Page 1 of 7

HIPAA Policy No. 4A
Minimum Necessary/Need to Know Policy and Procedure

Policy:

4.1 Uses and Disclosures restricted to minimum necessary information

Except for uses and disclosures related to treatment of the patient (and other exceptions discussed below in paragraph 4.4), the provider must make reasonable efforts to limit the amount of patient information used within the organization or disclosed to others to that which is minimally necessary to accomplish the intended purpose of the use or disclosure.

4.2 Uses Within the Organization

For uses of information within the organization, the provider must identify all employees by category who need access to protected health information and identify the type of protected health information to which each category of employee needs access. Employees who are involved in treatment of the individual will be given access to the entire medical record (subject to an understanding that access is on a need to know basis). Access to patient information by non-treatment providers will be determined based upon the following grid (an "x" means the role has access to that type of information; the column headings and marks are as they appear in the original grid, reflowed into a table):

Role (type of employee)   | Patient Name, Demographics, Scheduling information | Billing/financial and insurance information | Laboratory Tests/Results | Medical Notes (e.g. physician notes, nurses' notes)
--------------------------|----------------------------------------------------|---------------------------------------------|--------------------------|----------------------------------------------------
Receptionists             | x                                                  | x                                           |                          |
Billing personnel         | x                                                  | x                                           | x                        |
Office manager            | x                                                  | x                                           | x                        | x
Front office staff        | x                                                  | x                                           | x                        | x
Finance                   | x                                                  | x                                           |                          |
Training                  | x                                                  | Case by case                                | Case by case             | Case by case
4.3 Uses and Disclosures to Third Parties

For requests that the provider receives on a routine or recurring basis, see additional specific policies (4B and 4C). Requests that do not occur on a routine basis must be reviewed individually to determine the minimum amount of information that must be disclosed to achieve the stated purpose of the disclosure, based upon the following criteria:

- Determine whether the requestor was specific about the type of information that is needed (e.g., demographics, financial/billing, physician notes, laboratory results). If the requestor was not specific, ask the requestor specifically what information is needed and why.
- If the requestor requests the entire medical record, ask the requestor to justify why the entire medical record is needed. Employees should not disclose an entire medical record until satisfactory justification is provided by the requestor.
- Determine whether the requestor is a person who can be relied upon (as set forth in paragraph 4.5 below). If the requestor is a person whose representations can be relied upon, then the employee may disclose the requested information. If the requestor is not a person whose representations can be relied upon, and the employee has any question regarding the appropriateness of the scope of the request, the employee should ask the Privacy Officer for approval to disclose the information.

4.4 Exceptions to minimum necessary requirements

The minimum necessary restriction does not apply under the following circumstances:

- When the disclosure is made to a provider for the purpose of treatment
- When the patient requests his or her own information
- When the patient signs an authorization for the disclosure
- When a disclosure is made because it is required by law, including those disclosures required by the HIPAA regulations (See HIPAA Policy No. 3B).
4.5 Requestors who can be relied upon to determine minimum necessary information

- When making a permissible disclosure to a public official, the provider may rely on the public official's representations regarding the amount of information needed.
- When making a disclosure to another covered entity (e.g. a provider, health plan or clearinghouse), the provider may rely on the requestor's representations regarding the amount of information needed.
- The provider may rely upon the professional judgment of a business associate to determine what information is needed for the performance of professional services (for example, an accountant or attorney).
4.6 Verification of Requestor

Employees will verify the identity of a requestor if the employee does not know the requestor.

4.7 Application of the minimum necessary rule where provider is the requestor

HIPAA requires the provider to restrict requests for information to the minimum necessary to achieve the intended purpose of the requested disclosure. Requests for protected health information should be made subject to the following criteria:

- Requests should be as specific as possible with respect to the amount of information needed.
- Requests should not be for entire medical records unless absolutely necessary. If the information is being requested for treatment purposes, the entire medical record may be requested.
- Employees should be prepared to provide justification for the scope of the request.

Procedure:

1. Non-treatment providers should review the above grid regarding levels of access, set forth in paragraph 4.2. All employees will sign a security/need to know agreement (HIPAA Toolkit Form L), agreeing that they will not use information other than that which is necessary to perform their job function. If employees believe that they have a need to access additional information, they should contact the Privacy Officer.
2. When an employee receives a request for information, he or she should first determine whether this is a routine request that has its own specific policy (for example, Policies 4B and 4C). If so, the employee should refer to the specific policy.
3. If the request for information is not routine, the employee should use the criteria set forth in paragraph 4.3 to determine whether the disclosure should be made as requested.
4. If the identity of the requestor is not known, the employee should verify the identity.
5. If an employee makes a request for information from another covered entity, the request should be specific and limited in scope consistent with the criteria set forth in paragraph 4.7.
Authorities:

- 45 CFR 164.502(b)
- 45 CFR 164.514(d)
- 45 CFR 164.514(h)
HIPAA Policy No. 4B
Minimum Necessary/Need to Know Policy and Procedure
Disclosures to Health Plans

Policy:

4.1 Disclosures Specifically Required by Health Plans

Information may be provided to third party payers (e.g., Medicare, Medicaid, and commercial insurers) as required by contracts and/or subscriber agreements with the payer. The provider can rely upon a health plan's representations regarding the information that is needed for a claim, including representations that are contained in a policy, a provider agreement, or in a health plan newsletter or bulletin. For example, to the extent that the health plan makes representations that the information is necessary, the following information may be provided as part of a claim to a health plan:

- Date(s) of service
- Patient demographic information
- Information regarding the patient's insurance contract number, plan number, group number, etc.
- Diagnosis and/or procedure codes
- Information regarding medical history
- Referral or pre-certification information
- Other information requested by the health plan

4.2 Unspecific Requests by Health Plan

There may be situations when a provider must make a disclosure of protected health information that has not been specifically requested by the third party payer. For example, the provider may need to determine what information should be submitted to support a claim or defend an audit. In these situations, the provider must determine what information is minimally necessary to achieve the results for which the information is being requested. Information beyond that which is minimally necessary should not be disclosed. For example, if a particular date of service is being questioned, it may be necessary to submit excerpts from the date of service in question, as well as information from previous or subsequent visits that support medical necessity, plan of care, etc. Although the entire medical record should not be routinely submitted, it may be submitted where necessary.
Procedure:

1. For the purposes of claims submission, information required or requested by the health plan should be submitted.
2. Employees can rely upon representations from health plans regarding the information that is required.
3. If the provider needs to submit additional information, employees should determine what information is necessary to support the service in question.
4. If an employee has a question as to the amount of information that should be provided for a certain disclosure, he or she should consult with the Privacy Officer.
HIPAA Policy No. 4C
Minimum Necessary/Need to Know Policy and Procedure
Disclosures to Billing Companies

Policy:

4.1 Disclosures to Billing Company

The billing company is a business associate of the provider and is performing professional services on behalf of the provider. To the extent that the billing company represents that the requested PHI is necessary to perform these professional services, the provider may rely upon these representations. For example, some of the information that may be routinely provided to the billing company, based upon representations that this information is necessary to perform the professional services, includes:

- Date(s) of service
- Patient demographic information
- Information regarding the patient's insurance contract number, plan number, group number, etc.
- Diagnosis and/or procedure codes
- Information regarding medical history
- Referral or pre-certification information
- Other information necessary to submit a claim on behalf of the provider

4.2 Requests for additional supporting information

Besides submitting claims on behalf of the provider, there may be situations where the billing company assists the provider in providing justification for services or appealing denied claims. For example, the billing company may assist the provider in determining what information should be submitted to support a claim or defend an audit. In these situations, the provider may rely upon the billing company's representations regarding what information is necessary to support the claim. However, the provider should work with the billing company to determine the minimum amount of information that needs to be submitted to the billing company and, ultimately, to the insurance company. Information beyond that which is minimally necessary should not be disclosed. For example, the provider should not routinely provide the billing company with access to entire medical records, but may do so where it is necessary.
The protocols discussed in policy 4B should be shared with and followed by the billing company.
Procedure:

1. For the purposes of claims submission, the provider should only provide that information that is needed based upon the billing company's representations.
2. Employees can rely upon representations from the billing company with respect to the information that is required for the billing company to perform its services.
3. The billing company should be given a copy of the protocols set forth in Policy 4B to follow when submitting information to health plans on behalf of the provider.
4. If an employee has a question as to the amount of information that should be provided to the billing company, he or she should consult with the Privacy Officer.