BLOG HOME > HIPAA > 5 Minimum Necessary HIPAA PHI Tips

5 Minimum Necessary HIPAA PHI Tips

What is PHI? 

Download the latest guide to HIPAA Compliance

Download now

PHI stands for Protected Health Information. It refers to any information disclosed or used during healthcare services that would identify an individual. 

PHI generally includes information regarding health conditions, billing information, treatments, tests, and any communication, including digital communication, between a healthcare provider and a patient. 

Examples of PHI include: 

  • Names, dates, addresses, and phone numbers 
  • Email addresses 
  • Medical record numbers 
  • Account numbers
  • Prescription information 
  • Emails or communication to healthcare providers 
  • Appointment scheduling information 
  • Test results 

What is not considered PHI under HIPAA?

While PHI covers a broad range of information, not all health information is protected. The difference between what is PHI and what is not PHI depends more on who accesses the information than the information itself. HIPAA regulations apply to Covered Entities (CE) and their Business Associates (BA). If your information is handled by an organization that is not a covered entity or business associate, it is not protected. 

The HIPAA minimum necessary rule

The HIPAA minimum necessary rule helps covered entities manage healthcare information by requiring them to limit access to and disclosure of PHI. There aren’t many times in life where you can get away with doing the bare minimum. PHI is one of them. Here are 5 things you should know about the minimum necessary HIPAA requirement.

SEE ALSO: What is the HIPAA Privacy Rule?

“All this is on a strictly need-to-know basis. As in, nobody else needs to know.” –Kami Garcia.

Have a HIPAA Deadline?

Request a Quote

HIPAA minimum necessary rule examples

1. PHI should only be shared on a need-to-know basis.

In military operations, a need-to-know restriction is the control of extremely sensitive information by only those who must know the information to get the job done. Although thousands of personnel are involved in planning battles, only a small number (usually high-ranking officers) have the security clearance to know everything about the operation. The rest are only informed on parts of the plan necessary to get their specific task completed.

Protected health information (PHI) is kind of like a sensitive battle plan. Instead of the need-to-know restriction, the HHS calls this control the minimum necessary PHI requirement. The HHS says this requirement is “based on sound current practice that protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function.”

Only those who need to see PHI to do their jobs should get to see it, and unless you have a specific need for the information, access must be restricted. For example, a receptionist (or someone who doesn’t provide direct patient care) probably doesn’t need to see the X-rays of a patient to do his or her job.

2. Limit user access by creating individual user accounts.

The HHS states, “if a hospital employee is allowed to have routine, unimpeded access to patients’ medical records, where such access is not necessary for the hospital employee to do his job, the hospital is not applying the minimum necessary standard.”

It’s a covered entity’s responsibility to limit who within the organization has access to each specific part or component of PHI. The easiest way to take charge of the data is by creating individual user accounts.

SEE ALSO: Everyone Is Not Created Equal In Healthcare

In the ideal scenario, each user account in a network, EHR, or computer system, would be given certain privileges based on the job title or role of the user. For example, a “doctor” privilege would get access to all PHI in their patient database, because they need it to do their job. An “IT admin” would have restricted access to PHI, because they are not involved with patient care.

3. Covered entities pass way too much data to their business associates.

The minimum necessary PHI requirement doesn’t just apply to an organization. It applies to the information shared externally, with third parties and subcontractors. Entities are required to limit how much PHI is disclosed based on job responsibilities and nature of the third party’s business.

Say a patient needed a prosthetic leg. If a hospital sent the entire patient record to the prosthetic manufacturer (their business associate), the hospital would be violating the minimum necessary requirement. The prosthetic manufacturer doesn’t need to know about the patient’s flu shot 10 years ago. All he needs to know are the specifics for the prosthetic required for him to correctly do his job.

SEE ALSO: You Can't Hide Behind a Business Associate Agreement

Passing too much PHI to a business associate could get your organization slapped with a fine. Be careful about how much data you are sending and receiving.

4. Don’t worry about passing too much data when talking to other doctors.

If you’re communicating doctor to doctor, don’t worry. You get a free pass. The minimum necessary rule is a little different if you’re communicating with someone who actually provides healthcare to patients.

Because many ailments, treatments, and medications are related, most situations require the entire medical history to be sent from doctor to doctor. Just remember to use your best judgment.

5. Both entities and business associates are responsible for the minimum necessary requirement.

I’ve witnessed many business associates tell their covered entity partners they get to decide how much data they receive, and it’s the covered entity’s responsibility to just ship it all over. Au contraire Mr. Business Associate!

Each party (covered entity and business associate) has a minimum necessary responsibility under HIPAA. That means either party can be fined by the HHS for misapplying (or completely disregarding) the minimum necessary rule. If a business associate demands more data than is necessary from its covered entities, it could be fined for ignoring the rules.

Let me clear up any confusion about your responsibility concerning minimum necessary data:

  • Covered entity responsibility:  determine what data is the minimum necessary to send, and then only send that data and nothing else.
  • Business associate responsibility:  only accept and use the minimum necessary data.
Just remember: Less is more when it comes to sharing PHI.

Join Thousands of Security Professionals and Subscribe