Standards
for Privacy of Individually Identifiable Health Information
B. Section 164.502--Uses and Disclosures of
Protected Health Information: General Rules
2. Minimum Necessary Standard
December 2000 Privacy Rule
The Privacy Rule generally requires covered entities to make reasonable
efforts to limit the use or disclosure of, and requests for, protected
health information to the minimum necessary to accomplish the intended
purpose. See Sec. 164.502(b). Protected health information includes
individually identifiable health information (with limited exceptions)
in any form, including information transmitted orally, or in written
or electronic form. See the definition of "protected health
information" at Sec. 164.501. The minimum necessary standard
is intended to make covered entities evaluate their practices and
enhance protections as needed to limit unnecessary or inappropriate
access to, and disclosures of, protected health information.
The Privacy Rule contains some exceptions to the minimum necessary
standard. The minimum necessary requirements do not apply to uses
or disclosures that are required by law, disclosures made to the
individual or pursuant to an authorization initiated by the individual,
disclosures to or requests by a health care provider for treatment
purposes, uses or disclosures that are required for compliance with
the regulations implementing the other administrative simplification
provisions of HIPAA, or disclosures to the Secretary of HHS for
purposes of enforcing this Rule. See Sec. 164.502(b)(2).
The Privacy Rule sets forth requirements for implementing the minimum
necessary standard with regard to a covered entity's uses, disclosures,
and requests at Sec. 164.514(d). A covered entity is required to
develop and implement policies and procedures appropriate to the
entity's business practices and workforce that reasonably minimize
the amount of protected health information used, disclosed, and
requested. For uses of protected health information, the policies
and procedures must identify the persons or classes of persons within
the covered entity who need access to the information to carry out
their job duties, the categories or types of protected health information
needed, and the conditions appropriate to such access. For routine
or recurring requests and disclosures, the policies and procedures
may be standard protocols. Non-routine requests for, and disclosures
of, protected health information must be reviewed individually.
With regard to disclosures, the Privacy Rule permits a covered
entity to rely on the judgment of certain parties requesting the
disclosure as to the minimum amount of information that is needed.
For example, a covered entity is permitted reasonably to rely on
representations from a public official, such as a State workers'
compensation official, that the information requested is the minimum
necessary for the intended purpose. Similarly, a covered entity
is permitted reasonably to rely on the judgment of another covered
entity that the information requested is the minimum amount of information
reasonably necessary to fulfill the purpose for which the request
has been made. See Sec. 164.514(d)(3)(iii).
March 2002 NPRM
The Department proposed a number of minor modifications to the
minimum necessary standard to clarify the Department's intent or
otherwise conform these provisions to other proposed modifications.
First, the Department proposed to separate Sec. 164.502(b)(2)(ii)
into two subparagraphs (Sec. 164.502(b)(2)(ii) and (iii)) to eliminate
confusion regarding the exception to the minimum necessary standard
for uses or disclosures made pursuant to an authorization under
Sec. 164.508, and the separate exception for disclosures made to
the individual. Second, to conform to the proposal to eliminate
the special authorizations required by the Privacy Rule at Sec.
164.508(d), (e), and (f), the Department proposed to exempt from
the minimum necessary standard any uses or disclosures for which
the covered entity had received an authorization that meets the
requirements of Sec. 164.508, rather than just those authorizations
initiated by the individual.
Third, the Department proposed to modify Sec. 164.514(d)(1) to
delete the term "reasonably ensure" in response to concerns
that the term connotes an absolute, strict standard and, therefore,
is inconsistent with the Department's intent that the minimum necessary
requirements be reasonable and flexible to the unique circumstances
of the covered entity. In addition, the Department proposed to generally
revise the language in Sec. 164.514(d)(1) to be more consistent
with the description of standards elsewhere in the Privacy Rule.
Fourth, so that the minimum necessary standard would be applied
consistently to requests for, and disclosures of, protected health
information, the Department proposed to add a provision to Sec.
164.514(d)(4) to make the implementation specifications for applying
the minimum necessary standard to requests for protected health
information by a covered entity more consistent with the corresponding
implementation specifications for disclosures. Specifically, for
requests not made on a routine and recurring basis, the Department
proposed to add the requirement that a covered entity must implement
the minimum necessary standard by developing and implementing criteria
designed to limit its request for protected health information to
the minimum necessary to accomplish the intended purpose.
Overview of Public Comments
The following discussion provides an overview of the public comment
received on this proposal. Additional comments received on this
issue are discussed below in the section entitled, "Response
to Other Public Comments."
The Department received a number of comments on its proposal to
exempt from the minimum necessary standard any use or disclosure
of protected health information for which the covered entity has
received an authorization that meets the requirements of Sec. 164.508.
Many commenters supported this proposal. A few commenters generally
urged that the minimum necessary standard be applied to uses and
disclosures pursuant to an authorization. A few other commenters
appeared to misinterpret the policy in the December 2000 Rule and
urged that the Department retain the minimum necessary standard
for disclosures "pursuant to an authorization other than disclosures
to an individual." Some commenters raised specific concerns
about authorizations for psychotherapy notes and the particular
need for minimum necessary to be applied in these cases.
A number of commenters expressed support for the Department's statements
in the preamble to the proposed Rule reinforcing that the minimum
necessary standard is intended to be flexible to account for the
characteristics of the entity's business and workforce, and not
intended to override the professional judgment of the covered entity.
Similarly, some commenters expressed support for the Department's
proposal to remove the term "reasonably ensure" from Sec.
164.514(d)(1). However, a few commenters expressed concerns that
the proposed alternative language actually would implement a stricter
standard than that included in the December 2000 Privacy Rule.
Final Modifications
In this final Rule, the Department adopts the proposed policy to
exempt from the minimum necessary standard any uses or disclosures
for which the covered entity has received an authorization that
meets the requirements of Sec. 164.508. The final modification adopts
the proposal to eliminate the special authorizations that were required
by the December 2000 Privacy Rule at Sec. 164.508(d), (e), and (f).
(See section III.E.1. of the preamble for a detailed discussion
of the modifications to the authorization requirements of the Privacy
Rule.) Since the only authorizations to which the minimum necessary
standard applied are being eliminated in favor of a single consolidated
authorization, the final Rule correspondingly eliminates the minimum
necessary provisions that applied to the now-eliminated special
authorizations. All uses and disclosures made pursuant to any authorization
are exempt from the minimum necessary standard.
In response to commenters who opposed this proposal as a potential
weakening of privacy protections or who wanted the minimum necessary
requirements to apply to authorizations other than disclosures to
the individual, the Department notes that nothing in the final Rule
eliminates an individual's control over his or her protected health
information with respect to an authorization. All authorizations
must include a description of the information to be used and disclosed
that identifies the information in a specific and meaningful fashion
as required by Sec. 164.508(c)(1)(i). If the individual does not
wish to release the information requested, the individual has the
right to not sign the authorization or to negotiate a narrower authorization
with the requestor.
Additionally, in response to those commenters who raised specific
concerns with respect to authorizations which request release of
psychotherapy notes, the Department clarifies that the final Rule
does not require a covered entity to use and disclose protected
health information pursuant to an authorization. Rather, as with
most other uses and disclosures under the Privacy Rule, this is
only a permissible use or disclosure. If a covered health care provider
is concerned that a request for an individual's psychotherapy notes
is not warranted or is excessive, the provider may consult with
the individual to determine whether or not the authorization is
consistent with the individual's wishes.
Further, the Privacy Rule does not permit a health plan to condition
enrollment, eligibility for benefits, or payment of a claim on obtaining
the individual's authorization to use or disclose psychotherapy
notes. Nor may a health care provider condition treatment on an
authorization for the use or disclosure of psychotherapy notes.
Thus, the Department believes that these additional protections
appropriately and effectively protect an individual's privacy with
respect to psychotherapy notes.
The final Rule also retains for clarity the proposal to separate
Sec. 164.502(b)(2)(ii) into two subparagraphs (Sec. 164.502(b)(2)(ii)
and (iii)); commenters did not explicitly address or raise issues
with this proposed clarification.
In response to concerns that the proposed language at Sec. 164.514(d)(1)
would implement a stricter standard, the Department disagrees and,
therefore, adopts the proposed language. The language in Sec. 164.514(d)(1)
describes the standard: covered entities are required to meet the
requirements in the implementation specifications of Sec. 164.514(d)(2)
through (d)(5). The implementation specifications describe what
covered entities must do reasonably to limit uses, disclosures,
and requests to the minimum necessary. Thus, the Department believes
that the language in the implementation specifications is adequate
to reflect the Department's intent that the minimum necessary standard
is reasonable and flexible to accommodate the unique circumstances
of the covered entity.
Commenters also generally did not address the Department's proposed
clarification to make the implementation specifications for requests
of protected health information consistent with those for disclosures
of protected health information. Consequently, as commenters did
not raise concerns with the proposal, this final Rule adopts the
proposed provision at Sec. 164.514(d)(4). For requests of protected
health information not made on a routine and recurring basis, a
covered entity must implement the minimum necessary standard by
developing and implementing criteria designed to limit its request
for protected health information to the minimum necessary to accomplish
the intended purpose.
Response to Other Public Comments
Comment: Many commenters recommended changes to the minimum
necessary standard unrelated to the proposed modifications. For
example, some commenters urged that the Department exempt from the
minimum necessary standard all uses of protected health information,
or at least uses of protected health information for treatment purposes.
Alternatively, one commenter urged that the minimum necessary standard
be applied to disclosures for treatment purposes. Others requested
that the Department exempt uses and disclosures for payment and
health care operations from the standard, or exempt disclosures
to another covered entity for such purposes. A few commenters argued
that the minimum necessary standard should not apply to disclosures
to another covered entity. Some urged that the minimum necessary
standard be eliminated entirely.
Response: The Department did not propose modifications relevant
to these comments, nor did it seek comment on these issues. The
proposed modifications generally were intended to address those
problems or issues that presented workability problems for covered
entities or otherwise had the potential to impede an individual's
timely access to quality health care. Moreover, the proposed modifications
to the minimum necessary standard were either minor clarifications
of the Department's intent with respect to the standard or would
conform the standard to other proposed modifications. The Department
has, in previous guidance as well as in the preamble to the December
2000 Privacy Rule, explained its position with respect to the above
concerns. The minimum necessary standard is derived from confidentiality
codes and practices in common use today. We continue to believe
that it is sound practice not to use or disclose private medical
information that is not necessary to satisfy a request or effectively
carry out a function. The privacy benefits of retaining the minimum
necessary standard outweigh the burden involved with implementing
the standard. The Department reiterates that position here.
Further, the Department designed the minimum necessary standard
to be sufficiently flexible to accommodate the various circumstances
of any covered entity. Covered entities will develop their own policies
and procedures to meet this standard. A covered entity's policies
and procedures may and should allow the appropriate individuals
within an entity to have access to protected health information
as necessary to perform their jobs with respect to the entity's
covered functions. The Department is not aware of any workability
issues with this standard.
With respect to disclosures to another covered entity, the Privacy
Rule permits a covered entity reasonably to rely on another covered
entity's request for protected health information as the minimum
necessary for the intended disclosure. See Sec. 164.514(d)(3)(iii).
The Department does not believe, therefore, that a blanket exception
for such disclosures is justified. The covered entity who holds
the information always retains discretion to make its own minimum
necessary determination.
Lastly, the Department continues to believe that the exception
for disclosures to or requests by health care providers for treatment
purposes is appropriate to ensure that access to timely and quality
treatment is not impeded.
As the Privacy Rule is implemented, the Department will monitor
the workability of the minimum necessary standard and consider proposing
revisions, where appropriate, to ensure that the Privacy Rule does
not hinder timely access to quality health care.
Comment: One commenter requested that the Department state
in the preamble that the minimum necessary standard may not be used
to interfere with or obstruct essential health plan payment and
health care operations activities, including quality assurance,
disease management, and other activities. Another commenter asked
that the final Rule's preamble acknowledge that, in some cases,
the minimum protected health information necessary for payment or
health care operations will be the entire record. One commenter
urged that the Rule be modified to presume that disclosure of a
patient's entire record is justified, and that such disclosure does
not require individual review, when requested for disease management
purposes.
Response: The minimum necessary standard is not intended
to impede essential treatment, payment, or health care operations
activities of covered entities. Nor is the Rule intended to change
the way covered entities handle their differences with respect to
disclosures of protected health information. The Department recognizes
that, in some cases, an individual's entire medical record may be
necessary for payment or health care operations purposes, including
disease management purposes. However, the Department does not believe
that disclosure of a patient's entire medical record is always justified
for such purposes. The Privacy Rule does not prohibit the request
for, or release of, entire medical records in such circumstances,
provided that the covered entity has documented the specific justification
for the request or disclosure of the entire record.
Comment: A few commenters requested that the Department
add to the regulatory text some of the statements included in the
preamble to the proposed modifications. For example, commenters
asked that the final Rule state that the minimum necessary standard
is "intended to be consistent with, and not override, professional
judgement and standards." Similarly, others requested that
the regulation specify that "covered entities must implement
policies and procedures based on their own assessment of what protected
health information is reasonably necessary for a particular purpose,
given the characteristics of their business and their workforce,
and using their own professional judgment."
Response: It is the Department's policy that the minimum
necessary standard is intended to be consistent with, and not override,
professional judgment and standards, and that covered entities must
implement policies and procedures based on their own assessment
of what protected health information is reasonably necessary for
a particular purpose, given the characteristics of their business
and their workforce. However, the Department does not believe a
regulatory modification is necessary because the Department has
made its policy clear not only in the preamble to the proposed modifications
but also in previous guidance and in this preamble.
Comment: A commenter argued that the Department should exempt
disclosures for any of the standard transactions as required by
the Transactions Rule, when information is requested by a health
plan or its business associate.
Response: The Department disagrees. The Privacy Rule already
exempts from the minimum necessary standard data elements that are
required or situationally required in any of the standard transactions
(Sec. 164.502(b)(2)(v)). If, however, a standard transaction permits
the use of optional data elements, the minimum necessary standard
applies. For example, the standard transactions adopted for the
outpatient pharmacy sector use optional data elements. The payer
currently specifies which of the optional data elements are needed
for payment of its particular pharmacy claims. The minimum necessary
standard applies to the payer's request for such information. A
pharmacist is permitted to rely on the payer's request for information,
if reasonable to do so, as the minimum necessary for the intended
disclosure.
Comment: A few commenters expressed concerns with respect
to a covered entity's disclosures for research purposes. Specifically,
one commenter was concerned that a covered entity will not accept
documentation of an external IRB's waiver of authorization for purposes
of reasonably relying on the request as the minimum necessary. It
was suggested that the Department deem that a disclosure to a researcher
based on appropriate documentation from an IRB or Privacy Board
meets the minimum necessary standard.
Response: The Department understands commenters' concerns
that covered entities may decline to participate in research studies,
but believes that the Rule already addresses this concern. The Privacy
Rule explicitly permits a covered entity reasonably to rely on a
researcher's documentation or the representations of an IRB or Privacy
Board pursuant to Sec. 164.512(i) that the information requested
is the minimum necessary for the research purpose. This is true
regardless of whether the documentation is obtained from an external
IRB or Privacy Board or one that is associated with the covered
entity. The preamble to the March 2002 NPRM further reinforced this
policy by stating that reasonable reliance on an IRB's documentation
of approval of the waiver criteria and a description of the data
needed for the research as required by Sec. 164.512(i) would satisfy
a covered entity's obligations with respect to limiting the disclosure
to the minimum necessary. The Department reiterates this policy
here and believes that this should give covered entities sufficient
confidence in accepting IRB waivers of authorization.
Comment: A number of commenters requested that the Department
limit the amount of information that pharmacy benefits managers
(PBM) may demand from pharmacies as part of their claims payment
activities.
Response: The health plan, as a covered entity, is obligated
to instruct the PBM, as its business associate acting through the
business associate contract, to request only the minimum amount
of information necessary to pay a claim. The pharmacist may rely
on this determination if reasonable to do so, and then does not
need to engage in a separate minimum necessary assessment. If a
pharmacist does not agree that the amount of information requested
is reasonably necessary for the PBM to fulfill its obligations,
it is up to the pharmacist and PBM to negotiate a resolution of
the dispute as to the amount of information needed by the PBM to
carry out its obligations and that the pharmacist is willing to
provide, recognizing that the PBM is not required to pay claims
if it has not received the information it believes is necessary
to process the claim in accordance with its procedures, including
fraud prevention procedures.
The standard for electronic pharmacy claims, adopted by the Secretary
in the Transactions Rule, includes optional data elements and relies
on each payer to specify the data elements required for payment
of its claims. Understandably, the majority of health plans require
some patient identification elements in order to adjudicate claims.
As the National Council for Prescription Drug Programs (NCPDP) moves
from optional to required and situational data elements, the question
of whether the specific element of "patient name" should
be required or situational will be debated by the NCPDP, by the
Designated Standards Maintenance Organizations, by the National
Committee on Vital and Health Statistics, and ultimately will be
decided in rulemaking by the Secretary.
Comment: One commenter requested that the minimum necessary
standard be made an administrative requirement rather than a standard
for uses and disclosures, to ease liability concerns with implementing
the standard. The commenter stated that this change would mean that
covered entities would be required to implement reasonable minimum
necessary policies and procedures and would be liable if: (1) They
fail to implement minimum necessary policies and procedures; (2)
their policies and procedures are not reasonable; or (3) they fail
to enforce their policies and procedures. The commenter further
explained that health plans would be liable if their policies and
procedures for requesting health information were unreasonable,
but the burden of liability for the request shifts largely to the
entity best suited to determine whether the amount of information
requested is the minimum necessary.
Response: The Privacy Rule already requires covered entities
to implement reasonable minimum necessary policies and procedures
and to limit any use, disclosure, or request for protected health
information in a manner consistent with its policies and procedures.
The minimum necessary standard is an appropriate standard for uses
and disclosures, and is not merely an administrative requirement.
The Privacy Rule provides adequate flexibility to adopt minimum
necessary policies and procedures that are workable for the covered
entity, thereby minimizing a covered entity's liability concerns.
Comment: A number of commenters expressed concerns about
application of the minimum necessary standard to disclosures for
workers' compensation purposes. Commenters argued that the standard
will prevent workers' compensation insurers and State administrators,
as well as employers, from obtaining the information needed to pay
injured workers the benefits guaranteed under the State workers'
compensation system. They also argued that the minimum necessary
standard could lead to fraudulent claims and unnecessary legal action
in order to obtain information needed for workers' compensation
purposes.
Response: The Privacy Rule is not intended to disrupt existing
workers' compensation systems as established by State law. In particular,
the Rule is not intended to impede the flow of health information
that is needed by employers, workers' compensation carriers, or
State officials in order to process or adjudicate claims and/or
coordinate care under the workers' compensation system. To this
end, the Privacy Rule at Sec. 164.512(l) explicitly permits a covered
entity to disclose protected health information as authorized by,
and to the extent necessary to comply with, workers' compensation
or other similar programs established by law that provide benefits
for work-related injuries or illnesses without regard to fault.
The minimum necessary standard permits covered entities to disclose
any protected health information under Sec. 164.512(l) that is reasonably
necessary for workers' compensation purposes and is intended to
operate so as to permit information to be shared for such purposes
to the full extent permitted by State or other law.
Additionally, where a State or other law requires a disclosure
of protected health information for workers' compensation purposes,
such disclosure is permitted under Sec. 164.512(a). A covered entity
also is permitted to disclose protected health information to a
workers' compensation insurer where the insurer has obtained the
individual's authorization pursuant to Sec. 164.508 for the release
of such information. The minimum necessary provisions do not apply
to disclosures required by law or made pursuant to authorizations.
See Sec. 164.502(b), as modified herein.
Further, the Department notes that a covered entity is permitted
to disclose information to any person or entity as necessary to
obtain payment for health care services. The minimum necessary provisions
apply to such disclosures but permit the covered entity to disclose
the amount and types of information that are necessary to obtain
payment.
The Department also notes that because the disclosures described
above are permitted by the Privacy Rule, there is no potential for
conflict with State workers' compensation laws, and, thus, no possibility
of preemption of such laws by the Privacy Rule.
The Department's review of certain States' workers' compensation
laws demonstrates that many of these laws address the issue of the
scope of information that is available to carriers and employers.
The Privacy Rule's minimum necessary standard will not create an
obstacle to the type and amount of information that currently is
provided to employers, workers' compensation carriers, and State
administrative agencies under these State laws. In many cases, the
minimum necessary standard will not apply to disclosures made pursuant
to such laws. In other cases, the minimum necessary standard applies,
but permits disclosures to the full extent authorized by the workers'
compensation laws. For example, Texas workers' compensation law
requires a health care provider, upon the request of the injured
employee or insurance carrier, to furnish records relating to the
treatment or hospitalization for which compensation is being sought.
Since such disclosure is required by law, it also is permissible
under the Privacy Rule at Sec. 164.512(a) and exempt from the minimum
necessary standard. The Texas law further provides that a health
care provider is permitted to disclose to the insurance carrier
records relating to the diagnosis or treatment of the injured employee
without the authorization of the injured employee to determine the
amount of payment or the entitlement to payment. Since the disclosure
only is permitted and not required by Texas law, the provisions
at Sec. 164.512(l) would govern to permit such disclosure. In this
case, the minimum necessary standard would apply to the disclosure
but would allow for information to be disclosed as authorized by
the statute, that is, as necessary to "determine the amount
of payment or the entitlement to payment."
As another example, under Louisiana workers' compensation law,
a health care provider who has treated an employee related to a
workers' compensation claim is required to release any requested
medical information and records relative to the employee's injury
to the employer or the workers' compensation insurer. Again, since
such disclosure is required by law, it is permissible under the
Privacy Rule at Sec. 164.512(a) and exempt from the minimum necessary
standard. The Louisiana law further provides that any information
relative to any other treatment or condition shall be available
to the employer or workers' compensation insurer through a written
release by the claimant. Such disclosure also would be permissible
and exempt from the minimum necessary standard under the Privacy
Rule if the individual's written authorization is obtained consistent
with the requirements of Sec. 164.508.
The Department understands concerns about the potential chilling
effect of the Privacy Rule on the workers' compensation system.
Therefore, as the Privacy Rule is implemented, the Department will
actively monitor the effects of the Rule on this industry to assure
that the Privacy Rule does not have any unintended negative effects
that disturb the existing workers' compensation systems. If the
Department finds that, despite the above clarification of intent,
the Privacy Rule is being misused and misapplied to interfere with
the smooth operation of the workers' compensation systems, it will
consider proposing modifications to the Rule to clarify the application
of the minimum necessary standard to disclosures for workers' compensation
purposes.
Comment: Another commenter urged the Department to clarify
that a covered entity can reasonably rely on a determination made
by a financial institution or credit card payment system regarding
the minimum necessary information needed by that financial institution
or payment system to complete a contemplated payment transaction.
Response: Except to the extent information is required or
situationally required for a standard payment transaction (see 45
CFR 162.1601, 162.1602), the minimum necessary standard applies
to a covered entity's disclosure of protected health information
to a financial institution in order to process a payment transaction.
With limited exceptions, the Privacy Rule does not allow a covered
entity to substitute the judgment of a private, third party for
its own assessment of the minimum necessary information for a disclosure.
Under the exceptions in Sec. 164.514(d)(3)(iii), a covered entity
is permitted reasonably to rely on the request of another covered
entity because, in this case, the requesting covered entity is itself
subject to the minimum necessary standard and, therefore, required
to limit its request to only that information that is reasonably
necessary for the purpose. Thus, the Department does not agree that
a covered entity should generally be permitted reasonably to rely
on the request of a financial institution as the minimum necessary.
However, the Department notes that where, for example, a financial
institution is acting as a business associate of a covered entity,
the disclosing covered entity may reasonably rely on a request from
such financial institution, because in this situation, both the
requesting and disclosing entity are subject to the minimum necessary
standard.
Comment: A number of commenters continued to request additional
guidance with respect to implementing this discretionary standard.
Many expressed support for the statement in the NPRM that HHS intends
to issue further guidance to clarify issues causing confusion and
concern in industry, as well as provide additional technical assistance
materials to help covered entities implement the provisions.
Response: The Department is aware of the need for additional
guidance in this area and intends to provide technical
assistance and further clarifications as necessary to
address these concerns and questions.