What is an Inadvertent Disclosure under HIPAA?
An inadvertent disclosure is an event in which a health professional unintentionally reveals protected health information (PHI) to an unauthorized person. Generally, if PHI is disclosed to unauthorized personnel, a breach of PHI is presumed to have occurred. Depending on the size of the unauthorized disclosure, HHS and the affected individuals may have to be notified. If the disclosed PHI is actually accessed or viewed, the patient is put at risk because the data can be misused or passed on to other entities or personnel. For example, if the compromised data is very sensitive, it can be used against the patient to harm them. Some examples of situations that may result in inadvertent disclosures:
- Fax or mail is sent to a member of the staff in error.
- USB flash drive containing PHI is lost or stolen.
- Third-party tracking and other applications reporting individually identifiable information.
- Disclosing PHI of the wrong patient to authorized personnel.
- Releasing the wrong document that has not been approved for release.
- Login credentials are shared.
- Posts on social media discuss a patient’s PHI.
HIPAA’s Breach Notification Rule requires covered entities to notify patients when their unsecured PHI is impermissibly used or disclosed or “breached” in a way that compromises the privacy and security of the PHI.[1] An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity demonstrates that there is a “low probability” that the PHI has been compromised. The American Medical Association (AMA) prompts physicians to use this four-factor test to assess the severity of the improper use or disclosure of PHI:[2]
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of reidentification.
- The unauthorized person (or people) who used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk to the PHI has been mitigated.
Covered entities are under no obligation to perform the entire four-factor risk assessment if the PHI is obviously compromised. Covered entities may always begin the breach notification process without conducting a formal risk assessment. Once a covered entity knows, or by reasonable diligence should have known (referred to as the “date of discovery”), that a breach of PHI has occurred, the entity has an obligation to notify the relevant parties (individuals, HHS and/or the media) “without unreasonable delay” and no later than 60 calendar days following the date of discovery, even if upon discovery the entity was unsure whether PHI had been compromised.
In general, entities can improve HIPAA compliance by providing annual training, sending compliance reminders to medical staff, setting stricter workplace guidelines, providing a more secure method of communication, and staying up to date with HIPAA regulations.
[1] HHS.gov, 2023, “Breach Notification Rule”
[2] AMA, 2023, “HIPAA Breach Notification Rule”