When the new HITECH rules came out OCR specifically said, “...uses or disclosures that impermissibly involve more than the minimum necessary information...may qualify as breaches.” But what exactly is the minimum necessary standard and how does an entity apply this in its day-to-day functioning and practice? 45 CFR 164.502 (b)(i) specifically states, “A covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.” But what, again, specifically does this mean? Work Comp insurance providers typically request a significant amount of information, searching for pre-existing conditions, exacerbations and a wide array of things which might impact upon a work comp claim. Insurance carriers, in order to do utilization audits and similar items may request information well beyond whatever the most recent claim is and physicians frequently want every piece of information they can obtain regarding a difficult or complex patient so they avoid missing anything in terms of diagnosis or utilization. Further, its not uncommon to get a request from an employer demanding “any and all” documents relating to the person who is the subject of the subpoena or the information request. Any and all can go back to your neonatal records all the way through your most recent orthopedic treatment.
As always, the devil is in the details in how a covered entity manages these HIPAA issues. OCR has not clarified what is and is not minimum necessary and has relatively few cases listed on its websites regarding the minimum necessary standard.
In essence the covered entity:
Must identify who needs access to information to carry out their duties;
The covered entity must identify what categories of information each group can access and any conditions relating to the access;
The covered entity must make reasonable efforts to limit access by all employees to those items which are reasonably necessary for the employee to perform his or her essential job functions.
These limitations make it easier to show that the covered entity has made efforts to provide exclusively the minimum necessary information. You should note that these standards also apply for internal communications and utilization.
For disclosures the covered entity must:
Limit the disclosure of information to the amount reasonable necessary to achieve the purpose requested. So if the attorney asked for the last year of records but you think they are going to come back and ask for another year of records once they see these, you cannot simply provide all the records you think they might need. You want to read the request narrowly, focus specifically on the need stated, and if the request is overbroad, seek clarification or revision.
For routine matters there should be a standard policy drafted by the facility which is applied by the employees who are required to provide information and disclosure.
For non-routine matters there must be a criteria upon which you assess these non-routine matters on individualized basis; and
For non-routine matters there should also be a double check system so that a single employee is not making the determination alone and therefore subject to criticism or concerns of favoritism.
One area where greater latitude is granted to the covered entity is when the request is from another covered entity, such as another facility, physician or other provider. The covered entity can reasonably rely on the representations of the physician or other facility that the information requested does in fact meet the minimum necessary standard. However, if it is obvious that this is an excessive amount of information or is requested for an inappropriate purpose, then the covered entity cannot in good faith claim that it reasonably relied upon the request in good faith. Further, business associates should know that all of these rules apply to them and as currently written the HITECH standards state that business associates must comply with the covered entities written standards regarding privacy, security and the release of information pursuant to the minimum necessary standard.
OCR determinations regarding the minimum necessary standard are fairly rare. One listed case involves messaging, where a hospital employee left a telephone message on a patient’s home number detailing both diagnosis and treatment. This was found to be a violation because the patient had asked for the use of her work number rather than the home number and this therefore exposed her information to a separate group of people. Further, it was determined by OCR that too much information was left on the voicemail message and that the information could have been more reasonably and appropriately limited in order to notify the patient without breaching her HIPAA rights.
Email distribution can also create a problem as assessed by OCR, in another case. In this instance the operating schedule was distributed via email to all department heads. The idea was the department heads, ranging from environmental and housekeeping all the way through the Chief Nursing Officer, would need to know how many procedures were set. In this particular instance, an employee was receiving surgery at the facility and was on the schedule. The employee felt that her information was inappropriately distributed through a wide variety of hospital sources and as such her HIPAA rights were violated. The facility changed its rules and OR schedules and similar items were distributed exclusively on a “need to know” basis to avoid this excessive distribution and potential HIPAA violation. The idea with minimum necessary is that facilities and providers need to look at their policies and practices and understand how information is being requested. Once requested, the facility needs to know exclusively how it is being delivered both internally and outside of the facility. Many practices you may have had several years ago regarding the dissemination of information, such as the email list, are probably currently in violation of HIPAA and need to be revised.