The “minimum necessary” standard of the HIPAA Privacy Rule is derived from confidentiality codes and practices in common use today. It is based on “sound current practice” that Protected Health Information (PHI) should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The minimum necessary standard requires Covered Entities and their Business Associates to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of PHI.
For uses of PHI, the Covered Entity’s and Business Associate’s policies and procedures must identify the persons or classes of persons within the organization who need access to the information to carry out their job duties, the categories or types of PHI needed, and conditions appropriate to such access.
• Regularly evaluate your workforce’s positions and their level of access to PHI.
• Has a staff member been demoted or changed roles, and does their new position require fewer privileges within the systems and applications containing PHI?
• When another Covered Entity requests medical information about a mutual patient, is only the minimum necessary information to fulfill the request given, or is the patient's whole record sent?
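The three review questions above map directly onto a least-privilege access model. The following is an added example, not part of the HIPAA text or any official guidance: it encodes a role-to-PHI-category policy table, filters a record down to what a role may use, answers a disclosure request with only the categories asked for, and flags workforce members whose provisioned access exceeds their current role (the demotion or role-change case). The role names, PHI categories, sample record and workforce entries are all constructed assumptions for illustration.

```python
"""Added example: role-based "minimum necessary" filtering for PHI plus an
access-review check. Role names, PHI categories and sample data below are
constructed assumptions, not values from the HIPAA Privacy Rule."""

from dataclasses import dataclass, field

# Constructed role -> PHI category baseline. This table is the machine
# readable form of the policy the Privacy Rule asks for: which classes of
# persons may access which categories of PHI. Unknown roles get nothing.
ROLE_BASELINE = {
    "attending_physician": {"demographics", "diagnoses", "medications",
                            "lab_results", "notes"},
    "nurse": {"demographics", "diagnoses", "medications", "lab_results"},
    "billing_clerk": {"demographics", "diagnoses", "insurance"},
    "front_desk": {"demographics", "insurance"},
}

# Constructed sample patient record, keyed by PHI category.
SAMPLE_RECORD = {
    "demographics": {"name": "PATIENT-0001", "dob": "1970-01-01"},
    "diagnoses": ["J45.909"],
    "medications": ["albuterol"],
    "lab_results": [{"test": "CBC", "status": "normal"}],
    "notes": "Constructed progress note text.",
    "insurance": {"payer": "EXAMPLE-PAYER", "member_id": "X000"},
}


@dataclass
class WorkforceMember:
    user_id: str
    role: str                                  # current job role
    granted: set = field(default_factory=set)  # categories actually provisioned


def minimum_necessary_view(record, role):
    """Return only the PHI categories the given role is permitted to use.
    Default deny: a role missing from ROLE_BASELINE sees nothing."""
    allowed = ROLE_BASELINE.get(role, set())
    return {cat: val for cat, val in record.items() if cat in allowed}


def disclose_for_request(record, requested_categories):
    """Answer another Covered Entity's request with only the categories it
    asked for (and that exist in the record), never the whole record."""
    return {cat: record[cat] for cat in requested_categories if cat in record}


def review_access(members):
    """Periodic access review: flag members whose provisioned access exceeds
    their current role's baseline, e.g. after a demotion or role change.
    Returns a list of (user_id, role, excess_categories)."""
    findings = []
    for m in members:
        excess = m.granted - ROLE_BASELINE.get(m.role, set())
        if excess:
            findings.append((m.user_id, m.role, sorted(excess)))
    return findings


if __name__ == "__main__":
    # Constructed workforce: one member moved from physician to front desk
    # but still holds the physician-level grant.
    staff = [
        WorkforceMember("u100", "nurse", set(ROLE_BASELINE["nurse"])),
        WorkforceMember("u200", "front_desk",
                        set(ROLE_BASELINE["attending_physician"])),
    ]
    print("front_desk view:", sorted(minimum_necessary_view(SAMPLE_RECORD,
                                                            "front_desk")))
    print("disclosure:", disclose_for_request(SAMPLE_RECORD, ["medications"]))
    for user_id, role, excess in review_access(staff):
        print(f"REVIEW {user_id} ({role}): excess access to {excess}")
```

Running the review on a schedule and treating any non-empty finding as a ticket to revoke access keeps provisioned privileges aligned with the written policy; the disclosure helper enforces the "requested categories only" rule so a request for medications cannot silently return the full chart.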