Minimum Necessary

From Clinfowiki
Revision as of 06:24, 31 March 2015 by MikeT5360 (Talk | contribs)

Background

This standard is described in the source document (linked below) as a key protection of the HIPAA Privacy Rule whereby covered entities are required to limit use or disclosure of protected health information (PHI) to the minimum necessary to accomplish the intended purpose.

How the Rule Works

Intended to be applied to the covered entity's business practices, the rule requires the development and implementation of policies and procedures sufficient to establish operation within the requirements of the rule while still fitting the business's operation.

The covered entity's policies must identify persons or classes of persons who need access to PHI in order to perform their essential job functions.

The elements of PHI to be accessed by identified persons or classes of persons must be specified.

This must be further defined with the conditions necessitating such access.

The rule presumes that access to the entire record is NOT necessary.

Exceptions must be stated explicitly with justification.

The rule does not apply to:

  • Disclosures to or requests by a health care provider for treatment purposes.
  • Disclosures to the individual who is the subject of the information.
  • Uses or disclosures made pursuant to an individual’s authorization.
  • Uses or disclosures required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules.
  • Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the Privacy Rule for enforcement purposes.
  • Uses or disclosures that are required by other law.

Federal Source Document

Minimum Necessary Requirement: 45 CFR 164.502(b), 164.514(d)

PDF Copy of Code of Federal Regulations (CFR)