DHHS POLICIES AND PROCEDURES

___________________________________________________________________________________________________________________

Section VIII:	Privacy and Security
Title:	Privacy Manual
Chapter:	Use and Disclosure Policies, Minimum Necessary
Current Effective Date:	3/30/05
Revision History:	10/9/03
Original Effective Date:	4/14/03

___________________________________________________________________________________________________________________

Purpose

The purpose of this policy is to set forth the NC Department of Health and Human Services (NC DHHS) requirements for making reasonable efforts to limit the use and disclosure of individually identifiable health information to that which is minimally necessary to support the intent of use or disclosure.

This policy shall apply to any of the following DHHS agencies:

• The Health Insurance Portability and Accountability Act (HIPAA) covered health care components;
• Internal business associates; and
• Non-covered health care components that maintain individually identifiable health information.

Policy

DHHS agencies, as identified in the Purpose section of this policy, must make reasonable efforts to limit individually identifiable health information to that which is minimally necessary to accomplish the intended purpose for the use, disclosure, or request for information. DHHS agencies must evaluate their current practices for using and disclosing individually identifiable health information in order to enhance protections, as needed, to limit unnecessary or inappropriate access to individually identifiable health information.

The minimum necessary requirement applies to:

• Uses or disclosures for payment or health care operations;
• Uses or disclosures requiring the client to have an opportunity to agree or object;
• Uses or disclosures that are permitted without the client's permission (except for those required by law or specified otherwise in the DHHS Policy Manual); and
• Uses or disclosures by External Business Associates.

Controlling the "use" of individually identifiable health information that is primarily paper-based within an agency presents special challenges in applying the minimum necessary requirements. Agencies must rely heavily on the development and implementation of policies and procedures, as well as self-policing. Therefore, this policy takes on special importance for agencies maintaining individually identifiable health information on paper (e.g., paper client records and diagnostic images).

Controlling the "use" of individually identifiable health information that is contained in an automated system requires assessment of existing systems and evaluation of current practices to determine protection enhancements needed to prevent unnecessary or inappropriate access to individually identifiable health information. The department shall allow agencies the flexibility to address their unique circumstances in assessing what information is necessary for a particular purpose. Using a logical approach, agencies must decide the best practices that limit the unnecessary sharing of individually identifiable health information.

In DHHS, access to systems containing individually identifiable health information must be limited through access controls established by each agency. Specification elements must be established for each system that will identify methods for establishing access controls for agency staff.

1. Minimum Necessary within Agency
   
   DHHS agencies are required to identify persons or classes of persons in its workforce who need access to individually identifiable health information and the categories of information to which access is needed.
   
   DHHS agencies must develop and implement procedures that limit routine disclosures of individually identifiable health information to the amount reasonably necessary to achieve the purpose of the disclosure.
   
   DHHS agencies are required to develop criteria designed to limit individually identifiable health information to the minimum necessary.



2. Minimum Necessary Outside Agency
   
   DHHS agencies may rely on a request for disclosure as being limited to the individually identifiable health information that is minimally necessary, if:
1. Disclosure is to a public official who represents that the request is for the minimum necessary information;



2. The request is from another HIPAA covered health care component;



3. The request is from a professional in the agency's own workforce or from a business associate, and the professional represents that the request is for the minimum necessary information; or



4. The requestor provides documentation that the disclosure is for research purposes.

The minimum necessary requirement does not apply to:

• Disclosures to or requests by a health care provider for treatment;
• Uses or disclosures made to a client to whom the information applies;
• Uses or disclosures authorized by the client (or the client's personal representative);
• The Secretary of the United States Department of Health and Human Services for compliance enforcement;
• Uses or disclosures required by law; or
• Uses or disclosures required for compliance with the HIPAA Privacy Rule.

Implementation

The following protocols are in compliance with the HIPAA Privacy Rule and should be considered when staff share individually identifiable health information in the performance of their job responsibilities and when sharing individually identifiable health information with individuals outside the agency.

When using individually identifiable health information within an agency, DHHS agencies must categorize users by their "need-to-know" in order to accomplish their job responsibilities and establish standard protocol (criteria) that reasonably limits inappropriate access to individually identifiable health information based on the following categories:

1. Standard Protocol for Uses of Individually Identifiable Health Information by an Agency's Own Workforce
1. For uses of individually identifiable health information by its own workforce within the agency, standard protocol must:
1. Identify the persons or groups of persons who need access to individually identifiable health information to carry out their job functions;


2. Identify the type of individually identifiable health information to which each person or group needs access, as well as the conditions under which they need the access; and


3. Make reasonable efforts to limit the access of its staff to only the information appropriate to their job functions.
2. Standard Protocol for Disclosures of Individually Identifiable Health Information by an Agency's Own Workforce
1. For routine, recurring disclosures of individually identifiable health information by an agency's own workforce, standard protocol must:
1. Identify the types of information to be disclosed;


2. Identify the types of persons who would receive such information;


3. Identify the conditions that would apply to such access; and


4. Develop reasonable criteria for disclosures to routinely hired types of business associates (e.g., medical transcription).
2. For non-routine disclosures of individually identifiable health information by an agency's own workforce, standard protocol must:
1. Develop reasonable measures to limit information to the minimum necessary to accomplish the purpose of the disclosure; and


2. Use these measures to review non-routine disclosures on an individual basis.
3. Standard Protocol for Making Requests for Individually Identifiable Health Information by an Agency's Own Workforce
1. For routine, recurring requests for individually identifiable health information by an agency's own workforce, standard protocol must:
1. Describe what information is reasonably necessary for the purpose of the request; and


2. Limit the request for individually identifiable health information to that information.
2. For all other requests for individually identifiable health information by an agency's own workforce, standard protocol must ensure that each request is reviewed by an agency staff member who has authority to determine that the information requested is limited to what is reasonably necessary to accomplish the purpose of the request.

Criteria must be developed that control both the request for, and the disclosure of, the entire client record. Criteria must specifically justify why the entire client record is required. Exceptions to agency criteria are prohibited without prior approval of the Agency Privacy Official.

Individuals or entities external to the Department that perform activities or functions on behalf of a DHHS covered health care component as defined by the HIPAA Privacy Rule, are considered External Business Associates of a DHHS agency. As such, External Business Associates are required to comply with the Minimum Necessary requirement as specified in the HIPAA Privacy Rule.

The minimum necessary policy is intended to make DHHS agencies evaluate their current procedures and enhance protections needed to limit unnecessary or inappropriate access to and disclosures of, individually identifiable health information.

DHHS considers best practice for sharing individually identifiable health information is to always limit such information to that which is necessary to accomplish the intended purposes of such use or disclosure.

DHHS agencies must limit their requests for individually identifiable health information to that which is minimally necessary and reasonable.

No use, disclosure, or request for a complete client record is considered minimally necessary unless specific justification is documented.

Reference:

DHHS Directive Number III-11; 45 CFR 164.502 (b); 45 CFR 164.514(d)

For questions or clarification on any of the information contained in this policy, please contact DHHS Privacy Officer. For general questions about department-wide policies and procedures, contact the DHHS Policy Coordinator.