‘Minimum necessary’ standard perplexes practices
A critical part of protecting the personal health information (PHI) of patients is only releasing the minimum necessary information when records must be shared. But many practices have neither adopted a definition for the minimum standard, nor developed policies and procedures related to the minimum standard.
Under the Health Insurance Portability and Accountability Act (HIPAA) privacy rule, the minimum necessary standard requires covered entities to only disclose the minimum amount of information necessary to accomplish a specific purpose. Each covered entity is supposed to evaluate their own operations and determine exactly what constitutes the minimum necessary standard.
The rule is written to allow for flexibility because there are so many different types of covered entities, providing a wide range of services. For example, a small-to-medium physician’s practice providing primary care services will require much different patient information in order to deliver appropriate care than a diagnostic center.
The problem with flexibility is that it often brings about confusion. . Angela Rose, a director of practice excellence with the American Health Information Management Association (AHIMA), says four organizations could have the same definition, but apply and implement it in completely different ways, for example.
Although the U.S. Department of Health and Human Services (HHS) provides guidance for covered entities to develop a definition of the minimum necessary standard, the organization says that the minimum necessary requirement needs to be “sufficiently flexible” to fit the needs of any covered entity. Rose says that many people in the industry would prefer a more uniform definition of the minimum necessary standard. She adds that although much has changed since covered entities were first required to comply with the privacy rule in 2003 there has been no additional guidance regarding the minimum necessary standard.