Definition of “Minimum Necessary” According To HIPAA

Prepared by Dunlap & McDowell for 2-28-03 Pragmatics of HIPAA Training

In the boxes below, you will find direct quotes from the Privacy Rule concerning the “minimum necessary” amount of information to release. 

Here are the highlights: 

1) When you release protected information, make reasonable efforts to limit it to the minimum;

2) You must have “policies and procedures” concerning the “minimum necessary” standard;

3) The covered entity who holds the information always retains discretion to make its own minimum necessary determination.

When you are the professional who holds the information your discretion about what is to be released should be asserted, no matter what kinds of invasive forms, reports requests or other demands the third party payer makes.

Federal Register / Vol. 67, No. 157 / Wednesday, August 14, 2002 / Rules and Regulations

2. Minimum Necessary Standard  (pp. 53195-96 Bold emphases added)

December 2000 Privacy Rule. The Privacy Rule generally requires covered entities to make reasonable efforts to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose.

See 164.502(b). Protected health information includes individually identifiable health information (with limited exceptions) in any form, including information transmitted orally, or in written or electronic form…

The minimum necessary standard is intended to make covered entities evaluate their practices and enhance protections as needed to limit unnecessary or inappropriate access to, and disclosures of, protected health information…

The Privacy Rule contains some exceptions to the minimum necessary standard. The minimum necessary requirements do not apply to uses or disclosures that are required by law, disclosures made to the individual or pursuant to an authorization initiated by the individual, disclosures to or requests by a health care provider for treatment purposes, uses or disclosures that are required for compliance with the regulations implementing the other administrative simplification provisions of HIPAA, or disclosures to the Secretary of HHS for purposes of enforcing this Rule. See 164.502(b)(2).

The Privacy Rule sets forth requirements for implementing the minimum necessary standard with regard to a covered entity’s uses, disclosures, and requests at 164.514(d). A covered entity is required to develop and implement policies and procedures appropriate to the entity’s business practices and workforce that reasonably minimize the amount of protected health information used, disclosed, and requested. For uses of protected health information, the policies and procedures must identify the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of protected health information needed, and the conditions appropriate to such access. For routine or recurring requests and disclosures, the policies and procedures may be standard protocols. …

 Additionally, in response to those commenters who raised specific concerns with respect to authorizations which request release of psychotherapy notes, the Department clarifies that the final Rule does not require a covered entity to use and disclose protected health information pursuant to an authorization. Rather, as with most other uses and disclosures under the Privacy Rule, this is only a permissible use or disclosure. If a covered health care provider is concerned that a request for an individual’s psychotherapy notes is not warranted or is excessive, the provider may consult with the individual to determine whether or not the authorization is consistent with the individual’s wishes. ...

Further, the Privacy Rule does not permit a health plan to condition enrollment, eligibility for benefits, or payment of a claim on obtaining the individual’s authorization to use or disclose psychotherapy notes. Nor may a health care provider condition treatment on an authorization for the use or disclosure of psychotherapy notes. Thus, the Department believes that these additional protections appropriately and effectively protect an individual’s privacy with respect to psychotherapy notes.

With respect to disclosures to another covered entity, the Privacy Rule permits a covered entity reasonably to rely on another covered entity’s request for protected health information as the minimum necessary for the intended disclosure. See 164.514(d)(3)(iii). The Department does not believe, therefore, that a blanket exception for such disclosures is justified. The covered entity who holds the information always retains discretion to make its own minimum necessary determination.  (p. 53197)