1 Minimum Necessary Standard Version 1.0 HIPAA Collaborative of Wisconsin HIPAA COW
2 Disclaimer This Training Module is Copyright 2003 by the HIPAA Collaborative of Wisconsin (“HIPAA COW”). It may be freely redistributed in its entirety provided that this copyright notice is not removed. It may not be sold for profit or used in commercial documents without the written permission of the copyright holder. This Training Module is provided “as is” without any express or implied warranty. This Training Module is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. HIPAA COW has not yet addressed all state pre-emption issues related to this Training Module. Therefore, this form may need to be modified in order to comply with Wisconsin law. Copyright HIPAA Collaborative of Wisconsin
3 Minimum Necessary Standard
Application of The Minimum Necessary Standard As Amended August 2002
“When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”
Reference F.R. § (b)
4 Minimum Necessary Standard
With some exceptions, the Minimum Necessary Standard applies to uses, disclosures and requests for protected health information (PHI), including those for treatment, payment and healthcare operations.
5 Exceptions
The Minimum Necessary Standard does not apply to:
Disclosures to, or requests by, a health care provider for treatment purposes;
Uses or disclosures made to the individual;
Uses or disclosures made pursuant to an authorization;
Disclosures made to the Secretary of HHS for compliance and investigation purposes;
Uses and disclosures required by law; and
Uses or disclosures that are required for compliance with the Privacy Rule.
6 De-Identified PHI
A covered entity may disclose PHI that is no longer individually identifiable (de-identified). Disclosure of the code or method used to re-identify the PHI itself constitutes a disclosure of PHI. If de-identified PHI is re-identified, a covered entity may use or disclose such information only as permitted by the Privacy Laws.
7 Reasonableness
The Minimum Necessary Standard requires that covered entities make “reasonable efforts” to limit the amount of identifiable information used or disclosed. Covered entities must balance the privacy rights of individuals with reasonable approaches to delimit the amount of PHI used, disclosed or released.
8 Implementation
Uses of PHI:
Identify workforce access to PHI.
Limit access to PHI through Policies and Procedures.
Access based on job responsibilities and “need-to-know” – Role Based Access.
Identify the flow of PHI within the organization.
9 Role Based Access
By “Role Based Access”, HIPAA means that employees should only have access to the PHI that they need based on their roles and responsibilities in the organization (e.g. clinical staff would need more access to PHI than registration staff, who would need more access than maintenance staff). Organizations need to identify multiple levels of access to PHI and define the specific individuals, work groups or employee types that would have each level of access.
10 Role Based Access
Role Based Access defines the flow of protected health information.
Privacy: Role Based Access ensures that employees and healthcare workers use or disclose only the minimum amount of PHI needed to perform their jobs.
Security: Role Based Access refers to the use of technology to control access to software applications according to job class. The same principle applies to physical security (who can enter areas where PHI is kept).
11 Example: Role Based Access
1. Inventory access to PHI stored electronically. Who receives PHI? How is PHI stored? Who has access to computer databases, programs, etc.?
2. Inventory allowed Access and Uses of PHI. Identify sources of information. Identify tasks that access and use PHI.
3. Inventory allowed Disclosures of PHI. To whom is information disclosed? How is information disclosed? Are disclosures routine or non-routine?
12 Example: Role-Based-Access Assessment Tool
Job Class & Date Reviewed: Title: __________ Date Reviewed: ________
List Tasks & Duties of Each Role: 1. ___________ 2. __________ 3. ___________ 4. ___________ 5. ___________ 6. ___________
Inventory of Allowed Computer Access.
Indicate Function of Allowed Access & Disclosures of PHI:
Primary Function (Required for job)
Secondary Function (Exception)
Incidental Function (Access may occur, but not required to perform job)
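The role-based access idea of slides 9 through 12, worked as an added Python illustration that is not part of the HIPAA COW module: each role is mapped to PHI data elements using the assessment tool's Primary / Secondary / Incidental categories, and a filter releases only the minimum necessary subset unless the purpose is one of the slide 5 exceptions. The roles, field names, purpose labels and the sample record are constructed for the example.

```python
# Access categories from the assessment tool: PRIMARY is required for the job,
# SECONDARY is an exception that must be justified, INCIDENTAL may occur but is
# not required, so it is never granted by a routine request.
PRIMARY, SECONDARY, INCIDENTAL = "primary", "secondary", "incidental"

# Constructed role matrix (not from the module): clinical staff see more than
# registration staff, who see more than maintenance staff.
ROLE_ACCESS = {
    "clinical": {"name": PRIMARY, "mrn": PRIMARY, "diagnosis": PRIMARY,
                 "medications": PRIMARY, "insurance_id": SECONDARY},
    "registration": {"name": PRIMARY, "mrn": PRIMARY, "insurance_id": PRIMARY,
                     "diagnosis": INCIDENTAL},
    "maintenance": {},  # no routine need for any PHI element
}

# Purposes the Minimum Necessary Standard does not apply to (slide 5); the
# labels are constructed for this example.
EXEMPT_PURPOSES = {"treatment_by_provider", "to_individual", "authorization",
                   "hhs_secretary", "required_by_law"}


def minimum_necessary(record, role, purpose, justification=None):
    """Return the subset of `record` that `role` may use for `purpose`.

    Exempt purposes pass the whole record through. Otherwise PRIMARY fields
    are released, SECONDARY fields only with a documented justification, and
    INCIDENTAL or unlisted fields are withheld. Unknown roles get nothing.
    """
    if purpose in EXEMPT_PURPOSES:
        return dict(record)
    allowed = ROLE_ACCESS.get(role, {})
    released = {}
    for name, value in record.items():
        level = allowed.get(name)
        if level == PRIMARY or (level == SECONDARY and justification):
            released[name] = value
    return released


# Constructed sample record; not a real patient.
SAMPLE_RECORD = {
    "name": "Pat Example", "mrn": "MRN-0000001",
    "diagnosis": "example-dx", "medications": ["example-rx"],
    "insurance_id": "INS-EXAMPLE",
}
```

Withheld fields can be logged alongside the released ones to give the privacy officer a record of non-routine requests.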
13 Implementation
Disclosures of PHI:
Routine Disclosures: Establish Policies and Procedures (standard protocols) to limit the amount of PHI disclosed to the minimum amount needed to accomplish the task.
Non-routine Disclosures: Develop criteria to review requests for these disclosures. Limit disclosures to the minimum necessary health information needed to accomplish the task.
Identify the flow of PHI that your organization discloses to others (Business Associates, providers, payers, clearinghouses, etc.).
14 Implementation
Making Requests for PHI: A Covered Entity must limit any request for PHI to the amount reasonably necessary to accomplish the purpose for which the request is made. Develop policies and procedures to limit the amount of PHI requested, based on the “need-to-know”.
15 Reasonable Reliance
Requests for PHI: “A covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when… the information is requested by another covered entity.”
Reference F.R. § (d)(3)
16 Reasonable Reliance
When making disclosures of PHI, the covered entity is allowed to rely on a requested disclosure as being the minimum necessary when:
The disclosure is to a public official;
The request for PHI is from another covered entity;
The request is from a professional member of the workforce or a business associate who provides services to or on behalf of the covered entity; or
The request is for research purposes.
17 Public Officials
Disclosures of PHI: A covered entity may rely on the judgment of public officials or agencies to determine the minimum amount of information that is needed. Examples of public officials include:
Public health officials
Food and Drug Administration
Health oversight activities
Law enforcement – disclosures required or permitted by law
18 Business Associates
Disclosures of PHI: A covered entity may disclose PHI to its business associate for the purpose of providing services for or on behalf of the covered entity, if the covered entity obtains written satisfactory assurance that the business associate will appropriately safeguard the information.
Reference: F.R. § (e)
19 Research
Disclosures of PHI: A Covered Entity may reasonably rely on documentation from an Institutional Review Board (IRB) or privacy board describing the PHI needed for research purposes. A covered entity may also reasonably rely on a representation made by the requestor that the information is necessary to prepare a research protocol or for research on decedents.
20 Issues when Implementing the Minimum Necessary Standard:
Policy Changes
What information is being used or disclosed?
Can the information be de-identified?
Inform and train staff on policies & procedures.
Develop routine and non-routine disclosure protocols.
Contractual Changes
Are Business Associate Agreements needed?
Is technology in place to allow the limitation of access?
Are business associates willing to sign a Business Associate Agreement?
21 Issues when Implementing the Minimum Necessary Standard:
Technology Changes
What are the costs involved to limit access?
What will be the security requirements dictated by the Security Rule (when published)?
Pre-emption Issues
Review state law for issues: mental health, minors, alcohol & drug abuse, etc.
Role Based Access Analysis
Assessment tools
22 Primary Author: Joan Benson, MBA
Training Workgroup Reviewers:
Karen Bauer
Anthony Cooper, FHFMA, CFE
William Jensen, MBA
Tammy Kritz, MBA
Jennifer Laughlin, RHIA
Christine Lidbury
Richard Reynolds, FHIMSS
Dan Speerschneider
Beth Zallar, MS, RHIA