HIPAA Minimum Necessary Uses and Disclosures of and Requests for Protected Health Information

Version 1 (Current Version)
Policy: REG12.60.22
Title: HIPAA Minimum Necessary Uses and Disclosures of and Requests for Protected Health Information
Category: Health Affairs
Sub-category: Health Affairs Matters - General
Authority: Chancellor
History

Effective: April 14, 2003; September 19, 2013

Revised: January 8, 2004; October 11, 2010; September 18, 2013

Transitioned from Interim to Permanent: July 17, 2014.

Related Policies
Additional References

45 CFR 164 Subpart E: Privacy of Individually Identifiable Health Information
"Modification to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule," 78 Federal Register 17 (25 January 2013), pp. 5566-5702
ECU Healthcare Components


1. Purpose

East Carolina University Health Care Components ("ECU Health Care Components") have a legal duty to limit the protected health information ("PHI") used, disclosed or requested to the amount reasonably necessary to achieve the purpose of the use, disclosure or request. Additionally, this regulation covers interactions involving uses, disclosures and requests between an ECU Health Care Component and other areas of ECU that may receive PHI. The purpose of this regulation is to provide guidance to ECU's Health Care Components that create or maintain PHI on limiting uses, disclosures or requests for PHI to the minimum necessary in order to accomplish the intended purpose of the use, disclosure or request.

2. Definitions

2.1. Covered Entity means a health plan, health care clearinghouse or a health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.

2.2. Disclosure means the release, transfer, provision of access to, or divulging in any manner of PHI outside of an ECU Health Care Component.

2.3. Limited Data Set is PHI that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:

2.3.1. (1) Names; (2) postal address information, other than town or city, state, and zip code; (3) telephone numbers; (4) fax numbers; (5) email addresses; (6) social security numbers; (7) medical record numbers; (8) health plan beneficiary numbers; (9) account numbers; (10) certificate/license numbers; (11) vehicle identifiers and serial numbers, including license plate numbers; (12) device identifiers and serial numbers; (13) web URLs; (14) IP address numbers; (15) biometric identifiers, including finger and voice prints; and (16) full face photographic images and any other comparable images

2.3.2. A Limited Data Set may include: (1) zip codes; (2) geographical codes; (3) dates of birth and other date information, i.e., date of service; and (4) any other code not specified in paragraph 2.3.1 above.

2.4. Protected Health Information means:

2.4.1. Individually identifiable information, that is a subset of health information, including demographic information collected from an individual, and:

2.4.1.1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

2.4.1.2. Relates to the past, present, or future physical or mental health or condition of a subject; the provision of health care to a subject, or the past, present, or future payment for the provision of health to a subject; and

2.4.1.2.1. That identifies the subject; or

2.4.1.2.2. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

2.4.2. PHI can be:

2.4.2.1. Transmitted by electronic media;

2.4.2.2. Maintained in electronic media; or

2.4.2.3. Transmitted or maintained in any other form or medium.

2.4.3. PHI excludes individually identifiable information that is:

2.4.3.1. In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;

2.4.3.2. In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);

2.4.3.3. In employment records held by a covered entity in its role as employer; and

2.4.3.4. Regarding a person who has been deceased for more than 50 years.

2.5. Use means the sharing, employment, application, utilization, examination, or analysis of PHI within ECU's Health Care Components.

2.6. Workforce means employees, volunteers, trainees, learners, faculty, students and other persons whose conduct, in the performance of work for an ECU Health Care Component, is under the direct control of such ECU Health Care Component, whether or not they are paid by the ECU Health Care Component.

3. Policy

3.1. It is the policy of ECU Health Care Components to:

3.1.1. Limit the Use of PHI to only the minimum extent necessary to accomplish specific job duties;

3.1.2. Ensure that PHI is only disclosed to the amount reasonably necessary to satisfy the Disclosure;

3.1.3. Limit any request for PHI from other Covered Entities to that which is reasonably necessary to accomplish the purpose of the request; and

3.1.4. Specifically justify that the Use, Disclosure, or request for an entire medical record from another Covered Entity is the amount of information reasonably necessary to accomplish the purpose of the Use, Disclosure, or request.

3.2. The minimum necessary requirement does not apply to:

3.2.1. Disclosures to a provider for treatment;

3.2.2. Disclosures pursuant to an authorization;

3.2.3. Disclosures to the individual about his/her PHI;

3.2.4. Disclosures made to the Department of Health and Human Services for compliance and enforcement purposes;

3.2.5. Disclosures required by law; and

3.2.6. Uses or Disclosures required to comply with federal privacy regulations.

4. Procedure

4.1. Limited Data Set.

4.1.1. ECU Health Care Components must Use, Disclose or request a Limited Data Set in lieu of the minimum necessary PHI to accomplish the purpose of the Use, Disclosure or request unless the Limited Data Set is not sufficient to accomplish the purpose of the permitted Use, Disclosure, or request.

4.1.1.1. This will no longer be effective after the date guidance is published as required by 42 U.S.C. § 17935(b).

4.1.2. The remainder of this procedure section sets forth the provisions where the ECU Health Care Component has determined that a Limited Data Set is not sufficient for the permitted Use, Disclosure or request.

4.2. Minimum Necessary Uses of PHI.

4.2.1. ECU Health Care Components must identify:

4.2.1.1. Those persons or classes of persons, as appropriate, in its Workforce who need access to PHI to carry out their duties; and

4.2.1.1.1. The following list of job roles is provided as a guideline for identifying persons or classes of persons:

4.2.1.1.1.1. Non-clinical support staff

4.2.1.1.1.2. Clinical support staff

4.2.1.1.1.3. Clinical staff

4.2.1.1.1.4. Health care providers

4.2.1.1.1.5. Payment support staff

4.2.1.1.1.6. Clinical managers/administrators

4.2.1.1.1.7. Non-clinical managers/administrators

4.2.1.1.1.8. Health care operations staff

4.2.1.1.1.9. Research team members

4.2.1.2. For each such person or class of persons, the category or categories of PHI to which access is needed and any conditions appropriate to such access.

4.2.1.2.1. The following list of access levels is provided as a guideline for ECU Health Care Components when determining appropriate access for its Workforce members:

4.2.1.2.1.1. Level 1 - full access within and to a specific individual's PHI

4.2.1.2.1.2. Level 2 - partial access within and to a specific individual's PHI

4.2.1.2.1.3. Level 3 - limited access within and to a specific individual's PHI

4.2.1.2.1.4. Level 4 - Summary PHI with limited or no identifiable information

4.2.2. ECU Health Care Components must make reasonable efforts to limit the access of such persons or classes identified in paragraph 4.2.1.1. to PHI consistent with paragraph 4.2.1.2.

4.3. Minimum Necessary Disclosures of PHI.

4.3.1. For any type of Disclosure that is made on a routine or recurring basis, ECU Health Care Components must implement policies and procedures that limit the PHI disclosed to the amount reasonably necessary to achieve the purpose of the disclosure.

4.3.2. For all other Disclosures, ECU Health Care Components must:

4.3.2.1. Develop criteria designed to limit the PHI Disclosed to the information reasonably necessary to accomplish the purpose for which Disclosure is sought; and

4.3.2.2. Review requests for Disclosure on an individual basis in accordance with such criteria.

4.3.3. ECU Health Care Components may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when:

4.3.3.1. Making Disclosures to public officials that are permitted to receive PHI under HIPAA, if the public official represents that the information requested is the minimum necessary for the stated purpose(s);

4.3.3.2. The information is requested by another Covered Entity;

4.3.3.3. The information is requested by a professional who is a member of an ECU Health Care Component's Workforce or is a business associate of such Component for the purpose of providing professional services to the Component, if the professional represents that the information requested is the minimum necessary for the stated purpose(s); or

4.3.3.4. Documentation or representations that comply with the applicable requirements of Uses and Disclosure for research purposes.

4.4. Minimum Necessary Requests for PHI.

4.4.1. ECU Health Care Components must limit any request for PHI to that which is reasonably necessary to accomplish the purpose for which the request is made, when requesting such information from other Covered Entities.

4.4.2. For a request that is made on a routine and recurring basis, ECU Health Care Components must implement policies and procedures that limit the PHI requested to the amount reasonably necessary to accomplish the purpose for which the request is made.

4.4.3. For all other requests, ECU Health Care Components must:

4.4.3.1. Develop criteria designed to limit the request for PHI to the information reasonably necessary to accomplish the purpose for which the request is made; and

4.4.3.2. Review requests for Disclosure on an individual basis in accordance with such criteria.