Accessing and Disclosing Information- Are You Adhering to the Minimum Necessary Standard?

Accessing and Disclosing Information- Are You Adhering to the Minimum Necessary Standard?

When our team of experts here at HCP are offsite visiting healthcare facilities they are often asked questions by clients about how they can ensure their employees are adhering to the minimum necessary standards when accessing and disclosing information.

For example, on a recent visit, we learned of a healthcare employee who released confidential and sensitive test results to a patient. This employee had the best of intentions and was just trying to help the patient, but there were a few problems with this release of information. First of all, the employee was not authorized to access the records. Secondly, she was not authorized to share sensitive results with the patient. And finally, she should not have sent the information unsecured to a patient's third-party email account.

HIPAA Minimum Necessary Standard

Under the HIPAA Privacy Rule, the minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information (PHI). This means medical practices and their employees are required to take reasonable steps to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose.

The minimum necessary standard does not apply to the following:

  • Disclosures to or requests by a health care provider for treatment purposes.
  • Disclosures to the individual who is the subject of the information.
  • Uses or disclosures made pursuant to an individual's authorization.
  • Disclosures to the Department of Health and Human Services (HHS) when disclosure of the information is required under the Privacy Rule for enforcement purposes.
  • Uses or disclosures that are required by other laws.
  • Other uses or disclosures are required for compliance with HIPAA.

When did this employee potentially violate the minimum necessary standard?

The employee was not a healthcare provider, lacked the individual's authorization, and was not authorized by the healthcare organization's policies and procedures to access and release sensitive test results.

Learning from this example, it is important for all healthcare employees to consider the following questions:

  1. Am I authorized to access the information?
  2. Is the information I am accessing the minimum necessary to accomplish the intended task?
  3. Have I double-checked that I have the right documentation for the right patient?
  4. If the information is to be disclosed, have I made sure the information is being provided in accordance with our policies and procedures? (e.g., patient portal)
  5. If ever I have a question or feel I may be accessing more than the minimum necessary, who can I contact? (e.g., compliance officer)

Do you have additional questions about the minimum necessary standard? We are happy to help. Please contact us by email: or by phone: 855-427-0427.

Need a quick reference guide? Download the PDF version here.