The "Minimum Necessary" Standard for Accessing, Disclosing and Requesting Protected Health Information

Policy

The University of North Carolina at Chapel Hill ("UNC – Chapel Hill") is committed to ensuring the privacy and security of Protected Health Information ("PHI").

PHI is health information created by or received from a health care provider, health plan, employer or health care clearinghouse that relates to the past, present, or future physical or mental condition of an individual, the provision of health care services to an individual, or the past, present, or future payment for the provision of health care services, and that either identifies the individual or provides a reasonable basis to believe that the information can be used to identify the individual.

While PHI must be available to health care professionals in the process of ensuring proper care and performing related job duties, University workforce members shall avoid accessing, using or disclosing more PHI than needed to perform their relevant job duties or to meet the purpose for which the disclosure is made.

This policy describes the appropriate application of the "minimum necessary" standard described in and required by HIPAA, and other applicable federal, state, and/or local laws and regulations for access, use and disclosure of PHI by members of UNC-Chapel Hill's workforce.

This policy does not apply to the following uses or disclosures:

  • disclosures to or requests by a provider for treatment;
  • uses or disclosures made to the individual who is the subject of the information;
  • uses or disclosures pursuant to a valid authorization signed by the individual who is the subject of the information;
  • disclosures made to the Secretary of the Department of Health and Human Services;
  • uses or disclosures required by law; and
  • uses or disclosures required for compliance with applicable laws and regulations.

This policy applies to all other uses and disclosures of PHI by the UNC-Chapel Hill covered University unit workforce, including both employees and those who perform University work as students, volunteers, business associates or other agents.

Procedure

UNC-Chapel Hill covered University unit Custodians of the PHI Records:

  1. Minimum Necessary access by the covered University unit's workforce:
    In UNC-Chapel Hill units that have been designated as "covered University units" under HIPAA, and that are the custodians of PHI, access to PHI will be granted based on the individual's role as determined by the department head or the covered University unit's HIPAA Privacy Liaison. Covered University units will identify:
    1. Those persons or classes of persons in their workforce, including students, volunteers, temporary employees, business associates or contractors working on-site and trainees, who need access to PHI in the covered University unit's custody to carry out their duties; and
    2. For each such person or class of persons, the category or categories of PHI to which access is needed.
  2. UNC-Chapel Hill covered University unit employees will not access PHI that is not necessary for the performance of their relevant job duties as outlined by the covered University unit's role-based access determination described in Procedure #1 of this Policy.
  3. Minimum Necessary as it applies to uses and disclosures of PHI by the covered University unit custodian of the PHI record and requests for PHI from another covered entity:
    1. When using or disclosing PHI or when requesting PHI from another covered entity, the covered University unit will make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.
    2. The covered University unit custodian of PHI may rely, if reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when requested by:
      1. public officials, if the requestor represents that the information requested is the minimum necessary for the stated purpose;
      2. other covered entities;
      3. a professional who is a member of the covered University unit's workforce or who is a Business Associate of UNC-Chapel Hill for the purpose of providing professional services to UNC-Chapel Hill, if the professional represents that the information requested is the minimum necessary for the stated purpose;
      4. a person providing proper documentation or representations when requesting the information for research purposes.
  4. A UNC-Chapel Hill covered University unit may not use, disclose or request the entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request.
  5. Requests for non-routine disclosures of PHI will be reviewed by the covered University unit's Health Information Manager or HIPAA Privacy Liaison on an individual basis in accordance with criteria developed by the covered University unit to determine the amount of PHI reasonably necessary to achieve the disclosure.
  6. Covered University units must adopt processes to ensure that only the minimum necessary amount of PHI is accessed or disclosed and only by and to those with a job-related reason to access or disclose it.
  7. Knowledge of a violation or potential violation of this policy must be reported directly to the covered University unit's HIPAA Privacy Liaison or the University Privacy Officer.
Details

Article ID: 132090
Created: Thu 4/8/21 9:23 PM
Modified: Thu 7/29/21 5:05 PM
Effective Date: 07/14/2020 4:23 PM
Issuing Officer Title: Chief Privacy Officer and Associate University Counsel
Last Review: 07/14/2020 4:23 PM
Last Revised: 08/01/2013 12:00 AM
Next Review: 09/30/2021 12:00 AM
Origination: 08/01/2013 12:00 AM
Responsible Unit: Institutional Privacy Office