Interpreting the "Minimum Necessary" Portion of the HIPAA Rule

Michelle Bilsky, CHCO, LHRM, MLA, CBA - Vice President of Risk Management at MedMal Direct // September 11, 2017

The HIPAA Privacy rule has significant responsibility placed on medical staff in many areas of maintaining patient information confidentiality.  One area that has been discussed as having too much room for interpretation is the "Minimum Necessary" portion of the rule.


The rule specifically states:

(b)Standard: Minimum necessary - Minimum necessary applies. When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the usedisclosure, or request.

The rule then goes on to state:

(2)Minimum necessary does not apply. This requirement does not apply to:

(i) Disclosures to or requests by a health care provider for treatment;

The confusing part which is open to interpretation is what information does a healthcare provider need in order to treat a patient.  For example – if a patient has a communicable disease such as HIV or Hepatitis is it within the scope of the rule that anyone who is going to treat that patient be advised of the diagnosis?  On initial review we may say that it is necessary for the safety of the staff taking care of the patient to know the disease that the patient has but on the other hand OSHA requires that we utilize PPE (personal protective equipment) when caring for any patient and to treat each as if they do have communicable diseases therefore rendering the need for disclosure of the specific disease unnecessary.  Essentially the “answer” comes in the organizations HIPAA policy.  The organization must clearly state to its employees how they must handle disclosures and potential HIPAA breach situations. 

A recent KY appeals court provided confirmation on an interpretation of the rule in which the underlying court decision was questioned as regards minimum necessary.  You can read more here.

The general rule of thumb that we advise for our clients is that if there is not a direct need for disclosure of information to protect the patient’s health then the information should not be disclosed.  HIPAA does not cover safety of healthcare employees that would be governed by OSHA and you should educate your staff on this major difference.