What is the HIPAA Minimum Necessary Standard?

Modified on Mon, 18 Sep, 2023 at 11:03 AM

The HIPAA Privacy Rule generally requires that covered entities, when using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, make reasonable efforts to limit protected health information (PHI) used and disclosed to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. The “make reasonable efforts to limit PHI to the minimum necessary” rule is referred to as the HIPAA minimum necessary standard.

What are the Exceptions to the HIPAA Minimum Necessary Standard?

The minimum necessary standard does not apply to these specific uses or disclosures:

1. Disclosures to or requests by a health care provider for treatment purposes.

2. Disclosures to the individual who is the subject of the information.

3. Uses or disclosures made pursuant to an individual’s authorization.

4. Uses or disclosures required for compliance with the HIPAA rules.

5. Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the HIPAA Privacy Rule for enforcement purposes.

6. Uses or disclosures that are required by other laws.
How Does a Covered Entity Determine When the Minimum Necessary Standard Applies?

A covered entity must develop and implement minimum necessary standard policies and procedures that are appropriate for its own organization, reflecting the entity’s business practices and workforce.

These policies and procedures must identify:

1. The persons or classes of persons within the covered entity who need access to the information to carry out their job duties;

2. The categories or types of protected health information needed; and

3. Conditions appropriate to such access.
Can the Entire Medical Record be Necessary?
Yes. Where the entire medical record is necessary, the covered entity’s policies and procedures must state so explicitly and include a justification.

How Can the Policies and Procedures Address Routine And Recurring Requests and Disclosures?
For routine or recurring requests and disclosures, the policies and procedures may consist of standard protocols. Such protocols must limit the protected health information disclosed or requested to that which is the minimum necessary for that particular type of disclosure or request. Once this limitation has been implemented, individual review of each disclosure or request would not be required.

How Can Policies and Procedures Address Non-Routine Disclosures and Requests?
For non-routine disclosures and requests, covered entities must develop reasonable criteria for determining and limiting the disclosure or request to only the minimum amount of protected health information necessary to accomplish the purpose of a non-routine disclosure or request. Non-routine disclosures and requests must be reviewed on an individual basis in accordance with these criteria and limited accordingly.

Can a Covered Entity Rely on the Judgment of the Party Requesting the Disclosure, to Determine What is the Minimum Necessary Amount of Information?

Yes, in some instances. In certain circumstances, the Privacy Rule permits a covered entity to rely on the judgment of the party requesting the disclosure as to the minimum amount of information that is needed. Such reliance must be reasonable under the particular circumstances of the request.

This reliance is permitted when the request is made by:

1. A public official or agency who states that the information requested is the minimum necessary for a purpose permitted under 45 CFR 164.512 of the Privacy Rule, such as for public health purposes (45 CFR 164.512(b)).

2. Another covered entity.

3. A professional who is a workforce member or business associate of the covered entity holding the information, and who states that the information requested is the minimum necessary for the stated purpose.

4. A researcher with appropriate documentation from an Institutional Review Board (IRB) or Privacy Board.

The Privacy Rule does not require such reliance, however, and the covered entity always retains discretion to make its own minimum necessary determination for disclosures to which the standard applies.

Are Business Associates Required To Restrict their Uses and Disclosures to the Minimum Necessary?
A covered entity’s contract with a business associate may not authorize the business associate to use or further disclose PHI in a manner that would violate the HIPAA Privacy Rule if done by the covered entity. See 45 CFR 164.504(e)(2)(i). Therefore, a business associate contract must limit the business associate’s uses and disclosures of, as well as requests for, protected health information to be consistent with the covered entity’s minimum necessary policies and procedures.

May a Covered Entity Reasonably Rely on a Request from a Covered Entity's Business Associate as the Minimum Necessary?
Given that a business associate contract must limit a business associate’s requests for protected health information on behalf of a covered entity to what is reasonably necessary to accomplish the intended purpose, a covered entity is permitted to reasonably rely on such requests from a business associate of another covered entity as the minimum necessary.
