The HIPAA Minimum Necessary Standard
Under the HIPAA minimum necessary standard, a covered entity must make reasonable efforts to limit its uses and disclosures of protected health information (PHI), and its requests for PHI, to the minimum amount of information necessary to accomplish the intended purpose of that use, disclosure, or request, as required by the HIPAA Privacy Rule.
When Does the HIPAA Minimum Necessary Standard Apply?
The HIPAA minimum necessary standard applies to uses and disclosures of PHI that are permitted under the HIPAA Privacy Rule. It also applies to access to electronic protected health information (ePHI) by a covered entity's workforce, and to disclosures by covered entities to business associates and to other covered entities.
In addition, the HIPAA Minimum Necessary Standard applies to requests for PHI from other covered entities.
While the terms “reasonable efforts” and “minimum amount of information necessary” are not defined in HIPAA or its regulations, the Department of Health and Human Services (HHS), the federal agency that enforces the HIPAA regulations, provides guidance on this topic.
Under that guidance, a covered entity implementing the HIPAA minimum necessary standard should evaluate its practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of PHI. It should also develop “use and disclosure” policies and procedures that are appropriate for the organization and that reflect the entity’s business practices and workforce.
The covered entity’s HIPAA Minimum Necessary Standard policies and procedures should identify:
- The persons or classes of persons within the covered entity who need access to the information to carry out their job duties,
- The categories or types of protected health information needed, and
- Conditions appropriate to such access (that is, any condition appropriate for workforce members’ access to or use or disclosure of PHI).
How Do I Implement the HIPAA Minimum Necessary Standard?
Covered entities can take the following actions to implement the HIPAA minimum necessary standard:
- Document every information system that contains PHI or ePHI. The documentation belongs in the use and disclosure policies and procedures.
- Identify which categories of PHI or ePHI each information system contains.
- Determine which types of information each role or set of responsibilities needs to access, and tailor the use and disclosure policy or procedure to reflect that determination.
- Develop role-based permissions (“classes of persons” permissions) that limit access to particular types of PHI, so that only individuals who need a given category of PHI for their job duties can access it.
- Develop a mechanism for enforcing the use and disclosure policy.
- For example, an entity may include a “sanctions” section in its use and disclosure policy. A sanctions policy sets out the consequences for violating the minimum necessary standard.
- Train all employees on which PHI they can and cannot access.
- Maintain logs of PHI access and of attempts to access PHI. The HIPAA Security Rule’s audit controls standard requires mechanisms that record and examine activity in systems containing ePHI; such records are commonly called audit logs.
- Set up alert notifications so that the HIPAA Privacy Officer or Security Officer is notified of any unauthorized attempt by a workforce member to access PHI.
- Before entering into a business associate agreement, determine whether the business associate’s (BA’s) access to a system, or to part of a system, should be restricted.
- Document all training, and document any actions taken in response to cases of unauthorized access.
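The role-based permissions, audit logging, and alerting steps above are easiest to see as one enforcement point that every PHI read passes through. The following is an added example written for this page, not code from Compliancy Group or from any HIPAA guidance. The role names, PHI categories, the in-memory patient record, and the in-memory alert list are all constructed assumptions for the demonstration; a real deployment would load the role-to-category mapping from the entity’s use and disclosure procedures and route alerts to the Privacy or Security Officer’s notification channel.

```python
"""Role-based "minimum necessary" enforcement with audit logging and alerting.

Added example. Roles, PHI categories, records and the alert sink are
assumptions constructed for illustration, not from the original page.
"""
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, FrozenSet, Iterable, List


class PHICategory(str, Enum):
    """Categories of PHI the (assumed) information system holds."""
    DEMOGRAPHICS = "demographics"
    DIAGNOSES = "diagnoses"
    MEDICATIONS = "medications"
    BILLING = "billing"
    PSYCHOTHERAPY_NOTES = "psychotherapy_notes"


# "Classes of persons" -> the categories they need for their job duties.
# These mappings are assumptions for the demo, not a recommended policy.
ROLE_POLICY: Dict[str, FrozenSet[PHICategory]] = {
    "attending_physician": frozenset(
        {PHICategory.DEMOGRAPHICS, PHICategory.DIAGNOSES, PHICategory.MEDICATIONS}),
    "pharmacist": frozenset({PHICategory.DEMOGRAPHICS, PHICategory.MEDICATIONS}),
    "billing_clerk": frozenset({PHICategory.DEMOGRAPHICS, PHICategory.BILLING}),
}

# Constructed sample record; every value is a placeholder, not real data.
PATIENT_RECORDS: Dict[str, Dict[PHICategory, object]] = {
    "P-001": {
        PHICategory.DEMOGRAPHICS: {"name": "Example Patient", "dob": "1970-01-01"},
        PHICategory.DIAGNOSES: ["E11.9"],
        PHICategory.MEDICATIONS: ["metformin 500 mg"],
        PHICategory.BILLING: {"balance_due": 120.00},
        PHICategory.PSYCHOTHERAPY_NOTES: "placeholder note",
    }
}


@dataclass
class AuditEvent:
    """One audit-log entry. Every attempt is recorded, granted or not."""
    timestamp: str
    user: str
    role: str
    patient_id: str
    purpose: str
    requested: List[str]
    granted: List[str]
    denied: List[str]


@dataclass
class AccessGateway:
    """Single choke point through which all PHI reads pass."""
    policy: Dict[str, FrozenSet[PHICategory]]
    records: Dict[str, Dict[PHICategory, object]]
    audit_log: List[AuditEvent] = field(default_factory=list)
    # Stand-in for the Privacy/Security Officer's notification channel.
    alerts: List[str] = field(default_factory=list)

    def access(self, user: str, role: str, patient_id: str,
               requested: Iterable[PHICategory], purpose: str) -> Dict[str, object]:
        """Return only the requested categories the role is permitted to see.

        Unknown roles fail closed (no categories). Any category outside the
        role's permitted set is recorded as denied and raises an alert.
        """
        allowed = self.policy.get(role, frozenset())
        wanted = set(requested)
        granted = wanted & allowed
        denied = wanted - allowed
        event = AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, patient_id=patient_id, purpose=purpose,
            requested=sorted(c.value for c in wanted),
            granted=sorted(c.value for c in granted),
            denied=sorted(c.value for c in denied),
        )
        self.audit_log.append(event)
        if denied:
            self.alerts.append(
                f"ALERT: {user} ({role}) attempted to access {event.denied} "
                f"for {patient_id}; stated purpose={purpose!r}")
        record = self.records.get(patient_id, {})
        return {c.value: record[c] for c in granted if c in record}


if __name__ == "__main__":
    gw = AccessGateway(ROLE_POLICY, PATIENT_RECORDS)
    gw.access("b.smith", "billing_clerk", "P-001",
              [PHICategory.BILLING, PHICategory.PSYCHOTHERAPY_NOTES], "payment")
    for event in gw.audit_log:
        print(json.dumps(asdict(event)))
    for alert in gw.alerts:
        print(alert)
```

The gateway returns the permitted subset rather than refusing the whole request, which is the minimum necessary principle applied at the data layer; the denied categories still land in the audit log and trigger an alert, so a billing clerk asking for psychotherapy notes is both prevented and visible to the officer responsible for follow-up and sanctions.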
Are There Exceptions to the HIPAA Minimum Necessary Standard?
The minimum necessary standard does not apply to the following:
- Disclosures to or requests by a health care provider for treatment purposes.
- Uses or disclosures made to the individual who is the subject of the information.
- Uses or disclosures made pursuant to an individual’s authorization.
- Uses or disclosures required for compliance with HIPAA Administrative Simplification Rules.
- Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the HIPAA Privacy Rule for rule enforcement purposes.
- Uses or disclosures that are required by law (such as state criminal law or criminal procedure law).
What is “Reasonable Reliance”?
Under certain circumstances, the HIPAA Privacy Rule permits a covered entity to rely on the judgment of the party requesting the disclosure as to the minimum amount of information that is needed. In other words, the Privacy Rule permits the covered entity to rely on the other party’s judgment with respect to the HIPAA minimum necessary standard. Such reliance must be reasonable under the particular circumstances of the request. Reasonable reliance is permitted when the request is made by:
- A public official or agency that states that the information requested is the minimum necessary for a purpose permitted under the Privacy Rule (for example, a public health purpose);
- Another covered entity;
- A professional who is a workforce member or business associate of the covered entity holding the information, who states that the information requested is the minimum necessary for the stated purpose; or
- A researcher with appropriate documentation from an Institutional Review Board (IRB) or Privacy Board.
Note, however, that the HIPAA Privacy Rule does not require such reliance; that is, the covered entity from whom PHI is sought always retains discretion to make its own “minimum necessary standard” determination for PHI uses, disclosures, and requests.
Compliancy Group Simplifies HIPAA Compliance
Compliancy Group was founded to help simplify the HIPAA compliance challenge. We give healthcare organizations everything they need to address the full extent of the HIPAA regulations.
Our ongoing support and web-based compliance app, The Guard™, gives health care organizations the tools to address the law so they can get back to confidently running their business.