2. Background
According to the U.S. Department of Health & Human
Services (2019), the minimum necessary standard, a key
component of the Health Information Portability
Accountability Act (HIPAA), dictates that protected health
information (PHI) should not be used or disclosed when it is
not necessary to satisfy a particular purpose or carry out a
function.
This standard requires organizations to evaluate their
practices and safeguards to limit unnecessary or
inappropriate access to and disclosure of PHI.
U.S. Dept. of Health & Human Services. (2019). Minimum Necessary Requirement. HHS.gov. Retrieved from: https://hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirements/index.html
3. How the rule works
There must be measures in place to limit uses, disclosures, and requests for PHI to the minimum necessary to accomplish the intended activity.
Implementation of this rule requires that the organization develop and implement policies and procedures that reflect the organizational business practices and employee workforce.
4. Uses and Disclosures of, and Requests for, PHI
Policies must identify persons who need access to information.
Routine or recurring requests must have standard protocols.
For non-routine requests, there must be specific determination criteria for the information.
5. What about Violations?
After reviewing the article by Fox News (2008), "Report Over 120 UCLA hospital staff saw celebrity health records," it is clear that the policies and procedures that were in place at this hospital were ineffective. Employee training was either ineffective or disregarded.
It is the employer's responsibility to provide training, but it is the employee's responsibility to follow the policies and procedures set forth by the organization.
After the article review, it was noted that one employee was dismissed for their actions and criminal charges have been brought against another for violation of patient privacy.
6. Review and questions?
HIPAA laws are very specific as to what kinds of PHI can be disclosed, requested or released, and for what reasons.
There can be legal and monetary implications for employee and organization violations.
Regulatory scrutiny can be placed on the offending organization.
Safety, privacy and security are the number one focus of the regulation.
QUESTIONS?