HIPAA Information Sharing Guide: Minimum Necessary, TPO, and De-identified Data

Kevin Henry

September 12, 2024

Minimum Necessary Standard

The minimum necessary standard requires you to use, disclose, and request only the smallest amount of protected health information needed to accomplish a specific purpose. It applies to most routine operations by covered entities and business associates, guiding you to share no more PHI than is reasonably necessary for the task.

In practice, you implement the minimum necessary standard through role-based access, purpose-driven queries, and narrowly scoped disclosures. For routine requests, establish standard protocols that predefine the fields released. For non-routine requests, review each one individually and document why the requested elements are necessary.

  • Define role-based access so staff see only the PHI needed for their duties.
  • Limit queries to relevant time windows, encounter types, and data fields.
  • Use redaction, field suppression, and data segmentation to remove extraneous details.
  • Apply “reasonable reliance” when appropriate—for example, when a qualified requestor states the information sought is the minimum necessary.
  • Train your workforce and audit disclosures to verify compliance and adjust controls.

The standard has important boundaries. It does not apply to disclosures to health care providers for treatment, to disclosures to the patient, or to disclosures made pursuant to a valid patient authorization. You will see targeted applications to research and public health later in this guide.

Treatment Payment and Healthcare Operations (TPO)

TPO allows you to use or disclose PHI without patient authorization for three core purposes: treatment, payment, and health care operations. Understanding what fits within each category helps you share appropriately while honoring the minimum necessary standard where it applies.

Treatment covers activities such as diagnosis, consultation, referrals, care coordination, and emergency handoffs. You may share relevant PHI with providers directly involved in an individual’s care. The minimum necessary standard does not apply to uses or disclosures for treatment, but good practice still favors sharing only what a receiving clinician needs.

Payment includes billing, claims management, eligibility checks, utilization review, and coordination of benefits. Health care operations cover quality assessment, patient safety activities, training, accreditation, auditing, fraud detection, and business planning. For payment and operations, apply the minimum necessary standard—scope data to the specific purpose, use the least-detailed data that will work, and avoid unnecessary free-text or full-record releases.

  • Examples of permissible TPO: claim submission with targeted encounter details, quality improvement using aggregated metrics, and peer review using case-limited records.
  • Activities typically outside TPO: marketing communications or the sale of PHI, which generally require patient authorization.

De-identified Data and Safe Harbor Method

HIPAA treats data as de-identified when it cannot reasonably identify an individual. Under the safe harbor method, you remove specific identifiers and have no actual knowledge that the remaining information could identify the person. Once properly de-identified, the data are not PHI.

Safe harbor requires the removal of the following identifiers about the individual, relatives, employers, or household members:

  • Names.
  • Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP Code); three-digit ZIPs are permitted only where the combined population of all ZIPs sharing those three digits is at least 20,000; otherwise use 000.
  • All elements of dates (except year) related to an individual, including birth, death, admission, discharge, and service dates; ages over 89 must be grouped into “90 or older.”
  • Telephone numbers, fax numbers, and email addresses.
  • Social Security numbers, medical record numbers, health plan beneficiary numbers, and account numbers.
  • Certificate/license numbers.
  • Vehicle identifiers and serial numbers, including license plates.
  • Device identifiers and serial numbers.
  • Web URLs and IP addresses.
  • Biometric identifiers (e.g., fingerprints, voiceprints).
  • Full-face photos and comparable images.
  • Any other unique identifying number, characteristic, or code (except a re-identification code that is not derived from PHI and cannot be used by the recipient to re-identify individuals).

These de-identification criteria minimize re-identification risk while preserving utility where possible. If any retained detail could reasonably identify a person, you must further generalize or suppress it before release.

Limited Data Set and Data Use Agreements

A limited data set (LDS) is PHI stripped of direct identifiers but still containing certain useful elements, such as dates and town/city/ZIP, that safe harbor de-identification would remove or generalize. You may use or disclose an LDS without individual authorization, but only for research, public health, or health care operations, and only under a data use agreement.

A limited data set excludes direct identifiers including names; street addresses; phone and fax numbers; email addresses; Social Security, medical record, health plan, and account numbers; certificate/license numbers; vehicle and device identifiers; web URLs and IP addresses; biometric identifiers; and full-face images. It may include dates (e.g., admission/discharge, birth/death), age in years including over 89, and geographic elements such as city, state, and ZIP Code.

A data use agreement (DUA) must, at minimum, specify permitted uses/disclosures, identify who may use or receive the LDS, require safeguards, prohibit re-identification and contact with individuals, bind agents/subrecipients to the same terms, require reporting of impermissible uses, and mandate return or destruction of the data when the project ends or document why retention is necessary.
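The difference between the safe harbor list and a limited data set is easiest to see on one record. The following is an added example, not code from the original article: the field names, the sample record, and the low-population ZIP prefix set are assumptions made for illustration. It uses an allow-list, so unrecognized fields (free-text notes, other unique codes) are dropped rather than passed through.

```python
# Added example. Field names are hypothetical; map them to your own schema.
CLINICAL = {"state", "sex", "diagnosis_code", "lab_result"}
DATE_FIELDS = ("birth_date", "death_date", "admission_date",
               "discharge_date", "service_date")
# Constructed placeholder: three-digit ZIP prefixes whose combined population
# is under 20,000. Build the real set from current census data.
LOW_POPULATION_ZIP3 = {"036", "059"}

def limited_data_set(record):
    """Allow-list for an LDS: dates, age, city/state/ZIP stay. Still PHI."""
    allowed = CLINICAL | set(DATE_FIELDS) | {"age", "city", "zip"}
    return {k: v for k, v in record.items() if k in allowed}

def safe_harbor(record):
    """Allow-list plus generalization; any field not handled here is dropped."""
    out = {k: v for k, v in record.items() if k in CLINICAL}
    over_89 = record.get("age", 0) > 89
    if "age" in record:
        out["age"] = "90 or older" if over_89 else record["age"]
    for field in DATE_FIELDS:
        if field not in record:
            continue
        if over_89 and field == "birth_date":
            continue  # a birth year would itself reveal an age over 89
        # Dates are assumed to be ISO strings (YYYY-MM-DD); keep the year only.
        out[field.replace("_date", "_year")] = record[field][:4]
    if "zip" in record:
        zip3 = record["zip"][:3]
        out["zip3"] = "000" if zip3 in LOW_POPULATION_ZIP3 else zip3
    return out

# Constructed sample record, not real patient data.
SAMPLE = {
    "name": "Jane Example", "mrn": "MRN-0001", "ssn": "000-00-0000",
    "email": "jane@example.com", "ip_address": "192.0.2.10",
    "city": "Springfield", "state": "VT", "zip": "05901",
    "birth_date": "1931-04-02", "admission_date": "2024-03-14",
    "age": 93, "sex": "F", "diagnosis_code": "I10",
    "note": "free text, may contain names",
}

if __name__ == "__main__":
    print("LDS:        ", limited_data_set(SAMPLE))
    print("Safe harbor:", safe_harbor(SAMPLE))
```

Field-level transforms like these do not by themselves satisfy safe harbor: the "no actual knowledge" condition and any identifiers embedded in retained values still need review.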

Statistical Method for De-identification

As an alternative to safe harbor, an expert can determine, using generally accepted statistical and scientific principles, that the risk is very small that the data could identify an individual, alone or in combination with other reasonably available information. This “statistical method” is flexible and can preserve more data utility than safe harbor when justified by a rigorous risk analysis.

Experts typically combine techniques such as generalization (e.g., broader age bands), suppression (removing rare values), perturbation/noise, rounding, and aggregation. They assess re-identification risk against external data sources, document the methodology, justify thresholds for “very small” risk, and record which fields were transformed.

Good governance treats de-identification as an ongoing process. If you release multiple versions or refreshes, reassess risk to prevent linkage attacks, and keep documentation so others can rely on the expert determination over time.

Application of Minimum Necessary Standard to Research

When research proceeds with a participant’s valid authorization, the minimum necessary standard does not apply to that specific use or disclosure. Even so, you should still follow data minimization principles to reduce risk and honor patient expectations.

When research relies on an Institutional Review Board (IRB) or Privacy Board waiver of authorization, or when you access PHI for preparatory-to-research activities, the minimum necessary standard applies. Limit the dataset to what the protocol requires, use the shortest feasible look-back period, and document why each category of PHI is needed. For research exclusively on decedents, obtain required representations and disclose only what is necessary.

Many projects can succeed with a limited data set under a data use agreement or with fully de-identified data. Choosing the least identifying data that meet your aims streamlines approval, reduces privacy risk, and often accelerates data access.

Application of Minimum Necessary Standard to Public Health

HIPAA permits disclosures of PHI to public health authorities for activities such as disease surveillance, case reporting, vital events, and adverse event monitoring. Unless a disclosure is required by law, you should apply the minimum necessary standard—share only the data a public health objective needs.

You may reasonably rely on a public health authority’s statement that a requested dataset is the minimum necessary for the stated purpose. Still, tailor your extracts to relevant timeframes, conditions, and demographics, suppress extraneous notes or images, and prefer aggregated counts when individual-level data are unnecessary.

Common public health disclosures include case notifications with diagnosis date, age or age band, sex, limited location (e.g., county or ZIP), and relevant lab results. For program evaluation or outbreak investigation, coordinate early to define the smallest set of fields that will answer the question.

Done well, the minimum necessary standard strengthens trust, reduces breach risk, and preserves the data utility needed for care, operations, research, and public health.

FAQs

What information can be shared under the Minimum Necessary Standard?

You may share only the least amount of PHI reasonably needed to achieve the purpose. For example, send a targeted problem list and recent labs for a quality review instead of an entire chart, or limit billing disclosures to codes, dates of service, and amounts. Use role-based access, predefined release templates, and redaction to keep disclosures narrowly focused.

When is the minimum necessary standard not required?

The standard does not apply to: disclosures to health care providers for treatment; disclosures made to the individual; uses or disclosures made pursuant to a valid authorization; disclosures required by law; and disclosures to government regulators for HIPAA compliance. Although not required for treatment, you should still practice data minimization whenever feasible.

How is data de-identified under HIPAA?

HIPAA recognizes two paths. Under the safe harbor method, you remove specified identifiers (such as names, geographic detail below the state level, most elements of dates, and numbers like MRNs and SSNs) and ensure you have no actual knowledge that the remaining data could identify someone. Under the statistical (expert determination) method, a qualified expert applies accepted techniques and documents that the risk of re-identification is very small.

What is a limited data set and when can it be used?

A limited data set is PHI that excludes direct identifiers but may retain dates and limited geography (e.g., city, state, ZIP). You may use or disclose an LDS without individual authorization only for research, public health, or health care operations, and only under a data use agreement that sets safeguards, prohibits re-identification and contact, and limits further sharing. An LDS remains PHI and requires appropriate protections.
