Minimum Necessary Rule. When the HIPAA Privacy Rule requires application of the Minimum Necessary Rule, Business Associate agrees to use, disclose, or request only the Limited Data Set, or if that is inadequate, the minimum PHI necessary to accomplish the intended purpose of that use, Disclosure, or request. Business Associate agrees to make uses, Disclosures, and requests for PHI consistent with any of Covered Entity’s existing Minimum Necessary policies and procedures.
Minimum Necessary Rule. An important aspect of the HIPAA Privacy Rule is the principle of "minimum necessary". UTRGV employees must make reasonable efforts to request, use, and share only the minimum amount of PHI needed to accomplish the intended purpose. When the minimum necessary standard applies to a use or disclosure of PHI, employees may not request the entire medical record for a particular purpose, unless this purpose specifically justifies the whole record as the amount reasonably needed to accomplish the intended purpose. The minimum necessary requirement does not apply to: • Health care providers for treatment purposes • Disclosures to the patient or their legal representative • Disclosures made in accordance with an authorization • Other disclosures required by law Patient information used in research is subject to special HIPAA provisions. Please contact the Institutional Review Board (IRB) for more information at 000-000-0000
Minimum Necessary Rule. 11.1. In all instances, only the information that is necessary and appropriate may be released. Do not disclose PHI via blog, web site, discussion group, social network, or other public place even when you believe the information is “de-identified” unless the information is reviewed and approved by the Compliance Officer or designee. Posts on social media sites can give enough info for friends and family to recognize patient. Names do not have to be included to be a violation.
