep in mind is that most unintended disclosures of PHI have "more to do with bad policies or bad training or lack of supervision than it does with some disgruntled employee who releases a whole bunch of information," stresses Rosenblum. Therefore, he says, it's essential that the staff feel comfortable reporting any mistakes or privacy breaches they may make or witness.

Tip: One way to both educate and involve your workforce when it comes to reporting incidental disclosures is to employ "staff discovery tools," such as the kind developed by Amatayakul. These tools -- which instruct staffers to be on the lookout for and record any incidental disclosures they may spot -- can also allow entities to continually monitor the effectiveness of their policies and procedures.

5. Look For Areas Of Improvement.
Incidental disclosures may be permitted under HIPAA, but is your organization constantly thinking of low-cost ways to minimize their occurrences? For example, notes Rosenblum, anyone who visits a hospital unit is sure to see whole banks of electronic monitors labeled with patients' names. "So anyone walking through that area might see heart rates, EKGs and other respiratory monitoring output on virtually every patient that's up there," he asserts. And while the regs might allow for the incidental disclosure of PHI on these machines, Rosenblum contends that simply by repositioning patient monitors out of public view, entities could avoid such disclosures altogether with minimal cost and effort. Similarly, he notes, offices fretting over patient sign-in sheets can employ peel-off signature labels. Once a patient has signed in, the receptionist can peel off the signature label and place it in a separate book away from other patients' eyes. Hughes also suggests hospitals consider the number of surgery schedules printed and distributed. Do you really need to have 25 copies of the schedule? And is all of the information on the schedule necessary for all to see?

Also to consider: Does your organization leave patient charts in open areas, such as at a nursing station or outside the door of a doctor's office? If so, "then maybe you could flip the chart upside down and have it face the wall," advises Hughes. Or simply take the charts off of the top of the counter and put them below in a desk drawer, she counsels. These are all low-cost, easy steps any entity could take to help minimize incidental disclosures, explains Hughes.

6. Don't Let Safeguards Impede Patient Care.

While it's necessary for CEs to employ reasonable safeguards to curtail incidental disclosures, it's also vital that your safeguards don't interfere with the efficient delivery of care, experts warn. "It's not the intent of HIPAA to impede good clinical care," states Rosenblum.
So if nurses have come to depend on the availability of PHI on a whiteboard to provide good clinical care, then some accommodation should be granted, he maintains. However, "it doesn't give the entity the right not to attend to incidental exposures that don't need to occur," because "at that point, it's no longer an incidental occurrence," remarks Rosenblum. "The key is balancing incidental disclosures with the idea that we still have care to provide," cautions Stanton. "You don't want to let it get in the way of providing care, but you have to look at how information is used and how it might be disclosed in an incidental fashion, and find ways to minimize that."