Why Ignoring the Minimum Necessary Standard in HIPAA Could Cost You

Does your healthcare organization develop and implement policies and procedures that are appropriate and reflect your organization’s business practices?

Under the HIPAA Minimum Necessary Standard , all covered entities must have policies and procedures that identify who needs access to Protected Health Information (PHI) to perform their job duties, the categories of PHI required, and the conditions where access is justified.

For instance, as a hospital, you can allow doctors, surgeons, or others to access a patient’s medical records if they’re involved in the treatment of that patient. If the entire medical history is required, your organization’s policies and procedures must explicitly state so and include a justified reason.

As a provider, you also need to take reasonable steps to make sure that no PHI is accidentally available for access. For example, if you’ll be hosting a meeting in your office, then you must ensure that no one from the meeting can access PHI documents accidentally.

How Does The Minimum  Necessary Requirement Work?

As the name implies, under the HIPAA Minimum Necessary Standard, it’s mandatory for covered entities to take reasonable measures to limit the use or disclosure of PHI and requests for PHI, to the minimum necessary needed to achieve the intended goal.

However, it’s important to note that the minimum necessary standard does not apply to:

• Requests for disclosure by a healthcare provider for treatment purposes  
• Disclosing information to the patient in question   
• Uses or disclosures after a patient’s authorization  
• Uses or disclosures needed to comply with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules  
• Disclosing PHI to the Department of Health and Human Services (HHS) under the Privacy Rule for reasons of enforcement  
• Disclosing PHI for use under other laws

The Minimum Necessary Standard of the HIPAA Privacy Rule requires that your covered entity develops and implements policies and procedures that are appropriate for your organization and that reflect your business’ practices and workforce. Only those who need access to PHI should receive access, and even then, the PHI should be restricted to the minimum necessary information needed to perform the job.

Why Does It Matter?

Did you know the healthcare industry is one of the most vulnerable sectors when it comes to cyber attacks and data theft? If your organization fails to meet the minimum necessary standard, you could face fines of $50,000 or more.     

In fact, penalties for HIPAA violations can reach $1,500,000 annually per violation based on the type of breach.  

The largest American health data breach to ever occur took place in January 2015. It exposed the electronic PHI of nearly 79 million people and resulted in Anthem Insurance paying OCR $16 Million!  

The investigation found that Anthem did not perform an enterprise-wide risk analysis, and the organization’s procedures did not regularly review information system activity. Anthem also failed to identify and respond to security incidents, and they did not implement proper minimum access controls to prevent the risk of cyber-attacks from stealing sensitive ePHI.

Complying with HIPAA’s minimum necessary standard matters if you want to avoid the risk of an expensive fine.

How Can You Comply?

Under HIPAA’s minimum necessary standard, the terms ‘reasonable’ and ‘necessary’ are open to interpretation and left up to the judgment of the covered entity. It’s up to your organization to determine what information should be disclosed and what information needs restricted access.

However, to make sure that you’re complying with this requirement, there are some basic steps you should follow:

1. Prepare a list of all systems that contain PHI and what types of PHI they include.
2. Establish role-based permissions that restrict access to certain kinds of PHI. All information systems should limit access to certain types of information. For instance, you can limit access to health insurance numbers, Social Security numbers, and medical histories if it’s not necessary for everyone to see that PHI.
3. Design and implement a policy for sanctions if violations of the minimum necessary standard occur.
4. Provide proper employee training about the types of information they’re permitted to access and what information is off limits. Be clear about the consequences of obtaining information when not authorized.
5. Create alerts when possible that notify the compliance team if there’s an unauthorized attempt to access PHI.
6. Ensure that the minimum necessary rule is being applied to all information shared externally, with third parties and subcontractors. It’s mandatory for covered entities to limit how much PHI is disclosed based on the job duties and the nature of the third party’s business.
7. Perform annual reviews and periodic audits of permissions and review logs to determine if anyone has knowingly or unknowingly accessed restricted information. Such reviews may also be required when a major incident takes place, such as the treatment of a celebrity in your organization, or if a shooting or newsworthy accident takes place and your organization is involved.
8. Document all actions taken to address cases of unauthorized access or accessing more information than is necessary and the sanctions that took place as a result.

Adhering to the HIPAA Minimum Necessary Standard is important to protect your organization and your patient relationships. When you take the appropriate steps to comply with HIPAA, you’ll not only have a much better chance of avoiding the risk of a costly data breach, but you’ll also build trust with your patients.