minimum necessary (HIPAA)

When using or disclosing protected health information (PHI), or when requesting PHI from others, HIPAA's Privacy Rule requires that a covered entity make reasonable efforts to limit itself to "the minimum necessary to accomplish the intended purpose of the use, disclosure, or request."

There are important exceptions. The minimum necessary standard does not apply to PHI disclosures:

  • by/among health care providers for treatment purposes;
  • to the individual who is the subject of the information, or in response to an authorization requested by that individual;
  • to the Secretary of DHHS when required for HIPAA compliance reviews or other enforcement purposes;
  • to comply with the requirements of other laws.

Under this standard, covered entities must develop policies and procedures that limit information uses, disclosures and requests to those necessary to carry out the organization's work. That includes:

  • identification of persons or classes of persons in the workforce who need access to PHI to carry out their duties;
  • for each of those, specification of the category or categories of PHI to which access is needed and any conditions appropriate to such access; and
  • reasonable efforts to limit access accordingly.

Such policies and procedures, which can include standard protocols, can cover "routine and recurring" uses, disclosures and requests without need for any review. A process must exist for reviewing the non-routine events on an individual basis.

A covered entity may rely on the representations of the party requesting a disclosure that the minimum necessary standard is met when:

  • the information is requested by another covered entity;
  • the information is requested by a professional who is a member of its workforce or is a business associate of the covered entity; or
  • the disclosure is to researchers who have documented compliance with HIPAA requirements.

But note that such reliance is appropriate only if "reasonable under the circumstances." A covered entity retains the discretion to tailor a disclosure according to its own determination of minimum necessary.

The regulations add that "a covered entity may not use, disclose or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request."

Few elements of HIPAA have generated more controversy than this standard, though as interpreted it is in fact quite moderate in its reach. Moreover, "minimalism" is a core element of fair information principles, and would be a necessary element of any data protection law.

DHHS has been clear that the minimum necessary standard is to be implemented using a "reasonableness" analysis, so that a covered entity's functions are not unduly restricted. The broad exemption for PHI exchanged among providers for treatment purposes is a particular recognition that the standard was not intended to compromise patient care in any way.

DHHS has also been clear that it will not always be reasonable to segregate a medical record according to user and function, as, for example, in a small office that still relies on paper records. Only larger organizations, with electronic systems capable of making and enforcing such distinctions, would be expected to subdivide in this way.


   © 2002-2006 Contributing authors and University of Miami School of Medicine