The HIPAA Privacy Rules requires organizations to limit the use and disclosure of, and requests for “PHI to the minimum necessary to accomplish the intended purpose.” The minimum necessary standard is in place to help maintain the confidentiality of PHI by limiting who within the organization can access or view it. This includes all forms of PHI, including images, ePHI, spreadsheets, even information that is communicated verbally.
Some of the language under the HIPAA minimum necessary standard can be open to interpretation. This leaves it to the judgement of the organization to decide the rules surrounding what information is disclosed and what should be done to restrict access. These rules surrounding the minimum necessary standard should be documented and be available to all employees for reference.
To comply with the standard, it is important to have proper policies and procedures in place that outline which positions within the organization need access to the information to be able to perform their job duties. These positions should then be categorized based on the type of PHI they will need to access and when it is appropriate to access the information. There should also be security controls in place around systems that contain ePHI to limit access to information. For example, if it is not nessessary for a nurse to have access to an individual’s Social Security number then access to that information should be restricted through system permissions. Additionally, a doctor or nurse may need to access and review one specific patient chart but does not need to access all of the patients’ charts.
Having policies and procedures that outline the organization’s minimum necessary standard is important to set clear expectations. Along with those expectations, a sanctions policy for violations of the minimum necessary standard should also be included.
A covered entity’s vendor’s and business associates should be held to the same standard and should be outlined appropriately in any agreements.