The HIPAA “Minimum Necessary” standard is an important provision of HIPAA and one that all healthcare professionals need to understand. It is a requirement of HIPAA that applies to many aspects of healthcare professionals’ day to day working lives.
What is the HIPAA “Minimum Necessary” Standard?
The HIPAA “Minimum Necessary” standard requires all HIPAA covered entities and business associates to restrict the uses and disclosures of protected health information (PHI) to the minimum amount necessary to achieve the purpose for which it is being used, requested, or disclosed.
An example would be the disclosure of protected health information to a business associate that is performing a service on behalf of a covered entity that requires access to PHI. The covered entity must make “reasonable efforts” to ensure that the only PHI provided to that business associate is information that is essential for the service being provided. Those services are unlikely to require access to patients’ entire medical histories, so that information should not be disclosed.
A physician would require access to patients’ entire medical histories, but not patients with whom they do not have a treatment relationship with. A physician would also not require access to patients’ Social Security numbers, so access to that information should also be restricted.
When the HIPAA “Minimum Necessary” Standard Applies
The HIPAA “Minimum Necessary” standard applies to uses and disclosures permitted by the HIPAA Privacy Rule. That includes uses, requests, and disclosures of physical PHI such as charts and medical images, electronic copies of protected health information such as the information stored in EHRs, and also verbal disclosures. The HIPAA “Minimum Necessary” standard applies to the accessing of PHI and ePHI, requests from other covered entities and business associates, and disclosures to other covered entities and business associates and other individuals and entities.
When Does the HIPAA “Minimum Necessary” Standard Not Apply?
The HIPAA “Minimum Necessary” standard applies to most uses and disclosures of PHI, but there are six exceptions as detailed below.
- Healthcare providers making requests for PHI for the purpose of providing treatment to a patient
- Requests from patients for copies of their own medical records
- Requests for PHI when there is a valid authorization
- Requests for PHI that are required for compliance with the HIPAA Administrative Simplifications Rules
- Requests for a disclosure of PHI by the Department of Health and Human Services required for the enforcement of compliance with HIPAA Rules under 45 CFR Part 160 Subpart C
- Requests for PHI that are otherwise required by law
What are Reasonable Efforts?
HIPAA requires covered entities to make “reasonable efforts” to comply with the HIPAA “Minimum Necessary” standard and limit access, uses, and disclosures to the minimum necessary information, but what is considered reasonable? The interpretation of what is reasonable is left to the judgement of the covered entity. When making a determination, any decision should be supported by a reasonable justification. Compliance will also depend on the technical capabilities of the covered entity.
When requests are received for access to PHI, the HIPAA Privacy Rule permits, in certain circumstances, the covered entity to rely on the judgement of the covered entity requesting the PHI. In each case, the reliance must be reasonable under the specific circumstances of the request. This “Reasonable Reliance” applies in the following situations:
- A request from a public official or agency who states that the PHI requested is the minimum necessary for a purpose permitted under the HIPAA Privacy Rule.
- A request from another covered entity.
- A request from a professional who is a workforce member or business associate of the covered entity who holds the information and states that the information requested is the minimum necessary for the stated purpose.
- A researcher with appropriate documentation from an Institutional Review Board (IRB) or Privacy Board.
In each case, it is up to the covered entity who holds the PHI to decide whether the person requesting the PHI is requesting the minimum necessary information. They may develop their own policies covering the above requests.
How to Comply with the HIPAA “Minimum Necessary” Standard
In order to ensure that the HIPAA “Minimum Necessary” standard is adhered to across your organization, you must first know where all physical PHI is located and document all information systems containing ePHI, along with the types of PHI/ePHI in each location or information system.
Covered entities should develop written policies and procedures covering the minimum necessary standard. Those policies and procedures should be appropriate to each covered entity and should reflect their business practices. They should state the different types of persons or roles within their organization and the types of information that each role is required to access to complete work duties, along with any conditions associated with access, uses, or disclosures. Permissions should be set to limit access to ePHI based on an individual’s role and logs should be maintained and should be regularly reviewed to identify any violations.
An compliance with policies and procedures should be enforced and violations should be subject to an organization’s sanctions policy. Training should be provided to all employees on the HIPAA “Minimum Necessary” Rule. All training should be documented as well as any sanctions for violations of the HIPAA “Minimum Necessary” standard.