HIPAA GENERAL OPERATING POLICY #7
MINIMUM NECESSARY REQUIREMENTS
I. In General
When using or disclosing protected health information (PHI) or when requesting PHI from another Covered Entity, a HCC must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.
This rule does not apply to:
a. Disclosures to or requests by a health care provider for treatment;
b. Uses or disclosures made to the individual;
c. Uses or disclosures made pursuant to an authorization;
d. Disclosures made to the Secretary for compliance and enforcement;
e. Uses or disclosures required by law; and
f. Uses and disclosures that are required for compliance with HIPAA requirements.
II. Uses of PHI
A HCC must meet the following requirements with respect to a request for, or the use and disclosure of, PHI.
A HCC must:
i. Identify the persons or classes of persons in its workforce who need access to PHI to carry out their duties;
ii. For each such person or class of persons, identify the category or categories of PHI to which access is needed and any conditions appropriate to such access; and
iii. Limit the access of such persons or classes identified in (i) to the PHI identified in (ii).
III. Disclosures of PHI
i. For routine and recurring disclosures, a HCC must implement policies and procedures that limit the PHI disclosed to the amount reasonably necessary to achieve the purpose of the disclosure;
ii. For all other disclosures, a HCC must:
A. Develop criteria designed to limit the PHI disclosed to the information reasonably necessary to accomplish the purpose of the disclosure; and
B. Review requests for disclosure on an individual basis in accordance with such criteria.
iii. A HCC may rely, if such reliance is reasonable, on a requested disclosure as the minimum necessary for the stated purpose when:
A. Making permitted disclosures to public officials if the public official represents that the information requested is the minimum necessary;
B. The information is requested by another Covered Entity;
C. The information is requested by a professional who is a member of its workforce or a Business Associate for the purpose of providing professional services to the HCC and the professional represents that the information requested is the minimum necessary; or
D. Documentation or representations complying with the requirements pertaining to research have been provided by a person requesting the information for research purposes.
IV. Requests for PHI
When requesting PHI from other Covered Entities, a HCC must limit its request to that which is reasonably necessary to accomplish the purpose for which the request is made.
i. For routine and recurring requests, a HCC must implement policies and procedures that limit the PHI requested to the amount reasonably necessary to achieve the purpose for which the request is made.
ii. For all other requests, a HCC must:
A. Develop criteria designed to limit the request for PHI to the information reasonably necessary to accomplish the purpose for which the request is made; and
B. Review requests for disclosure on an individual basis in accordance with such criteria.
V. Entire Record
For all uses, disclosures or requests to which the minimum necessary requirements apply, a HCC may not use, disclose or request an entire medical record, except when the entire medical record is the amount reasonably necessary to accomplish the purpose.
