A Summary of the Proposed HIPAA Regulations Implementing HITECH
Limiting Uses and Disclosures to the Minimum Necessary

Limiting Uses and Disclosures to the Minimum Necessary

When a CE uses, discloses, or requests PHI, it must make reasonable efforts to limit such information to the “minimum necessary” needed to achieve the purpose for which the information was released or requested.67  For routine disclosures, a CE may establish standard protocols for particular types of information to limit the release to the minimum necessary.68  For non-routine disclosures, however, a CE must conduct an individual review of each disclosure or request and develop reasonable criteria for limiting the released data to the minimum necessary.69

The minimum necessary standard does not apply to following situations: 1) disclosures to or requests by health care providers for treatment purposes; 2) disclosures to the individual (or personal representative) who is the subject of the information; 3) uses or disclosures made pursuant to an individual’s authorization; 4) uses or disclosures to HHS for compliance review or enforcement; 5) disclosures required for compliance with HIPAA Administrative Simplification Rules; and 6) uses or disclosures that are required by law.

Although HITECH required HHS to issue guidance on what constitutes “minimum necessary,” HHS did not propose any modifications or clarifications on the “minimum necessary” standard in the 2010 Proposed Rule,70 but requested comments on what guidance is needed.  In the meantime, HITECH specifies that a covered entity will be in compliance with the standard as long as, to the extent practicable, either: 1) it limits the PHI disclosed to the equivalent of an LDS or 2) if an LDS does not meet the covered entity’s needs, it complies with its current compliant minimum necessary policies and procedures in disclosing a broader range of data.