On January 17, 2013, the U.S. Department of Health and Human Services ("HHS") announced the final omnibus rule amending the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") in accordance with the HITECH Act of 2009 (the "2013 Amendments"). Effective on March 26, 2013, the 2013 Amendments supplement and modify the HIPAA Privacy, Security, Breach Reporting and Enforcement Rules (the "HIPAA Rules"). This Alert addresses the HIPAA "minimum necessary" standard—one of the most essential, yet vague, aspects of the HIPAA Rules.
The HIPAA Rules require that when a HIPAA-covered entity (a provider, plan or clearinghouse) or a business associate of a covered entity uses or discloses protected health information ("PHI"), or when it requests PHI from another covered entity or business associate, the covered entity or business associate must make "reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request."
What Every Covered Entity and Business Associate Should Know About the Minimum Necessary Standard
The minimum necessary standard is alive and well—robust compliance should continue.
Under the HIPAA Rules, covered entities and business associates are required to identify which workforce members need access to what kind of PHI to carry out their job functions.
Under the HIPAA Rules, covered entities and business associates are required to establish protocols that define the minimum necessary amount of PHI for routine uses, disclosures and requests, and how to apply the minimum necessary standard with respect to non-routine uses, disclosures and requests.
Minimum necessary violations should be investigated and, if appropriate, reported according to the new breach notification rules.
Business associates may be directly liable for minimum necessary standard violations.
Covered entities may be liable for business associates' minimum necessary standard violations.
The HIPAA Privacy Rule and guidance issued by HHS establish the parameters of the minimum necessary rule. For routine disclosures, a covered entity may establish standard protocols for particular types of information to limit the release to the minimum necessary. For non-routine disclosures, however, a covered entity must conduct an individual review of each disclosure or request and develop reasonable criteria for limiting the released data to the minimum necessary.
Along with all of the other new requirements in the 2013 Amendments, covered entities and business associates should ensure compliance with the minimum necessary standard set out in the HITECH Act of 2009. The minimum necessary standard generally requires a covered entity—and now, business associates—to make reasonable efforts to limit access to PHI to those persons who need access to PHI to carry out their duties, and to disclose only an amount of PHI reasonably necessary to achieve the purpose of any particular use or disclosure. While these requirements are broad, the 2013 Amendments also reinforce the preexisting rule that covered entities and business associates disclosing PHI in response to a request may reasonably rely on the requests as requesting the minimum necessary for the disclosure.
Covered entities and business associates are also required to develop policies and procedures detailing how the minimum necessary standard applies to their own uses and disclosures. These policies and procedures should include, for example, limitations on workforce members' access to PHI and policies that require them to return or destroy the information to which they obtained unauthorized access.
The minimum necessary standard does not apply to the following disclosures:
Disclosures to or requests by a healthcare provider for treatment purposes;
Disclosures to the individual who is the subject of the information;
Uses or disclosures made pursuant to an individual's authorization;
Uses or disclosures required for compliance with the HIPAA Administrative Simplification Rules;
Disclosures to HHS when disclosure of information is required under the Privacy Rule for enforcement purposes; and
Uses or disclosures that are required by other law.
The 2013 Amendments provide additional information on the application of the minimum necessary standard to the new business associate definition and breach notification requirements. The three aspects of the 2013 Amendments likely to be viewed as most significant are:
Minimum necessary violations are subject to the new breach notification requirements.
The 2013 Amendments impose substantial obligations on covered entities and business associates to notify HHS of potential PHI breaches. While some commentators requested an exemption from the breach notification requirements for minimum necessary violations, HHS rejected this limitation. Thus, in accordance with the HIPAA Rules, a covered entity or business associate should investigate any minimum necessary violation to determine the probability that the PHI has been compromised and whether any breach notification is required.
In analyzing the probability that an impermissible use or disclosure compromised PHI, covered entities and business associates should consider whether the person who used the information, or to whom the disclosure was made, was an unauthorized person. If the minimum necessary violation occurs in a disclosure to a business associate or as an internal use within a covered entity or business associate, the fact that the information was not acquired by a third party would be part of the risk assessment and would support a finding that there is a low probability that PHI was compromised. While certain minimum necessary violations may fall within the exceptions to the definition of breach, those exceptions should be carefully analyzed before any covered entity or business associate elects not to report a minimum necessary standard violation.
An in-depth discussion of the new breach notification rule may be found in Duane Morris' January 25, 2013, Alert on the new rules.
Business associates have direct liability for failing to comply with the minimum necessary standard.
As discussed in greater detail in Duane Morris' January 23, 2013, Alert on the new business associate definition and requirements under the 2013 Amendments, business associates are now faced with significantly expanded HIPAA compliance requirements. One such requirement is that a business associate can be held directly liable for failing to comply with the minimum necessary standard. Thus, liability may result where a business associate fails to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. Business associates must apply the minimum necessary standard any time they use or disclose PHI, or even request PHI from another covered entity. Subcontractors to business associates are also required to comply with the minimum necessary standard.
The 2013 Amendments also describe that the minimum necessary standard is a condition of permissible use of PHI; thus, where a business associate does not apply the minimum necessary standard guidelines, the business associate is not making a permitted use or disclosure under HIPAA.
A business associate's violation of the minimum necessary standard may be imputed to the covered entity.
The final rule details that under 45 CFR § 160.402(c) of the 2013 Amendments, covered entities and business associates are liable for the acts of their business associate agents under common law rules of agency: i.e., when the agent acts within the scope of agency. A key aspect of this analysis is that an agent may be held to act within the scope of its agency when its conduct occurs during the performance of the assigned work, or incident to such work, even though the business associate disregards a covered entity's specific instruction, makes a mistake in performance or works carelessly.
Under this analysis, according to HHS, a business associate agent acts within the scope of agency if it impermissibly discloses more than the minimum necessary information to a health plan for purposes of payment, even if the disclosure is contrary to clear instructions of the covered entity.
While the rules do not require covered entities to detail their minimum necessary policies and procedures in each agreement with business associates, business associate agreements should limit the business associate's PHI uses/disclosures consistent with the covered entity's policies and procedures. Given the potential for liability, robust provisions on expected minimum necessary standards in each business associate's agreement, along with strong indemnity clauses, may be useful safeguards to limit a covered entity's liability for its business associate's potential violations of the minimum necessary standard.
As detailed in the 2013 Amendments, the minimum necessary standard also applies to the new rules regarding genetic information, disclosures to public health officials and fundraising. Thus, when an individual seeks benefits under a plan and the plan requires genetic information to determine the medical appropriateness of the treatment, the plan may use or disclose the minimum necessary genetic information to determine the medical appropriateness of the particular benefit. Similarly, the 2013 Amendments authorize covered entities to disclose the minimum necessary PHI to public health authorities or other designated persons or entities, without an authorization from the individual, for certain public health purposes specified in the 2013 Amendments. Finally, the minimum necessary standard applies in full force and effect to disclosures of PHI under the new rule on fundraising-related disclosures. The 2013 Amendments specify that permissible uses for fundraising purposes include screening and eliminating from fundraising solicitations those individuals experiencing a sub-optimal outcome, as well as disclosures to business associates or institutionally-related foundations only where such a screening function is done by those parties.
In light of HIPAA's expanded requirements under the 2013 Amendments for business associates and the increased emphasis on breach notifications and enforcement, the minimum necessary guidelines should now, more than ever, become a key component to every covered entity's and business associate's policies and procedures. This includes policies applicable to the use and disclosure of PHI wirelessly: i.e., through health information technology ("HIT"). Covered entities and business associates may also want to stay tuned—HHS announced in the final omnibus rule that it will issue future guidance on the minimum necessary standard, including addressing additional issues raised by business associates' application of the minimum necessary standard. In the meantime, specific and practical minimum necessary standard policies and procedures, along with incorporating those policies and procedures into agreements with business associates, are essential to maintaining compliance with the minimum necessary standard.
About Duane Morris
Duane Morris attorneys provide the full range of services to entities that handle healthcare and other personal data, including healthcare providers, entities involved in mobile health (mHealth), data analytics and management companies, software development and storage vendors, telemedicine entities, health information organizations/exchanges ("HIOs" or "HIEs") and many others. Attorneys in the Duane Morris Health Law Practice Group have extensive experience counseling clients on potential data breaches under HIPAA and other privacy and security laws, and in developing and executing a data breach response plan, including reporting to federal, state, local and foreign governmental agencies and responding to formal agency investigations.
For Further Information
If you have any questions about this Alert or would like more information, please contact Elinor L. Hart, Lisa W. Clark, any of the attorneys in our Health Law Practice Group or the attorney in the firm with whom you are regularly in contact.