A covered entity must make reasonable efforts to use and disclose only the minimum amount of PHI necessary to complete the intended purpose. A covered entity must develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary, when the minimum necessary standard applies. A covered entity may not use or request the entire record for a particular purpose, unless it can specifically justify the whole record as the amount reasonably needed for the purpose.
The minimum necessary requirement is not imposed in the following circumstances:
- Disclosure to an individual who is the subject of the information (Individuals may request all information contained in their record)
- Disclosure to Health and Human Services for complaint investigation, compliance review or enforcement
- Use or Disclosure that is required by law
- Use or Disclosure required for compliance with the HIPAA Transactions Rule or other HIPAA Administrative Simplification Rules
Access and Uses
For internal uses, a covered entity must develop and implement policies and procedures that restrict access and uses of PHI based on the specific roles of the members of the workforce. These policies and procedures must identify the persons, or classes of persons, in the workforce who need access to PHI to carry out their duties, the categories of PHI to which access is needed, and any conditions under which they need the information to do their jobs.
Disclosures and Requests
A covered entity must establish policies, procedures, and protocols for routine, recurring disclosures, or requests for disclosures, that limit the PHI to the minimum necessary. For non-routine, non-recurring disclosures or requests that it makes, a covered entity must develop criteria designed to limit the disclosure to the information reasonably necessary to accomplish its purpose, and must review each such request individually against the established criteria.
If another covered entity makes a request for protected health information, a covered entity may rely (if reasonable under the circumstances) on the request as complying with the minimum necessary standard. Similarly, a covered entity may rely on a request as being for the minimum necessary PHI when the request comes from:
- A public official
- A professional (such as an attorney or accountant) who is the covered entity's business associate, seeking the information to provide services to or for the covered entity
- A researcher who provides the documentation or representation required by the Privacy Rule for research