Practice Brief: Understanding the Minimum Necessary Standard (Updated)

Editor's note: The following practice brief replaces information contained in the "Understanding the Minimum Necessary Standard" Practice Brief in the January 2002 Journal of AHIMA.

HIM professionals have long made it a practice to limit information disclosed to that information required to fulfill the stated purpose. For example, an HIM professional would not disclose information about a woman's breast removal on a workers' compensation claim for a lacerated finger. Instead, the HIM professional would limit information disclosed to that related only to the injured finger. In other words, the HIM professional would disclose only that information the recipient needs to know.

The Standards for Privacy of Individually Identifiable Health Information, more commonly called the Health Insurance Portability and Accountability Act (HIPAA) final privacy rule, formalize and expand the need-to-know principle. The revised principle is known as the Minimum Necessary Standard. It is important that HIM professionals understand the Minimum Necessary Standard, as most covered entities (CEs) must comply no later than April 14, 2003.[1]

HIPAA Final Privacy Rule

Minimum Necessary Standard Applicability

The August 14, 2002, version of the HIPAA final privacy rule states that the Minimum Necessary Standard applies when using or disclosing protected health information (PHI), or when requesting PHI from another CE.[2] It goes on to say that CEs must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

Exceptions to the Minimum Necessary Standard

The rule, however, provides some exceptions. It says that the Minimum Necessary Standard does not apply to:

  • disclosures to or requests by healthcare providers for treatment
  • disclosures to the individual who is the subject of the information
  • uses or disclosures made pursuant to an authorization
  • uses or disclosures required for compliance with the standardized HIPAA transactions
  • disclosures to the Department of Health and Human Services when disclosure of information is required under the rule for enforcement purposes
  • uses or disclosures required by law

Applying the Standard when Disclosing Information

The implementation specifications for the Minimum Necessary Standard require that [3]:

  • CEs identify the persons or classes of persons in their work force who need access to PHI
  • CEs identify the category or categories of PHI for which access is needed for the person or classes of persons and any conditions appropriate to such access
  • CEs make reasonable efforts to limit the work force's access to PHI to that which is needed to carry out their duties
  • for any type of disclosure that occurs on a routine and recurring basis, CEs implement policies and procedures that limit the PHI disclosed to the amount reasonably necessary to achieve the purpose of the disclosure
  • for all other disclosures, CEs develop criteria designed to limit the PHI disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought, and review requests for disclosure on an individual basis in accordance with such criteria

The rule states that CEs may rely on the judgment of the party requesting the disclosure as to the minimum amount of information needed when the request is made by:

  • a public official or agency for a disclosure permitted under 45 CFR 164.512 (uses and disclosures for which consent, an authorization, or opportunity to agree or object is not required)
  • another CE
  • a professional who is a work force member or business associate of the CE holding the information
  • a researcher with appropriate documentation from an institutional review board or privacy board

The rule does not require that the CE rely on the judgment of the requester, however. The CE retains the right to make its own minimum necessary determination for disclosures to which the minimum necessary standard applies.

Incidental Uses and Disclosures

While the privacy rule holds CEs responsible for making reasonable efforts to limit information use and disclosure to the minimum necessary and to guard against inappropriate intentional or unintentional releases, it recognizes the likelihood that inadvertent releases may occur as a by-product of normal healthcare practices. As such, an additional provision was included in the August 14, 2002, privacy rule modifications making incidental disclosure permissible "to the extent that the CE has applied reasonable safeguards as required by 164.530(c) and implemented the Minimum Necessary Standard, where applicable, as required by 164.502(b) and 164.514(d)" (page 53193). Without conscientious compliance with the minimum necessary standards, incidental disclosures would be considered a violation of the privacy rule.

Requesting Protected Information

Further, the implementation specifications for the Minimum Necessary Standard state that:

  • when requesting PHI from other covered entities, a CE must limit any request for PHI to that which is reasonably necessary to accomplish the purpose for which the request is made
  • for a request that is made on a routine and recurring basis, a CE must implement policies and procedures that limit the PHI requested to the amount reasonably necessary to accomplish the purpose for which the request is made
  • for all other requests, a CE must review the request on an individual basis to determine that the PHI sought is limited to the information reasonably necessary to accomplish the purpose for which the request is made

A CE may not use, disclose, or request an entire medical record, except when the entire medical record is specifically justified as the amount of information that is reasonably necessary to accomplish the purpose of the use, disclosure, or request.

Recommendations

  • Study the Minimum Necessary Standard and the December 4, 2002, HIPAA Privacy Guidance.
  • Evaluate where, when, and how PHI is requested.
  • Evaluate when, where, and how PHI is disclosed.
  • Develop policies and procedures to ensure that the information requested and disclosed is the minimum necessary to fulfill the stated purpose:
    - Develop policies and procedures for fulfilling routine requests for information on a consistent basis
    - Develop policies and procedures to determine which requests must be scrutinized for compliance with the minimum necessary requirements
    - Develop policies and procedures to ensure that the information requested and disclosed for non-routine requests is the minimum necessary to fulfill the stated purpose
  • Educate and train staff about appropriate application of the standards when requesting, using, or disclosing health information.
  • Evaluate work force access needs to PHI. Identify the information the individuals or categories of individuals need to know to do their jobs. Maintain documentation of such determinations.
  • Develop policies and procedures that limit access by the work force to only the PHI they need to know to do their jobs.
  • Develop policies and procedures that ensure that the Minimum Necessary Standard is applied to the request when appropriate. For example, develop a system for periodically auditing disclosures made to ensure that the minimum necessary requirements were met where appropriate. Take corrective action when indicated.

Revised by

Beth Hjort, RHIA, CHP, HIM practice manager
Originally prepared by Gwen Hughes, RHIA

Notes

1. Health plans, healthcare clearinghouses, and healthcare providers who submit certain transactions electronically.

2. 42 CFR, Section 164.502 (b).

3. 42 CFR, Section 164.514 (d).

References

Office for Civil Rights. Guidance explaining significant aspects of the privacy rule. December 4, 2002. Available at www.hhs.gov/ocr/hipaa/privacy.html.

"Standards for Privacy of Individually Identifiable Health Information; Final Rule." 45 CFR Parts 160 through 164. Federal Register 67, no. 157 (August 14, 2002). Available at http://aspe.hhs.gov/admnsimp/.

Acknowledgments

Holly Ballam, RHIA
Jill Callahan Dennis, JD, RHIA
Harry Rhodes, MBA, RHIA
Dorothy Wagg, JD, RHIA


Source: Hjort, Beth. "Understanding the Minimum Necessary Standard" (AHIMA Practice Brief, Updated March 2003)