The HIPAA Minimum Necessary Standard

Struggling to understand how to implement the HIPAA Minimum Necessary Standard?

Well, get in line!

The HIPAA Minimum Necessary Standard is one of the most important and loosely defined requirements of the HIPAA laws. This article will help clear things up for you so you can reach your HIPAA Compliance goals.

What is the HIPAA Minimum Necessary Standard?

The HIPAA law states that “when using or disclosing PHI (Protected Health Information) or when requesting PHI from another Covered Entity or Business Associate, the entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

Unlike many other standards in the HIPAA laws, the minimum necessary standard uses two, hard to pin down terms that are very much up to interpretation (or open to analysis); reasonable and necessary.

What do “necessary” and “reasonable” mean?

Let’s start by discussing what the term necessary means in this context.

For healthcare workers, database administrators, or any other employee working for an organization that is required to be HIPAA compliant, what is necessary for you to access depends on your job.

• It may be necessary for a developer to access a database containing patient records in order to perform their job of ensuring that the database is functioning correctly.
• It is also necessary for doctors to access a patient’s medical history in order to make appropriate diagnoses.
• However, it is not necessary for a database developer to access a patient’s medical history to fix a database issue, nor is it necessary for a doctor to access the backend of a database.

The latter instances would be violations of the minimum necessary standard, potential HIPAA breaches, and should be investigated to ensure that appropriate controls are in place to prevent it from happening again.

Now how should an organization make a judgment about what efforts are considered reasonable when it comes to enforcing the minimum necessary standard?

What is “reasonable” depends on the unique circumstances, technology stack, resources, and data that the organization utilizes.

For example, if a dental office only uses paper records, it would not be reasonable to implement technical controls that notify the privacy officer if users have accessed records beyond their need.

However, a fairly well funded radiology practice that uses a modern software system to store patient images should reasonably be able to implement a role-based permissions system that prevents users from accessing information pertaining to patients they aren’t treating.

The judgment that your organization makes regarding what is “reasonable” should:

1. Be supported by a clear understanding of your information systems and the data that reside in them;
2. Include documentation of the security/privacy risks that could impact said data systems;
3. Describe a rational justification that explains your decision.

High profile breaches involving the Minimum Necessary Standard

The girlfriend of a well-known student-athlete at the University of Iowa received a positive pregnancy test from an employee at the student health center. The employee discussed the results of the pregnancy test with co-workers, pointed out the athlete, who was sitting in the waiting room, and stated to others that she hoped the young couple was happy.

It gets worse. The employee then opened the patient’s medical files to view past visits and medications and shared the details with another staff member, information that neither employee needed to accomplish their work. Staff at the medical center reported the HIPAA violation to a manager. The University of Iowa fired the health center employee.

This incident was a case of a data breach that involved multiple violations of the minimum necessary rule and violated the patient’s’ right to privacy.

The University of Iowa may have been able to prevent this breach by:

1. Training all nurses not to search for or review records of patients that they are not directly treating, specifically addressing the importance of protecting the privacy of high profile individuals.
2. Setting up alerts in the software system that would notify the compliance team if a nurse views records of patients that they aren’t directly treating.
3. Implementing technical controls in the software that limits nurses from viewing records of patients that they aren’t treating.

(Want more juicy stories of data breaches? Read our 2018 recap of the worst of the worst!)

How to implement the minimum necessary standard in your organization

In the case of the University of Iowa, there was a clear HIPAA violation!  However, you’ll want to be diligent within your own organization to ensure that you are meeting the minimum necessary standard. Gazelle Consulting recommends the following:

1. Document all information systems that contain PHI and the types of PHI that reside in them.
2. Define and document roles, responsibilities, and required level of access to PHI for all employees that access systems or paper records that contain PHI. Document this in their job description and share this with the employee.
3. Utilize the roles and responsibilities to create an information access management program that uses technical and/or behavioral controls to limit access to PHI to only the information that individual employees need to perform their jobs.
   1. Administrative Controls – Training: Provide all employees who access PHI with the training needed to understand their job duties, their access rights, the limitations of their access rights, the minimum necessary standard, and the consequences for violating the standard.
   2. Technical Controls – Information Access Management: If reasonable, develop a granular role-based permissions system in all applications that contain PHI that will limit data access for each role to only the minimum amount necessary needed for staff to do their job.
   3. Technical Controls – Audit: If reasonable, configure information system monitoring to identify when staff has viewed information that is not needed for them to perform their job.
4. Investigate violations of the minimum necessary standard and apply appropriate sanctions.
   1. Administrative Controls – Security Incident Investigation: Regularly review audit records and incident reports to identify staff members who may have knowingly or unknowingly obtained more access than the minimum necessary. Document how the incident occurred, whether PHI was involved, and the actions you have taken to resolve the incident and report the incident to the required parties.
   2. Administrative Controls – Sanctions: Document the incident and provide sanctions including retraining, suspension, or termination if necessary. Especially if the minimum necessary violation involves a high profile patient, social media, or disclosure of PHI to other individuals, termination of the employee may be necessary to demonstrate that the organization has taken “reasonable” steps to remediate the risk that this will occur again. Sanctions are an important control to implement, lest you incur the wrath of the OCR.

Sounding like a hefty workload? Gazelle Consulting can make implementing the minimum necessary standard feel like a delightful bound through a grassy Savannah. Give us a call at (503) 389-5666 or email us at info@gazelleconsulting.org (no lions please).