HIPAA and The Minimum Necessary Standard

HIPAA
March 22, 2021
HIPAA and the Minimum Necessary Standard - This requirement explains, 'covered entities take all reasonable steps to see to it that protected health information (PHI) is only accessed to the minimum amount necessary to complete the tasks at hand.'

HIPAA and The Minimum Necessary Standard

The Minimum Necessary Standard, which can be found under the umbrella of the Privacy Rule, is a requirement that covered entities take all reasonable steps to see to it that protected health information (PHI) is only accessed to the minimum amount necessary to complete the tasks at hand. HIPAA and the HHS obviously recognize that healthcare professionals must use PHI constantly in order to complete countless tasks throughout their days. However, this standard seeks to set the precedent of minimizing the handling of PHI as much as possible in order to decrease the chances of a breach or misconduct by an employee. 

HIPAA's Minimum Necessary Standard; When does this apply? 

The HIPAA Minimum Amount Necessary Standard applies to just about every use and disclosure of PHI that is permitted underneath the Privacy Rule, aside from the few exceptions we’ll address below. Specifically, the standard applies to all traditional access to PHI, using electronic protected health (ePHI), and requests for PHI from other covered entities. 

What type of information does this minimum necessary rule refer to? 

This requirement applies to PHI in every form and can be found in physical copies, film or images, electronic protected health information, and information that is shared verbally. 

Essentially what this means for these situations is that when a person accesses PHI, ePHI, or goes to share either of those with another (permitted) group upon request, then they should take all considerations to only share the piece of the information that is directly needed. 

What does the minimum necessary rule look like in practice?

Rather than sharing a patient’s entire medical record and personal data with another covered entity or business associate- if all they need is the individual’s insurance claim number in order to do their job, then that is the only bit of information that should be shared. There are certainly times when all of the information is needed in order for the healthcare worker to do their job or complete a request, however, this standard simply requires that individuals share the minimum amount they need to in every given situation to lessen the chances of mishandling or hacking. 

As mentioned above, the standard applies to almost every situation in the healthcare industry however there are a few exceptions that the HHS lays out. 

What are the exceptions to the minimum necessary rule? 

According to the HHS, there are six exceptions to the Minimum Necessary Standard. In these instances, the full report or requested information must be provided rather than just the “minimum amount.” These are the only stated exceptions to this standard as directly stated by the HHS and the Privacy Rule:  

  • Disclosures to or requests by a health care provider for treatment purposes.  
  • Disclosures to the individual who is the subject of the information.  
  • Uses or disclosures made pursuant to an individual’s authorization.  
  • Uses or disclosures required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules.  
  • Disclosures to the Department of Health and Human Services (HHS) when disclosure of the information is required under the Privacy Rule for enforcement purposes.  
  • Uses or disclosures that are required by other law. 

How to implement the minimum necessary standard: 

Just as with many other aspects of HIPAA, there are no specific implementation directions given to organizations to follow. Instead, covered entities are instructed to create and implement procedures and policies that fit that organization’s practices and workforce specifically. It is required that the Minimum Amount Necessary Standard be implemented in every company that is underneath HIPAA but tailored to their specific operations and needs. 

Things to consider for implementation with regard to the minimum necesary rule: 

Although the procedures that are implemented won’t look the same for every organization under HIPAA, there are certain steps that should be taken by every company to establish the minimum necessary standard. 


Here are the steps to take to establish the Minimum Necessary Standard for a covered entity: 

  • Assess your systems for holding PHI or ePHI to see what categories they contain.
  • Set standards for which job positions can access what types of information, and tailor your use and disclosure policy to reflect that. 
  • Train every employee on what PHI is, and what they each have authorized access to as well as what they are not allowed to handle. 
  • Develop a system for enforcing this policy - whether that is through sanctions for violating the organization’s minimum necessary standard or another method. 
  • Keep logs that detail when PHI is accessed or attempted to be accessed. This is typically referred to as “audit logs.” 
  • Form a system of reporting and alerts to be sent to your designated Privacy Officer in the event of unauthorized access or suspicious activity. 

Questions for staff to ask themselves before accessing patient information: 

In addition to the actual HIPAA training that each and every employee of a covered entity must go through, it may also be beneficial to provide them with a process for analyzing their own actions by the minimum necessary standard. Here are a few questions for staff to ask themselves before handling PHI or ePHI: 

  • Do I need this information in order to do my job? 
  • Does my coworker need this information in order to complete the task at hand? 
  • Could I (or we) complete this job with a lesser amount of protected health information? 

HIPAA Compliance Management 

As we know, HIPAA is a complex law that contains many requirements and steps for the organizations underneath it to follow. The Minimum Necessary Standard is one particular aspect that we are exploring today but it does not operate entirely independently. The need to comply with this standard is just a piece of how PHI should be handled and protected to ensure its safety. Working through all of the steps of implementation listed above plus all of the other requirements of HIPAA that weren’t even mentioned today can seem like an impossible task. 

Rather than spending all the time and effort that it would take to coordinate this compliance entirely on your own, try Accountable’s free trial today to see what it could be like to let the experts walk you through it instead. Our intuitive dashboard makes this vague and complicated law into a simple step-by-step process, plus we’ll provide you with all the support you could need to feel confident in your compliance. It sounds like a win-win to me, feel free to watch our demo or schedule a call if it does for you too! 


Compliance Managment Full Hexagon logo

Expert compliance support, on-demand

Accountable Compliance Success Managers are dedicated to making sure your company is fully compliant as we guide you step-by-step through the process of achieving HIPAA compliance.
Expert guidance
Build trust
Dedicated Compliance Success Managers
HIPAA Training
Decrease risk
Close more deals