1 Minimum Necessary Standard Version 1.0 HIPAA Collaborative of Wisconsin HIPAA COW.


Minimum Necessary Standard, Version 1.0

HIPAA Collaborative of Wisconsin

HIPAA COW


Disclaimer

This Training Module is Copyright 2003 by the HIPAA Collaborative of Wisconsin (“HIPAA COW”). It may be freely redistributed in its entirety provided that this copyright notice is not removed. It may not be sold for profit or used in commercial documents without the written permission of the copyright holder. This Training Module is provided “as is” without any express or implied warranty. This Training Module is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. HIPAA COW has not yet addressed all state pre-emption issues related to this Training Module. Therefore, this form may need to be modified in order to comply with Wisconsin law.

Copyright 2003 - HIPAA Collaborative of Wisconsin


Minimum Necessary Standard

Application of the Minimum Necessary Standard (as amended August 2002)

“When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

Reference: 45 C.F.R. § 164.502(b)


With some exceptions, the Minimum Necessary Standard applies to uses, disclosures and requests for protected health information (PHI), including those for treatment, payment and health care operations.


Exceptions

The Minimum Necessary Standard does not apply to:

• Disclosures to, or requests by, a health care provider for treatment purposes;
• Uses or disclosures made to the individual;
• Uses or disclosures made pursuant to an authorization;
• Disclosures made to the Secretary of HHS for compliance and investigation purposes;
• Uses and disclosures required by law; and
• Uses or disclosures that are required for compliance with the Privacy Rule.


De-Identified PHI

A covered entity may disclose health information that is no longer individually identifiable (de-identified); once de-identified, the information is no longer PHI.

Disclosure of the code or other means of re-identifying the information constitutes a disclosure of PHI.

If de-identified information is re-identified, a covered entity may use or disclose it only as permitted or required by the Privacy Rule.


Reasonableness

The Minimum Necessary Standard requires that covered entities make “reasonable efforts” to limit the amount of identifiable information used or disclosed.

Covered entities must balance the privacy rights of individuals against reasonable, workable approaches to limiting the amount of PHI used, disclosed or released.


Implementation: Uses of PHI

• Identify workforce access to PHI.
• Limit access to PHI through policies and procedures.
• Base access on job responsibilities and “need-to-know” (Role Based Access).
• Identify the flow of PHI within the organization.


Role Based Access

By “Role Based Access”, HIPAA means that employees should have access only to the PHI they need based on their roles and responsibilities in the organization (e.g., clinical staff need more access to PHI than registration staff, who in turn need more access than maintenance staff). Organizations need to identify multiple levels of access to PHI and define the specific individuals, work groups or employee types that have each level of access.


• Role Based Access defines the flow of protected health information.

• Privacy: Role Based Access ensures that employees and healthcare workers use or disclose only the minimum amount of PHI needed to perform their jobs.

• Security: Role Based Access refers to the use of technology to control access to software applications according to job class, together with the physical security controls that restrict access to where PHI is kept.


Example: Role Based Access

1. Inventory access to PHI stored electronically.
   • Who receives PHI?
   • How is PHI stored? Who has access to computer databases, programs, etc.?

2. Inventory allowed access to and uses of PHI.
   • Identify sources of information.
   • Identify tasks that access and use PHI.

3. Inventory allowed disclosures of PHI.
   • To whom is information disclosed?
   • How is information disclosed?
   • Are disclosures routine or non-routine?


Example: Role-Based-Access Assessment Tool

Job Class & Date Reviewed

Title: __________
Date Reviewed: ________

List Tasks & Duties of Each Role

1. ___________
2. ___________
3. ___________
4. ___________
5. ___________
6. ___________

Inventory of Allowed Computer Access

Indicate Function of Allowed Access & Disclosures of PHI:

• Primary Function (required for job)
• Secondary Function (exception)
• Incidental Function (access may occur, but is not required to perform job)
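The inventory steps and the assessment tool above produce, for each job class, a classification of every PHI element as a primary, secondary or incidental function. The following is an added example (not code from the HIPAA COW module) showing how such a completed tool can be enforced in software: a policy table keyed by role releases only primary-function fields, releases secondary-function fields only when the caller states the exception, withholds incidental and unlisted fields, and fails closed for roles with no policy. The role names, field names, classifications and the sample record are constructed for illustration and are not taken from the module.

```python
"""Role-based, minimum-necessary release of PHI fields.

Added example, not code from the HIPAA COW module.  The role names,
field names, classifications and the sample record below are constructed
for illustration; a real organisation would derive them from its own
completed Role-Based-Access Assessment Tool.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Any, Dict, List, Optional


class Function(Enum):
    """Classification of a role's access to one PHI field (from the tool)."""
    PRIMARY = "primary"        # required to perform the job: always released
    SECONDARY = "secondary"    # exception: released only with a stated justification
    INCIDENTAL = "incidental"  # may occur but is not needed: never released by policy


# Hypothetical policy table: role -> PHI field -> classification.
# A field absent from a role's map is treated as not allowed (fail closed).
ROLE_POLICY: Dict[str, Dict[str, Function]] = {
    "clinical": {
        "patient_id": Function.PRIMARY, "name": Function.PRIMARY,
        "date_of_birth": Function.PRIMARY, "room": Function.PRIMARY,
        "diagnosis": Function.PRIMARY, "medications": Function.PRIMARY,
        "lab_results": Function.PRIMARY, "address": Function.SECONDARY,
        "insurance_id": Function.INCIDENTAL,
    },
    "registration": {
        "patient_id": Function.PRIMARY, "name": Function.PRIMARY,
        "date_of_birth": Function.PRIMARY, "address": Function.PRIMARY,
        "insurance_id": Function.PRIMARY, "room": Function.PRIMARY,
        "diagnosis": Function.INCIDENTAL, "medications": Function.INCIDENTAL,
    },
    "maintenance": {
        "room": Function.PRIMARY, "name": Function.INCIDENTAL,
    },
}

# Constructed sample record (no real patient data).
SAMPLE_RECORD: Dict[str, Any] = {
    "patient_id": "P-0001", "name": "Example Patient", "date_of_birth": "1970-01-01",
    "address": "1 Example St", "insurance_id": "INS-12345", "room": "4B",
    "diagnosis": "example diagnosis", "medications": ["example-med"],
    "lab_results": {"a1c": 6.1},
}


@dataclass
class AccessDecision:
    role: str
    purpose: str
    granted: Dict[str, Any] = field(default_factory=dict)
    justified: List[str] = field(default_factory=list)  # SECONDARY fields released
    denied: List[str] = field(default_factory=list)

    def audit_line(self) -> str:
        """One line for the access log: what was released, what was withheld, and why."""
        return (f"role={self.role} purpose={self.purpose!r} "
                f"granted={sorted(self.granted)} justified={sorted(self.justified)} "
                f"denied={sorted(self.denied)}")


def minimum_necessary(record: Dict[str, Any], role: str, purpose: str,
                      exception_justification: Optional[str] = None) -> AccessDecision:
    """Return only the fields of `record` that `role` may see for `purpose`.

    PRIMARY fields are released; SECONDARY fields are released only when the
    caller supplies a justification (the exception path); INCIDENTAL and
    unlisted fields are withheld.  Unknown roles fail closed.
    """
    policy = ROLE_POLICY.get(role)
    if policy is None:
        raise PermissionError(f"no access policy defined for role {role!r}")
    decision = AccessDecision(role=role, purpose=purpose)
    for name, value in record.items():
        cls = policy.get(name)
        if cls is Function.PRIMARY:
            decision.granted[name] = value
        elif cls is Function.SECONDARY and exception_justification:
            decision.granted[name] = value
            decision.justified.append(name)
        else:
            decision.denied.append(name)
    return decision


def access_tiers() -> List[str]:
    """Roles ordered from most to least PHI required (count of primary-function fields)."""
    return sorted(ROLE_POLICY, key=lambda r: -sum(
        1 for c in ROLE_POLICY[r].values() if c is Function.PRIMARY))


if __name__ == "__main__":
    for role, purpose in [("clinical", "treatment"), ("registration", "check-in"),
                          ("maintenance", "work order")]:
        print(minimum_necessary(SAMPLE_RECORD, role, purpose).audit_line())
    print(access_tiers())
```

The point of the structure is that the assessment tool, not the application code, is the source of truth: adding a field to a role's map is a reviewed policy change, an unlisted field is denied by default, and every decision, including the secondary-function exceptions and what was withheld, is written to the audit line so that non-routine access can be reviewed after the fact.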

Implementation: Disclosures of PHI

Routine Disclosures: Establish Policies and Procedures (standard protocols) to limit the amount of PHI disclosed to the minimum amount needed to accomplish the task.

Non-routine Disclosures: Develop criteria to review requests for these disclosures. Limit disclosures to the minimum necessary health information needed to accomplish the task.

Identify the flow of PHI that your organization discloses to others (business associates, providers, payers, clearinghouses, etc.).

Implementation: Making Requests for PHI

A Covered Entity must limit any request for PHI to the amount reasonably necessary to accomplish the purpose for which the request is made.

Develop policies and procedures to limit the amount of PHI requested, based on the “need-to-know”.


Reasonable Reliance

Requests for PHI:

“A covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when… the information is requested by another covered entity.”

Reference: 45 C.F.R. § 164.514(d)(3)


Reasonable Reliance

When making disclosures of PHI, the covered entity is allowed to rely on a requested disclosure as being the minimum necessary for the purpose when:

• The disclosure is to a public official;
• The request for PHI is from another covered entity;
• The request is from a professional member of the workforce, or from a business associate, who provides services to or on behalf of the covered entity; or
• The disclosure is for research purposes.


Public Officials

Disclosures of PHI:

A covered entity may rely on the judgment of public officials or agencies to determine the minimum amount of information that is needed. Examples of public officials include:

• Public health officials
• Food and Drug Administration
• Health oversight activities
• Law enforcement (disclosures required or permitted by law)


Business Associates

Disclosures of PHI:

A covered entity may disclose PHI to its business associate for the purpose of providing services for or on behalf of the covered entity, if the covered entity obtains written satisfactory assurance that the business associate will appropriately safeguard the information.

Reference: 45 C.F.R. § 164.502(e)


Research

Disclosures of PHI:

A Covered Entity may reasonably rely on documentation from an Institutional Review Board (IRB) or privacy board describing the PHI needed for research purposes.

A covered entity may also reasonably rely on a representation made by the requestor that the information is necessary to prepare a research protocol or for research on decedents.


Issues when Implementing the Minimum Necessary Standard:

Policy changes:
• What information is being used or disclosed?
• Can the information be de-identified?
• Inform and train staff on policies and procedures.
• Develop routine and non-routine disclosure protocols.

Contractual changes:
• Are Business Associate Agreements needed?
• Is technology in place to allow the limitation of access?
• Are business associates willing to sign a Business Associate Agreement?


Technology changes:
• What are the costs involved to limit access?
• What will be the security requirements dictated by the Security Rule (when published)?

Pre-emption issues:
• Review state law for issues: mental health, minors, alcohol and drug abuse, etc.

Role Based Access analysis:
• Assessment tools


Primary Author: Joan Benson, MBA

Training Workgroup Reviewers:

Karen Bauer

Anthony Cooper, FHFMA, CFE

William Jensen, MBA

Tammy Kritz, MBA

Jennifer Laughlin, RHIA

Christine Lidbury

Richard Reynolds, FHIMSS

Dan Speerschneider

Beth Zallar, MS, RHIA