Paul J. Breaux completed
Pharmacy School in 1965. After practicing pharmacy
for several years, he entered L.S.U. Law School,
graduating in 1972, and he has practiced law since
then. His practice is located in Lafayette, Louisiana.
The "minimum necessary" requirement under the
HIPAA Medical Privacy Rule is considered a "key protection" by
the federal government. It was put in place to limit the
unnecessary sharing of a person's protected health information.
The requirement applies not only to treatment situations,
but also to the payment and operations activities of a covered
health care provider.
The rule states: "When using or disclosing protected
health information or when requesting protected health information
from another covered entity, a covered entity must make reasonable
efforts to limit protected health information to the minimum
necessary to accomplish the intended purpose of the use,
disclosure, or request." This is a very broad requirement.
"Disclosure" refers not only to release of protected
health information (PHI) outside a covered entity practice,
but also to release by an organization or practice to its
own workforce. "Use" is a reference to the use
of PHI inside a practice. The word "request" refers
to PHI requested by one practice of another, i.e., both those
requests for PHI submitted to a practice and those submitted
by a practice.
With respect to a practice's use of PHI, HIPAA expressly
requires that a covered practice audit and identify: (1)
those persons or classes of persons in its workforce who
need access to PHI to carry out their duties; and (2) for
each person or class of persons, the category or categories
of information to which access is needed and any conditions
that may be appropriate to such access. An easy example: does
the practice's or office's delivery person need access to any
PHI and, if so, to which PHI and how much?
Once the audit/identification described above has been
completed, the HIPAA Privacy Rule requires a covered entity
to develop and implement policies and procedures appropriate
to its own organization, practices, and needs, which reasonably
minimize the amount of PHI used by its workforce.
This minimum necessary requirement makes all covered entities
evaluate their practices and reinforce or shore up the protections
in their practices as needed in order to prevent unnecessary
or inappropriate access to, and use and disclosure of, patients'
protected health information. In some instances, policies
will need to be prepared anew; in others, all that will be
required is amendment of existing policies and standard protocols.
HIPAA imposes different requirements for routine versus
non-routine disclosures of PHI. For a disclosure that is
made on a routine and recurring basis, a practice may employ
policies and procedures, which may be standard protocols,
to limit the disclosure to the minimum amount necessary.
Non-routine disclosures, however, for internal uses as well
as in response to requests from outside entities, must be
evaluated on a case-by-case basis.
Covered entities should realize that the HIPAA Privacy
Rule does provide certain exceptions to the minimum necessary
requirement, and those need to be studied carefully
before they can be relied on.