Incidental Disclosure means ‘a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the HIPAA Rule.’
Here is what the Department of Health and Human Services has to say about incidental disclosure:
Many customary health care communications and practices play an important or even essential role in ensuring that individuals receive prompt and effective health care. Due to the nature of these communications and practices, as well as the various environments in which individuals receive health care or other services from covered entities, the potential exists for an individual’s health information to be disclosed incidentally. For example, a hospital visitor may overhear a provider’s confidential conversation with another provider or a patient, or may glimpse a patient’s information on a sign-in sheet or nursing station whiteboard. The HIPAA Privacy Rule is not intended to impede these customary and essential communications and practices and, thus, does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards. Rather, the Privacy Rule permits certain incidental uses and disclosures of protected health information to occur when the covered entity has in place reasonable safeguards and minimum necessary policies and procedures to protect an individual’s privacy.
Incident disclosures are permitted:
1. If they are a by-product of a permissible or required use or disclosure, and
2. As long as the covered entity [health care provider or health plan] has applied reasonable safeguards; and
3. If they have implemented the minimum necessary standards, with respect to the permitted or required use or disclosure.
See 45 CFR 164.502(a)(1)(iii) and http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/incidentalusesanddisclosures.html