
HIPAAdvisor: Q & A with Steve Fox

When Does "Minimum Necessary" Apply?

QUESTION: When does the minimum necessary disclosure requirement apply? Is a covered entity's internal use of protected health information ("PHI") subject to the minimum necessary standard for disclosure or does it only apply to disclosures made to other entities? Are there specific requirements for determining the minimum amount necessary to be disclosed?

ANSWER: The "minimum necessary" requirement is applicable to the use of PHI within covered entities as well as to disclosures made outside of the organization. Covered entities must make their own determination of exactly what PHI is reasonably necessary for any particular purpose. However, among other exceptions, this standard does not apply to disclosures to or requests by a health care provider for treatment purposes.

Whenever a covered entity uses or discloses PHI, it must make a reasonable effort not to use or disclose more than the minimum amount of PHI necessary to accomplish the intended purpose of that use or disclosure. This requirement grew out of the concern that individuals' medical records and other protected health information were far too accessible. The minimum necessary requirement is not a strict standard; it is intended to make covered entities evaluate their current practices and implement protections, as needed, to prevent unnecessary disclosures of PHI. Accordingly, covered entities may make their own assessment of what PHI is reasonably necessary to be disclosed for any particular purpose.

Although covered entities retain the flexibility to determine the minimum amount of PHI necessary to achieve the intended purpose, the disclosure of an individual's entire medical record requires documented justification. Such disclosures cannot be made except pursuant to policies that specifically justify why an individual's entire medical record is needed in any particular instance. Disclosure of an entire medical record in the absence of such a policy is a presumptive violation of the rule.

The privacy rule organizes the different uses and disclosures of PHI into three different categories and imposes different requirements for compliance with the minimum necessary standard in each category. The categories and their compliance requirements are as follows:

  • Internal use of PHI. Covered entities are required to audit their operations and identify the persons or classes of persons within their operations who need access to PHI to carry out their job duties, the categories or types of PHI that each of these classes of people require, and under what conditions such persons will need to access the PHI necessary to perform their jobs. Policies and procedures must be implemented to ensure that the use of PHI remains limited to the necessary scope as identified in the audit.

  • Routine Disclosures. For routine or recurring requests and disclosures, covered entities must develop standard protocols, policies and procedures which limit the PHI disclosed or requested to the minimum necessary to achieve the purpose of that particular disclosure or request. Each disclosure does not have to be individually reviewed.

  • Non-Routine Disclosures. Covered entities are required to develop criteria that will allow them to consistently determine the minimum amount of PHI necessary to accomplish the intended purpose of the disclosure in response to non-routine requests. Unlike the preceding categories, non-routine requests must be evaluated on an individual case-by-case basis in accordance with the criteria developed by the covered entity to ensure the minimum necessary disclosure.
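The three categories above map naturally onto a least-privilege access policy: a role-to-category matrix for internal use, standing protocols for routine disclosures, and a hold-for-review path for everything else. The following is an added illustration written for this column, not code from the original article or from Pepper Hamilton; the roles, PHI categories, protocol names and requests are all constructed for the example, and the treatment exception and entire-record rule are modelled on the text above rather than on any regulatory code.

```python
"""Added illustration: a minimal 'minimum necessary' policy check for PHI,
modelled on the three categories described above (internal use, routine
disclosures, non-routine disclosures). All role names, PHI categories,
protocol names and sample requests are constructed for this example."""
from dataclasses import dataclass

# PHI categories a covered entity might identify in its internal audit
# (constructed labels for the example).
PHI_CATEGORIES = {"demographics", "diagnosis", "medications",
                  "lab_results", "billing", "notes"}
ENTIRE_RECORD = frozenset(PHI_CATEGORIES)

# Internal use: classes of persons -> categories of PHI their duties need.
ROLE_POLICY = {
    "billing_clerk": frozenset({"demographics", "billing"}),
    "pharmacist": frozenset({"demographics", "medications"}),
    "lab_tech": frozenset({"demographics", "lab_results"}),
    "treating_clinician": ENTIRE_RECORD,
}

# Routine disclosures: standing protocols for recurring request types.
ROUTINE_PROTOCOLS = {
    "insurance_claim": frozenset({"demographics", "diagnosis", "billing"}),
    "pharmacy_refill": frozenset({"demographics", "medications"}),
}


@dataclass
class Request:
    requester_role: str
    purpose: str            # "treatment", "internal", a routine protocol name, or other
    categories: frozenset   # PHI categories requested
    justification: str = ""  # documented justification, required for entire record


@dataclass
class Decision:
    allowed: frozenset
    denied: frozenset
    needs_case_review: bool = False
    reason: str = ""


def evaluate(req: Request) -> Decision:
    """Apply the minimum necessary standard to one use/disclosure request."""
    # Requests by a provider for treatment are outside the standard.
    if req.purpose == "treatment":
        return Decision(req.categories, frozenset(), reason="treatment exception")

    # An entire medical record requires a documented justification under policy;
    # without one the request is presumptively non-compliant and is refused.
    if req.categories >= ENTIRE_RECORD and not req.justification:
        return Decision(frozenset(), req.categories,
                        reason="entire record without documented justification")

    # Internal use: limit to what the requester's role was audited as needing.
    if req.purpose == "internal":
        permitted = ROLE_POLICY.get(req.requester_role, frozenset())
        allowed = req.categories & permitted
        return Decision(allowed, req.categories - allowed, reason="internal role policy")

    # Routine disclosure: apply the standing protocol, no per-request review.
    if req.purpose in ROUTINE_PROTOCOLS:
        permitted = ROUTINE_PROTOCOLS[req.purpose]
        allowed = req.categories & permitted
        return Decision(allowed, req.categories - allowed, reason="routine protocol")

    # Non-routine: no standing protocol, so hold for individual review
    # against the entity's documented criteria.
    return Decision(frozenset(), req.categories, needs_case_review=True,
                    reason="non-routine request: case-by-case review")


if __name__ == "__main__":
    over_broad = Request("billing_clerk", "internal",
                         frozenset({"demographics", "diagnosis", "billing"}))
    print(evaluate(over_broad))
    print(evaluate(Request("records_dept", "litigation_hold",
                           frozenset({"notes", "diagnosis"}))))
```

The point of the structure is that only the non-routine branch needs a human decision; the internal and routine branches are decided by the policy the audit produced, which is also what an auditor will ask to see.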

Covered entities would be wise to join compliance groups or otherwise share or monitor the way in which the minimum necessary standard is implemented across the industry. Because the rule does not apply strict parameters around the definition of "minimum necessary," DHHS is likely to look at best practices across the industry when making determinations about compliance.



Steve Fox, Esq., is a partner in the Washington, D.C. office of Pepper Hamilton LLP. Pepper Hamilton LLP is a multi-practice law firm with more than 400 lawyers in ten offices. A specialist in healthcare, Steve is a frequent writer and speaker on healthcare information management and technology issues. www.pepperlaw.com/

This article was co-authored by Rachel H. Wilson, Esq., an associate at Pepper Hamilton.

Disclaimer: Steve's responses offer information that is general in nature and should not be relied upon as legal advice. Only your attorney is qualified to evaluate your specific situation and provide you with customized advice.

Have a question you'd like Steve to discuss in HIPAAlert? Send it to and he'll be glad to consider using it in a future column, with or without attribution.