Client Information

If you would like to be notified when this page changes, please e-mail us at proassoc@proassoc.com and include your e-mail address.

 


 

July 14, 2003

HIPAA Privacy Rule: “MINIMUM NECESSARY”

One of the key components of the HIPAA Privacy Rule is the “minimum necessary” standard. It is based on the prudent practice that Protected Health Information (PHI) should not be used or disclosed when it is not necessary to satisfy the requirements of a particular purpose or carry out an approved function. The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of PHI. The Privacy Rule’s minimum necessary requirements are designed to be flexible enough to accommodate the varied circumstances of any covered entity.

The Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose. The specifications for this provision require a covered entity to develop and implement policies and procedures appropriate for its own organization, reflecting the entity’s business practices and workforce. 

The minimum necessary standard does not apply to the following:

   ·  Disclosures to or requests by a healthcare provider for treatment purposes.

   ·  Disclosures to the individual who is the subject of the information.

   ·  Uses or disclosures made pursuant to an individual’s authorization.

   ·  Uses or disclosures required for compliance with the HIPAA Administrative Simplification Rules.

   ·  Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the Privacy Rule for enforcement purposes.

   ·  Uses or disclosures that are required by other law.

 Uses and Disclosures of, and Requests for, Protected Health Information:

 For uses of PHI, the covered entity’s policies and procedures must identify the persons or classes of persons within the covered entity who need access to the PHI to carry out their job duties, the categories or types of PHI needed, and conditions appropriate to such access.  For example, hospitals may implement policies that permit doctors, nurses, or others involved in treatment to have access to the entire medical record, as needed.  Case-by-case review of each use is not required.  Where the entire medical record is necessary, the covered entity’s policies and procedures must state so explicitly and include a justification.

 For routine or recurring requests and disclosures, the policies and procedures may be standard protocols and must limit the PHI disclosed or requested to that which is the minimum necessary for that particular type of disclosure or request.  Individual review of each disclosure or request is not required.

 For non-routine disclosures and requests, covered entities must develop reasonable criteria for determining and limiting the disclosure or request to only the minimum amount of PHI necessary to accomplish the purpose of a non-routine disclosure or request.  Non-routine disclosures and requests must be reviewed on an individual basis in accordance with these criteria and limited accordingly.

 Of course, where PHI is disclosed to, or requested by, healthcare providers for treatment purposes, the minimum necessary standard does not apply.     

Reasonable Reliance:

 In certain circumstances, the Privacy Rule permits a covered entity to rely on the judgment of the party requesting the disclosure as to the minimum amount of information that is needed.  Such reliance must be reasonable under the particular circumstances of the request. This reliance is permitted when the request is made by:

   ·  A public official or agency who states that the information requested is the minimum necessary for a purpose permitted under the Rule, such as for public health purposes.

   ·  Another covered entity.

   ·  A professional who is a workforce member or business associate (such as Professional Associates) of the covered entity holding the information and who states that the information requested is the minimum necessary for the stated purpose.

   ·  A researcher with appropriate documentation from an Institutional Review Board (IRB) or Privacy Board.

 The Rule does not require such reliance, however, and the covered entity always retains discretion to make its own minimum necessary determination for disclosures to which the standard applies.

 Professional Associates is committed to the implementation and maintenance of a comprehensive HIPAA Compliance Program, in accordance with all government rules and regulations. I welcome your comments and/or questions concerning Professional Associates’ HIPAA Privacy Standards and how they relate to all of us. You may email me at proassoc@proassoc.com.

 Jim Heckman, Professional Associates’ HIPAA Privacy Officer

References:

This article was based on and developed from the “Standards for Privacy of Individually Identifiable Health Information” Guidance Document promulgated by the Office for Civil Rights within the Department of Health and Human Services (HHS), revised April 3, 2003. The Department of Health and Human Services (HHS) published the Privacy Rule on December 28, 2000, and adopted modifications of the Rule on August 14, 2002.

 


May 06, 2003

HIPAA Privacy Rule

 As many of you are aware, the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) became effective on April 14, 2003. The intent of the HIPAA Privacy Rule is to create national standards to protect individuals’ medical records and other personal health information.

 It sets boundaries on the use and release of Protected Health Information (PHI).

 

Although many of the provisions of this legislation pertain to Healthcare Providers and the relationship they have with their patients, PA is committed to properly handling the Protected Health Information (PHI) entrusted to us. To this end, all PA employees will continue to safeguard any PHI, including financial data, from unauthorized disclosure. Release of PHI will continue to be restricted and limited to the minimum information required to properly perform Billing and Accounts Processing.

Professional Associates is committed to the implementation and maintenance of a comprehensive HIPAA Compliance Program, in accordance with all government rules and regulations. I welcome your comments and/or questions concerning Professional Associates’ HIPAA Privacy Standards and how they relate to all of us. You may email me at proassoc@proassoc.com.

 Jim Heckman, Professional Associates’ HIPAA Privacy Officer

 


April 25, 2002

CMS (Centers for Medicare & Medicaid Services) is providing a quarterly update on their web site.

The address is

http://www.cms.hhs.gov/providerupdate