HIPAA Minimum Necessary: Use/Disclosure

Provided by: sheila77

1
HIPAA Minimum Necessary Use/Disclosure
Role-based Access
  • Charlene Dunbar
  • Madonna Rehabilitation Hospital
  • Sheila Wrobel
  • Nebraska Health System

2
Privacy Regulation Citations
  • 45 CFR 164.502(b) Minimum Necessary General Standard
  • When using or disclosing PHI or when requesting PHI from another CE, a CE must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request

3
Privacy Regulation Citations
  • 164.502(b) requirements do not apply to:
    • Disclosures to or requests by a health care provider for treatment
    • Uses/disclosures to the individual
    • Uses/disclosures pursuant to an authorization
    • Disclosures made to DHHS Secretary
    • Uses/disclosures required by law (164.512(a))
    • Uses/disclosures required to comply with the Privacy Rule

4
Privacy Regulation Citations
  • 45 CFR 164.514(d) Minimum Necessary Implementation Specifications (1-5)
  • (d)(1) To comply with 502(b), must follow d(2-5)
  • (d)(2) Role-based Access
    • A) Identify workforce persons or classes of persons who need PHI to carry out their duties, and
    • B) For each, identify categories of PHI needed, and any conditions appropriate to such access
  • CE must make reasonable efforts to limit access of PHI consistent with defined categories

5
Implementing Role-based Access
  • 1) Create matrix

6
Implementing Role-based Access
  • 2) Incorporate PHI access into job descriptions and/or computer security access matrices, and reference them in the Use and Disclosure of PHI/Minimum Necessary policy.
  • 3) Other examples?

7
Minimum Necessary Implementation Specifications
  • 164.514(d)(3) MN Disclosures of PHI
    • (i) Routine and recurring disclosures
      • MN policies, procedures, protocols
    • (ii) Non-routine disclosures
      • a. Develop MN criteria, and
      • b. Review on individual basis
  • See attached Disclosure flowchart and policy

8
Minimum Necessary Disclosures of PHI (cont.)
  • (iii) May reasonably rely on requested disclosure as being MN if disclosure is to:
    • a. Public official under 164.512
    • b. Another CE
    • c. Workforce professional or BA
    • d. Researcher pursuant to 164.512(i)
      • i. IRB/Privacy board waiver
      • ii. Review preparatory to research
      • iii. Research on decedent's PHI
  • (must represent information requested is MN for stated purpose)

9
Minimum Necessary Implementation Specifications
  • 164.514(d)(4) MN Requests for PHI
  • When a CE requests PHI from another CE, must limit requests to MN
    • (i) Routine/recurring requests
      • MN policies, procedures, protocols
    • (ii) Non-routine requests
      • a. Develop MN criteria
      • b. Review on individual basis

10
Minimum Necessary Implementation Specifications
  • 164.514(d)(5) Other Content Requirement
  • CE may not use, disclose or request an entire medical record, except when the entire medical record is specifically justified as MN.
  • Re-disclosures: a CE may disclose a complete medical record, including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rule. (10/2/02 OCR FAQ)

11
Attachments
  • MRH Disclosure of PHI Flowchart (draft)
  • MRH Disclosure of PHI - MN Policy (draft)
  • NHS Request for PHI Worksheet (draft)
  • NHS Research Preparation Request (draft)
  • Questions?