HIPAA’s Minimum Necessary standard generally requires a Covered Entity to take reasonable steps to limit the use of, disclosure of, or request for PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. However, the Minimum Necessary standard does not apply to the following types of disclosures, including:
1. Disclosure to or request by a health care provider for treatment purposes.
2. Use or disclosure made to the individual who is the subject of the PHI.
3. Use or disclosure made under a valid Authorization.
4. Use or disclosure required for compliance with HIPAA’s electronic transaction standards.
5. Use or disclosure required by other laws.
6. Use or disclosure to the Department of Health and Human Services.
The Minimum Necessary standard requires Covered Entities to develop and implement policies and procedures identifying the persons or classes of persons who need access to certain Protected Health Information to carry out their job duties. The University meets this requirement through the Role-Based Access Worksheet.
A Role-Based Access Worksheet must be completed for each University employee who works for a Health Care Component of the University.