The HIPAA “Minimum Necessary” standard is an important provision of HIPAA and one that all employees of covered entities and business associates need to understand – especially healthcare professionals in patient-facing roles.
What is the HIPAA “Minimum Necessary” Standard?
The HIPAA “Minimum Necessary” standard requires all HIPAA covered entities and business associates to restrict the uses and disclosures of protected health information (PHI) to the minimum amount necessary to achieve the purpose for which it is being used, requested, or disclosed.
An example would be the disclosure of protected health information to a business associate that is performing a service on behalf of a covered entity. The covered entity must make “reasonable efforts” to ensure only PHI essential for the service being provided is disclosed to the business associate. The service is unlikely to require access to patients’ entire medical histories, so that information should not be disclosed.
A physician would require access to patients’ entire medical histories, but not patients with whom they do not have a treatment relationship. A physician would also not require access to patients’ Social Security numbers, so access to that information should be restricted.
When the HIPAA “Minimum Necessary” Standard Applies
The HIPAA “Minimum Necessary” standard applies to uses and disclosures permitted by the HIPAA Privacy Rule. That includes uses, requests, and disclosures of physical PHI such as charts and medical images, electronic copies of protected health information such as the information stored in EHRs, and also verbal disclosures. The HIPAA “Minimum Necessary” standard applies to the accessing of PHI and ePHI, and requests from other covered entities and business associates.
When Does the HIPAA “Minimum Necessary” Standard Not Apply?
The HIPAA “Minimum Necessary” standard applies to most uses and disclosures of PHI, but there are six exceptions as detailed below.
- Healthcare providers making requests for PHI for the purpose of providing treatment to a patient
- Requests from patients for copies of their own medical records
- Requests for PHI when there is a valid authorization from the subject of the PHI
- Requests for PHI that are required for compliance with the HIPAA Administrative Simplifications Rules
- Requests for a disclosure of PHI by the Department of Health and Human Services required for the enforcement of compliance with HIPAA Rules under 45 CFR Part 160 Subpart C
- Requests for PHI that are otherwise required by law
What are Reasonable Efforts?
HIPAA requires covered entities to make “reasonable efforts” to comply with the HIPAA “Minimum Necessary” standard and limit access, uses, and disclosures to the minimum necessary information, but what is considered reasonable? The interpretation of what is reasonable is left to the judgement of the covered entity. When making a determination, any decision should be supported by a reasonable justification. Compliance will also depend on the technical capabilities of the covered entity.
When requests are received for access to PHI, the HIPAA Privacy Rule permits, in certain circumstances, the covered entity to rely on the judgement of the covered entity requesting the PHI. In each case, the reliance must be reasonable under the specific circumstances of the request. This “Reasonable Reliance” applies in the following situations:
- A request from a public official or agency who states that the PHI requested is the minimum necessary for a purpose permitted under the HIPAA Privacy Rule.
- A request from another covered entity.
- A request from a professional who is a workforce member or business associate of the covered entity who holds the information and states that the information requested is the minimum necessary for the stated purpose.
- A researcher with appropriate documentation from an Institutional Review Board (IRB) or Privacy Board.
In each case, it is up to the covered entity who holds the PHI to decide whether the person requesting the PHI is requesting the minimum necessary information. They may develop their own policies covering the above requests.
How to Comply with the HIPAA “Minimum Necessary” Standard
In order to ensure that the HIPAA “Minimum Necessary” standard is adhered to across your organization, you must first know where all physical PHI is located and document all information systems containing ePHI, along with the types of PHI/ePHI in each location or information system.
Covered entities should develop written policies and procedures covering the minimum necessary standard. Those policies and procedures should be appropriate to each covered entity and should reflect their business practices. They should state the different types of persons or roles within their organization and the types of information that each role is required to access to complete work duties, along with any conditions associated with access, uses, or disclosures. Permissions should be set to limit access to ePHI based on an individual’s role and logs should be maintained and regularly reviewed to identify any violations.
Compliance with policies and procedures should be enforced and violations should be subject to an organization’s sanctions policy. Training should be provided to all employees on the HIPAA “Minimum Necessary” Rule. All training should be documented as well as any sanctions for violations of the HIPAA “Minimum Necessary” standard.
HIPAA Minimum Necessary Standard FAQs
What exemptions exist to the Minimum Necessary Standard in the Administrative Simplification Rules?
The exemptions referred to concern the HIPAA transaction standards. The transaction standards allow disclosures of all data elements that are required or situationally required in transactions. Furthermore, covered entities have discretion as to the optional data elements included in transactions and the minimum necessary standard does not apply to these optional data elements.
If a news outlet reports on the health condition of a celebrity, is that a breach of the Minimum Necessary Standard?
The news outlet´s reporting of the health condition is not a breach of the Minimum Necessary Standard because news outlets are not covered entities under HIPAA. However, how the news outlet acquired the information could be subject to review if the celebrity did not give their written authorization for their health condition to be disclosed.
Who is responsible for determining the minimum necessary information when a patient authorizes the disclosure of PHI?
When a patient authorizes a disclosure of PHI, he or she should be informed what PHI is being disclosed, who it is being disclosed to, and why it is being disclosed. Although the information being disclosed should be the minimum necessary to achieve the purpose for which it is being disclosed, the patient has the right to limit the disclosure before providing their authorization.
If a covered entity discloses more than the minimum necessary information, what happens?
If it is discovered that a covered entity or an employee of a covered entity has disclosed more than the minimum necessary information – either via a breach investigation or a patient complaint to the Department of Health and Human Services - the consequences will likely depend on the nature and content of the excess disclosure and what harm results.
What are “incidental disclosures”? Are these covered by the Minimum Necessary Standard?
Incidental disclosures are inadvertent disclosures of PHI that occur as a by-product of a permissible disclosure. Generally, the Department of Health and Human Services will not take enforcement action against a covered entity when an incidental disclosure has occurred provided the covered entity has applied reasonable safeguards and implemented the minimum necessary standard.