What is the 'Minimum Necessary' Policy in HIPAA?

Section 1. Defining "Minimum Necessary"

Patient records contain a slew of information. Included may be data on the patient, their illness, family history, employer, spouse, children, past procedures, etc. When the patient is referred to another covered entity, it is usually not necessary that all of this information be disclosed, as some of it is not relevant to the referral.

This may also be the case for a primary doctor or facility. The intake forms may request information that is irrelevant to the reason for the patient's visit, or that is not necessary for the doctor to treat the patient, maintain health care operations, and bill for services.

This is where minimum necessary comes into play. According to the privacy rule:

"A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure."

To accomplish this, a covered entity needs to develop internal processes and policies around what its employees collect and disclose to ensure it meets the "minimum necessary" requirement. Best practices must also be developed to regulate the sharing of information with other parties to ensure that HIPAA guidelines are met.

As part of the minimum necessary guidelines, a covered entity must refrain from sending out a patient's entire medical record when responding to a request for disclosure. The only exception is when the covered entity can justify that the patient's entire record was required to meet the purpose of the request, so that the disclosure still adheres to minimum necessary guidelines.

Before examining the practical application of minimum necessary guidelines, let's take a look at the exemptions. The following scenarios are not regulated by the minimum necessary provision of the privacy rule:

  • Disclosures to, or a request by, a health care provider for treatment
  • Disclosure to the individual who is the subject of the treatment or their authorized representative
  • Use or disclosure for which there is a valid patient authorization on file
  • Disclosure to the Department of Health and Human Services for the investigation of a complaint, compliance checks, or enforcement procedures
  • Any disclosures required by law
  • Any use or disclosure required for compliance with the HIPAA Transactions Rule, or other provisions in the Administrative Simplification Rules

Section 2. Developing Procedures for the Internal Use and Access to PHI

Prior to the implementation of HIPAA, there were no real restrictions regarding access to patient information within a practice or facility. Patient records may have been left unsecured, and often the duties of personnel overlapped, causing occasional direct access to PHI, even though it was not within the scope of their position.


Also, under the "minimum necessary" guidelines, even medical personnel who are authorized to view protected health information should only do so when absolutely required and only the information necessary for them to carry out their duties.

In order to accomplish this, HIPAA dictates that a covered entity must develop and implement procedures to identify each person's role and what information they require access to in order to fulfill their job duties.

The following should be a part of the process when developing minimum necessary procedures:

  • Identify each role or job classification in the facility, outlining the associated job duties.
  • Identify which roles require access to patient information and the frequency/amount of that access.
  • For roles that do not require access to protected health information, put restrictions in place to ensure that they cannot access the data. This may include computer password restrictions, moving their desk to an area away from patient records, etc.
  • For employees who require only occasional access to PHI, consider transitioning those minimal duties to a role that deals with PHI as a routine part of its job.

To illustrate minimum necessary in action, let's use the example of a clinical laboratory. Patients are sent in by their physicians to get their blood drawn and tested. They present the laboratory personnel with a requisition from the doctor that contains the following information:

  • Patient's name
  • Address
  • DOB
  • Social Security Number
  • Insurance ID number
  • Spouse's name, if covered under their plan
  • Test to be ordered
  • Diagnosis code indicating the reason for the test

All of this information is necessary for the laboratory to process the patient's specimen and bill their insurance plan, so it is allowable for it to be collected under the HIPAA privacy rule. However, not everyone in the laboratory requires access to ALL of the patient's protected health information. The breakdown of access based on job duties might look like this:

  • The front desk/intake staff: They are responsible for the intake process and ensuring that all paperwork is filled out correctly for identification and billing purposes. Under minimum necessary, they would have access to all of the information mentioned above, but should not have access to the patient's actual test results. The results can either be submitted directly to the doctor electronically, or given to the patient in a sealed envelope that has minimal information on the front for identification purposes (name, DOB, ordering physician, requisition number).
  • Phlebotomist: The individuals who draw the blood would likewise need access to the patient's demographic information, as well as procedure codes, etc. The phlebotomist usually verifies the patient information on the requisition a second time and uses the data to generate the identification labels that are wrapped around the vials of blood, so they require access to PHI to complete their job duties. However, they are not responsible for generating and reading the results of the tests, so they should NOT have access to the results system.
  • Couriers/logistics personnel: The laboratory drivers are responsible for driving a route daily on which they pick up specimens (with attached requisitions) from various medical facilities. As the driver has no responsibility for logging the patient information on arrival, testing the specimen or reading the results, their access to PHI should be restricted. An easy way to do this is to place an adhesive seal on the specimen bags, sealing them once the nurse has placed the specimen inside (hiding the requisition from view). You would be able to tell if the seal was broken before the specimen reached the lab, thus providing reasonable security against a PHI breach. If the specimen bags currently in use are clear plastic, switching to an opaque-colored bag would solve that problem.

In each of these cases, any changes made to comply with minimum necessary guidelines should be documented and staff training provided to ensure that everyone is abreast of the changes. If required, technical changes should be implemented, such as changing access to restricted areas or changing computer system access so that employees only have the ability to enter screens that apply to their job, limiting unneeded exposure of PHI.
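The role-to-data mapping described for the laboratory can be expressed directly as an access matrix that a records system enforces. The following is an added illustration, not code from the course or any real laboratory system; the role names, field names and sample values are assumptions chosen to match the example above, and roles absent from the matrix (such as couriers) are denied all PHI by default.

```python
"""Role-based 'minimum necessary' filter for the clinical-laboratory example.
Added illustration: role names, field names and values are assumptions."""

from typing import Dict, FrozenSet

# Fields on the physician's requisition (the envelope description implies the
# ordering physician and requisition number are on it too), plus the results
# the laboratory generates afterwards.
REQUISITION_FIELDS: FrozenSet[str] = frozenset({
    "name", "address", "dob", "ssn", "insurance_id", "spouse_name",
    "test_ordered", "diagnosis_code", "ordering_physician", "requisition_number",
})
RESULT_FIELDS: FrozenSet[str] = frozenset({"test_results"})

# Access matrix: each role sees only what its duties require.  Couriers are
# listed explicitly with no fields so the deny decision is documented; any
# role missing from the matrix is also denied everything (default deny).
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "front_desk": REQUISITION_FIELDS,    # intake and billing, never results
    "phlebotomist": REQUISITION_FIELDS,  # verifies demographics, prints labels
    "courier": frozenset(),              # transports sealed bags only
}

# The only identifiers allowed on the outside of a sealed results envelope.
ENVELOPE_LABEL_FIELDS: FrozenSet[str] = frozenset(
    {"name", "dob", "ordering_physician", "requisition_number"})


def minimum_necessary_view(role: str, record: Dict[str, str]) -> Dict[str, str]:
    """Return only the fields of `record` that `role` may see.  Unknown roles
    get an empty view rather than an exception, so a misconfigured account
    can never fall back to the full record."""
    allowed = ROLE_FIELDS.get(role, frozenset())
    return {k: v for k, v in record.items() if k in allowed}


def envelope_label(record: Dict[str, str]) -> Dict[str, str]:
    """Identification data permitted on the front of a sealed results envelope."""
    return {k: record[k] for k in ENVELOPE_LABEL_FIELDS if k in record}


# Constructed sample record with fictitious values.
SAMPLE_RECORD: Dict[str, str] = {
    "name": "Pat Example", "address": "1 Example St", "dob": "1980-01-01",
    "ssn": "000-00-0000", "insurance_id": "INS-0001", "spouse_name": "Sam Example",
    "test_ordered": "CBC", "diagnosis_code": "D64.9",
    "ordering_physician": "Dr. Example", "requisition_number": "REQ-1",
    "test_results": "within normal limits",
}

if __name__ == "__main__":
    for role in ("front_desk", "phlebotomist", "courier", "unknown_role"):
        print(role, sorted(minimum_necessary_view(role, SAMPLE_RECORD)))
    print("envelope", envelope_label(SAMPLE_RECORD))
```

Note that the results field never reaches the intake or phlebotomy views, and that an unlisted role receives nothing, which is the behaviour a screen-level access restriction should reproduce.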

Section 3. Establishing Processes for the Review of Recurring and Non-Routine Disclosures

As a health care provider, it is necessary in the normal course of business that disclosures will be required; however, they must be limited to other covered entities, business associates, and circumstances that are clearly outlined in the privacy rule.

As part of developing HIPAA procedures, a covered entity must catalogue the types of disclosures that routinely occur. Once categorized, a standard process must be developed for each scenario that adheres to the privacy rule and enforces minimum necessary guidelines.

In addition, a policy must be drafted to address non-routine requests for disclosure. These are disclosure requests that occur so infrequently that they cannot be anticipated, and developing a process around every one-off situation is simply not feasible. Instead, the covered entity develops a general process for the review of all non-routine disclosures not covered in the examples laid out in the privacy rule. Each non-routine disclosure request is to be evaluated individually, and every effort made to ensure minimum necessary standards are met.

Section 4. Reasonable Reliance

When a covered entity receives a request for disclosure from another health care provider, the "reasonable reliance" rule allows them to assume that the information requested by another covered entity conforms to minimum necessary standards. As long as there is a valid written authorization on file from the patient, then the information can be released.

Other requesters on whom reasonable reliance is permitted include:

  • Public officials
  • Business associates of covered entities, such as a lawyer
  • A researcher who furnishes proper documentation

Food for Thought

Do you think that many health care facilities had documented disclosure processes prior to HIPAA?
Do you feel that the minimum necessary guideline might hamper the timely transfer of information necessary to treat the patient and other health care-related tasks?


Under the privacy rule, stringent internal guidelines must be developed and implemented in all health care facilities to regulate the disclosure of protected health information. Also, of the information that is disclosed, reasonable efforts must be made to ensure that the minimum amount of data necessary has been released.