LIMITATION ON MINIMUM NECESSARY STANDARD
On February 17, 2009, President Obama signed into law the American
Recovery and Reinvestment Act of 2009 (the "Recovery Act").
Title XIII of the Recovery Act is known as the Health Information
Technology for Economic and Clinical Health Act ("HITECH").
Among other provisions, HITECH makes several changes to the Privacy and
Security Rules adopted pursuant to the Health Insurance Portability and
Accountability Act of 1996 ("HIPAA"). Due to the significance
of those changes, we will be issuing a series of Alerts providing an
analysis of each of those changes. This is the fourth in a
series of seven such Alerts.
Existing Minimum Necessary Standard
Prior to HITECH, HIPAA required covered entities, when using or
disclosing protected health information ("PHI") or when requesting PHI
from another covered entity, to reasonably ensure that they limited the
PHI to that which was reasonably necessary to accomplish the intended
purpose.
HIPAA did not define "minimum necessary" but did provide that the
minimum necessary standard does not apply to:
- Disclosures or requests by a health care provider for
treatment
- Uses or disclosures made to an individual who is the
subject of the information
- Uses or disclosures made pursuant to an authorization
- Uses or disclosures required for compliance with HIPAA
- Uses or disclosures made to the Secretary of the Department
of Health and Human Services ("Secretary") required for compliance with
or enforcement of HIPAA
- Uses or disclosures that are required by law
New Minimum Necessary Standard
HITECH limits covered entities' discretion for determining what
constitutes the minimum necessary and requires covered entities to
initially limit the use, disclosure or request of PHI, to the extent
practicable, to a limited data set or, if needed, to the minimum
necessary to accomplish the intended purpose of such use, disclosure,
or request. HITECH clarifies that the entity disclosing the
PHI (as opposed to the requester) is responsible for making the minimum
necessary determination. The Secretary is required to issue
guidance on what constitutes minimum necessary no later than August 17,
2010. At such time, this requirement to use a limited data
set, or if needed, the minimum necessary to accomplish the intended
purpose will go away and uses, disclosures, or requests will have to
comply with the new minimum necessary guidance to be issued by the
Secretary.
What is a Limited Data Set?
A limited data set is PHI that excludes direct identifiers of the
individual or the relatives, employers, or household members of the
individual. Direct identifiers include names; postal address
information other than town or city, state, and zip code; telephone
numbers; fax numbers; electronic mail addresses; social security
numbers; medical record numbers; health plan beneficiary numbers;
account numbers; certificate/license numbers; vehicle identifiers and
serial numbers (including license plate numbers); device identifiers or
serial numbers; URLs; Internet Protocol (IP) address numbers;
biometric identifiers (including finger and voice prints); and full
face photographic images and any comparable images.
Thus, until the Secretary issues guidance on what constitutes minimum
necessary, covered entities, to the extent practicable, must limit the
use, disclosure, or request of PHI to a limited data set, which means
removing all the identifiers stated above from the PHI. If
that limitation is not practicable, the covered entity may limit the
PHI to the minimum necessary to accomplish the intended purpose of such
use, disclosure, or request, which means it may include some of the
identifiers above, if needed. However, covered entities must
be prepared to justify why the limited data set was not practicable in
a particular case.
Next Steps
- While we cannot predict how restrictive the regulations
defining minimum necessary will be, covered entities should start
preparing by evaluating their existing minimum necessary policy and
procedures and determining which identifiers are generally necessary
for common requests for uses or disclosures of PHI and which
identifiers can be eliminated.
- Covered entities should also begin to develop a process to
be able to remove identifiers from PHI when responding to requests for
uses and disclosures of PHI.
- Covered entities should anticipate revising their minimum
necessary policy and procedures to comply with the regulations once
issued in 2010.
If you have additional questions regarding the minimum necessary
standard, please contact your Hall Render attorney or Charise R.
Frazier at (317) 871-6222 or cfrazier@hallrender.com
This information is intended for general
information purposes only and does not and is not intended to
constitute legal advice. The reader must consult with legal counsel to
determine how laws or decisions discussed herein apply to the reader's
specific circumstances.