Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble. Minimum Necessary


The "minimum necessary" policy in the final rule has essentially three components: first, it does not pertain to certain uses and disclosures including treatment-related exchange of information among health care providers; second, for disclosures that are made on a routine basis, such as insurance claims, a covered entity is required to have policies and procedures governing such exchanges (but the rule does not require a case-by-case determination in such cases); and third, providers must have a process for reviewing non-routine requests on a case-by-case basis to assure that only the minimum necessary information is disclosed. The final rule makes changes to the NPRM that reduce the burden of compliance on small businesses.

Based on public comments and subsequent fact-finding, the Department sought to lessen the burden of this provision. The NPRM proposed applying the minimum necessary standard to disclosures to providers for treatment purposes and would have required individual review of all uses of protected health information. The final rule exempts disclosures of protected health information from a covered entity to a health care provider for treatment from the minimum necessary provision and eliminates the case-by-case determinations that would have been necessary under the NPRM. The Department has concluded that the requirements of the final rule are similar to the current practice of most health care providers. For standard disclosure requests, for example, providers generally have established procedures. Under the final rule providers will have to have policies and procedures to determine the minimum amount of protected health information to disclose for standard disclosure requests as well, but may need to review and revise existing procedures to make sure they are consistent with the final rule. For non-routine disclosures, providers have indicated that they currently ask questions to discern how much information should be disclosed. In short, the minimum necessary requirements of this rule are similar to current practice, particularly among small providers.