Minimum Necessary Policy
About This Policy
- Effective Date:
- Date of Last Review/Update:
- Responsible University Office: HIPAA Privacy and Security Compliance Office
- Responsible University Administrator: Vice President for University Clinical Affairs
This policy applies to all personnel, regardless of affiliation, who have access to Protected Health Information (“PHI”) under the auspices of Indiana University (IU). Please refer to the IU HIPAA Affected Areas document for a full list of units impacted within Indiana University.
IU HIPAA Affected Areas shall limit the amount of PHI requested, used, or disclosed to others to the minimum amount necessary to achieve the specific purpose of that use, request, or disclosure. The standard also applies when an area is a business associate to another IU HIPAA Affected Area or an external covered entity.
This limitation does not apply when PHI is:
- Disclosed to or requested from another health care provider for the purpose of treatment;
- Disclosed as required by federal or state law;
- Disclosed to the patient of record; or
- Disclosed in compliance with a valid authorization.
- Use of Protected Health Information (PHI)
  - IU HIPAA Affected Areas shall only access the minimum information necessary to perform their assigned duties or to accomplish a stated purpose.
  - Routine disclosures of PHI shall be limited to the pre-determined and established criteria of the workforce member’s roles, the information used and disclosures required or necessary.
  - Non-routine disclosures of protected health information shall be reviewed on a case-by-case basis.
- Disclosures of Protected Health Information (PHI)
  - IU HIPAA Affected Areas shall limit the disclosure of PHI to that which is minimally necessary in each situation in order to achieve the purpose of the disclosure.
  - Disclosures for research purposes will rely on documentation from an Institutional Review Board (IRB) that describes the protected health information needed for research purposes. The documentation shall sufficiently describe the PHI needed.
- Requests for Protected Health Information (PHI)
  - Requests for PHI shall be limited and reviewed on a case-by-case basis to determine what PHI is reasonably necessary for the particular use or disclosure.
  - IU HIPAA Affected Areas shall limit requests for PHI to the minimum necessary to accomplish a particular task or purpose.
  - Researchers shall limit requests for PHI for research purposes to the minimum necessary for the described research, including PHI to be released pursuant to an authorization. Documentation must sufficiently describe the PHI needed.
Note: Uses or disclosures that impermissibly involve more than the minimum necessary information, in violation of §§ 164.502(b) and 164.514(d), may qualify as breaches.
Reason for Policy
This policy is designated for purposes of complying with the final provisions of the privacy and security rules regulated by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. It limits the amount of PHI that may be used or disclosed for an intended purpose to the minimum necessary, in accordance with HIPAA and HITECH privacy regulations, in conjunction with existing state laws, federal laws, and Indiana University Policy covering human subjects, security and privacy.