How email combats the risk of incidental exposures of PHI to passersby

A journal article from the CDA Journal notes, "Incidental disclosures are allowable as long as a health care provider has implemented appropriate safeguards and applies the minimum necessary rule."

Incidental exposure refers to the accidental or unintended disclosure of protected health information (PHI) in situations where reasonable safeguards are in place but complete prevention is impracticable. In healthcare environments, email is a routine channel for exchanging PHI, but it also creates opportunities for incidental exposure: screens visible in public or semi-public spaces, on-screen notifications, and message metadata.

HIPAA compliant email systems reduce incidental exposure risk primarily through encryption, access controls, and data loss prevention mechanisms. Transport Layer Security (TLS) encrypts email content during transmission, preventing interception by unauthorized entities and protecting PHI from exposure en route. At rest, emails may be encrypted on servers and devices to secure stored PHI even if physical devices are lost or stolen.

What is an incidental exposure of PHI?

The above-mentioned CDA Journal article also notes that "Incidental uses and disclosures of information occur during a permitted use or disclosure and cannot be reasonably prevented. For example, calling the patient’s name in the waiting room is allowed as long as the purpose of the announcement is not disclosed.”

While the privacy and security regulations under HIPAA require the protection of PHI, incidental exposures can still happen in environments where healthcare services and communications are delivered. 

The HIPAA Privacy Rule acknowledges the inevitability of such exposures but notes the need for covered entities to always have reasonable safeguards in place. Incidental exposure differs from unauthorized disclosure in that it generally occurs as a byproduct of legitimate healthcare activities and reasonable safeguards rather than due to negligence or malicious intent. 

A healthcare provider discussing a patient’s condition within earshot of an unauthorized individual or viewing electronic PHI on a computer screen visible to passersby can constitute incidental exposure. 

These incidents do not necessarily represent breaches requiring formal notification unless the exposure violates the minimum necessary standard or results in harm. The concept is aligned with the practical realities in healthcare settings, where absolute prevention of all incidental disclosures is not always feasible but can and must be minimized through prudent measures.

The risk of incidental exposures 

According to a study published in Healthcare, "The total number of records exposed in these breaches was more than 10 billion (10,376,741,867) [6]. The different types of attacks used to breach the information were Intentional Insider Attacks (INSD)...Unknown Approaches (UNKN), and Unintentional Disclosure (DISC)."

There are many opportunities for incidental exposure of PHI to passersby. These include:

  • Conversations between healthcare providers and patients overheard in waiting areas, hallways, or elevators.
  • Sign-in sheets left unattended on reception desks, where patient names and appointment times are visible.
  • Unattended computer screens displaying patient data, unencrypted fax transmissions, and misdirected paperwork.

Why email metadata matters

Metadata generally includes email headers that show the sender and recipient addresses, timestamps, routing information, and often subject lines, which are frequently not encrypted and therefore more susceptible to unauthorized viewing. According to a Journal of the American Medical Informatics Association study, "Approximately 0.4% of Canadian IP addresses had PHI, as did 0.5% of US IP addresses. There was more disclosure of financial information, at 1.7% of Canadian IP addresses and 4.7% of US IP addresses.”

This makes metadata an easily overlooked channel through which sensitive healthcare data can be unintentionally exposed, particularly in environments where emails are accessed on devices or networks without stringent controls. Such exposure occurs when passersby glimpse screens displaying email metadata, or when metadata is captured or leaked through network monitoring, email logs, or storage systems, posing privacy risks under HIPAA regulations.

Metadata, like subject lines, can inadvertently disclose health conditions or treatments. A subject line indicating HIV test results or psychiatric consultation can reveal highly sensitive PHI even if the detailed content is not visible or accessible. Routing information included in metadata may reveal the pattern and frequency of communication between patients and providers, indirectly exposing patient care details. 

Because metadata frequently remains unencrypted during transit and at rest in conventional email systems, it creates vulnerabilities exploitable by malicious actors or susceptible to incidental leaks to unauthorized individuals physically near devices used for healthcare communications.
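The two points above, that header fields stay readable whatever happens to the body and that a subject line alone can reveal a condition or treatment, can be seen directly in code. The following is an added example, not Paubox's software or code from the cited studies: it parses a constructed message whose body stands in for S/MIME or PGP ciphertext, lists the headers that remain in the clear, and applies a small data loss prevention style check that rewrites a subject line carrying sensitive terms before the message leaves the sender's environment. The term list, the neutral replacement subject and the sample addresses are all assumptions made for illustration.

```python
"""Added example for this article (not Paubox's code): shows which email
metadata stays readable even when the body is encrypted, and a small
DLP-style check that catches subject lines likely to carry PHI before the
message leaves the sender's environment. Everything here is constructed."""
import re
from email import message_from_string

# Neutral replacement subject; wording is a placeholder, not a Paubox setting.
NEUTRAL_SUBJECT = "Secure message from your care team"

# Toy term list for illustration only. A real DLP policy would use maintained
# dictionaries (diagnoses, procedures, medications, identifiers), not six terms.
SENSITIVE_TERMS = [
    r"\bHIV\b",
    r"\bpsychiatric\b",
    r"\bdiagnos\w*",
    r"\btest results?\b",
    r"\bprescription\b",
    r"\bMRN\b",
]
_SENSITIVE_RE = re.compile("|".join(SENSITIVE_TERMS), re.IGNORECASE)

# Constructed sample: the headers are plaintext, the body stands in for
# S/MIME or PGP ciphertext (a base64 placeholder string, not real PHI).
SAMPLE_MESSAGE = """\
Received: from mail.clinic.example (mail.clinic.example [192.0.2.10])
From: Dr. Example <clinician@clinic.example>
To: patient@example.net
Date: Mon, 03 Jun 2024 09:15:00 -0400
Subject: Your HIV test results and psychiatric consultation follow-up
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64

T3BhcXVlIGNpcGhlcnRleHQgcGxhY2Vob2xkZXI=
"""


def visible_metadata(raw):
    """Return the header fields a relay, a mail log or a nearby screen can
    read regardless of whether the body is encrypted."""
    msg = message_from_string(raw)
    fields = ("From", "To", "Date", "Subject", "Received")
    return {name: msg[name] for name in fields if msg[name] is not None}


def subject_risk_terms(subject):
    """Return the sensitive terms found in a subject line, in the order found."""
    return [m.group(0) for m in _SENSITIVE_RE.finditer(subject or "")]


def sanitize_subject(raw):
    """Rewrite the Subject header with neutral wording if it carries
    sensitive terms. Returns (message_text, was_rewritten).

    The body is left untouched: it is opaque ciphertext here, and the point
    is that the header alone was leaking the nature of the visit."""
    msg = message_from_string(raw)
    if not subject_risk_terms(msg["Subject"]):
        return raw, False
    msg.replace_header("Subject", NEUTRAL_SUBJECT)
    return msg.as_string(), True


if __name__ == "__main__":
    before = visible_metadata(SAMPLE_MESSAGE)
    print("Readable by every relay and log, before any body decryption:")
    for name, value in before.items():
        print(f"  {name}: {value}")
    print("Flagged terms:", subject_risk_terms(before["Subject"]))
    cleaned, changed = sanitize_subject(SAMPLE_MESSAGE)
    print("Subject rewritten:", changed)
    print("Subject after:", visible_metadata(cleaned)["Subject"])
```

Run as a script, the output lists From, To, Date, Subject and Received in plaintext even though the body is unreadable, flags "HIV", "test results" and "psychiatric", and replaces the subject with the neutral wording. The From, To and Received fields still leave the sender and recipient addresses and the routing path visible, which is the pattern-of-communication leak the article describes; a subject-line check reduces what a passerby or log reader learns but does not remove that residual metadata.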

HIPAA compliant email: The solution

HIPAA compliant email solutions like Paubox ensure email content is encrypted from the moment it leaves the sender’s device until it is decrypted only by the intended recipient. As a result, even if the email is intercepted during transmission or accessed on a device by someone not authorized, the PHI remains unreadable and protected. 

Conventional email systems lack this level of encryption, which leaves message content and attachments vulnerable to being viewed by unauthorized persons, especially in semi-public or shared environments.

A paper by AFMC HIPAA Watch states, "staff must participate in regular training sessions to keep abreast of privacy and security concerns. Ongoing education reduces the risk of unintentional disclosures in discussing privacy issues or leaving documents in common areas, while emphasizing the importance of observing and reporting suspicious events." Training programs reinforce staff awareness to avoid practices that increase incidental exposure, such as reading PHI aloud in public areas or failing to lock screens when away.

FAQs

What is an incidental disclosure of PHI?

An incidental disclosure occurs when patient information is unintentionally shared during a permissible activity under HIPAA. 

Is every unintentional disclosure a HIPAA violation?

No, but not every unintentional disclosure qualifies as an incidental disclosure. Breaches due to mistakes, oversights, or lack of awareness are still violations.

What are 'reasonable safeguards' in relation to incidental disclosures?

Reasonable safeguards are proactive steps that covered entities can take to minimize the occurrence of incidental disclosures and protect client privacy. 
