Practice Management Alert

READER QUESTIONS:

Are You Required to Report Both Wrongful and Incidental Disclosures?

Question: What is the difference between a wrongful and an incidental disclosure of protected health information (PHI)? Also, do we have to report both types of violations when compiling an accounting of disclosures?


Minnesota Subscriber


Answer: An incidental disclosure is when PHI is shared inadvertently with unauthorized users during the performance of day-to-day operations in your medical office.

For example, a patient in exam room A hears a doctor talking to another patient in exam room B. This is an incidental disclosure.

A wrongful disclosure is when you share PHI with unauthorized users outside of the office's day-to-day operations.

For example, a biller overhears another staffer disclosing her password and log-in information for the office computer system. The biller then uses the overheard password and log-in to access the practice's medical records.

This is an example of wrongful disclosure of PHI.

Remember: Your office must note all of its wrongful disclosures, which are vital when compiling an accounting of disclosures for auditors. You are not required to list incidental disclosures of PHI.