Category: Privacy

Date: March 2003

Reviewed/Revised: April 2013


The purpose of this policy is to comply with HIPAA Rule 164.514(d). The referenced section of the HIPAA (or Privacy) law defines the requirements for using and disclosing protected health information in compliance with the Minimum Necessary Standard.


  1. Covered entities must restrict access and use of protected health information to the minimum necessary for an employee to perform their specific job role. Computer sign-ons and overall access to protected health information will be determined by the scope and responsibilities of an employee’s position. Specific access will be listed in departmental policies and in job descriptions as appropriate. 
  2. Routine disclosures must always be limited to the minimum amount necessary to meet the needs of the disclosure.
  3. A minimum necessary disclosure for oversight purposes could include large numbers of records to allow oversight agencies to perform statistical analysis to identify deviations in payment or billing patterns, and other data analysis.