HIPAA Minimum Necessary Requirement
PERFORMED BY:
This policy applies to the Community Health Network, Inc. (CHNw) workforce.
STATEMENTS OF PURPOSE:
This policy describes how CHNw implements the minimum necessary requirements of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
POLICY STATEMENTS:
A. Under HIPAA, all access, uses, disclosures of and requests for PHI must be limited to the minimum necessary to accomplish the intended purpose.
B. Minimum necessary means “need to know.”
C. Workforce members will only have access to PHI needed to do their jobs and will only access, use, disclose or request the least amount of PHI needed to do their work.
- Workforce members who provide care to patients will only access PHI of patients in whose care they are involved.
- Workforce members may not use their system access to review or obtain copies of their own PHI or the PHI of family members, friends and other persons with whom they have a close personal relationship.
- Workforce members will follow established policies and procedures to review or get copies of their own PHI or the PHI of family members, friends and others with whom they have a close personal relationship.
- Workforce members will not use their system access for personal reasons or to satisfy their curiosity.
D. Workforce members should avoid the appearance of wrongdoing and seek guidance if their work involves the access, use or disclosure of their own PHI or the PHI of family, friends, co-workers or other persons with whom the workforce member has a close personal relationship.
E. The minimum necessary requirements do not apply to:
- Access, uses and disclosures for treatment purposes;
- Disclosures made to the person who is the subject of the information (usually, that is the patient);
- A valid, written authorization signed by the patient;
- Uses and disclosures to meet HIPAA’s billing and coding requirements;
- Uses or disclosures required by law (45 CFR §164.512(a)); and
- Disclosures to the U.S. Department of Health and Human Services for enforcement purposes.
F. CHNw may rely on the professional judgment of the person asking for information in deciding the minimum amount of PHI needed when the request is made by:
- Another covered entity;
- A member of the CHNw workforce or a CHNw Business Associate;
- A researcher with appropriate documentation from an Institutional Review Board (IRB); or
- A public official or agency when the disclosure does not require the patient’s authorization. (See 45 CFR §164.512.)
G. CHNw may not use, disclose or request an entire medical record except when it is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request.
DEFINITIONS:
A. Business Associate – A person or entity who performs a function or service for or on behalf of CHNw and who uses or discloses PHI in performing that function.
B. CHNw – Community Health Network, Inc. and its affiliates.
C. Covered Entity – a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form. For purposes of this policy, CHNw is considered a covered entity.
D. Disclosure – the release, transfer, provision of access to, or divulging in any manner, of information outside CHNw.
E. Patient – the individual who is the subject of the PHI, or his/her personal representative if the patient is a minor or is incapacitated and unable to make decisions about his/her own health.
F. Protected Health Information (PHI) – “individually identifiable health information” that includes all health information records maintained by CHNw that:
- identifies the patient; or
- there is a reasonable basis to believe the information can be used to identify the patient.
G. Routine and Non-Routine Disclosures
- Routine – frequent or repeated disclosures. Routine would include disclosures occurring five (5) or more times per year. Examples include: PHI submitted to collection agencies for collection of past due accounts; disclosures to insurance companies as evidence of care provided for payment; patient registration information given to other providers for their billing records; reporting required by state law, including birth/death reporting, communicable disease reporting, gunshot wounds, etc.; and PHI sent to CHNw business associates.
- Non-Routine – disclosures that do not occur routinely or frequently. Non-routine disclosures would usually occur less than five (5) times per year. Examples include: information requested as part of a Joint Commission survey; patient records requested by the Department of Justice as part of a formal investigation; disclosures in response to a subpoena; disclosures of a person’s PHI to a correctional institution or law enforcement official having lawful custody of the person, etc.
H. Workforce – employees, volunteers, trainees, and other individuals who perform work for CHNw and whose conduct is under the direct control of such entity, whether or not they are paid by CHNw.
GENERAL INFORMATION:
None
PROCEDURE:
All routine and non-routine disclosures of PHI will be reviewed for minimum necessary requirements by the person responsible for disclosing the PHI. If you need help, contact your supervisor or manager, a compliance liaison or the VP of Compliance.
A. Access to PHI
1. We will identify workforce members who need access to PHI to do their jobs.
2. For those workforce members who need access to PHI to do their jobs, we will identify the category or categories of PHI for which access is needed and any conditions appropriate to that access.
3. We will make reasonable efforts to limit the access identified in 1 and 2 above to the PHI needed to carry out their duties.
B. When we ask for PHI from another covered entity or business associate, we will make reasonable efforts to limit the PHI requested to the minimum necessary to accomplish the intended purpose of the request.
- Routine and recurring requests: limit the PHI requested to the amount reasonably necessary to accomplish the intended purpose.
- Non-routine requests: ensure that the minimum necessary PHI is requested by:
a. Specifying the documents or information being requested and the time period of the information requested;
b. Clearly stating the purpose of the request and that the PHI being requested is directly related to the purpose;
c. Determining that de-identified information would not accomplish the purpose of the request; and
d. Considering any other relevant factors.
C. Routine Disclosures:
- All routine disclosures must be reviewed for reasonableness.
- We will deny requests for PHI that do not meet the minimum necessary requirements. (Example: A payer asks for an entire medical record covering multiple years of services to substantiate and pay a claim for a specific date of service. This would be unreasonable and the request would be denied. Only the information necessary to confirm and pay that specific date of service should be disclosed.)
- We will limit routine disclosures to business associates to the PHI necessary for them to do their work under the service contract.
- We will limit routine disclosures to the information specifically requested.
D. Non-Routine Disclosures:
- We will evaluate non-routine disclosure requests for minimum necessary compliance on a case-by-case basis. Consider:
a. Is the disclosure request specific as to documents, information requested and time period?
b. Is the purpose of the request clear? Does the request relate directly to the purpose?
c. Is there no negative impact on the patient? For example, are you sure it would not introduce a reason for discrimination or termination of employment, or harm the patient’s care?
d. Is there no negative impact on CHNw? For example, could the disclosure result in denial of a valid claim?
e. Is there little likelihood of re-disclosure?
f. Can we achieve the same purpose with de-identified information?
g. Can we use technology to limit the disclosure, for example, by use of a secure, encrypted, user ID-required network?
h. What other factors are relevant?
- If we determine that the request for disclosure meets the minimum necessary requirement, we will disclose the PHI.
- If we determine that the request for disclosure does NOT meet the minimum necessary requirements, we will notify the requestor and we will not disclose the PHI.
- If the denied request is changed to address the minimum necessary concerns and the revised request meets the minimum necessary requirements, we will disclose the PHI.
E. If it is reasonable under the circumstances, we will rely on a request for PHI as the minimum necessary for the stated purpose when:
- Making disclosures to public officials allowed under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s);
- The PHI is requested by another covered entity;
- The PHI is requested by a workforce member or business associate, if the person confirms that the PHI requested is the minimum necessary for the stated purpose(s);
- Documentation or representations that follow the applicable requirements of HIPAA have been provided by a person requesting the PHI for research purposes.
EQUIPMENT:
None
DOCUMENTATION:
None
REFERENCES:
45 CFR 164.514(d)
RELATED DOCUMENTS:
Access to Medical Records and Information policy
De-Identified Information and Limited Data Sets policy
Legacy Policy Number: COMP-003
Attachments
No Attachments
Approval Signatures
Step Description – Approver – Date
Chief Risk and Compliance Officer – Virginia Davidson – 01/2019
Stakeholders (Compliance Collaborators User Group) – Darlene Wilhoit – 01/2019
VP Compliance – Jackie Smith – 11/2018
Editor – Darlene Wilhoit – 11/2018
Policy Owner – Marti Baker – 11/2018
Applicability
Community Health Network, Inc., Community Health Outpatient, Community Health Retail, Community Hospital East and Heart Hospital, Community Hospital North, Community Hospital South, Community Howard Regional Health, Community Howard Specialty Hospital, Visionary Enterprises.