When and how is a covered entity required to limit the use and disclosure of, and requests for, protected health information (PHI) to the minimum necessary?
According to the U.S. Department of Health and Human Services (HHS), the Privacy Rule requires covered entities to “implement policies and procedures to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose. The minimum necessary standard does not apply to the following:
- Disclosures to or requests by a health care provider for treatment purposes.
- Disclosures to the individual who is the subject of the information.
- Uses or disclosures made pursuant to an individual’s authorization.
- Uses or disclosures required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules.
- Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the Privacy Rule for enforcement purposes.
- Uses or disclosures that are required by other law.”1
What your minimum necessary policies and procedures should include:
Uses. Identify who requires access to PHI, the type or category of PHI to which each person or class of persons needs access, and the appropriate conditions under which that PHI may be accessed.
Routine/Recurring Disclosures and Requests. Describe the standard procedures to use in order to limit disclosed or requested PHI to the minimum necessary for a specific type of disclosure or request. With standard procedures in place, a minimum necessary review of each request or disclosure is not required.
Non-routine Disclosures/Requests. Establish criteria for determining and limiting the PHI requested or disclosed to the minimum necessary for a non-routine request or disclosure. Each non-routine request and disclosure must be reviewed in accordance with the established criteria.
Good to Know
Reasonable Reliance. In certain situations, a covered entity may rely on the judgment of the party requesting the disclosure of PHI that the information requested is the minimum amount required for the stated purpose. This reasonable reliance is permitted when the requester is one of the following:
- A public official or agency making a request permitted by the Privacy Rule and who states that the information requested is the minimum necessary;
- Another covered entity;
- A covered entity’s employee or business associate who states that the information requested is the minimum necessary for the stated purpose; or,
- A researcher with appropriate documentation from an Institutional Review Board (IRB) or Privacy Board.
A covered entity is not required to rely on a requester’s judgment of the minimum amount required and may, therefore, make its own determination of what is the minimum necessary.1
Using, disclosing, or requesting an entire medical record. The minimum necessary standard does not apply to the use, disclosure, or request for an entire medical record by a health care provider for treatment purposes or when the disclosure is to the individual who is the subject of the protected health information. A case-by-case justification for the use, disclosure, or request of an entire medical record for other than treatment purposes is not required so long as it is documented in the covered entity’s policies and procedures that the entire medical record is the reasonable amount necessary for a specified purpose.2
Business Associates and the Minimum Necessary Standard. A business associate contract must limit a business associate’s uses, disclosures, and requests for protected health information to the minimum necessary to accomplish the intended purpose as defined in the covered entity’s minimum necessary policies and procedures. A business associate contract may not authorize a business associate to use or further disclose protected health information in a way that the covered entity would not be permitted to do under the HIPAA Privacy Rule.3
Minimum necessary requirements for disclosures to Federal or State agencies. Disclosures to Federal and State agencies require an authorization from the individual. The authorization will indicate what protected health information may be disclosed. Information disclosed pursuant to an authorization is exempt from the HIPAA Privacy Rule’s minimum necessary requirements.4
Establishing what is reasonable. Each covered entity has its own unique circumstances to address when determining what PHI is reasonably necessary for a specific purpose. Covered entities should assess their organization’s practices and their workforce and then implement policies and procedures to limit unnecessary or inappropriate access to PHI accordingly. Covered entities are expected to enhance protections without sacrificing the quality of health care provided.5 What is considered reasonable will be largely dependent on the size of the organization. Smaller entities may find that simply providing appropriate training to their employees will be sufficient, while others may need to provide more security, reconfigure their record systems to limit access to specific fields, or make physical adjustments to their facility to minimize access.6
Authorizations. When an individual submits an authorization for the use or disclosure of their protected health information, the minimum necessary requirements do not apply. As long as the authorization meets the requirements under the HIPAA Privacy Rule, a covered entity is permitted to use or disclose protected health information pursuant to an authorization without making a minimum necessary determination.7 An external Institutional Review Board’s or a Privacy Board’s waiver of authorization may also be accepted by a covered entity without making a minimum necessary determination. The covered entity can reasonably rely on a researcher’s documentation that the information requested is the minimum necessary for the research purpose.8
Minimum Necessary Standard vs. HIPAA Transaction Standards. Uses and disclosures required for compliance with the transactions standards are exempt from the minimum necessary standard. However, optional data elements are required to meet the minimum necessary standard. HHS provides the following example:
The transactions standard adopted for the outpatient pharmacy sector is an example of a standard that uses optional data elements. The health plan, or payer, currently specifies which of the optional data elements are needed for payment of its particular pharmacy claims. The health plan or its business associates must apply the minimum necessary standard when requesting this information. In this example, a pharmacist may reasonably rely on the health plan’s request for information as the minimum necessary for the intended disclosure. For example, as part of a routine protocol, the name of the individual may be requested by the payer as the minimum necessary to validate the identity of the claimant or for drug interaction or other patient safety reasons.9
Relevant Health Insurance Portability and Accountability Act of 1996 Standards and Implementation Specifications:
§ 164.502(b) – Uses and disclosures of protected health information: general rules (Minimum Necessary)
§ 164.504(e)(2) – Uses and disclosures: Organizational requirements (Business Associate Contracts)
§ 164.514(d) – Other requirements relating to uses and disclosures of protected health information (Minimum Necessary Requirements)
U.S. Department of Health and Human Services Resources:
1. “Minimum Necessary Requirement,” hhs.gov, last modified April 4, 2003, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.html.
2. “Does the HIPAA Privacy Rule strictly prohibit the use, disclosure, or request of an entire medical record? If not, are case-by-case justifications required each time the entire medical record is disclosed?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/minimum_necessary/213.html.
3. “Are business associates required to restrict their uses and disclosures to the minimum necessary? May a covered entity reasonably rely on a request from a covered entity’s business associate as the minimum necessary?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/minimum_necessary/252.html.
4. “Are providers required to make a minimum necessary determination to disclose to Federal or State agencies, such as the Social Security Administration (SSA) or its affiliated agencies, for individuals’ applications for Federal or State benefits?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/minimum_necessary/211.html.
5. “How are covered entities expected to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/minimum_necessary/207.html.
6. “In limiting access, are covered entities required to completely restructure existing workflow systems, including redesigning office space and upgrading computer systems, in order to comply with the HIPAA Privacy Rule’s minimum necessary requirements?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/minimum_necessary/215.html.
7. “Must the HIPAA Privacy Rule’s minimum necessary standard be applied to uses or disclosures that are authorized by an individual?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/minimum_necessary/210.html.
8. “May a covered entity accept documentation of an external Institutional Review Board’s (IRB) waiver of authorization for purposes of reasonably relying on the request as the minimum necessary?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/research_disclosures/217.html.
9. “Doesn’t the HIPAA Privacy Rule minimum necessary standard conflict with the HIPAA transaction standards?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/smaller_providers_and_businesses/212.html.