[45 CFR §§ 164.502(b), 164.514(d)]
General Requirement
The Privacy Rule generally requires covered entities
to take reasonable steps to limit the use or disclosure
of, and requests for, protected health information
(PHI) to the minimum necessary to accomplish the
intended purpose. The minimum necessary provisions
do not apply to the following:
- Disclosures to or requests by a health care
provider for treatment purposes.
- Disclosures to the individual who is the subject
of the information.
- Uses or disclosures made pursuant to an authorization
requested by the individual.
- Uses or disclosures required for compliance
with the standardized Health Insurance Portability
and Accountability Act (HIPAA) transactions.
- Disclosures to the Department of Health and
Human Services (HHS) when disclosure of information
is required under the rule for enforcement purposes.
- Uses or disclosures that are required by other
law.
The implementation specifications for this provision
require a covered entity to develop and implement
policies and procedures appropriate for its own
organization, reflecting the entity's business practices
and workforce. We understand this guidance will
not answer all questions pertaining to the minimum
necessary standard, especially as applied to specific
industry practices. As more questions arise with
regard to application of the minimum necessary standard
to particular circumstances, we will provide more
detailed guidance and clarification on this issue.
Uses and Disclosures of, and Requests for PHI
For uses of PHI, the policies and procedures must
identify the persons or classes of persons within
the covered entity who need access to the information
to carry out their job duties, the categories or
types of PHI needed, and conditions appropriate
to such access. For example, hospitals may implement
policies that permit doctors, nurses, or others
involved in treatment to have access to the entire
medical record, as needed. Case-by-case review of
each use is not required. Where the entire medical
record is necessary, the covered entity's policies
and procedures must state so explicitly and include
a justification.
For routine or recurring requests and disclosures,
the policies and procedures may be standard protocols
and must limit PHI disclosed or requested to that
which is the minimum necessary for that particular
type of disclosure or request. Individual review
of each disclosure or request is not required.
For non-routine disclosures, covered entities
must develop reasonable criteria for determining,
and limiting disclosure to, only the minimum amount
of PHI necessary to accomplish the purpose of a
non-routine disclosure. Non-routine disclosures
must be reviewed on an individual basis in accordance
with these criteria. When making non-routine requests
for PHI, the covered entity must review each request
so as to ask for only that information reasonably
necessary for the purpose of the request.
Reasonable Reliance
In certain circumstances, the Privacy Rule permits
a covered entity to rely on the judgment of the
party requesting the disclosure as to the minimum
amount of information that is needed. Such reliance
must be reasonable under the particular circumstances
of the request. This reliance is permitted when
the request is made by:
- A public official or agency for a disclosure
permitted under § 164.512 of the rule.
- Another covered entity.
- A professional who is a workforce member or
business associate of the covered entity holding
the information.
- A researcher with appropriate documentation
from an Institutional Review Board (IRB) or Privacy
Board.
The rule does not require such reliance, however,
and the covered entity always retains discretion
to make its own minimum necessary determination
for disclosures to which the standard applies.
Treatment Settings
We understand that medical information must be
conveyed freely and quickly in treatment settings,
and thus understand the heightened concern that
covered entities have about how the minimum necessary
standard applies in such settings. Therefore, we
are taking the following steps to clarify the application
of the minimum necessary standard in treatment settings.
First, we clarify some of the issues here, including
the application of minimum necessary to specific
practices, so that covered entities may begin implementation
of the Privacy Rule. Second, we will propose corresponding
changes to the regulation text, to increase the
confidence of covered entities that they are free
to engage in whatever communications are required
for quick, effective, high-quality health care.
We understand that issues of this importance need
to be addressed directly and clearly to eliminate
any ambiguities.