‘Minimum necessary’ standard perplexes practices

A critical part of protecting the personal health information (PHI) of patients is only releasing the minimum necessary information when records must be shared. But many practices have neither adopted a definition for the minimum standard, nor developed policies and procedures related to the minimum standard.

Under the Health Insurance Portability and Accountability Act (HIPAA) privacy rule, the minimum necessary standard requires covered entities to only disclose the minimum amount of information necessary to accomplish a specific purpose. Each covered entity is supposed to evaluate their own operations and determine exactly what constitutes the minimum necessary standard.

The rule is written to allow for flexibility because there are so many different types of covered entities, providing a wide range of services. For example, a small-to-medium physician’s practice providing primary care services will require much different patient information in order to deliver appropriate care than a diagnostic center.

The problem with flexibility is that it often brings about confusion. . Angela Rose, a director of practice excellence with the American Health Information Management Association (AHIMA), says four organizations could have the same definition, but apply and implement it in completely different ways, for example.

Although the U.S. Department of Health and Human Services (HHS) provides guidance for covered entities to develop a definition of the minimum necessary standard, the organization says that the minimum necessary requirement needs to be “sufficiently flexible” to fit the needs of any covered entity. Rose says that many people in the industry would prefer a more uniform definition of the minimum necessary standard. She adds that although much has changed since covered entities were first required to comply with the privacy rule in 2003 there has been no additional guidance regarding the minimum necessary standard.

Recently, Melissa Martin, RHIA, CCS, president of AHIMA testified before the National Committee on Vital and Health Statistics (NCVHS) subcommittee on privacy, confidentiality, and security. She urged the subcommittee to develop a clear definition of minimum necessary that includes objective criteria, rather than continuing to require individual organizations to develop their own definitions.

Before the hearing, AHIMA conducted a survey of its members and found that 38% were unsure if their organization had adopted a definition for minimum standard, 14% said that no definition had been adopted and 21% said a definition was currently being developed. One-third reported there were no policies or procedures in place relating to the minimum standard.

Rose helped conduct the survey, and says that it is likely smaller practices are in the same situation as the survey respondents, (who worked at a variety of facilities), and many probably don’t have definite policies and procedures in place.

 “Every interpretation [of minimum standard] is different,” she says.  Part of the reason for the survey was to help AHIMA identify “points of pain,” says Rose, so that they could offer recommendations to HHS.

The designated privacy officer is the person who is usually in charge of developing the policies and procedures surrounding the minimum standard and seeing that they are implemented appropriately. For practices that have not adopted a definition or developed minimum standard-related policies, Rose suggests the first step is to read the rule itself, and then to consider how the requirement relates to the organization.

Even if only one or two people in an office are responsible for releasing information, Rose says that everyone should have an understanding of the policies and procedures related to the minimum necessary standard, including physicians, who often don’t get involved in that aspect of the practice.

“There needs to be a lot of education and training, but the biggest piece is defining it for your organization,” Rose concludes.