Is a covered entity required to prevent any incidental use or disclosure of protected health information?


No. The HIPAA Privacy Rule does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards. Rather, the Rule requires only that covered entities implement reasonable safeguards to limit incidental uses or disclosures. See 45 CFR 164.530(c)(2).



Date Created: 12/19/2002
Last Updated: 03/14/2006

Content created by Office for Civil Rights (OCR)
Content last reviewed on July 26, 2013