HIPAA Privacy - Minimum Necessary Requests for Protected Health Information 164.514(d)(4)


Overview:
§164.514(d)(4)
Implementation specifications: Minimum necessary requests for protected health information.
(i) A covered entity must limit any request for protected health information to that which is reasonably necessary to accomplish the purpose for which the request is made, when requesting such information from other covered entities.
(ii) For a request that is made on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information requested to the amount reasonably necessary to accomplish the purpose for which the request is made.
(iii) For all other requests, a covered entity must:
(A) Develop criteria designed to limit the request for protected health information to the information reasonably necessary to accomplish the purpose for which the request is made; and
(B) Review requests for disclosure on an individual basis in accordance with such criteria.


Action Items:
1) Obtain and review policies and procedures related to minimum necessary requests and evaluate the content relative to the specified criteria.
2) Obtain and review a sample of requests made on a routine and recurring basis and determine if they are limited to the PHI reasonably necessary to achieve the purpose of the disclosure, as required by §164.514(d)(4).


Related Documents:
1) Policies and procedures related to minimum necessary requests
2) Sample of requests made on a routine and recurring basis


Additional Guidance:
For internal uses, a covered entity must develop and implement policies and procedures that restrict access to and uses of protected health information based on the specific roles of the members of its workforce. These policies and procedures must identify the persons, or classes of persons, in the workforce who need access to protected health information to carry out their duties, the categories of protected health information to which access is needed, and any conditions under which they need the information to do their jobs.

 



Article ID: 547
Created: September 29, 2022
Last Updated: September 29, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/hipaa-privacy-minimum-necessary-requests-for-protected-health-information-164-514-d-4-547.html