The Legal Department articles are not intended to serve as legal advice and are offered for educational purposes only. The information provided should not be used as a substitute for independent legal advice and it is not intended to address every situation that could potentially arise. Please be aware that laws, regulations and technical standards change over time. As a result, it is important to verify and update any reference or information that is provided in the article.
by David G. Jensen, JD
former Staff Attorney
Updated August 2010 by David Jensen, JD, Staff Attorney
According to the Office of Civil Rights, which is the federal agency that investigates and enforces HIPAA violations, some covered entities (“CEs”) are getting themselves into difficulty under HIPAA by forgetting about HIPAA’s “minimum necessary” standard. In general, under HIPAA, CEs must use, disclose, and request only that amount of personal health information (“PHI”) that is reasonably necessary to accomplish a task or function. The minimum necessary standard is somewhat difficult for CEs to implement, however, because there are a number of aspects to it. One aspect tells CEs what the basic rule is; another tells CEs about exceptions to the basic rule; and, yet another tells CEs how to implement the rule. What must be clear for CEs to understand is that all aspects of the minimum necessary rule must be addressed by CEs to avoid running afoul of HIPAA.
As a part of HIPAA, the minimum necessary standard is applicable to CEs only. Consequently, if you are not a CE under HIPAA, and many of our members are not because they only accept cash-paying patients, then you do not have to comply with the minimum necessary standard because such standard is not part of California’s legal requirements. If you are unsure about whether you are a CE, please review the article Are You a Covered Entity?, which is available at CAMFT’s website. Alternatively, you may call and consult about this issue with one of the lawyers on CAMFT’s staff.
Moreover, keep in mind that violating HIPAA is now more problematic than ever because aggrieved patients may be able to share in monetary penalties assessed by the government.1 Thus, there is now a fiscal incentive for turning CEs in when they run afoul of HIPAA. With this incentive in place, it is a much more troublesome world to practice in so be careful and, if you are a CE, take your HIPAA compliance seriously. Do not save your HIPAA compliance efforts for the next rainy day because it might not rain before a complaint gets filed against you!
The Basic Idea of the Minimum Necessary Rule
The basic idea behind the minimum necessary standard is that CEs must make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed to accomplish the intended purpose of the use, disclosure, or request.2 In other words, if the PHI is not necessary for a specific purpose or to carry out a specific function, the information should not be used within the entity, disclosed to third parties outside of the entity, or sought from another entity.
Situations Where Minimum Necessary Does Not Apply
What makes the minimum necessary standard complex is that there are a number of situations where the standard does not apply, meaning that using, disclosing, or requesting PHI that goes beyond what is reasonably necessary to accomplish a specific purpose or function is permitted under HIPAA. For instance, 45 CFR § 164.502(b) sets forth a number of instances where the minimum necessary standard does not apply:
Of this list of nine exceptions to the minimum necessary standard, perhaps the two that will come into play most often are the fourth and the sixth ones listed: providing the patient with copies of records the patient is entitled access to under HIPAA and disclosures made pursuant to a written authorization signed by the patient.
With regards to access to treatment records by patients, it is very important for CEs to remember that the rules for accessing records by patients are different under HIPAA than they are under California law. For instance, under California law, a provider has the option of providing a patient with a summary of the patient’s treatment.3 However, under HIPAA, the patient must agree to accept the treatment summary.4 Moreover, under HIPAA, if the CE has kept “psychotherapy notes,” such notes do not have to be disclosed to the patient,5 although the patient would have access rights to the non-psychotherapy note information in the file.6 Under California law, the provider has some discretion when deciding whether to disclose mental health records to a patient.7
With regards to written authorizations, if the patient authorizes the disclosure of PHI, the minimum necessary standard does not apply.8 The provider is free to disclose whatever the patient has authorized, even if the information exceeds the amount of PHI reasonably necessary to accomplish the purpose of the disclosure. In other words, the provider can rely on the patient’s authorization for direction. With a written authorization, there is no minimum necessary problem.
The Minimum Necessary Rule and Mandated Reporting
The reporting of child or elder and dependent adult abuse poses a unique problem in terms of the minimum necessary standard. Although the minimum necessary standard technically does not apply to such reports,9 does that mean Child Protective Services or Adult Protective Services can then access the patient’s entire treatment file just because an allegation of abuse has been filed?
The answer should be “No” because the reporting laws themselves limit the type of information that must be disclosed to the government. It is not all patient information that is required to be disclosed; it is only the factual “stuff” that causes one to suspect abuse has occurred or know abuse has occurred that must be reported. It is the child’s unexplained burn or bruise, for example, but not necessarily the child’s entire patient history. In this sense then, there seems to be a false dichotomy between the minimum necessary standard and the entire treatment file. It is not necessarily one or the other; there is another option, a middle road, and that road is defined by the parameters of California’s abuse reporting laws.
The Minimum Necessary Rule and Using PHI Within an Entity
Using PHI within an entity presents challenges for CEs and their compliance with the minimum necessary standard. If you are in private practice for yourself, you already have access to all PHI anyway. You created it; you use it; you secure it.
Using PHI within a CE becomes more problematic when the CE has employees. If the CE has employees, a key question to consider is what PHI, if any, does an employee need to know to accomplish the tasks the employee performs on behalf of the entity? To use PHI lawfully within an organization, a CE must:
For instance, suppose a CE has an employee who does billing work. To do such work, that employee will need access to some PHI, i.e., dates of service, procedural codes, and diagnosis information, etc. to prepare claim forms. However, that same employee probably does not need access to the patient’s entire treatment file, including psychotherapy notes, to prepare the claim forms.
Hence, if the billing person was given the patient’s complete treatment file and allowed access to PHI that he or she did not need to have to prepare the claim forms, the minimum necessary standard would be violated; conversely, if the CE simply provided the billing person with only the specific PHI that the billing person needs to prepare the claim forms, the minimum necessary standard would be met.
But, perhaps you are wondering how access can be limited? In lieu of a whole file being given to an employee to do the billing work, the employee could be given a form containing only the PHI the employee needs to prepare the bills. If the CE maintains PHI electronically, the employee can be granted access only to the PHI he or she needs to do the job but denied access to all other PHI. Obviously, these situations demand careful assessment in light of the particular situations involved, and, especially with electronic records, the use of IT professionals to address the CE’s computer security issues.
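One way to implement the electronic-records version of this limitation, as an added example that is not from the article or from CAMFT: a per-role field filter that returns a billing employee only the PHI needed for claim forms, withholds everything else (including psychotherapy notes), and records each access so the CE has the documentation an investigator would ask for. The roles, field names, and sample record are constructed for illustration; a real system would load the policy from its access-control configuration and the record from the EHR.

```python
"""Minimum-necessary field filter for workforce roles (added example)."""
from datetime import datetime, timezone

# Hypothetical policy: the PHI fields each workforce role needs to do its job.
# Billing sees only what a claim form requires; psychotherapy notes are
# reserved for the treating clinician.
ROLE_FIELDS = {
    "billing": {
        "patient_id", "dates_of_service", "procedure_codes", "diagnosis_codes",
    },
    "treating_clinician": {
        "patient_id", "dates_of_service", "procedure_codes", "diagnosis_codes",
        "treatment_summary", "psychotherapy_notes",
    },
}

# Constructed sample record; contains no real patient data.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "dates_of_service": ["2010-07-01", "2010-07-08"],
    "procedure_codes": ["90806", "90806"],
    "diagnosis_codes": ["300.02"],
    "treatment_summary": "Weekly individual psychotherapy for anxiety.",
    "psychotherapy_notes": "Kept separately by the therapist.",
}

# In-memory audit trail; a real deployment would write to tamper-evident storage.
AUDIT_LOG = []


class AccessDenied(Exception):
    """Raised when a role has no defined minimum-necessary policy."""


def minimum_necessary_view(record, role, user, purpose):
    """Return only the fields the role is permitted to see, and log the access.

    Fields outside the role's policy are never copied into the returned view,
    so a billing employee cannot read psychotherapy notes even if the full
    record is stored in the same system.
    """
    if role not in ROLE_FIELDS:
        AUDIT_LOG.append(_audit_entry(user, role, purpose, record, granted=[],
                                      denied=sorted(record)))
        raise AccessDenied(f"no minimum-necessary policy defined for role {role!r}")

    allowed = ROLE_FIELDS[role]
    view = {name: value for name, value in record.items() if name in allowed}
    withheld = sorted(set(record) - allowed)
    AUDIT_LOG.append(_audit_entry(user, role, purpose, record,
                                  granted=sorted(view), denied=withheld))
    return view


def _audit_entry(user, role, purpose, record, granted, denied):
    """Build one audit record documenting what was released and what was withheld."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "purpose": purpose,
        "patient_id": record.get("patient_id"),
        "fields_granted": granted,
        "fields_withheld": denied,
    }


if __name__ == "__main__":
    billing_view = minimum_necessary_view(SAMPLE_RECORD, "billing",
                                          "j.doe", "prepare claim form")
    print("billing sees:", sorted(billing_view))
    print("last audit entry:", AUDIT_LOG[-1])
```

The same filter can be reused for a paper workflow: the fields the billing role is granted are exactly the ones to print on the form handed to the employee instead of the whole file.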
On the administrative side, the CE would have discharged its obligations under HIPAA by documenting these decisions and by documenting its training of the person preparing the claim forms.11 Do not forget about documenting these policies and procedures and the training of employees! The Office of Civil Rights would expect to see such documents during an investigation of a complaint under HIPAA, and such documents would help get the investigation closed in your favor. Failing to document this information can be a violation of HIPAA in and of itself.
The Minimum Necessary Rule and Disclosing PHI to Third Parties
When disclosing PHI to third parties, and when no exception to the minimum necessary standard applies, HIPAA mandates that careful thought be given to the situation to ensure that only the amount of PHI necessary to accomplish the purpose of the disclosure is actually disclosed. Key questions include: What is the purpose for the disclosure? What information do you really need to know to accomplish such purpose? Certainly, consultations with privacy officers and/or attorneys can help answer these questions.
In addressing this situation, HIPAA has some special rules. The first thing to do is identify the circumstances when the CE may disclose PHI to third parties without written authorization, if any. Then, for each item identified, the CE must decide whether the disclosure is one that is going to be made on a “routine and recurring basis.” Unfortunately, HIPAA does not define “routine and recurring basis.” However, the phrase seems to connote disclosures likely to happen again and again and that are simple enough to address in a policy.
The rules for disclosing PHI are different, depending on whether or not the disclosure is “routine and recurring.” If the disclosure is on a “routine and recurring basis,” the CE must implement policies and procedures limiting the PHI that gets disclosed to the amount reasonably necessary to achieve the purpose of the disclosure.12 These policies and procedures essentially amount to “standing orders” to disclose PHI in certain situations in a designated, standardized way.
If the disclosure is not on a “routine and recurring” basis, the CE must develop criteria designed to limit the PHI disclosed to the amount reasonably necessary to achieve the purpose of the disclosure, and then review these disclosures on an individual basis.13 This approach is not subject to standing orders; each disclosure must be reviewed by the person charged with making such decisions on behalf of the CE.
Keep in mind that the minimum necessary standard applies to physicians as well as psychotherapists, and physicians undoubtedly have to make disclosures without written authorization, such as to public health organizations, that therapists do not. So, this aspect of the minimum necessary standard will probably have more general applicability to physicians than to psychotherapists.
The Minimum Necessary Rule and Requesting PHI from Covered Entities
When requesting PHI from other CEs, a CE must limit any request for PHI to that which is reasonably necessary to accomplish the purpose for which the request is made.14 Since a managed care organization is also a type of CE, this means that an HMO seeking patient information from you is also bound by the minimum necessary standard.
But, as we have already seen, if you are a provider seeking treatment information from another provider, the minimum necessary standard does not apply to the disclosure.
If the request for PHI is one the CE will be making on a “routine and recurring basis,” the CE must implement policies and procedures limiting the PHI getting requested to the amount reasonably necessary to achieve the purpose of the disclosure.15 So, again, the CE is expected to give careful thought to the minimum amount of PHI necessary to accomplish the function.
If the request for PHI is one the CE will not be making on a “routine and recurring” basis, the CE must develop criteria designed to limit the PHI requested to the amount reasonably necessary to achieve the purpose of the request, and the CE must review these requests for PHI on an individual basis.16
An Office of Civil Rights Problem Case
One of the reasons the minimum necessary standard can be challenging in terms of compliance is the standard can be violated in a big way, such as by providing access to an entire file when that is not allowed under HIPAA, or it can be violated in a little way, such as by something simple, like a small red sticker.
In a case involving a dental practice, the Office of Civil Rights confirmed that a dental practice had placed a red sticker with the words “AIDS” written on the outside cover of files for patients who did in fact have AIDS. These records were then handled in such a manner as to allow other patients and staff, who did not need to know this information to do their jobs, to read the red sticker.17 To resolve this issue, the Office of Civil Rights required the practice to move the red sticker to the inside cover of the file, where it could still serve as an alert to those involved in the patient’s treatment, but could not be seen by patients and employees who did not need to know this information.
Another lesson that should be clear from the case, although it does involve a dental practice, is that CEs must consider their operations to determine if they have any “red-sticker like” issues of their own.
The Minimum Necessary Rule and Someone Else’s Judgment
Ordinarily, if the patient has not authorized the disclosure, which we have seen is an exception to the minimum necessary standard, the CE disclosing PHI would probably be involved in making minimum necessary determinations. However, in some situations, HIPAA allows third parties to substitute their own judgment regarding this determination in place of the CE’s judgment. For instance, if a professional person, such as an attorney who is a member of the CE’s workforce, or is a business associate of the CE, requests PHI and the disclosure is for the purpose of providing professional services to the CE and the professional person represents that the PHI requested is the minimum amount necessary for the stated purpose, the professional’s judgment can be substituted for the CE’s.18
The minimum necessary standard is one of the more fundamental aspects of HIPAA. It affects what a CE does with PHI within its own four walls and what it does with PHI when dealing with third parties, whether one is the CE who is disclosing PHI or the CE who is requesting PHI. To comply with the minimum necessary standard, CEs must understand when the standard does and does not apply and they must give careful thought when using PHI within the entity, when disclosing PHI outside of the entity, and when requesting PHI from other entities. Such thought should also be reflected in the CE’s written policies and procedures. Doing all of this “stuff” will help keep CEs out of trouble under HIPAA!
David Jensen, JD, is a Staff Attorney for CAMFT. He is available to answer member calls regarding business, legal, and ethical issues.
1 HITECH Act § 13410(c)(3)
2 45 CFR § 164.502(b)(1)
4 45 CFR § 164.524(c)(2)(ii)
5 45 CFR § 164.524(a)(1)(i)
6 45 CFR § 164.524(a)(1)
7 California Health & Safety Code § 123115(b)
8 45 CFR § 164.502(b)(2)(iii)
9 45 CFR § 164.502(b)(2)(v)
10 45 CFR § 164.514(d)(2)
11 45 CFR § 164.530(b)
12 45 CFR § 164.514(d)(3)(i)
13 45 CFR § 164.514(d)(3)(ii)
14 45 CFR § 164.514(d)(4)(i)
15 45 CFR § 164.514(d)(4)(ii)
16 45 CFR § 164.514(d)(4)(iii)
17 www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/allcases.html#case4
18 45 CFR § 164.514(d)(3)(iii)(C)