Minimum Necessary Standard Version 1.0


1 Minimum Necessary Standard Version 1.0
HIPAA Collaborative of Wisconsin HIPAA COW

2 Disclaimer
This Training Module is Copyright © 2003 by the HIPAA Collaborative of Wisconsin (“HIPAA COW”). It may be freely redistributed in its entirety provided that this copyright notice is not removed. It may not be sold for profit or used in commercial documents without the written permission of the copyright holder. This Training Module is provided “as is” without any express or implied warranty. This Training Module is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. HIPAA COW has not yet addressed all state pre-emption issues related to this Training Module. Therefore, this form may need to be modified in order to comply with Wisconsin law.
Copyright HIPAA Collaborative of Wisconsin

3 Minimum Necessary Standard
Application of the Minimum Necessary Standard, as amended August 2002:
“When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”
Reference: F.R. § (b)

4 Minimum Necessary Standard
With some exceptions, the Minimum Necessary Standard applies to uses, disclosures and requests for protected health information (PHI), including those for treatment, payment and healthcare operations.
Treatment: A Covered Entity may not use, disclose or request the entire medical record unless the entire medical record is justified as the amount of information that is reasonably necessary to accomplish the purpose of the use, disclosure or request.

5 Exceptions
The Minimum Necessary Standard does not apply to:
- Disclosures to, or requests by, a health care provider for treatment purposes;
- Uses or disclosures made to the individual;
- Uses or disclosures made pursuant to an authorization;
- Disclosures made to the Secretary of HHS for compliance and investigation purposes;
- Uses and disclosures required by law; and
- Uses or disclosures that are required for compliance with the Privacy Rule.
Exceptions: See Federal Register (b)
Authorizations: All authorizations must include a description of the information to be used or disclosed. The individual can decline the authorization or can redefine the information being used or disclosed. See Federal Register.

6 De-Identified PHI
A covered entity may disclose PHI that is no longer individually identifiable (de-identified). Disclosure of the code or method used to re-identify the PHI itself constitutes a disclosure of PHI. If de-identified PHI is re-identified, a covered entity may use or disclose such information only as permitted by the Privacy Laws.
Specifications for de-identifying PHI: Federal Register (a)

7 Reasonableness
The Minimum Necessary Standard requires that covered entities make “reasonable efforts” to limit the amount of identifiable information used or disclosed. Covered entities must balance the privacy rights of individuals with reasonable approaches to delimit the amount of PHI used, disclosed or released.
OCR’s HIPAA Privacy Guidance (December 3, 2002): “This is not an absolute standard and covered entities need not limit information uses or disclosures to those that are absolutely needed to serve the purpose. Rather, this is a reasonableness standard that calls for an approach consistent with the practices and guidelines already used by many providers and plans today to limit the unnecessary sharing of medical information.”

8 Implementation
Uses of PHI:
- Identify workforce access to PHI.
- Limit access to PHI through Policies and Procedures.
- Access based on job responsibilities and “need-to-know” – Role Based Access.
- Identify the flow of PHI within the organization.
A covered entity must identify persons or classes of persons within the workforce who need access to protected health information to carry out their duties. Policies and procedures must limit access to only the identified persons and to only the identified health information.

9 Role Based Access
By “Role Based Access”, HIPAA means that employees should only have access to the PHI they need based on their roles and responsibilities in the organization (e.g. clinical staff would need more access to PHI than registration staff, who would need more access than maintenance staff). Organizations need to identify multiple levels of access to PHI and define the specific individuals, work groups or employee types that would have each level of access.
Reference: F.R. § (d)(2).

10 Role Based Access
Role Based Access defines the flow of protected health information.
- Privacy: Role Based Access ensures that employees and healthcare workers use or disclose only the minimum amount of PHI needed to perform their jobs.
- Security: Role Based Access refers to the use of technology to control access to software applications according to job class. Physical security applies as well.

11 Example: Role Based Access
Inventory access to PHI stored electronically:
- Who receives PHI?
- How is PHI stored?
- Who has access to computer databases, programs, etc.?
Inventory allowed Access and Uses of PHI:
- Identify sources of information.
- Identify tasks that access and use PHI.
Inventory Allowed Disclosures of PHI:
- To whom is information disclosed?
- How is information disclosed?
- Are disclosures routine or non-routine?
This is an example of the types of information a covered entity should inventory when assessing its staff’s role-based access to protected health information.

12 Example: Role-Based-Access Assessment Tool
Example of a Role-Based-Access Assessment Tool
Job Class & Date Reviewed
  Title: __________  Date Reviewed: ________
List Tasks & Duties of Each Role
  1. ___________
  2. ___________
  3. ___________
  4. ___________
  5. ___________
  6. ___________
Inventory of Allowed Computer Access
Indicate Function of Allowed Access & Disclosures of PHI:
- Primary Function (required for job)
- Secondary Function (exception)
- Incidental Function (access may occur, but not required to perform job)
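The role hierarchy of slide 9 (clinical > registration > maintenance) and the primary/secondary function classification of the assessment tool above can be enforced in software as a field-level "minimum necessary" filter. The following is an added illustration, not HIPAA COW's code; the job classes, field names, patient record and the `exception_approved` flag are constructed assumptions.

```python
# Constructed sample PHI record for a fictional patient; not real data.
SAMPLE_RECORD = {
    "patient_id": "P-0001", "name": "Jane Example", "dob": "1970-01-01",
    "address": "1 Example Street", "insurance_id": "INS-000123",
    "diagnosis": "hypertension", "medications": ["lisinopril 10mg"],
    "room": "4B",
}

# Role inventory in the shape of the assessment tool: per job class, the
# fields whose access is a primary function of the job and those allowed
# only as a secondary (exception) function. Anything not listed is denied,
# so an incidental field is never returned by the application itself.
ROLE_ACCESS = {
    "clinical":     {"primary": {"patient_id", "name", "dob", "diagnosis",
                                 "medications", "room"},
                     "secondary": {"insurance_id"}},
    "registration": {"primary": {"patient_id", "name", "dob", "address",
                                 "insurance_id"},
                     "secondary": {"room"}},
    "maintenance":  {"primary": {"room"}, "secondary": set()},
}


def allowed_fields(role, exception_approved=False):
    """Fields a job class may see; secondary fields need an approved exception."""
    entry = ROLE_ACCESS.get(role)
    if entry is None:
        return set()  # unknown job class: deny everything (fail closed)
    fields = set(entry["primary"])
    if exception_approved:
        fields |= entry["secondary"]
    return fields


def minimum_necessary(record, role, exception_approved=False):
    """Return (filtered_record, withheld_fields) for a use of PHI by `role`.

    The withheld list is what an access log would record for audit."""
    permitted = allowed_fields(role, exception_approved)
    filtered = {k: v for k, v in record.items() if k in permitted}
    withheld = sorted(set(record) - permitted)
    return filtered, withheld


def review_request(role, requested, exception_approved=False):
    """Non-routine request check: requested fields that exceed the role's need."""
    permitted = allowed_fields(role, exception_approved)
    return sorted(set(requested) - permitted)
```

A request that comes back with a non-empty list from `review_request` is the case slide 14 describes: the two parties negotiate the amount rather than the application silently releasing it.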

13 Implementation
Disclosures of PHI:
- Routine Disclosures: Establish Policies and Procedures (standard protocols) to limit the amount of PHI disclosed to the minimum amount needed to accomplish the task.
- Non-routine Disclosures: Develop criteria to review requests for these disclosures. Limit disclosures to the minimum necessary health information needed to accomplish the task.
- Identify the flow of PHI that your organization discloses to others (Business Associates, providers, payers, clearinghouses, etc.).
Each organization is responsible for informing and training its staff concerning its policies and procedures on routine and non-routine disclosures. Management must communicate with its staff to identify and define allowed disclosures of protected health information.

14 Implementation
Making Requests for PHI:
A Covered Entity must limit any request for PHI to the amount reasonably necessary to accomplish the purpose for which the request is made. Develop policies and procedures to limit the amount of PHI requested, based on the “need-to-know”.
OCR HIPAA Privacy Guidance (December 3, 2002): “If a covered entity does not agree that the amount of information requested by another covered entity is reasonably necessary for the purpose, it is up to both covered entities to negotiate a resolution of the dispute as to the amount of information needed. Nothing in the Privacy Rule prevents a covered entity from discussing its concerns with another covered entity making a request, and negotiating an information exchange that meets the needs of both parties.”

15 Reasonable Reliance
Requests for PHI:
“A covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when… the information is requested by another covered entity.” Reference: F.R. § (d)(3)
OCR HIPAA Privacy Guidance (December 3, 2002): “Covered entities are required to apply the minimum necessary standard to their own requests for protected health information. One covered entity may reasonably rely on another covered entity’s request as the minimum necessary, and then does not need to engage in a separate minimum necessary determination.”
However, covered entities may need to negotiate the amount of PHI they deem “reasonable” if they are in disagreement.
Examples of Payers asking for PHI from Providers: pre-existing conditions, medical necessity determinations, subrogation, claim reviews, authorizing referrals, case management.

16 Reasonable Reliance
When making disclosures of PHI, the covered entity is allowed to rely on a requested disclosure as being the minimum necessary when:
- The disclosure is to a public official;
- The request for PHI is from another covered entity;
- The request is from a professional member of the workforce or a business associate who provides services to or on behalf of the covered entity; or
- The request is for research purposes.

17 Public Officials
Disclosures of PHI:
A covered entity may rely on the judgment of public officials or agencies to determine the minimum amount of information that is needed. Examples of public officials include:
- Public health officials
- Food and Drug Administration
- Health oversight activities
- Law enforcement – disclosures required or permitted by law
Federal Register (b) through (f).
- Public Health Officials – preventing or controlling disease, public health investigations, tracking communicable diseases, interventions, child abuse or neglect investigations, etc.
- Food and Drug Administration – recording adverse events, product defects, product recalls, etc.
- Health Oversight Activities – government benefit programs, compliance determinations, fraud and abuse, etc.
- Law Enforcement – disclosures required or permitted by law, in response to authorized court orders, subpoenas, etc.

18 Business Associates
Disclosures of PHI:
A covered entity may disclose PHI to its business associate for the purpose of providing services for or on behalf of the covered entity, if the covered entity obtains written satisfactory assurance that the business associate will appropriately safeguard the information. Reference: F.R. § (e)
This can be accomplished through the Business Associate Agreement. See the HIPAA COW website for examples of this document.
The business associate agreement must limit the business associate’s uses and disclosures of, as well as requests for, protected health information to be consistent with the covered entity’s minimum necessary policies and procedures.

19 Research
Disclosures of PHI:
A Covered Entity may reasonably rely on documentation from an Institutional Review Board (IRB) or privacy board describing the PHI needed for research purposes. A covered entity may also reasonably rely on a representation made by the requestor that the information is necessary to prepare a research protocol or for research on decedents.
Reference: Federal Register Section (i), “Uses and Disclosures for Research Purposes.”

20 Issues when Implementing the Minimum Necessary Standard:
Policy Changes
- What information is being used or disclosed?
- Can the information be de-identified?
- Inform and train staff on policies & procedures.
- Develop routine and non-routine disclosure protocols.
Contractual Changes
- Are Business Associate Agreements needed?
- Is technology in place to allow the limitation of access?
- Are business associates willing to sign a Business Associate Agreement?

21 Issues when Implementing the Minimum Necessary Standard:
Technology Changes
- What are the costs involved to limit access?
- What will be the security requirements dictated by the Security Rule (when published)?
Pre-emption Issues
- Review state law for issues: mental health, minors, alcohol & drug abuse, etc.
Role Based Access Analysis
- Assessment tools

22 Primary Author: Joan Benson, MBA
Training Workgroup Reviewers: Karen Bauer; Anthony Cooper, FHFMA, CFE; William Jensen, MBA; Tammy Kritz, MBA; Jennifer Laughlin, RHIA; Christine Lidbury; Richard Reynolds, FHIMSS; Dan Speerschneider; Beth Zallar, MS, RHIA

