Why This Matters

Every day, protected health information (PHI) is shared in hospitals, clinics, and offices. Not every unintended disclosure is a HIPAA violation — but knowing the difference between what's allowed and what's not protects your patients, your organization, and you.

In this lesson, you'll learn to confidently tell the difference between an incidental disclosure and an impermissible one — and why that difference matters.

The Two Types of Disclosure

HIPAA recognizes that some PHI exposure happens despite doing everything right. Understanding these two categories is the foundation of compliance.

✅ Incidental

A secondary, unintentional disclosure that happens as a byproduct of an otherwise permitted and appropriate use or disclosure of PHI.

🚫 Impermissible

Any use or disclosure of PHI that is not authorized by the Privacy Rule — regardless of whether it was intentional or accidental.

The key question: Was a reasonable safeguard in place, and was the primary action permitted?

3 Factors That Make a Disclosure "Incidental"

For a disclosure to be considered incidental — and not a violation — all three of these must be true:

  1. The primary use/disclosure was permitted

    The underlying action (e.g., discussing a patient's care with a colleague) must itself be allowed under HIPAA.

  2. Reasonable safeguards were in place

    Your organization took appropriate steps to minimize PHI exposure — lowered voices, privacy screens, closed doors, etc.

  3. Minimum necessary standard was applied

    Only the PHI needed for the purpose was used or shared — not extra or unrelated patient information.

Real-World Scenarios

Let's look at how this plays out in the workplace.

Incidental — Permitted

A nurse calls out a patient's name in the waiting room to bring them back. Another patient overhears the name.

✔ Calling patients is a permitted activity. A sign-in sheet or hushed tone may not be practical. The exposure is minimal and unintentional.

Incidental — Permitted

Two physicians discuss a patient's diagnosis in a semi-private area and a passerby overhears part of the conversation.

✔ Care coordination is permitted. If they used reasonable discretion (e.g., stepped away from the crowded hallway), this is incidental — not a violation.

Impermissible — Violation

A staff member posts about a patient's condition on social media "without naming them" but includes enough detail that the person could be identified.

✗ Social media posts about patient cases are never permitted without explicit authorization. There is no reasonable safeguard that makes this acceptable.

Impermissible — Violation

A billing clerk accesses a celebrity patient's records out of curiosity, even though they have no role in that patient's care.

✗ Accessing PHI beyond what's needed for your job violates the minimum necessary standard. Curiosity is never a permitted purpose.

Knowledge Check

Answer all 3 questions. Choose the best answer for each scenario.

Question 1 of 3
A patient's medication list is briefly visible on a shared computer screen when a nurse steps away for 30 seconds. A visitor in the hallway may have seen it.

How should this be classified?

Question 2 of 3
A receptionist emails a patient's full medical history to the wrong doctor — one who is not part of the patient's care team.

Is this incidental or impermissible?

Question 3 of 3
During a team huddle in a semi-private break room, a charge nurse mentions a patient's room number and general status to coordinate care. A housekeeper nearby overhears.

Which best describes this situation?

Great work!

You've completed the HIPAA lesson.

Key Takeaways

  • Incidental disclosures are not violations — as long as the primary action was permitted, safeguards were in place, and the minimum necessary standard was followed.

  • Impermissible disclosures are always violations — even if they were accidental. Unauthorized access, wrong-recipient emails, and social media posts all fall here.

  • Safeguards are your protection — privacy screens, lowered voices, role-based access, and the minimum necessary rule help keep routine disclosures incidental, not impermissible.

  • When in doubt, ask — if you're unsure whether a disclosure is permitted, check with your Privacy Officer before acting.