HIPAA Minimum Necessary: Use/Disclosure & Role-based Access
Charlene Dunbar, Madonna Rehabilitation Hospital
Sheila Wrobel, Nebraska Health System
Privacy Regulation Citations
45 CFR § (b): Minimum Necessary General Standard
When using or disclosing PHI, or when requesting PHI from another CE, a CE must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
Privacy Regulation Citations
§ (b) requirements do not apply to:
–Disclosures to or requests by a health care provider for treatment
–Uses/disclosures to the individual
–Uses/disclosures pursuant to an authorization
–Disclosures made to the DHHS Secretary
–Uses/disclosures required by law (§ (a))
–Uses/disclosures required to comply with the Privacy Rule
Privacy Regulation Citations
45 CFR § (d): Minimum Necessary Implementation Specifications (1-5)
(d)(1): To comply with 502(b), a CE must follow (d)(2-5)
(d)(2): Role-based Access:
A) Identify the workforce persons or classes of persons who need PHI to carry out their duties; and
B) For each, identify the categories of PHI needed, and any conditions appropriate to such access
** The CE must make reasonable efforts to limit access to PHI consistent with the defined categories
Implementing Role-based Access
1) Create matrix (rows: Class of Persons; columns: Category of PHI):
Class of Persons | History & Physical | Labs | Progress Notes | Etc.
Physicians       |                    |      |                |
Floor Nurses     |                    |      |                |
Billing Clerks   |                    |      |                |
Lab Techs        |                    |      |                |
Implementing Role-based Access
2) Incorporate PHI access into job descriptions and/or computer security access matrices, and reference them in the Use & Disclosure of PHI/Minimum Necessary policy.
3) Other examples?
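An added illustration of steps 1 and 2 above, not taken from the slides or from MRH/NHS policy: a small Python access matrix keyed by class of persons and category of PHI, with a per-category condition as (d)(2)(B) calls for and the (d)(5) entire-record check. The slide's matrix cells are blank, so the role assignments, the constructed "treating relationship" condition and the "Billing" column are assumptions.

```python
from dataclasses import dataclass, field

# Categories of PHI from the slide's matrix, plus a constructed "Billing" column.
H_AND_P, LABS, PROGRESS_NOTES, BILLING = "History & Physical", "Labs", "Progress Notes", "Billing"
ALL_CATEGORIES = frozenset({H_AND_P, LABS, PROGRESS_NOTES, BILLING})

@dataclass
class Request:
    role: str               # class of persons making the request
    patient_id: str
    categories: frozenset   # categories of PHI requested
    # Constructed context used by the access conditions below.
    assigned_patients: frozenset = field(default_factory=frozenset)
    entire_record_justification: str = ""

# Conditions "appropriate to such access" (assumed examples, not from the slides).
def treating(req):
    """Requester is on the patient's care team."""
    return req.patient_id in req.assigned_patients

def always(req):
    return True

# Role-based access matrix: class of persons -> {category of PHI: condition}.
# The slide leaves the cells blank; these assignments are illustrative assumptions.
ACCESS_MATRIX = {
    "Physician":     {H_AND_P: treating, LABS: treating, PROGRESS_NOTES: treating},
    "Floor Nurse":   {H_AND_P: treating, LABS: treating, PROGRESS_NOTES: treating},
    "Billing Clerk": {BILLING: always},
    "Lab Tech":      {LABS: always},
}

def evaluate(req):
    """Return (granted, denied) PHI categories for a request.

    (d)(5): a request for the entire record is refused outright unless a
    specific justification is recorded.  (d)(2): otherwise each requested
    category must be listed for the role and its condition must hold; the
    denied set is what a reviewer or audit log should see.
    """
    if req.categories == ALL_CATEGORIES and not req.entire_record_justification:
        return frozenset(), req.categories
    allowed = ACCESS_MATRIX.get(req.role, {})   # unknown role -> nothing granted
    granted = frozenset(c for c in req.categories
                        if c in allowed and allowed[c](req))
    return granted, req.categories - granted
```

The denied set is the interesting output: a non-empty denial on a routine request is the signal that either the matrix or the job description needs revisiting.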
Minimum Necessary Implementation Specifications
§ (d)(3): MN Disclosures of PHI
(i): Routine and recurring disclosures
- “MN” policies & procedures; protocols
(ii): Non-routine disclosures
a. Develop “MN” criteria, and
b. Review on an individual basis
See attached Disclosure flowchart & policy
Minimum Necessary Disclosures of PHI (cont.)
(iii) May reasonably rely on a requested disclosure as being “MN” if the disclosure is to:
*a. Public official under §
b. Another CE
*c. Workforce professional or BA
d. Researcher pursuant to (i):
i. IRB/Privacy board waiver
ii. Review preparatory to research
iii. Research on decedent’s PHI
(*must represent that the information requested is MN for the stated purpose)
Minimum Necessary Implementation Specifications
§ (d)(4): MN Requests for PHI
–When a CE requests PHI from another CE, it must limit the request to “MN”
(i) Routine/recurring requests:
- “MN” policies & procedures; protocols
(ii) Non-routine requests:
a. Develop “MN” criteria
b. Review on an individual basis
Minimum Necessary Implementation Specifications
§ (d)(5): Other Content Requirement
–A CE may not use, disclose or request an entire medical record, except when the entire medical record is specifically justified as “MN”.
–“Re-disclosures”: a CE may disclose a complete medical record, including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rule. (10/2/02 OCR FAQ)
Attachments
MRH Disclosure of PHI Flowchart (draft)
MRH Disclosure of PHI - MN Policy (draft)
NHS Request for PHI Worksheet (draft)
NHS Research Preparation Request (draft)
Questions?