The HIPAA Privacy Standards require that some Uses or Disclosures of PHI be limited in their scope.
4.9(1) When Minimum Necessary Standard Must be Applied
To the extent that the Use or Disclosure of PHI may be approved as a permissive use without an Authorization under this Policy, System may Use or Disclose only the PHI that is reasonably necessary to accomplish the purpose for which the Use or Disclosure is sought. This is known as the “Minimum Necessary Standard.”
4.9(2) Disclosure of Entire Record
If a Use or Disclosure by System involves an Individual’s entire medical record, the Privacy Officer shall document the justification for such Use or Disclosure, in accordance with Section 9.2 of this Manual.
4.9(3) Exceptions from Application
A contemplated Use or Disclosure of PHI is not subject to the minimum necessary standard if the Use or Disclosure is approved as a reasonable response to one of the following:
- The Disclosure is to the Individual that is the subject of the PHI;
- The Use or Disclosure is permitted by an Authorization and the Use or Disclosure is made in accordance with the terms of the Authorization;
- A public official requests the PHI (for reasons other than Payment, Health Care Operations, or Notification Disclosure) and represents that such PHI is the minimum necessary for the stated purpose;
- Another Covered Entity requests the PHI;
- A professional who is a member of System’s workforce or a Business Associate that provides professional services to OEB such as an auditor requests the PHI and represents that the information requested is the minimum necessary for the stated purpose; or
- The Disclosure is required by law.
4.9(4) Incidental Disclosures
A Use and Disclosure that occurs incidentally to another Use or Disclosure permitted by this Policy shall be acceptable, provided that the Plan employs reasonable safeguards to limit incidental Uses and Disclosures.
REFERENCES/CITATIONS
45 CFR §164.502(b), §164.514(d)