Policy Summary
The HIPAA Privacy Rule requires application of the “minimum necessary” standard for the use, disclosure, or request for protected health information, except as specifically stated in the regulations. UW–Madison will only use, disclose, or request the minimum amount of protected health information as is necessary to accomplish the intended use or disclosure. This is known as the “minimum necessary” standard.
The minimum necessary standard does not apply to the following:
- Disclosures to or requests for protected health information by a health care provider for treatment purposes.
- Disclosures of protected health information to the patient or the patient’s legally authorized representative.
- Uses or disclosures of protected health information made pursuant to an authorization signed by the patient or the patient’s legally authorized representative.
- Uses or disclosures of protected health information that are required by law.
- Uses or disclosures of protected health information that may be required for compliance with HIPAA (including disclosures made to the U.S. Department of Health and Human Services in response to an investigation of compliance with HIPAA).
Policy Detail
- Minimum Necessary As It Applies to Access to and Use of PHI
- All access to protected health information, whether it be electronic or hardcopy, must be limited to individuals who have a legitimate clinical or business need-to-know the information. Accessing or using more information than is necessary to do one’s job is prohibited.
- Each UW HCC unit’s privacy coordinator is responsible for identifying roles within each unit. This will normally be done with assistance from directors/managers. A role is defined as the category or class of person(s) doing a job, defined by a set of similar or identical responsibilities. For example, UW HCC units may identify the following roles:
- Treatment provider
- Support to treatment provider
- Admissions/registration
- Business services
- Clinic management
- Health information management (HIM)/medical record staff
- Housekeeping/environmental services
- Maintenance
- Each unit’s privacy coordinator (or designee) must analyze each role and determine to what degree staff in that role require access to protected health information.
- Access to the highest level of protected health information (e.g., unlimited access to electronic information or the entire hardcopy medical record) may be justified in the following circumstances:
- The “role” provides direct clinical care (e.g., nurses, physicians, athletic trainers, speech or language pathologists, audiologists, psychologists, mental health therapists, physical therapists, pharmacists, social workers, dieticians, and health care trainees/health care students in assigned rotation or clerkship) and access to different parts of the medical record for different patients may vary from patient to patient depending on the circumstances surrounding the provision of care.
- The “role” conducts quality assurance, peer review, and related functions and access to potentially all protected health information is necessary because different review processes may require access to different parts of a patient’s medical record.
- The “role” is a legal or risk management function and access to potentially all of a patient’s protected health information is necessary because review and use of the protected health information may require access to different parts of the medical record depending on the circumstances surrounding the legal or risk management inquiry.
- Various “roles” related to health information management (medical records) as necessary to code, release, file, transport, and secure medical records.
- “Roles” in business services/billing in which access to potentially the entire medical record is necessary to provide third-party payors with information related to payment of a claim.
- The “role” needs access to potentially the entire medical record because the individuals in those roles need to investigate employee or patient issues or complaints (e.g., directors, managers, supervisors).
- Senior management, administration staff, and the UW HCC unit privacy coordinator who potentially need access to the entire medical record for treatment, payment, or health care operations purposes.
- Directors/managers are responsible for ensuring that staff have access to the appropriate level of protected health information, whether electronic or paper.
- Varying levels of access to protected health information may be appropriate, depending upon role definition, for the following roles. Note that staff with varying levels of need to access protected health information for their role often have access to the entire hardcopy medical record; they are expected to access and use only that protected health information in the hardcopy medical record that they would normally have access to electronically.
- The “role” provides support to direct clinical providers (e.g., clinic assistants, clerical support staff, and physician secretaries) and access needs to varying levels of protected health information depend on the type of support provided (e.g., ordering tests, supplies, etc., for patients, maintenance of charts, data collection related to treatment, completion of billing or compliance paperwork).
- Business management roles in which access to limited protected health information (e.g., demographic and financial information) is necessary for business and operations analysis and decision-making.
- Information Services and Technology staff who need access to electronic systems to provide technical support to these systems.
- Admissions/Registration staff who need access to limited protected health information to process admissions documents, provide information to payors for benefits information and related purposes, and schedule clinic visits or procedures.
- Public Affairs staff who need access to limited protected health information to handle inquiries from outside sources and to manage marketing and fundraising activities.
- Minimal access to or use of protected health information is appropriate for the following roles, depending on job duties: some volunteers or others who need minimal access to protected health information, for example, to assist families and friends with directory information, to provide information in the surgical waiting room, and to deliver items to patients.
- Access to or use of protected health information, except when incidental, is inappropriate for the following roles:
- Housekeeping/Environmental services
- Transportation staff who handle and deliver protected health information (e.g., in a sealed envelope or box)
- Plant engineering/facility management
Table 1. Summary of “Roles” and Levels of Access to PHI

| Role | All PHI | Limited PHI | Minimal PHI | No PHI | Limitations |
|---|---|---|---|---|---|
| Clinical Staff | X | | | | Need to Know |
| QI/QA Staff | X | | | | Need to Know |
| Legal/Risk Management Staff | X | | | | Need to Know |
| HIS/Med Records Staff | X | | | | Need to Know |
| Directors, Managers, Supervisors | X | | | | Need to Know |
| UW Privacy Officer/Coordinators | X | | | | Need to Know |
| Admissions/Registration | X (Some) | | | | |
| Support to Direct Clinical Providers | | X | | | Need to Know |
| Business Management Roles | | X | | | Need to Know |
| IS/IT Staff | | X | | | Need to Know |
| Public Affairs | | X | | | Need to Know |
| Volunteers | | | X (Some) | X (Most) | Need to Know |
| Housekeeping/Environmental Services | | | | X | NA |
| Transportation | | | | X | NA |
| Facility Maintenance | | | | X | NA |
- Minimum Necessary As It Applies to Disclosures of PHI
- Routine Disclosures. When responding to requests for disclosures made on a periodic or recurring basis, the UW HCC unit must limit the disclosures to the amount reasonably necessary to achieve the purpose. A “routine” disclosure is one made on a routine or recurring basis, and/or is relatively straightforward and appropriate to release per state and federal law. Disclosures in response to routine requests must be evaluated and released according to the following limiting measures:
- By what is specifically authorized
- By what is specifically requested
- Documents (e.g. procedure notes, test results, etc.) related to specific dates
Table 2. Examples of Routine Disclosures where Minimum Necessary rule applies

| Requester | Purpose of Request | What is Disclosed |
|---|---|---|
| Business Associates (collection agency, transcription service, etc.) | Obtain information to carry out business purpose | When outside the exceptions, need-to-know information only |
| Health Oversight Agency | Audits and investigations | Only the minimal information requested |
| Law Enforcement | Investigate an accident, or locate a victim or suspect of a crime | Only the minimal information requested |
| Insurance Carrier | Billing, collections, or payment | Limit release of documents to the dates of service in question |
| Court Order | Legal issues such as placement of a mentally or physically handicapped child | Only what is requested per the written order |
- Non-Routine Disclosures. When responding to requests for non-routine disclosures, the UW HCC unit must limit the disclosures to the amount reasonably necessary to achieve the purpose based on the criteria established below. Non-routine means the disclosure is made infrequently or processing the request often requires legal assistance. All non-routine disclosures will be directed to the unit privacy coordinator for review and processing. When necessary, the unit privacy coordinator will consult with the UW–Madison privacy officer to aid in the review and processing of a request. The UW HCC unit will apply the following criteria when reviewing requests for non-routine disclosures:
- Specificity of the request
- Purpose/importance of the request
- Impact on patients
- Impact on the UW HCC unit
- The extent to which disclosures would increase the number of individuals or organizations with access to protected health information
- Likelihood of re-disclosure
- Ability to achieve the same purpose with de-identified information
- The technology available to limit the disclosures of the protected health information
- Cost of limiting the disclosure of protected health information
- Other factors
- Examples of non-routine disclosures:
- Court order
- Request from federal or state governmental agency
- To county/investigating agency, protective services
- To foster care, group home, child care institutions, or correctional facility for minor
- To the military for purposes other than recruitment
- Insurance carrier audit
- Minimum Necessary As It Applies to Requests by UW HCC Staff for PHI from Other Covered Organizations
- Requests by UW HCC staff for protected health information from other organizations covered by the HIPAA Privacy Rule, including business associates, must be limited to the portions of the record reasonably necessary to accomplish the purpose for which the request is made.
- Any request for the entire medical record that is not made by a health care provider for treatment purposes must have justification for requesting the entire medical record.
- Monitoring of Minimum Necessary Requirement
- UW HCC unit privacy coordinators will carry out periodic reviews, at least annually but more frequently when appropriate, of access levels to determine:
- Changes in staff member position or scope of responsibilities; and
- Changes in the information available through information components.
- UW HCC unit privacy coordinators, in collaboration with data security analysts, will periodically monitor access to determine the appropriateness of staff review of protected health information. Tracking incidents of unauthorized access will increase the security of patients’ health information and decrease the risk of privacy violations. Methods for auditing access may include:
- Conducting random spot-checks of patients to determine the appropriateness of access;
- Using exception reports to determine the time of access, length of access, access to “confidential” or “publicly recognizable” patient protected health information;
- Reviewing “role-based” access by position and unit of assignment within the organization; or
- Reviewing requests for and access to “hard-copy” patient records.
- Reports of the access-level reviews and access monitoring described in the two preceding items should be filed with the UW HIPAA privacy officer by each UW HCC unit privacy coordinator.
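The exception-report and spot-check methods listed above can be run mechanically against an access log. The following is an added example, not part of the policy or of any UW system: it encodes the role-to-access-level matrix of Table 1 and checks constructed log lines for accesses above the role's level, accesses to patients flagged as “confidential”, off-hours access, and unusually long sessions. The log line format, the element-to-level mapping, the thresholds, and the patient/user identifiers are all assumptions made for the example. The need-to-know limitation in Table 1 cannot be decided from a log alone; the report only surfaces candidates for the privacy coordinator's review.

```python
"""Exception-report checks over constructed PHI access log lines (added example).

The ROLE_LEVEL matrix mirrors Table 1 of the policy; everything else
(log format, element categories, thresholds, sample data) is assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# PHI access levels from Table 1, ordered from least to most access.
NONE, MINIMAL, LIMITED, ALL = 0, 1, 2, 3

ROLE_LEVEL = {
    "clinical": ALL, "qi_qa": ALL, "legal_risk": ALL, "him_med_records": ALL,
    "director_manager": ALL, "privacy_coordinator": ALL,
    "admissions": LIMITED,        # assumption: Table 1 marks only "some" as All PHI
    "clinical_support": LIMITED, "business_management": LIMITED,
    "it": LIMITED, "public_affairs": LIMITED,
    "volunteer": MINIMAL,
    "housekeeping": NONE, "transportation": NONE, "facility_maintenance": NONE,
}

# Assumed mapping from record element to the access level needed to view it.
ELEMENT_LEVEL = {
    "directory": MINIMAL,                      # room number, general condition
    "demographics": LIMITED, "financial": LIMITED, "scheduling": LIMITED,
    "clinical_notes": ALL, "lab_results": ALL, "full_record": ALL,
}

@dataclass
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient: str
    element: str
    duration: timedelta

def parse_line(line):
    """Parse an assumed log format: ISO-timestamp|user|role|patient|element|seconds."""
    ts, user, role, patient, element, secs = line.strip().split("|")
    return AccessEvent(datetime.fromisoformat(ts), user, role, patient,
                       element, timedelta(seconds=int(secs)))

def exceptions(events, confidential_patients, start_hour=6, end_hour=20,
               max_duration=timedelta(minutes=30)):
    """Return (user, patient, reason) tuples for every access needing review."""
    findings = []
    for e in events:
        allowed = ROLE_LEVEL.get(e.role, NONE)          # unknown role: treat as no access
        needed = ELEMENT_LEVEL.get(e.element, ALL)      # unknown element: treat as full PHI
        if needed > allowed:
            findings.append((e.user, e.patient, "above_role_level"))
        if e.patient in confidential_patients:
            findings.append((e.user, e.patient, "confidential_patient"))
        if not (start_hour <= e.ts.hour < end_hour):
            findings.append((e.user, e.patient, "off_hours"))
        if e.duration > max_duration:
            findings.append((e.user, e.patient, "long_session"))
    return findings

def spot_check(events, patient):
    """Random spot-check of a patient: who touched the record, in what role, which element."""
    return sorted({(e.user, e.role, e.element) for e in events if e.patient == patient})

# Constructed sample log; identifiers are fictitious.
SAMPLE_LOG = """\
2024-03-04T09:15:00|jdoe|clinical|P1001|clinical_notes|600
2024-03-04T09:20:00|hkeeper|housekeeping|P1001|directory|5
2024-03-04T22:40:00|vol1|volunteer|P1002|lab_results|120
2024-03-04T10:05:00|billing1|business_management|P1003|financial|2400
2024-03-04T11:00:00|rn2|clinical|P9999|full_record|300
"""
CONFIDENTIAL = {"P9999"}   # assumed list of flagged ("confidential"/publicly recognizable) patients

def load_sample():
    return [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]

if __name__ == "__main__":
    evs = load_sample()
    for user, patient, reason in exceptions(evs, CONFIDENTIAL):
        print(f"{reason:20} user={user:10} patient={patient}")
    print("spot check P1001:", spot_check(evs, "P1001"))
```

Against the sample log, the clinical user reading clinical notes in working hours produces no finding, while the housekeeping and volunteer accesses are flagged as above their role level; the volunteer's access is also off-hours, the billing session exceeds the duration threshold, and the nurse's access to the flagged patient is listed for review even though it is within role. Real deployments would read the log from the EHR's audit trail and tune the thresholds per unit.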
Consequences for Noncompliance
Failing to comply with this policy may result in discipline for the individual(s) responsible for such noncompliance.
Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.