Incidental Use and Disclosure of HIPAA Information
When a pharmacy learns of a HIPAA breach, it, and its business associates involved in the breach, are required to report the incident to the government.1
But not all violations are reportable and may not be considered a breach. HIPAA was passed by congress in 1996. Primarily a set of requirements aimed at insurance companies, the third section was to protect against release of confidential patient information. That third section was not completed when the bill was passed. The law gave Congress until August 21, 1999, to pass the section on comprehensive health privacy legislation.
If Congress did not enact such legislation after three years, the law required HHS to craft such protections by regulation. Perhaps not surprisingly, Congress did not meet the self-imposed requirement by 1999, so the job of writing HIPAA regulations fell to HHS.
When the regulations were written and the third section became effective, some problems became apparent. Originally by the strict terms of the regulations, a pharmacist could not hand a prescription to the patient’s next door neighbor who had been asked by the patient to pick it up. The pharmacy could not announce or post on an electronic board, “Baker, your prescription
is ready.” A hospital receptionist could not even tell the floral shop’s delivery person what room a patient was in and whether the patient was in the hospital.2
HHS began to recognize that some disclosures were not only convenient, but also valuable and necessary. HHS moved to solve such problems by making exceptions to the rules and announced:
. . . [The] potential exists for an individual’s health information to be disclosed incidentally. . . HIPAA Privacy . . . does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards. Rather, the Privacy Rule permits certain incidental uses and disclosures of protected health information to occur when the covered entity has in place reasonable safeguards and minimum necessary policies and procedures to protect an individual’s privacy.3