DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Introduction
This article discusses the HIPAA Minimum Necessary Standard, a rule that applies to covered entities and business associates. In general, the minimum necessary standard requires that an organization and its workforce only use (view or share internally) or disclose (share with those outside of the organization) the minimum amount of PHI necessary to accomplish the purpose of a use or a disclosure.
What Does the Minimum Necessary Standard Require?
The HIPAA Minimum Necessary Standard of the Privacy Rule generally requires HIPAA-covered entities to take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request.
Here is an example of the application of the minimum necessary standard: A covered entity receives a valid request from a billing company to disclose a patient's PHI for the billing company's billing activities. The request asks for specific billing information associated with a specific treatment date. Under the minimum necessary standard, the covered entity may only disclose the amount of PHI to the biller (the "minimum necessary" amount) needed to accomplish the purpose of the disclosure: to respond accurately and completely to the biller's request. The covered entity may not provide the patient's entire billing history, but rather only the specific items of information that are being sought by the biller.
What Does the Minimum Necessary Standard Not Apply To?
The minimum necessary standard does not apply to the following:
- Disclosures to or requests by a health care provider for treatment purposes.
- Disclosures to the individual who is the subject of the information.
- Uses or disclosures made pursuant to an individual’s authorization.
- Uses or disclosures required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules.
- Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the Privacy Rule for enforcement purposes.
- Uses or disclosures that are required by other law.
Please note that the fact that the minimum necessary standard does not apply to the above-listed disclosures does not mean that covered entities can disclose as much information as they wish. Other provisions of HIPAA or other laws may limit the amount of information that can be disclosed.
For example, if an individual requests that specific PHI be sent to them under the HIPAA right of access provision, a provider should not, under that provision, send the entire medical record, but rather only the information that has been requested.
In addition, if an individual provides written authorization to disclose specific PHI to a specific individual, a provider should not disclose more PHI than is needed to accomplish the disclosure.
In addition, a covered entity may never use, disclose or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request.
What Must Covered Entities Do to Comply With the Minimum Necessary Standard?
Policy and Procedure requirements: For uses of protected health information, the covered entity’s policies and procedures must identify the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of protected health information needed, and conditions appropriate to such access. For example, hospitals may implement policies that permit doctors, nurses, or others involved in treatment to have access to the entire medical record, as needed. Case-by-case review of each use is not required. Where the entire medical record is necessary, the covered entity’s policies and procedures must state so explicitly and include a justification.
Routine or Recurring Requests and Disclosures: For routine or recurring requests and disclosures, the policies and procedures may be standard protocols and must limit the protected health information disclosed or requested to that which is the minimum necessary for that particular type of disclosure or request. Individual review of each disclosure or request is not required.
Non-Routine Requests and Disclosures: For non-routine disclosures and requests, covered entities must develop reasonable criteria for determining and limiting the disclosure or request to only the minimum amount of protected health information necessary to accomplish the purpose of the non-routine disclosure or request. Non-routine disclosures and requests must be reviewed on an individual basis in accordance with these criteria and limited accordingly.
Reasonable Reliance: In certain circumstances, the minimum necessary standard permits a covered entity to rely on the judgment of the party requesting the disclosure as to the minimum amount of information that is needed. Such reliance must be reasonable under the particular circumstances of the request. This reliance is permitted when the request is made by:
- A public official or agency who states that the information requested is the minimum necessary for a purpose permitted under 45 CFR 164.512 of the Rule, such as for public health purposes (45 CFR 164.512(b)).
- Another covered entity.
- A professional who is a workforce member or business associate of the covered entity holding the information and who states that the information requested is the minimum necessary for the stated purpose.
- A researcher with appropriate documentation from an Institutional Review Board (IRB) or Privacy Board. (Institutional Review Boards, or IRBs, review research studies to ensure that they comply with applicable regulations, meet commonly accepted ethical standards, follow institutional policies, and adequately protect research participants. IRB reviews help to ensure that research participants are protected from research-related risks and treated ethically, a necessary prerequisite for maintaining the public’s trust in the research enterprise and allowing science to advance for the common good).
The Rule does not require such reliance, however, and the covered entity always retains discretion to make its own minimum necessary determination for disclosures to which the standard applies.