The HIPAA Minimum Necessary Rule Standard

The HIPAA minimum necessary rule standard applies to uses and disclosures of PHI that are permitted under the HIPAA Privacy Rule, including the accessing of PHI by healthcare professionals and disclosures to business associates and other covered entities. The standard also applies to requests for protected health information from other HIPAA covered entities.

Under the HIPAA minimum necessary rule, HIPAA-covered entities are required to make reasonable efforts to ensure that uses and disclosures of PHI is limited to the minimum necessary information to accomplish the intended purpose of a particular uses or disclosure.

The terms ‘reasonable’ and ‘necessary’ are open to interpretation which can cause some confusion. The use of these terms leaves it up to the judgement of the covered entity as to what information is disclosed and the efforts that should be made to restrict disclosures to more than necessary.  Any decisions that are made with respect to the minimum necessary standard should be supported by a rational justification, should reflect the technical capabilities of the covered entity, and should also factor in privacy and security risks.

The HIPAA minimum necessary standard applies to all forms of PHI, including physical documents, spreadsheets, films and printed images, electronic protected health information, including information stored on tapes and other media, and information that is communicated verbally.

When Does the HIPAA Minimum Necessary Rule Standard Not Apply?

There are six exceptions to the HIPAA minimum necessary rule standard.

• Disclosures of PHI in response to a request by a healthcare provider for the purposes of providing treatment
• Disclosures to an individual that are permitted under the HIPAA Privacy Rule, including an individual who is exercising his/her right of access to obtain a copy of information contained in a designated record set, provided the information is maintained in that designated record set (with the exception of psychotherapy notes, information compiled for use in civil, criminal, or administrative actions)
• Any  specific uses or disclosures pursuant to an authorization signed by the subject of the PHI
• Disclosures to the Secretary of the HHS as detailed in 45 CFR Part 160 Subpart C
• Uses and disclosures necessary for HIPAA compliance
• Uses and disclosures that are required by law

Complying with the Minimum Necessary Standard

There are several steps that can be taken to ensure compliance with this aspect of HIPAA which have been outlined below:

• Make sure that all systems containing ePHI are documented and it is clear what types of PHI that they contain.
• Determine what types of information need to be accessed for different roles and responsibilities.
• Set up role-based permissions that limit access to certain types of PHI. Granular controls should be applied to all information systems, if possible, which limit access to certain types of information. For example, restricting access to health insurance numbers, Social Security numbers, and medical histories if it is not necessary for that information to be viewed.
• Create and implement a sanctions policy for violations of the minimum necessary standard.
• Make sure employees receive training on the types of information they are permitted to access and what information is off limits. Make sure employees are aware of the consequences of accessing information without authorization.
• Ensure logs are maintained that include information on PHI access and access attempts.
• Set up alerts, if technically possible, that notify compliance team of cases of unauthorized attempts to access PHI and successful attempts to access information of patients by staff with no legitimate work reason for accessing the records.
• Prior to providing access to systems containing ePHI to a business associate, assess what information is needed to perform the requested tasks and ensure that access to parts of a system or unnecessary information is restricted.
• Conduct periodic audits of permissions and review logs regularly to identify individuals who have knowingly or unknowingly accessed restricted information.
• Document any actions taken in response to cases of unauthorized access or accessing more information than is necessary and the sanctions that have been applied as a result.

Examples of Minimum Necessary Standard Violations

If an IT worker is required to perform maintenance work on a database, such a task would not require access to patients’ medical histories. Similarly, a physician would require access to a patient’s medical history as part of assessing the patient or providing treatment, but would not require access to the back end of a patient database or access to Social Security numbers.

One of the most common minimum necessary standard violations is verbal disclosures of PHI that are over and above what is required. An good example comes from a nurse at a Kentucky hospital who performed a timeout before a patient underwent a medical procedure to make sure the patient was aware what the procedure entailed. In addition to instructing the patient about the procedure and performing various checks, the nurse told the physician that gloves should be worn because the patient had hepatitis C. A technician was also present and other patients and staff were in the vicinity and could have overheard. The patient complained and the nurse was terminated. Providing the information about hepatitis to the physician was not necessary as the physician would have already been aware that gloves should be worn to prevent contracting an infectious disease. This was classed as an unauthorized disclosure of PHI.

AHIMA Recommends Changes to the HIPAA Minimum Necessary Standard

Melissa Martin, Board President for the American Health Information Management Association (AHIMA) recently gave testimony at a National Committee on Vital and Health Statistics (NCVHS) hearing on the HIPAA minimum necessary standard of the HIPAA Privacy Rule.

The aim of the hearing was to determine whether the Department of Health and Human Services should issue an update to the HIPAA minimum necessary standard to ensure it can continue to be met by healthcare organizations, and to assess whether there is a need for further guidance in light of the technology changes in the healthcare industry since its introduction.

According to Martin’s testimony, there is still considerable confusion over the standard and what constitutes the “minimum necessary information”.

Organizations must identify individuals or groups of persons within their organization who are required to be given access to PHI and limit the categories of PHI that those individuals or groups are permitted to access.

For instance, organizations should not permit an entire medical record to be accessed or be disclosed unless they can justify that access to the entire record is necessary. The same applies to business associates. If business associates are contracted to perform a specific function on behalf of a covered entity, the business associate should only be provided with the information for that operation to be performed.

Further Guidance Requested to Clear Up Confusion

Martin said at the hearing that the definition of the standard needs to be clarified and that this should be addressed in future HHS guidance. At present, covered entities are permitted to decide what the minimum necessary information is. Interpretation of the standard is therefore inconsistent. Martin said that this could potentially lead to litigation if patients or their legal representatives disagreed with a healthcare organization’s interpretation of the standard.

Martin also said there are now technology challenges that must be considered, pointing out that “as technology continues to advance, so too will the technological challenges associated with complying with the minimum necessary standard.”

One technology challenge concerns EHR systems. The systems do allow access to PHI to be controlled, but Martin pointed out that EHR systems often “lack the sophistication to sequester patients by assigned employees.” She went on to explain, “this often leads to approval for “any and all” access rather than imposing certain access restrictions on the PHI.”

There are also a number of regulatory challenges. Martin explained that various initiatives such as the Qualified Entity Program under Medicare and the Precision Medicine Initiative, which encourage the sharing of data, have resulted in the sharing of an increasing amount of PHI. As we move toward a fully interoperable healthcare system, the concept of the HIPAA minimum necessary standard is now being applied to fewer transactions.

Prior to the hearing, AHIMA conducted a survey of its members who work in privacy and security, data analytics, clinical documentation improvement, and education. 38% were unsure if a definition for the minimum standard had been adopted and 14% of respondents said they did not have a definition for the minimum standard. 21% were in the process of developing a definition. One third of respondents said they had no policies and procedures relating to the HIPAA standard.

Martin made a number of recommendations at the hearing:

• The HHS should develop a clearer definition of the standard
• The role of metadata must be considered in future guidance
• The limitations of technology should be considered and addressed in future guidance
• It is necessary to enhance focus on patients’ needs and consider the role of the steward when developing guidance
• There is a need to improve standardization of the implementation of the standard to ensure that patients have clear expectations of the PHI that will be disclosed or used to perform particular functions
• The HHS should supply educational materials along with future guidance. FAQs and fact sheets would be useful in this regard to help healthcare organizations educate staff on any changes to the standard.

HIPAA Minimum Necessary Rule Standard FAQs

What are the consequences of disclosing more than the minimum necessary PHI?

This depends on the nature and circumstances of the disclosure. Disclosures of the nature mentioned in the “Violations” section above can have significant consequences, while “incidental” or “accidental” disclosures may be permitted by the Privacy Rule depending on the circumstances.

What is the difference between “incidental” and “accidental” disclosures?

Incidental disclosures are secondary disclosures incidental to a disclosure permitted by the Privacy Rule. Accidental disclosures are inadvertent disclosures made in good faith, but not secondary to a disclosure permitted by the Privacy Rule.

Does the HIPAA Minimum Necessary Rule Standard only apply to electronic PHI?

No. The HIPAA Minimum Necessary Rule Standard applies to all PHI regardless of the format. Therefore, electronic PHI, written PHI, and oral PHI is all subject to the HIPAA Minimum Necessary Rule Standard.

How often is the Minimum Necessary Standard violated?

According to HHS´ Enforcement Highlights web page, violations of the Minimum Necessary Standard are the fifth most common compliance issue reported to the Office for Civil Rights. The number of violations is not specified, nor whether these are self-reported violations (i.e., by a covered entity) or complaints of violations submitted by patients and health plan customers.

Are AMINA´s recommended changes likely to be adopted?

In part. At present, HHS is considering several changes to the Privacy Rule which include a relaxation of the standard for care coordination and case management activities. If adopted, the standard would not only be relaxed for communications between covered entities, but also for communications between covered entities and social services agencies, community-based organizations, and community-based service providers that provide health-related services.

The post The HIPAA Minimum Necessary Rule Standard appeared first on HIPAA Journal.