The "Minimum Necessary" Standard for Accessing, Disclosing and Requesting Protected Health Information

Title

The University of North Carolina at Chapel Hill "Minimum Necessary" Standard for Accessing, Disclosing and Requesting Protected Health Information (PHI)

Policy

The University of North Carolina at Chapel Hill ("UNC–Chapel Hill") is committed to ensuring the privacy and security of protected health information ("PHI") in accordance with the Privacy regulations of the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009, and all regulations promulgated thereunder (hereinafter collectively referred to as “HIPAA”).

PHI is health information created by or received from a health care provider, health plan, employer or health care clearinghouse that relates to the past, present, or future physical or mental condition of an individual, the provision of health care services to an individual, or the past, present, or future payment for the provision of health care services, and that either identifies the individual or provides a reasonable basis to believe that the information can be used to identify the individual.

While PHI must be available to health care professionals in the process of ensuring proper care and performing related job duties, University Workforce Members shall avoid accessing, using or disclosing more PHI than needed to perform their relevant job duties or to meet the purpose for which the disclosure is made.

This policy describes the appropriate application of the "minimum necessary" standard described in and required by HIPAA, and other applicable federal, state, and/or local laws and regulations for access, use and disclosure of PHI by UNC-Chapel Hill's Workforce Members.

This policy does not apply to the following uses or disclosures:

  • disclosures to or requests by a provider for treatment;
  • uses or disclosures made to the individual who is the subject of the information;
  • uses or disclosures pursuant to a valid authorization signed by the individual who is the subject of the information;
  • disclosures made to the Secretary of the Department of Health and Human Services;
  • uses or disclosures required by law; and
  • uses or disclosures required for compliance with applicable laws and regulations.

This policy applies to all other uses and disclosures of PHI by UNC-Chapel Hill Covered Component Workforce Members, including both employees and those who perform University work as fellows, students, volunteers, trainees, agents, contractors, and/or affiliates, whether paid or unpaid.

Definitions

A. Workforce Member: UNC-Chapel Hill faculty, staff, students, fellows, volunteers, trainees, agents, contractors, and/or affiliates, whether paid or unpaid, who work or train in UNC-Chapel Hill units that create, receive, maintain, or access PHI.

Procedure

UNC-Chapel Hill Covered Component Custodians of the PHI Records:

  1. Minimum Necessary access by the Covered Component's Workforce:
    In UNC-Chapel Hill units that have been designated as "Covered Components" under HIPAA, and that are the custodians of PHI, access to PHI will be granted based on the individual's role as determined by the department head or the University's Chief Privacy Officer. Covered Components will identify:
    1. Those persons or classes of persons in their Workforce, including faculty, staff, fellows, students, volunteers, trainees, agents, contractors, and/or affiliates, whether paid or unpaid, who need access to PHI in the Covered Component's custody to carry out their duties; and
    2. For each such person or class of persons, the category or categories of PHI to which access is needed.
  2. UNC-Chapel Hill Covered Component Workforce Members will not access PHI that is not necessary for the performance of their relevant job duties as outlined by the Covered Component's role-based access determination described in Procedure #1 of this Policy.
  3. Minimum Necessary as it applies to uses and disclosures of PHI by the Covered Component custodian of the PHI record and requests for PHI from another covered entity:
    1. When using or disclosing PHI or when requesting PHI from another covered entity, the Covered Component will make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.
    2. The Covered Component custodian of PHI may rely, if reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when requested by:
      1. public officials if the requester represents the information requested is the minimum necessary for the stated purpose;
      2. other covered entities;
      3. a professional who is a member of the Covered Component's Workforce or who is a Business Associate of UNC-Chapel Hill for the purpose of providing professional services to UNC-Chapel Hill, if the professional represents that the information requested is the minimum necessary for the stated purpose;
      4. a person providing proper documentation or representations when requesting the information for research purposes.
  4. A UNC-Chapel Hill Covered Component may not use, disclose or request the entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request.
  5. Requests for non-routine disclosures of PHI will be reviewed by the Covered Component's Health Information Manager or the University's Institutional Privacy Office on an individual basis in accordance with criteria developed by the Covered Component to determine the amount of PHI reasonably necessary to achieve the disclosure.
  6. Covered Components must adopt processes to ensure that only the minimum necessary amount of PHI is accessed or disclosed and only by and to those with a job-related reason to access or disclose it.
  7. Knowledge of a violation or potential violation of this policy must be reported directly to the University's Institutional Privacy Office immediately, but in no event later than 24 hours after discovery.