Question: What is the difference between a wrongful and an incidental disclosure of protected health information (PHI)? Also, do we have to report both types of violations when compiling an accounting of disclosures?
Minnesota Subscriber
Answer: An incidental disclosure is when PHI is shared inadvertently with unauthorized users during the performance of day-to-day operations in your medical office.
For example, a patient in exam room A hears a doctor talking to another patient in exam room B. This is an incidental disclosure.
A wrongful disclosure is when you share PHI with unauthorized users outside of the office's day-to-day operations.
For example, a biller overhears another staffer disclosing her password and log-in information for the office computer system. The biller then uses that password and log-in to access the practice's medical records.
This is an example of wrongful disclosure of PHI.
Remember: Your office must note all of its wrongful disclosures, which are vital when compiling an accounting of disclosures for auditors. You are not required to list incidental disclosures of PHI.