minimum necessary (HIPAA)
When using or disclosing protected health information (PHI), or when requesting PHI from others, HIPAA's Privacy Rule requires that a covered entity make reasonable efforts to limit itself to "the minimum necessary to accomplish the intended purpose of the use, disclosure, or request." The requirement is stated at 45 CFR 164.502(b), with its implementation specifications at 164.514(d).
There are important exceptions. The minimum necessary standard does not apply to:
- disclosures to, or requests by, a health care provider for treatment purposes;
- uses or disclosures to the individual who is the subject of the information, or made under an authorization given by that individual;
- disclosures to the Secretary of DHHS when required for HIPAA compliance reviews or other enforcement purposes;
- uses or disclosures required by law.
Under this standard, covered entities must develop policies and procedures which limit information uses, disclosures and requests to those necessary to carry out the organization's work. That includes:
- identification of persons or classes of persons in the workforce who need access to PHI to carry out their duties;
- for each of those, specification of the category or categories of PHI to which access is needed and any conditions appropriate to such access; and
- reasonable efforts to limit access accordingly.
Such policies and procedures, which can include standard protocols, can cover "routine and recurring" uses, disclosures and requests without need for any review. A process must exist for reviewing the non-routine events on an individual basis.
A covered entity may rely on the representation of the party requesting a disclosure that the minimum necessary standard is met when:
- the information is requested by another covered entity;
- the information is requested by a professional who is a member of its workforce, or by a business associate of the covered entity, for the purpose of providing professional services; or
- the disclosure is made to a researcher who has documented compliance with HIPAA requirements.
But note that such reliance is appropriate only if "reasonable under the circumstances." A covered entity retains the discretion to tailor a disclosure according to its own determination of what is the minimum necessary.
The regulations add that "a covered entity may not use, disclose or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request."
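The exceptions, the routine/non-routine policy structure, the reliance rule and the entire-record restriction above amount to a single access decision, which is easier to reason about as code. The following is an added illustrative model, not HHS guidance and not any EHR vendor's implementation; the workforce classes, PHI categories and the policy table are invented for the example, and the ordering of the steps (exceptions first, entire-record check, reliance, routine lookup, otherwise individual review) is one reasonable way to encode the standard rather than the only one.

```python
"""Illustrative access-decision model for HIPAA's minimum necessary standard.

Added example: the roles, PHI categories and the routine policy table are
hypothetical; nothing here is HHS guidance or a real system's policy.
"""
from dataclasses import dataclass
from enum import Enum


class Purpose(Enum):
    TREATMENT = "treatment"
    PAYMENT = "payment"
    OPERATIONS = "health care operations"
    INDIVIDUAL = "disclosure to the individual"
    AUTHORIZATION = "pursuant to the individual's authorization"
    HHS_ENFORCEMENT = "HHS compliance review or enforcement"
    REQUIRED_BY_LAW = "required by law"


# Purposes outside the standard regardless of who is asking.
EXEMPT_PURPOSES = {
    Purpose.INDIVIDUAL,
    Purpose.AUTHORIZATION,
    Purpose.HHS_ENFORCEMENT,
    Purpose.REQUIRED_BY_LAW,
}

# Hypothetical PHI categories a covered entity might define for itself.
ALL_CATEGORIES = frozenset({
    "demographics", "insurance", "procedure_codes", "appointments",
    "clinical_notes", "lab_results", "medications",
})

# Hypothetical "routine and recurring" policy: (workforce class, purpose) ->
# the categories that class needs. Anything not in this table is non-routine.
ROUTINE_POLICY = {
    ("billing_clerk", Purpose.PAYMENT): frozenset({"demographics", "insurance", "procedure_codes"}),
    ("scheduler", Purpose.OPERATIONS): frozenset({"demographics", "appointments"}),
    ("quality_reviewer", Purpose.OPERATIONS): frozenset({"procedure_codes", "clinical_notes", "lab_results"}),
}


@dataclass(frozen=True)
class Request:
    requester_role: str
    purpose: Purpose
    categories: frozenset                 # PHI categories asked for
    requester_is_provider: bool = False
    requester_is_covered_entity: bool = False  # basis for relying on its representation
    entire_record: bool = False
    justification: str = ""               # required when entire_record is True


@dataclass(frozen=True)
class Decision:
    outcome: str          # "exempt", "routine", "reliance" or "review"
    permitted: frozenset  # categories released without further review
    reason: str


def decide(req: Request) -> Decision:
    # 1. Exceptions: the standard does not apply, so release what was asked for.
    if req.purpose is Purpose.TREATMENT and req.requester_is_provider:
        return Decision("exempt", req.categories, "provider request for treatment")
    if req.purpose in EXEMPT_PURPOSES:
        return Decision("exempt", req.categories, req.purpose.value)

    # 2. Entire medical record: never routine. Without a specific justification
    #    nothing is released; with one it still goes to individual review.
    if req.entire_record:
        if not req.justification.strip():
            return Decision("review", frozenset(), "entire record requested without justification")
        return Decision("review", frozenset(), "entire record requested; justification needs individual review")

    # 3. Reliance on another covered entity's representation that the request is
    #    the minimum necessary. Reliance must be reasonable, so the entity keeps
    #    some discretion: here it refuses categories it has never defined.
    if req.requester_is_covered_entity:
        return Decision("reliance", req.categories & ALL_CATEGORIES,
                        "relying on requesting covered entity's representation")

    # 4. Routine and recurring request: trim to the categories the class needs.
    allowed = ROUTINE_POLICY.get((req.requester_role, req.purpose))
    if allowed is not None:
        excess = req.categories - allowed
        note = f"trimmed {sorted(excess)}" if excess else "within routine policy"
        return Decision("routine", req.categories & allowed, note)

    # 5. Anything else is non-routine and must be reviewed individually.
    return Decision("review", frozenset(), "non-routine request; individual review required")


if __name__ == "__main__":
    # Constructed sample requests showing each branch.
    samples = [
        Request("nurse", Purpose.TREATMENT, frozenset({"clinical_notes", "medications"}), requester_is_provider=True),
        Request("billing_clerk", Purpose.PAYMENT, frozenset({"demographics", "insurance", "clinical_notes"})),
        Request("billing_clerk", Purpose.PAYMENT, frozenset(), entire_record=True),
        Request("intern", Purpose.OPERATIONS, frozenset({"lab_results"})),
    ]
    for s in samples:
        d = decide(s)
        print(f"{s.requester_role:15} {s.purpose.name:12} -> {d.outcome:8} {sorted(d.permitted)} ({d.reason})")
```

The point of the ordering is that the treatment exception is checked before the entire-record rule, so a provider's treatment request for a full chart is not blocked, while a billing clerk asking for clinical notes is silently trimmed to the categories the billing class was defined to need rather than refused outright, which is how the standard limits rather than denies.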
Few elements of HIPAA have generated more controversy than this standard, though as interpreted its reach is in fact quite moderate. Moreover, data minimization is a core element of fair information principles, and would be a necessary element of any data protection law.
DHHS has been clear that the minimum necessary standard is to be implemented using a "reasonableness" analysis, so that a covered entity's functions are not unduly restricted. The broad exemption for PHI exchanged among providers for treatment purposes is a particular recognition that the standard was not intended to compromise patient care in any way.
DHHS has also been clear that it will not always be reasonable to segregate a medical record according to user and function, as, for example, in a small office that still relies on paper records. Only larger organizations, with electronic systems capable of making and enforcing such distinctions, would be expected to subdivide in this way.