Skip to Content

HIPAA Privacy - Minimum Necessary - Disclosures of PHI 164.514(d)(3)

546  Matthew Burdick September 29, 2022  Special Case Requirements (Privacy)

Overview:
§164.514(d)(3)
Implementation specification: Minimum necessary disclosures of protected health information.
(i) For any type of disclosure that it makes on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure.
(ii) For all other disclosures, a covered entity must: (A) Develop criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought; and (B) Review requests for disclosure on an individual basis in accordance with such criteria.
(iii) A covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when: (A) Making disclosures to public officials that are permitted under § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s); (B) The information is requested by another covered entity; (C) The information is requested by a professional who is a member of its workforce or is a business associate of the covered entity for the purpose of providing professional services to the covered entity, if the professional represents that the information requested is the minimum necessary for the stated purpose(s); or (D) Documentation or representations that comply with the applicable requirements of § 164.512(i) have been provided by a person requesting the information for research purposes.


Action Items:
1) Obtain and review policies and procedures related to minimum necessary disclosures and evaluate the content relative to the established performance criterion.
2) Obtain and review a sample of protocols for disclosures made on a routine and recurring basis and determine if such protocols limit to the PHI to what is reasonably necessary to achieve the purpose of the disclosure, as required by 514(d)(3).


Related Documents:
1) Policies and procedures related to minimum necessary disclosures
2) Sample of protocols for disclosures made on a routine and recurring basis


Additional Guidance:
Covered entities must establish and implement policies and procedures (which may be standard protocols) for routine, recurring disclosures, or requests for disclosures, that limits the protected health information disclosed to that which is the minimum amount reasonably necessary to achieve the purpose of the disclosure. Individual review of each disclosure is not required. For non-routine, non-recurring disclosures, or requests for disclosures that it makes, covered entities must develop criteria designed to limit disclosures to the information reasonably necessary to accomplish the purpose of the disclosure and review each of these requests individually in accordance with the established criteria.
Not Rated
Secure Code