The verbiage in the rules about this is cryptic but does help explain the concept. The rules state “Incident to a use or disclosure otherwise permitted or required by this subpart” which is a fancy way of saying a use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule. There is a lot of confusion around this rule that has led people to believe that, for example,you can’t have a sign in sheet with individuals names on it or you can’t use a persons name to call them out of a waiting room. These are examples of an incidental disclosure allowed by the privacy rule. The HIPAA Privacy Rule is not intended to impede essential communications practices and, thus, does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards. Covered entities should take steps to minimize these types of disclosures to the minimum necessary for the intended function of the communication. So, for example, a sign-in sheet that listed the medical procedure that is the reason for a visit is a disclosure inconsistent with the minimum necessary principle and should not usually be allowed.