NRPM: Standards for Privacy of Individually Identifiable Health Information. 2. Minimum necessary use and disclosure. (§ 164.506(b))


We propose that, except as discussed below, a covered entity must make all reasonable efforts not to use or disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure, taking into consideration practical and technological limitations.

In certain circumstances, the assessment of what is minimally necessary is appropriately made by a person other than the covered entity; in those cases, discussed in this paragraph, and reflected in proposed § 164.506(b)(1)(i), the requirements of this section would not apply. First, the covered entity would not be required to make a “minimum necessary” analysis for the standardized content of the various HIPAA transactions, since that content has been determined through regulation. Second, with one exception, when an individual authorizes a use or disclosure the covered entity would not be required to make a “minimum necessary” determination. In such cases, the covered entity would be unlikely to know enough about the information needs of the third party to make a “minimum necessary” determination. The exception, when the “minimum necessary” principle would apply to an authorization, is for authorizations for use of protected health information by the covered entity itself. See proposed § 164.508(a)(2). Third, with respect to disclosures that are mandatory under this or other law, and which would be permitted under the rules proposed below, public officials, rather than the covered entity, would determine what information is required (e.g., coroners and medical examiners, State reporting requirements, judicial warrants). See proposed §§ 164.510 and 164.506(b)(1)(ii). Fourth, disclosure made pursuant to a request by the individual for access to his or her protected health information presents no possible privacy threat and therefore lies outside this requirement. See proposed § 164.506(b)(1)(i).

Under this proposal, covered entities generally would be required to establish policies and procedures to limit the amount of protected health care information used or disclosed to the minimum amount necessary to meet the purpose of the use or disclosure, and to limit access to protected health information only to those people who need access to the information to accomplish the use or disclosure. With respect to use, if an entity consists of several different components, the entity would be required to create barriers between components so that information is not used inappropriately. For example, a health plan that offers other insurance products would have policies and procedures to prevent protected health information from crossing over from one product line to another. The same principle applies to disclosures. For example, if a covered entity opts to disclose protected health information to a researcher pursuant to proposed § 164.510(j), it would need to ensure that only the information necessary for the particular research protocol is disclosed.

It should be noted that, under section 1173(d) of the Act, covered entities would also be required to satisfy the requirements of the Security standards, by establishing policies and procedures to provide access to health information systems only to persons who require access, and implement procedures to eliminate all other access. Thus, the privacy and security requirements would work together to minimize the amount of information shared, thereby lessening the possibility of misuse or inadvertent release.

A “minimum necessary” determination would need to be consistent with and directly related to the purpose of the use or disclosure and take into consideration the ability of a covered entity to delimit the amount of information used or disclosed and the relative burden imposed on the entity. The proposed minimum necessary requirement is based on a reasonableness standard: covered entities would be required to make reasonable efforts and to incur reasonable expense to limit the use and disclosure of protected health information as provided in this section.

In determining what a reasonable effort is under this section, covered entities should take into consideration the amount of information that would be used or disclosed, the extent to which the use or disclosure would extend the number of individuals or entities with access to the protected health information, the importance of the use or disclosure, the likelihood that further uses or disclosures of the protected health information could occur, the potential to achieve substantially the same purpose with de- identified information, the technology available to limit the amount of protected health information that is used or disclosed, the cost of limiting the use or disclosure, and any other factors that the covered entity believes are relevant to the determination. We would expect that in most cases where covered entities have more information than is necessary to accomplish the purpose of a use or disclosure, some method of limiting the information that is used or disclosed could be found.

We note that all of the uses and disclosures subject to the requirements of this provision are permissive; the minimum necessary provision does not apply to uses or disclosures mandated by law. Covered entities should not make uses or disclosures of protected health information where they are unable to make any efforts to reasonably limit the amount of protected health information used or disclosed for a permissive purpose. Where there is ambiguity regarding the particular information to be used or disclosed, this provision should be interpreted to require the covered entity or make some effort to limit the amount of information used or disclosed.

We note that procedures for implementing the minimum necessary requirement for uses would often focus on limiting the physical access that employees, business partners and others would have to the protected health information. Procedures which limit the specific employees or business partners, or the types of employees or business partners, who would be qualified to gain access to particular records would often be appropriate. Covered entities with advanced technological capabilities should also consider limiting access to appropriate portions of protected health information when it would be practical to do so.

The “minimum necessary” determination would include a determination that the purpose of the use or disclosure could not be reasonably accomplished with information that is not identifiable. Each covered entity would be required to have policies for determining when information must be stripped of identifiers before disclosure. If identifiers are not removed simply because of inconvenience to the covered entity, the “minimum necessary” rule would be violated.

Similarly, disclosure of an entire medical record, in response to a request for something other than the entire medical record, would presumptively violate the “minimum necessary” rule. Except where the individual has specifically authorized use or disclosure of the full medical record, when a covered entity receives a request for an entire medical record, the covered entity could not, under these proposed rules, disclose the entire record unless the request included an explanation of why the purpose of the disclosure could not reasonably be accomplished without the entire medical record.

The decisions called for in determining what would be the minimum necessary information to accomplish an allowable purpose should include both a respect for the privacy rights of the subjects of the medical record and the reasonable ability of covered entities to delimit the amount of individually identifiable health information in otherwise permitted uses and disclosures. For example, a large enterprise that makes frequent electronic disclosures of similar data would be expected to remove identifiers or to limit the data fields that are disclosed to fit the purpose of the disclosure. An individual physician’s office would not be expected to have the same capabilities to limit the amount of information disclosed, although, in the cases of disclosures involving a small number of records, such an office could be expected to hide identifiers or to limit disclosures to certain pages of the medical record that are relevant to the purpose of the disclosure.

Even where it might not be reasonable for a covered entity to limit the amount of information disclosed, there could be opportunities, when the use or disclosure does not require authorization by the individual, to reduce the scope of the disclosure in ways that substantially protect the privacy interests of the subject. For example, if a health researcher wants access to relatively discrete parts of medical records that are presently maintained in paper form for a large number of patients with a certain condition, it could be financially prohibitive for the covered entity to isolate the desired information. However, it could be reasonable for the covered entity to allow the researcher to review the records on-site and to abstract only the information relevant to the research. Much records research is done today through such abstracting, and this could be a good way to meet the “minimum necessary” principle. By limiting the physical distribution of the record, the covered entity would have effectively limited the scope of the disclosure to the information necessary for the purpose.

Proposed § 164.506(b) generally would place the responsibility for determining what disclosure is the “minimum necessary” on the covered entity making the disclosure. The exception would be for health plan requests for information from health care providers for auditing and related purposes. In this instance, since the provider is not in a position to negotiate with the payer, the duty would be shifted to the payer to request the “minimum necessary” information for the purpose. See proposed § 164.506(b)(1)(iv). Whenever a health plan requests a disclosure, it would be required to limit its requests to the information to achieve the purpose of the request. For example, a health plan seeking protected health information from a provider or other health plan to process a payment should not request the entire health record unless it is actually necessary.

In addition, the proposal would permit covered entities to reasonably rely on requests by certain public agencies in determining the minimum necessary information for certain disclosures. For example, a covered entity that reasonably relies on the requests of public health agencies, oversight agencies, law enforcement agencies, coroners or medical examiners would be in compliance with this requirement. See proposed § 164.506(b)(3).

As discussed in prior HIPAA proposed rulemakings, it is likely to be easier to limit disclosure when disclosing computerized records than when providing access to paper records. Technological mechanisms to limit the amount of information available for a particular purpose, and make information available without identifiers, are an important contribution of technology to personal privacy. For example, the fields of information that are disclosed can be limited, identifiers (including names, addresses and other data) can be removed, and encryption can restrict to authorized personnel the ability to link identifiers back to the record.

For electronic information covered by the proposed rules, the “minimum necessary” requirement would mean reviewing, forwarding, or printing out only those fields and records relevant to the user’s need for information. Where reasonable (based on the size, sophistication and volume of the covered entity’s electronic information systems), covered entities would configure their record systems to allow selective access to different portions of the record, so that, for example, administrative personnel get access to only certain fields, and medical personnel get access to other fields. This selective access to information would be implemented using the access control technology discussed in the electronic security regulation.

For non-electronic information covered by the proposed rules, “minimum necessary” would mean the selective copying of relevant parts of protected health information or the use of “order forms” to convey the relevant information. These techniques are already in use in the health care environment today, not because of privacy considerations, but because of the risk of losing access to the full medical record when needed for clinic or emergency visits.

This rule would require, in proposed § 164.520, that each covered entity document the administrative policies and procedures that it will use to meet the requirements of this section. With respect to the “minimum necessary” compliance standard, such procedures would have to describe the process or processes by which the covered entity will make minimum necessary determinations, the person or persons who will be responsible for making such determinations, and the process in place to periodically review routine uses and disclosures in light of new technologies or other relevant changes. Proposed uses or disclosures would have to be reviewed by persons who have an understanding of the entity's privacy policies and practices, and who have sufficient expertise to understand and weigh the factors described above. See proposed § 164.506(b)(2). The policies that would be reasonable would vary depending on the nature and size of the covered entity. For large enterprises, the documentation of policies and procedures might identify the general job descriptions of the people that would make such decisions throughout the organization.

In addition, the procedures would provide that the covered entity will review each request for disclosure individually on its own merits (and, for research, the documentation of required IRB or other approval). Covered entities should not have general policies of approving all requests (or all requests of a particular type) for disclosures or uses without carefully considering the factors identified above as well as other information specific to the request that the entity finds important to the decision.

We understand that the requirements outlined in this section do not create a bright line test for determining the minimum necessary amount of protected health information appropriate for most uses or disclosures. Because of this lack of precision, we considered eliminating the requirement altogether. We also considered merely requiring covered entities to address the concept within their internal privacy procedures, with no further guidance as to how each covered entity would address the issue. These approaches were rejected because minimizing both the amount of protected health information used and disclosed within the health care system and the number of persons who have access to such information is vital if we are to successfully enhance the confidentiality of people’s personal health information. We invite comments on the approach that we have adopted and on alternative methods of implementing the minimum necessary principle.