Difference between revisions of "Minimum Necessary"

From Clinfowiki
(Federal Source Document)
(Background)
Line 1: Line 1:
 
===Background===
 
===Background===
This is a standard described in the source document (linked below) as a key protection of the HIPAA Privacy Rule (45 CFR 164.502(b))whereby covered entities are required to limit use or disclosure of [[Protected Health Information (PHI)|protected health information (PHI)]] to the minimum necessary to accomplish the intended purpose.
+
This is a standard described in the source document (linked below) as a key protection of the HIPAA Privacy Rule (45 CFR 164.502(b))whereby [http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/ covered entities] are required to limit use or disclosure of [[Protected Health Information (PHI)|protected health information (PHI)]] to the minimum necessary to accomplish the intended purpose.
  
 
Expanding the application of the HIPAA Privacy Rule: In 2013, Health and Human Services (HHS) issued a [https://www.federalregister.gov/articles/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules-under-the#h-168 Final Rule in the Federal Register] for modifications to 45 CFR 164.502(b) aligning it with [http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf section 13404 of the Health Information for Economic and Clinical Health (HITECH) Act of 2009]. This established the direct liability of business associates under the HIPAA Privacy Rule, including the Minimum Necessary standard. This established business associates as equivalent to covered entities in terms of provisions and penalties for disclosures of PHI.
 
Expanding the application of the HIPAA Privacy Rule: In 2013, Health and Human Services (HHS) issued a [https://www.federalregister.gov/articles/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules-under-the#h-168 Final Rule in the Federal Register] for modifications to 45 CFR 164.502(b) aligning it with [http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf section 13404 of the Health Information for Economic and Clinical Health (HITECH) Act of 2009]. This established the direct liability of business associates under the HIPAA Privacy Rule, including the Minimum Necessary standard. This established business associates as equivalent to covered entities in terms of provisions and penalties for disclosures of PHI.
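
Review bot: The changed Background sentence still runs "(45 CFR 164.502(b))whereby" together with no space after the closing parenthesis; since this revision already touches that line to link "covered entities", fix the spacing in the same edit. The new hhs.gov link also uses http:// while the Federal Register link in the following paragraph uses https://, so consider making the scheme consistent. In the unchanged paragraph, two consecutive sentences open with "This established ..." and could be merged into one.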

Revision as of 07:03, 6 April 2015

Background

This is a standard described in the source document (linked below) as a key protection of the HIPAA Privacy Rule (45 CFR 164.502(b)) whereby covered entities are required to limit use or disclosure of protected health information (PHI) to the minimum necessary to accomplish the intended purpose.

Expanding the application of the HIPAA Privacy Rule: In 2013, the Department of Health and Human Services (HHS) issued a Final Rule in the Federal Register for modifications to 45 CFR 164.502(b), aligning it with section 13404 of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. This established the direct liability of business associates under the HIPAA Privacy Rule, including the Minimum Necessary standard, making business associates equivalent to covered entities in terms of provisions and penalties for disclosures of PHI.

How the Rule Works

Intended to be applied to the covered entity's business practices, the rule requires the development and implementation of policies and procedures sufficient to establish operation within the requirements of the rule while still fitting the business's operation.

The covered entity's policies must identify persons or classes of persons who need access to PHI in order to perform their essential job functions.

The elements of PHI to be accessed by identified persons or classes of persons must be specified.

This must be further defined with the conditions necessitating such access.

The rule presumes that access to the entire record is NOT necessary.

Exceptions must be stated explicitly with justification.

The rule does not apply to:

  • Disclosures to or requests by a health care provider for treatment purposes.
  • Disclosures to the individual who is the subject of the information.
  • Uses or disclosures made pursuant to an individual’s authorization.
  • Uses or disclosures required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules.
  • Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the Privacy Rule for enforcement purposes.
  • Uses or disclosures that are required by other law.

Federal Source Document

Minimum Necessary Requirement: 45 CFR 164.502(b), 164.514(d)

Related Documents

Title XIII-Health Information Technology Section 13001: Health Information Technology for Economic and Clinical Health (HITECH Act)

Federal Register 1/25/2013