A Guide to HIPAA Minimum Necessary Standard and AHIMA Recommended Changes

  What is the HIPAA Minimum Necessary Standard? What has gone wrong with its implementation? What challenges do we need to meet due to evolving technological system involved? These are some of the ideas we need to explore and discuss. We'll do this to ensure proper handling and disclosure of sensitive, private information. Otherwise, we could face litigation. We recommend standardized review and reeducation procedures along with other helpful actions. These recommendations will help ensure a clear definition of the standard. It will improve operations now and moving forward. What is the HIPAA Minimum Necessary Standard? What are the AHIMA recommended changes? We explain the answers in this guide.

What is the HIPAA Minimum Necessary Standard?

We apply the HIPAA Minimum Necessary Standard to disclosures and uses of what we know as PHI. We allow these disclosures and uses under the HIPAA Privacy Rule. These include the ability for healthcare professionals to access ePHI. This is to inform covered business associates and other covered entities. This information applies to sharing any protected health information with other HIPAA-covered entities. This also applies to sharing any protected health information with other HIPAA-covered entities. These entities must take reasonable precautions to ensure limited access to PHI. We must only make available the necessary information for the intended purpose. The terms 'necessary' and 'reasonable' are open to your interpretation. This may cause confusion. It's up to the covered entity how much and what we should disclose. It's also up to them how much we should restrict, and what steps we should take to ensure privacy. These decisions made about the HIPAA Minimum Necessary Standard should be rational and take into account the covered entity's technical capabilities as well as any security and privacy risks. Remember that the HIPAA Minimum Necessary Standard is applicable to any and all forms of PHI. This includes films, physical documents, spreadsheets, and printed images. This also includes any verbally communicated information on tapes or other media. Make security efforts to allow only the least necessary access to ePHI. HIPAA-covered entities are to create, maintain, and update these access logs. We should redact any unnecessary information over and above that which is necessary. This includes that from paper records if we need to supply them.

When Does the HIPAA Minimum Necessary Standard Not Apply?

Here are the 6 exceptions where the HIPAA Minimum Necessary Standard does not apply:

1. We may give disclosures of PHI may to a healthcare provider if they request it to perform a treatment.
2. We allow disclosures to someone who under the HIPAA Privacy Rule. This includes those exercising their right of access. These individuals can get a copy of certain information within a recordset.Exceptions to this include:
   • Psychotherapy notes
   • Information kept for use in administrative, criminal, or civil actions.
3. Any disclosure needed to obtain authorization of some kind.
4. We allow any disclosures if the request comes from the Secretary of the HHS. (See 45 CFR part 160 Subpart C for details).
5. Disclosures and/or uses needed for compliance with HIPAA rules.
6. Disclosures and/or uses required by law.

How to Implement the Minimum Necessary Standard

To ensure compliance, document any and all ePHI-containing systems. This documentation needs to be clear in regards to what kinds of PHI they contain. Learn which types of information we use for which roles and responsibilities. Set up a system of permissions and are specific to each role to make sure access is limited to specific types of PHI. Apply granular controls to all information systems when possible. This will help limit access to those not eligible or to those who could accidentally access the PHI. Examples of this sensitive information include medical histories, Social Security numbers, and health insurance numbers. Make and keep a sanctions policy to deal with any violations of the standard. Remember to thoroughly train all employees on which kinds of information they can and cannot access. They need to know the specific consequences if they do access this information without prior authorization. Set up notifications to the compliance team. Do this by showing any unauthorized personnel's attempts to gain access. This includes any successful attempts by office staff and patients who do not have a good reason. (HIPAA refers to these as audit logs.) Provide access to those systems which contain ePHI only after assessing what specific information they need in order to complete their requested task. This will ensure the unnecessary information or parts of the system remain restricted. Remember to make the audits of review logs and permissions periodically and regularly. This will let you know which individuals access restricted information. Note and record anything done after cases of specifically unauthorized access. Also, do this for any attempts to access more information than they need and which sanctions have been applied in response.

What Some Examples of Minimum Necessary Standard Violations?

Let's say an IT worker is needed to fix or maintain a database. They do not need access to any medical histories to perform this action. If a physician needs access to a patient's medical history in order to assess that patient or to provide necessary care or treatment, they wouldn't need access to any back end databases or Social Security numbers. The most common violation when it comes to minimum necessary standards is simply talking about too much information in front of the wrong people. If you mention PHI within the hearing range of any unauthorized party, it is considered a violation. Remember to train your office staff thoroughly on all the rules and give them examples of what could be a common violation so it doesn't seem abstract, but rather relevant to their day to day experiences.

AHIM Recommended Changes for HIPAA

Board President for the American Health Information Management Association (AHIMA), Melissa Martin, recently testified on the HIPAA Minimum Necessary Standard of the HIPAA Privacy Rule. This occurred at NCVHS or the National Committee on Vital and Health Statistics. She attended and gave her input. Her purpose was to clarify any modifications or guidance that the DHHS might need to apply to the HIPAA Minimum Necessary Standard. This is due to technology changes within the healthcare system which were made to ensure that we continue the standard. Martin says there is still a lot of confusion over what "minimum necessary information" is and over the standard in general. Once again, she would like organizations to identify those individuals or groups inside the organization who need to be given specific access to PHI. This is to limit and protect categories of PHI that they can access. For example, justification must be given to permit access to medical records in their entirety. This also applies to any business associates. However, if they're contracted for a certain function for the entity, they should only have access to the information needed to perform that specific operation.

Guidance Requested for Clarification

Martin pointed out an inconsistency within the guidance process, which is causing some confusion. As of now, entities are allowed to decide what "minimum necessary information" consists of. This is inconsistent with the description of what it should be interpreted as. This could lead to potential legal action if a patient or legal representative did not agree with the organization's interpretation of the minimum necessary standard. Therefore the definition needs clarification during HHS guidance. EHR systems are of concern when it comes to technology challenges. They don't give access to PHI according to who may access what information. Martin points out that they often lack the sophistication needed to sequester certain patients from unauthorized employees. This can and does lead to a blanket approval for the access of all information in some situations rather than imposing the right restrictions.

Regulatory Challenges

Martin includes that many different initiatives such as QEP or the Qualified Entity Program encourages sharing of data and has resulted in an increase in shared PHI. The Qualified Entity Program lies under the Precision Medicine Initiative and Medicare. The healthcare system is becoming more and more interoperable, and as a result, we must be aware that the HIPAA Minimum Necessary Standard is being applied to fewer transactions. Before the hearing, a survey was conducted by the AHIMA. This surveyed its members working in security and privacy, clinical documentation improvement, education, and data analytics. The results of the survey are as follows:

• Percent of people unsure of the adoption of a minimum standard -- 38%
• Percent of people saying they didn't have a definition of the standard -- 14%
• Percent of people who were in the process of developing a definition -- 21%
• 1/3 of people said they lacked any related policies or procedures related to the standard.

Martin recommends:

• Development by the HHS of a more refined and clear definition of the standard is needed
• Considering the role of metadata in guidance
• Considering the limitations technology presents and address this in guidance
• Developing guidance with an enhanced focus on the needs of patients and consider the stewardship role
• Improving the consistency and standards by which the implementation is taught.
  • This will clear up expectations and ensure proper disclosure of each type of PHI for certain functions

She also recommends that the HHS supply effective educational materials and followup guidance to teach standards and changes to standards. We can consider fact sheets and FAQs to help in this regard.

More Implementation Recommendations

How can we temporarily prohibit all walk-in access for questions about medical records?

• Try to closely work with the ROI vendor if you have one to maintain continuity.
• Put up signs on such things as doors and windows in order to show families and patients other resources
• Update websites with changes to record requests and on any other automated messaging systems.
• Remember to alert Patient Acess staff of any processing changes

How can I give alternative options to patients and families who make record requests?

• HIM staff phone authorization for witnesses and the documentation of this in the audit log record
• Direct any phone messages to the patient portal or phone portal
• Instruct HIM staff on how to get and fill out the authorization form

How can I validate identities by phone?

• Verify the patient by asking for DOB, home address, and the last four numbers in their SSN
• Use reliable demographic information collected such as nickname, cell phone number, etc. if the above is not available.

Change support on patient portal to 24/7 if possible and train/hire in accordance with this need. If different languages are used within your patient population, ensure that these are represented within the record request rules and advice. Remember to thoroughly educate and refresh staff and providers on the importance of the information exchange surrounding health. Stay educated and updated on how to integrate new or updated technologies into your daily workflow.