Minimum Necessary Standard, Version 1.0
HIPAA Collaborative of Wisconsin (HIPAA COW)
Disclaimer
This Training Module is Copyright 2003 by the HIPAA Collaborative of Wisconsin (“HIPAA COW”). It may be freely redistributed in its entirety provided that this copyright notice is not removed. It may not be sold for profit or used in commercial documents without the written permission of the copyright holder. This Training Module is provided “as is” without any express or implied warranty. This Training Module is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. HIPAA COW has not yet addressed all state pre-emption issues related to this Training Module. Therefore, this form may need to be modified in order to comply with Wisconsin law.
Copyright 2003 - HIPAA Collaborative of Wisconsin
Minimum Necessary Standard
Application of the Minimum Necessary Standard, as Amended August 2002
“When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”
Reference: F.R. § 164.502(b)
With some exceptions, the Minimum Necessary Standard applies to uses, disclosures and requests for protected health information (PHI), including those for treatment, payment and healthcare operations.
Exceptions
The Minimum Necessary Standard does not apply to:
• Disclosures to, or requests by, a health care provider for treatment purposes;
• Uses or disclosures made to the individual;
• Uses or disclosures made pursuant to an authorization;
• Disclosures made to the Secretary of HHS for compliance and investigation purposes;
• Uses and disclosures required by law; and
• Uses or disclosures that are required for compliance with the Privacy Rule.
De-Identified PHI
• A covered entity may disclose PHI that is no longer individually identifiable (de-identified).
• Disclosure of the code or method used to re-identify the PHI constitutes a disclosure of PHI.
• If de-identified PHI is re-identified, a covered entity may use or disclose such information only as required by the Privacy Laws.
Reasonableness
• The Minimum Necessary Standard requires that covered entities make “reasonable efforts” to limit the amount of identifiable information used or disclosed.
• Covered entities must balance the privacy rights of individuals with reasonable approaches to limit the amount of PHI used, disclosed or released.
Implementation
Uses of PHI:
• Identify workforce access to PHI.
• Limit access to PHI through Policies and Procedures.
• Base access on job responsibilities and “need-to-know” (Role Based Access).
• Identify the flow of PHI within the organization.
Role Based Access
By “Role Based Access”, HIPAA means that employees should only have access to the PHI that they need based on their roles and responsibilities in the organization (e.g., clinical staff would need more access to PHI than registration staff, who would need more access than maintenance staff). Organizations need to identify multiple levels of access to PHI and define the specific individuals, work groups or employee types that would have each level of access.
• Role Based Access defines the flow of protected health information.
• Privacy: Role Based Access ensures that employees and healthcare workers use or disclose only the minimum amount of PHI needed to perform their jobs.
• Security: Role Based Access refers to the use of technology to control access to software applications according to job class. Physical security is controlled by role as well.
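The security side of Role Based Access described above can be made concrete in code. The following is an added example, not part of the HIPAA COW training module: it applies a deny-by-default, field-level filter to a patient record so that each job class receives only the fields it needs, and it logs every decision (including which fields were withheld) so the role tiers can be reviewed against actual duties. The role names, field names, sample record and log format are all constructed for illustration.

```python
"""Role-based, field-level access to PHI records ("minimum necessary").

Added example, not code from the HIPAA COW training module. The roles,
field names, sample record and log format below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Constructed sample record; every value here is made up for the example.
PATIENT_RECORD: Dict[str, str] = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "dob": "1970-01-01",
    "address": "1 Example St, Madison, WI",
    "insurance_id": "INS-12345",
    "diagnosis": "Hypertension",
    "medications": "lisinopril 10 mg daily",
    "room": "4B",
}

# Role -> the fields that role needs to do its job. The assumed tiers follow
# the module's ordering: clinical > registration > maintenance. Any field not
# listed for a role is withheld (deny-by-default).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "clinical": frozenset(PATIENT_RECORD),  # treating staff see the full chart
    "registration": frozenset(
        {"patient_id", "name", "dob", "address", "insurance_id"}
    ),  # demographics and billing only, no clinical detail
    "maintenance": frozenset({"room"}),  # where to go, not who is there
}


@dataclass
class AccessLog:
    """Append-only record of every access decision, for audit and review."""

    entries: List[dict] = field(default_factory=list)

    def record(self, user: str, role: str, decision: str, detail: str) -> None:
        self.entries.append(
            {"user": user, "role": role, "decision": decision, "detail": detail}
        )


def minimum_necessary_view(
    record: Dict[str, str], user: str, role: str, log: AccessLog
) -> Dict[str, str]:
    """Return only the fields the caller's role is permitted to see.

    Unknown roles get nothing; every decision is logged, including the
    withheld field names, so reviewers can check that the role tiers
    match real job duties.
    """
    allowed = ROLE_PERMISSIONS.get(role)
    if allowed is None:
        log.record(user, role, "DENY", "unknown role")
        raise PermissionError(f"role {role!r} is not defined")
    view = {name: value for name, value in record.items() if name in allowed}
    withheld = sorted(set(record) - allowed)
    log.record(user, role, "ALLOW", f"withheld={withheld}")
    return view


def request_field(
    record: Dict[str, str], user: str, role: str, field_name: str, log: AccessLog
) -> str:
    """Single-field lookup: the narrowest request a caller can make."""
    allowed = ROLE_PERMISSIONS.get(role, frozenset())
    if field_name not in allowed:
        log.record(user, role, "DENY", f"field={field_name}")
        raise PermissionError(f"role {role!r} may not read {field_name!r}")
    log.record(user, role, "ALLOW", f"field={field_name}")
    return record[field_name]


if __name__ == "__main__":
    log = AccessLog()
    for role in ("clinical", "registration", "maintenance"):
        print(role, minimum_necessary_view(PATIENT_RECORD, f"{role}-user", role, log))
    try:
        request_field(PATIENT_RECORD, "janitor", "maintenance", "diagnosis", log)
    except PermissionError as exc:
        print("denied:", exc)
    for entry in log.entries:
        print(entry)
```

The permission table is the artifact a privacy officer reviews: each role's field set is the written answer to "what does this job class need?", and the log shows whether the tiers hold up in practice. Adding a new role means adding a row, never loosening an existing one.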
Example: Role Based Access
1. Inventory access to PHI stored electronically.
   • Who receives PHI?
   • How is PHI stored? Who has access to computer databases, programs, etc.?
2. Inventory allowed access to and uses of PHI.
   • Identify sources of information.
   • Identify tasks that access and use PHI.
3. Inventory allowed disclosures of PHI.
   • To whom is information disclosed?
   • How is information disclosed?
   • Are disclosures routine or non-routine?
Example: Role-Based-Access Assessment Tool
Job Class & Date Reviewed
Title: __________
Date Reviewed: ________
Inventory of Allowed Computer Access (list the tasks and duties of each role):
1. ___________
2. ___________
3. ___________
4. ___________
5. ___________
6. ___________
Indicate the function of each allowed access to and disclosure of PHI:
• Primary Function (required for job)
• Secondary Function (exception)
• Incidental Function (access may occur, but is not required to perform the job)
Implementation
Disclosures of PHI:
• Routine Disclosures: Establish Policies and Procedures (standard protocols) to limit the amount of PHI disclosed to the minimum amount needed to accomplish the task.
• Non-routine Disclosures: Develop criteria to review requests for these disclosures. Limit disclosures to the minimum necessary health information needed to accomplish the task.
• Identify the flow of PHI that your organization discloses to others (Business Associates, providers, payers, clearinghouses, etc.).
Implementation
Making Requests for PHI:
• A Covered Entity must limit any request for PHI to the amount reasonably necessary to accomplish the purpose for which the request is made.
• Develop policies and procedures to limit the amount of PHI requested, based on the “need-to-know”.
Reasonable Reliance
Requests for PHI:
“A covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when… the information is requested by another covered entity.”
Reference: F.R. § 164.514(d)(3)
Reasonable Reliance
When making disclosures of PHI, the covered entity is allowed to rely on a requested disclosure as being the minimum necessary for the purpose when:
• The disclosure is to a public official;
• The request for PHI is from another covered entity;
• The request is from a professional member of the workforce or a business associate who provides services to or on behalf of the covered entity; or
• The request is for research purposes.
Public Officials
Disclosures of PHI:
A covered entity may rely on the judgment of public officials or agencies to determine the minimum amount of information that is needed. Examples of public officials include:
• Public health officials
• Food and Drug Administration
• Health oversight activities
• Law enforcement (disclosures required or permitted by law)
Business Associates
Disclosures of PHI:
A covered entity may disclose PHI to its business associate for the purpose of providing services for or on behalf of the covered entity, if the covered entity obtains written satisfactory assurance that the business associate will appropriately safeguard the information.
Reference: F.R. § 164.502(e)
Research
Disclosures of PHI:
• A Covered Entity may reasonably rely on documentation from an Institutional Review Board (IRB) or privacy board describing the PHI needed for research purposes.
• A covered entity may also reasonably rely on a representation made by the requestor that the information is necessary to prepare a research protocol or for research on decedents.
Issues when Implementing the Minimum Necessary Standard:
Policy Changes
• What information is being used or disclosed?
• Can the information be de-identified?
• Inform and train staff on policies & procedures.
• Develop routine and non-routine disclosure protocols.
Contractual Changes
• Are Business Associate Agreements needed?
• Is technology in place to allow the limitation of access?
• Are business associates willing to sign a Business Associate Agreement?
Issues when Implementing the Minimum Necessary Standard:
Technology Changes
• What are the costs involved to limit access?
• What will be the security requirements dictated by the Security Rule (when published)?
Pre-emption Issues
• Review state law for issues: mental health, minors, alcohol & drug abuse, etc.
Role Based Access Analysis
• Assessment tools
Primary Author: Joan Benson, MBA
Training Workgroup Reviewers:
Karen Bauer
Anthony Cooper, FHFMA, CFE
William Jensen, MBA
Tammy Kritz, MBA
Jennifer Laughlin, RHIA
Christine Lidbury
Richard Reynolds, FHIMSS
Dan Speerschneider
Beth Zallar, MS, RHIA