HIPAA Privacy Regulations: General Rules for Uses and Disclosures of Protected Health Information: Minimum Necessary - § 164.502(b)
As Contained in the HHS HIPAA Privacy Rules
HHS Guidance: Minimum Necessary
HHS Regulations as Amended January 2013 |
(b) Standard: Minimum necessary— Minimum necessary applies. When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
(2) Minimum necessary does not apply. This requirement does not apply to:
(i) Disclosures to or requests by a health care provider for treatment;
(ii) Uses or disclosures made to the individual, as permitted under paragraph (a)(1)(i) of this section or as required by paragraph (a)(2)(i) of this section;
(iii) Uses or disclosures made pursuant to an authorization under §164.508;
(iv) Disclosures made to the Secretary in accordance with subpart C of part 160 of this subchapter;
(v) Uses or disclosures that are required by law, as described by §164.512(a); and
(vi) Uses or disclosures that are required for compliance with applicable requirements of this subchapter.
HHS Description and Commentary From the January 2013 Amendments |
Before the HITECH Act, the Privacy Rule did not govern business associates directly. However, section 13404 of the HITECH Act makes specific requirements of the Privacy Rule applicable to business associates, and creates direct liability for noncompliance by business associates with regard to those Privacy Rule requirements.
Specifically, section 13404(a) of the HITECH Act creates direct liability for uses and disclosures of protected health information by business associates that do not comply with its business associate contract or other arrangement under the Privacy Rule.
Additionally, section 13404(a) applies the other privacy requirements of the HITECH Act directly to business associates just as they apply to covered entities. Section 13404(b) applies the provision of § 164.504(e)(1)(ii) regarding knowledge of a pattern of activity or practice that constitutes a material breach or violation of a contract to business associates. Finally, section 13404(c) applies the HIPAA civil and criminal penalties to business associates. We discuss the modifications to the Privacy Rule pursuant to paragraphs (a) and (b) of section 13404 of the HITECH Act below.
We note that we have not added references to “business associate” to all provisions of the Privacy Rule that address uses and disclosures by covered entities.
Such additions to the Privacy Rule are unnecessary, as a business associate generally may only use or disclose protected health information in the same manner as a covered entity.
Therefore, any Privacy Rule limitation on how a covered entity may use or disclose protected health information automatically extends to a business associate.
Proposed Rule
We proposed to modify the minimum necessary standard at § 164.502(b) to require that when business associates use, disclose, or request protected health information from another covered entity, they limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
Applying the minimum necessary standard is a condition of the permissibility of many uses and disclosures of protected health information. Thus, a business associate is not making a permitted use or disclosure under the Privacy Rule if it does not apply the minimum necessary standard, where appropriate. Additionally, the HITECH Act at section 13405(b) addresses the application of minimum necessary and, in accordance with 13404(a), also applies such requirements to business associates.
Overview of Public Comments
While the Department received general support for application of the minimum necessary standard to requests and uses and disclosures by business associates, several commenters requested clarification on such application.
Final Rule
The final rule adopts the proposal to apply the minimum necessary standard directly to business associates when using or disclosing protected health information or when requesting protected health information from another covered entity. The final rule also makes clear that requests directed to another business associate, in addition to those directed to another covered entity, must also be limited to the minimum necessary.
Covered entities and business associates disclosing protected health information in response may reasonably rely on such requests as requesting the minimum necessary for the disclosure.
How a business associate will apply the minimum necessary standard will vary based on the circumstances. As is the case today, a business associate agreement must limit the business associate’s uses and disclosures of protected health information to be consistent with the covered entity’s minimum necessary policies and procedures. We leave it to the discretion of the parties to determine to what extent the business associate agreement will include specific minimum necessary provisions to ensure a business associate’s uses and disclosures and requests for protected health information are consistent with the covered entity’s minimum necessary policies and procedures. The Department intends to issue future guidance on the minimum necessary standard in accordance with section 13405(b) of the HITECH Act that will consider the specific questions posed by commenters with respect to business associates’ application of the minimum necessary standard.
HHS Description of and Commentary From the August 2002 Revisions General Rules for Uses and Disclosures of Protected Health Information: Minimum Necessary |
December 2000 Privacy Rule. The Privacy Rule generally requires covered entities to make reasonable efforts to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose. See § 164.502(b). Protected health information includes individually identifiable health information (with limited exceptions) in any form, including information transmitted orally, or in written or electronic form. See the definition of "protected health information" at § 164.501. The minimum necessary standard is intended to make covered entities evaluate their practices and enhance protections as needed to limit unnecessary or inappropriate access to, and disclosures of, protected health information.
The Privacy Rule contains some exceptions to the minimum necessary standard. The minimum necessary requirements do not apply to uses or disclosures that are required by law, disclosures made to the individual or pursuant to an authorization initiated by the individual, disclosures to or requests by a health care provider for treatment purposes, uses or disclosures that are required for compliance with the regulations implementing the other administrative simplification provisions of HIPAA, or disclosures to the Secretary of HHS for purposes of enforcing this Rule. See § 164.502(b)(2).
The Privacy Rule sets forth requirements for implementing the minimum necessary standard with regard to a covered entity's uses, disclosures, and requests at § 164.514(d). A covered entity is required to develop and implement policies and procedures appropriate to the entity's business practices and workforce that reasonably minimize the amount of protected health information used, disclosed, and requested. For uses of protected health information, the policies and procedures must identify the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of protected health information needed, and the conditions appropriate to such access. For routine or recurring requests and disclosures, the policies and procedures may be standard protocols. Non-routine requests for, and disclosures of, protected health information must be reviewed individually.
With regard to disclosures, the Privacy Rule permits a covered entity to rely on the judgment of certain parties requesting the disclosure as to the minimum amount of information that is needed. For example, a covered entity is permitted reasonably to rely on representations from a public official, such as a State workers' compensation official, that the information requested is the minimum necessary for the intended purpose. Similarly, a covered entity is permitted reasonably to rely on the judgment of another covered entity that the information requested is the minimum amount of information reasonably necessary to fulfill the purpose for which the request has been made. See § 164.514(d)(3)(iii).
March 2002 NPRM. The Department proposed a number of minor modifications to the minimum necessary standard to clarify the Department's intent or otherwise conform these provisions to other proposed modifications. First, the Department proposed to separate § 164.502(b)(2)(ii) into two subparagraphs (§ 164.502(b)(2)(ii) and (iii)) to eliminate confusion regarding the exception to the minimum necessary standard for uses or disclosures made pursuant to an authorization under § 164.508, and the separate exception for disclosures made to the individual. Second, to conform to the proposal to eliminate the special authorizations required by the Privacy Rule at § 164.508(d), (e), and (f), the Department proposed to exempt from the minimum necessary standard any uses or disclosures for which the covered entity had received an authorization that meets the requirements of § 164.508, rather than just those authorizations initiated by the individual.
Third, the Department proposed to modify § 164.514(d)(1) to delete the term "reasonably ensure" in response to concerns that the term connotes an absolute, strict standard and, therefore, is inconsistent with the Department's intent that the minimum necessary requirements be reasonable and flexible to the unique circumstances of the covered entity. In addition, the Department proposed to generally revise the language in § 164.514(d)(1) to be more consistent with the description of standards elsewhere in the Privacy Rule.
Fourth, so that the minimum necessary standard would be applied consistently to requests for, and disclosures of, protected health information, the Department proposed to add a provision to § 164.514(d)(4) to make the implementation specifications for applying the minimum necessary standard to requests for protected health information by a covered entity more consistent with the corresponding implementation specifications for disclosures. Specifically, for requests not made on a routine and recurring basis, the Department proposed to add the requirement that a covered entity must implement the minimum necessary standard by developing and implementing criteria designed to limit its request for protected health information to the minimum necessary to accomplish the intended purpose.
Overview of Public Comments. The following discussion provides an overview of the public comment received on this proposal.
The Department received a number of comments on its proposal to exempt from the minimum necessary standard any use or disclosure of protected health information for which the covered entity has received an authorization that meets the requirements of § 164.508. Many commenters supported this proposal. A few commenters generally urged that the minimum necessary standard be applied to uses and disclosures pursuant to an authorization. A few other commenters appeared to misinterpret the policy in the December 2000 Rule and urged that the Department retain the minimum necessary standard for disclosures "pursuant to an authorization other than disclosures to an individual." Some commenters raised specific concerns about authorizations for psychotherapy notes and the particular need for minimum necessary to be applied in these cases.
A number of commenters expressed support for the Department's statements in the preamble to the proposed Rule reinforcing that the minimum necessary standard is intended to be flexible to account for the characteristics of the entity's business and workforce, and not intended to override the professional judgment of the covered entity. Similarly, some commenters expressed support for the Department's proposal to remove the term "reasonably ensure" from § 164.514(d)(1). However, a few commenters expressed concerns that the proposed alternative language actually would implement a stricter standard than that included in the December 2000 Privacy Rule.
Final Modifications. In this final Rule, the Department adopts the proposed policy to exempt from the minimum necessary standard any uses or disclosures for which the covered entity has received an authorization that meets the requirements of § 164.508. The final modification adopts the proposal to eliminate the special authorizations that were required by the December 2000 Privacy Rule at § 164.508(d), (e), and (f). (See section III.E.1. of the preamble for a detailed discussion of the modifications to the authorization requirements of the Privacy Rule.) Since the only authorizations to which the minimum necessary standard applied are being eliminated in favor of a single consolidated authorization, the final Rule correspondingly eliminates the minimum necessary provisions that applied to the now-eliminated special authorizations. All uses and disclosures made pursuant to any authorization are exempt from the minimum necessary standard.
In response to commenters who opposed this proposal as a potential weakening of privacy protections or who wanted the minimum necessary requirements to apply to authorizations other than disclosures to the individual, the Department notes that nothing in the final Rule eliminates an individual's control over his or her protected health information with respect to an authorization. All authorizations must include a description of the information to be used and disclosed that identifies the information in a specific and meaningful fashion as required by § 164.508(c)(1)(i). If the individual does not wish to release the information requested, the individual has the right to not sign the authorization or to negotiate a narrower authorization with the requestor.
Additionally, in response to those commenters who raised specific concerns with respect to authorizations which request release of psychotherapy notes, the Department clarifies that the final Rule does not require a covered entity to use and disclose protected health information pursuant to an authorization. Rather, as with most other uses and disclosures under the Privacy Rule, this is only a permissible use or disclosure. If a covered health care provider is concerned that a request for an individual's psychotherapy notes is not warranted or is excessive, the provider may consult with the individual to determine whether or not the authorization is consistent with the individual's wishes. Further, the Privacy Rule does not permit a health plan to condition enrollment, eligibility for benefits, or payment of a claim on obtaining the individual's authorization to use or disclose psychotherapy notes. Nor may a health care provider condition treatment on an authorization for the use or disclosure of psychotherapy notes. Thus, the Department believes that these additional protections appropriately and effectively protect an individual's privacy with respect to psychotherapy notes.
The final Rule also retains for clarity the proposal to separate § 164.502(b)(2)(ii) into two subparagraphs (§ 164.502(b)(2)(ii) and (iii)); commenters did not explicitly address or raise issues with this proposed clarification.
In response to concerns that the proposed language at § 164.514(d)(1) would implement a stricter standard, the Department disagrees and, therefore, adopts the proposed language. The language in § 164.514(d)(1) describes the standard: covered entities are required to meet the requirements in the implementation specifications of § 164.514(d)(2) through (d)(5). The implementation specifications describe what covered entities must do reasonably to limit uses, disclosures, and requests to the minimum necessary. Thus, the Department believes that the language in the implementation specifications is adequate to reflect the Department's intent that the minimum necessary standard is reasonable and flexible to accommodate the unique circumstances of the covered entity.
Commenters also generally did not address the Department's proposed clarification to make the implementation specifications for requests of protected health information consistent with those for disclosures of protected health information. Consequently, as commenters did not raise concerns with the proposal, this final Rule adopts the proposed provision at § 164.514(d)(4). For requests of protected health information not made on a routine and recurring basis, a covered entity must implement the minimum necessary standard by developing and implementing criteria designed to limit its request for protected health information to the minimum necessary to accomplish the intended purpose.
Response to Other Public Comments.
Comment: Many commenters recommended changes to the minimum necessary standard unrelated to the proposed modifications. For example, some commenters urged that the Department exempt from the minimum necessary standard all uses of protected health information, or at least uses of protected health information for treatment purposes. Alternatively, one commenter urged that the minimum necessary standard be applied to disclosures for treatment purposes. Others requested that the Department exempt uses and disclosures for payment and health care operations from the standard, or exempt disclosures to another covered entity for such purposes. A few commenters argued that the minimum necessary standard should not apply to disclosures to another covered entity. Some urged that the minimum necessary standard be eliminated entirely.
Response: The Department did not propose modifications relevant to these comments, nor did it seek comment on these issues. The proposed modifications generally were intended to address those problems or issues that presented workability problems for covered entities or otherwise had the potential to impede an individual's timely access to quality health care. Moreover, the proposed modifications to the minimum necessary standard were either minor clarifications of the Department's intent with respect to the standard or would conform the standard to other proposed modifications. The Department has, in previous guidance as well as in the preamble to the December 2000 Privacy Rule, explained its position with respect to the above concerns. The minimum necessary standard is derived from confidentiality codes and practices in common use today. We continue to believe that it is sound practice not to use or disclose private medical information that is not necessary to satisfy a request or effectively carry out a function. The privacy benefits of retaining the minimum necessary standard outweigh the burden involved with implementing the standard. The Department reiterates that position here.
Further, the Department designed the minimum necessary standard to be sufficiently flexible to accommodate the various circumstances of any covered entity. Covered entities will develop their own policies and procedures to meet this standard. A covered entity's policies and procedures may and should allow the appropriate individuals within an entity to have access to protected health information as necessary to perform their jobs with respect to the entity's covered functions. The Department is not aware of any workability issues with this standard.
With respect to disclosures to another covered entity, the Privacy Rule permits a covered entity reasonably to rely on another covered entity's request for protected health information as the minimum necessary for the intended disclosure. See § 164.514(d)(3)(iii). The Department does not believe, therefore, that a blanket exception for such disclosures is justified. The covered entity who holds the information always retains discretion to make its own minimum necessary determination.
Lastly, the Department continues to believe that the exception for disclosures to or requests by health care providers for treatment purposes is appropriate to ensure that access to timely and quality treatment is not impeded.
As the Privacy Rule is implemented, the Department will monitor the workability of the minimum necessary standard and consider proposing revisions, where appropriate, to ensure that the Privacy Rule does not hinder timely access to quality health care.
Comment: One commenter requested that the Department state in the preamble that the minimum necessary standard may not be used to interfere with or obstruct essential health plan payment and health care operations activities, including quality assurance, disease management, and other activities. Another commenter asked that the final Rule's preamble acknowledge that, in some cases, the minimum protected health information necessary for payment or health care operations will be the entire record. One commenter urged that the Rule be modified to presume that disclosure of a patient's entire record is justified, and that such disclosure does not require individual review, when requested for disease management purposes.
Response: The minimum necessary standard is not intended to impede essential treatment, payment, or health care operations activities of covered entities. Nor is the Rule intended to change the way covered entities handle their differences with respect to disclosures of protected health information. The Department recognizes that, in some cases, an individual's entire medical record may be necessary for payment or health care operations purposes, including disease management purposes. However, the Department does not believe that disclosure of a patient's entire medical record is always justified for such purposes. The Privacy Rule does not prohibit the request for, or release of, entire medical records in such circumstances, provided that the covered entity has documented the specific justification for the request or disclosure of the entire record.
Comment: A few commenters requested that the Department add to the regulatory text some of the statements included in the preamble to the proposed modifications. For example, commenters asked that the final Rule state that the minimum necessary standard is "intended to be consistent with, and not override, professional judgment and standards." Similarly, others requested that the regulation specify that "covered entities must implement policies and procedures based on their own assessment of what protected health information is reasonably necessary for a particular purpose, given the characteristics of their business and their workforce, and using their own professional judgment."
Response: It is the Department's policy that the minimum necessary standard is intended to be consistent with, and not override, professional judgment and standards, and that covered entities must implement policies and procedures based on their own assessment of what protected health information is reasonably necessary for a particular purpose, given the characteristics of their business and their workforce. However, the Department does not believe a regulatory modification is necessary because the Department has made its policy clear not only in the preamble to the proposed modifications but also in previous guidance and in this preamble.
Comment: A commenter argued that the Department should exempt disclosures for any of the standard transactions as required by the Transactions Rule, when information is requested by a health plan or its business associate.
Response: The Department disagrees. The Privacy Rule already exempts from the minimum necessary standard data elements that are required or situationally required in any of the standard transactions (§ 164.502(b)(2)(v)). If, however, a standard transaction permits the use of optional data elements, the minimum necessary standard applies. For example, the standard transactions adopted for the outpatient pharmacy sector use optional data elements. The payer currently specifies which of the optional data elements are needed for payment of its particular pharmacy claims. The minimum necessary standard applies to the payer's request for such information. A pharmacist is permitted to rely on the payer's request for information, if reasonable to do so, as the minimum necessary for the intended disclosure.
Comment: A few commenters expressed concerns with respect to a covered entity's disclosures for research purposes. Specifically, one commenter was concerned that a covered entity will not accept documentation of an external IRB's waiver of authorization for purposes of reasonably relying on the request as the minimum necessary. It was suggested that the Department deem that a disclosure to a researcher based on appropriate documentation from an IRB or Privacy Board meets the minimum necessary standard.
Response: The Department understands commenters' concerns that covered entities may decline to participate in research studies, but believes that the Rule already addresses this concern. The Privacy Rule explicitly permits a covered entity reasonably to rely on a researcher's documentation or the representations of an IRB or Privacy Board pursuant to § 164.512(i) that the information requested is the minimum necessary for the research purpose. This is true regardless of whether the documentation is obtained from an external IRB or Privacy Board or one that is associated with the covered entity. The preamble to the March 2002 NPRM further reinforced this policy by stating that reasonable reliance on an IRB's documentation of approval of the waiver criteria and a description of the data needed for the research as required by § 164.512(i) would satisfy a covered entity's obligations with respect to limiting the disclosure to the minimum necessary. The Department reiterates this policy here and believes that this should give covered entities sufficient confidence in accepting IRB waivers of authorization.
Comment: A number of commenters requested that the Department limit the amount of information that pharmacy benefits managers (PBM) may demand from pharmacies as part of their claims payment activities.
Response: The health plan, as a covered entity, is obligated to instruct the PBM, as its business associate acting through the business associate contract, to request only the minimum amount of information necessary to pay a claim. The pharmacist may rely on this determination if reasonable to do so, and then does not need to engage in a separate minimum necessary assessment. If a pharmacist does not agree that the amount of information requested is reasonably necessary for the PBM to fulfill its obligations, it is up to the pharmacist and PBM to negotiate a resolution of the dispute as to the amount of information needed by the PBM to carry out its obligations and that the pharmacist is willing to provide, recognizing that the PBM is not required to pay claims if it has not received the information it believes is necessary to process the claim in accordance with its procedures, including fraud prevention procedures.
The standard for electronic pharmacy claims, adopted by the Secretary in the Transactions Rule, includes optional data elements and relies on each payer to specify the data elements required for payment of its claims. Understandably, the majority of health plans require some patient identification elements in order to adjudicate claims. As the National Council for Prescription Drug Programs (NCPDP) moves from optional to required and situational data elements, the question of whether the specific element of "patient name" should be required or situational will be debated by the NCPDP, by the Designated Standards Maintenance Organizations, by the National Committee on Vital and Health Statistics, and ultimately will be decided in rulemaking by the Secretary.
Comment: One commenter requested that the minimum necessary standard be made an administrative requirement rather than a standard for uses and disclosures, to ease liability concerns with implementing the standard. The commenter stated that this change would mean that covered entities would be required to implement reasonable minimum necessary policies and procedures and would be liable if: (1) they fail to implement minimum necessary policies and procedures; (2) their policies and procedures are not reasonable; or (3) they fail to enforce their policies and procedures. The commenter further explained that health plans would be liable if their policies and procedures for requesting health information were unreasonable, but the burden of liability for the request shifts largely to the entity best suited to determine whether the amount of information requested is the minimum necessary.
Response: The Privacy Rule already requires covered entities to implement reasonable minimum necessary policies and procedures and to limit any use, disclosure, or request for protected health information in a manner consistent with its policies and procedures. The minimum necessary standard is an appropriate standard for uses and disclosures, and is not merely an administrative requirement. The Privacy Rule provides adequate flexibility to adopt minimum necessary policies and procedures that are workable for the covered entity, thereby minimizing a covered entity's liability concerns.
Comment: A number of commenters expressed concerns about application of the minimum necessary standard to disclosures for workers' compensation purposes. Commenters argued that the standard will prevent workers' compensation insurers and State administrators, as well as employers, from obtaining the information needed to pay injured workers the benefits guaranteed under the State workers' compensation system. They also argued that the minimum necessary standard could lead to fraudulent claims and unnecessary legal action in order to obtain information needed for workers' compensation purposes.
Response: The Privacy Rule is not intended to disrupt existing workers' compensation systems as established by State law. In particular, the Rule is not intended to impede the flow of health information that is needed by employers, workers' compensation carriers, or State officials in order to process or adjudicate claims and/or coordinate care under the workers' compensation system. To this end, the Privacy Rule at § 164.512(l) explicitly permits a covered entity to disclose protected health information as authorized by, and to the extent necessary to comply with, workers' compensation or other similar programs established by law that provide benefits for work-related injuries or illnesses without regard to fault. The minimum necessary standard permits covered entities to disclose any protected health information under § 164.512(l) that is reasonably necessary for workers' compensation purposes and is intended to operate so as to permit information to be shared for such purposes to the full extent permitted by State or other law.
Additionally, where a State or other law requires a disclosure of protected health information for workers' compensation purposes, such disclosure is permitted under § 164.512(a). A covered entity also is permitted to disclose protected health information to a workers' compensation insurer where the insurer has obtained the individual's authorization pursuant to § 164.508 for the release of such information. The minimum necessary provisions do not apply to disclosures required by law or made pursuant to authorizations. See § 164.502(b), as modified herein.
Further, the Department notes that a covered entity is permitted to disclose information to any person or entity as necessary to obtain payment for health care services. The minimum necessary provisions apply to such disclosures but permit the covered entity to disclose the amount and types of information that are necessary to obtain payment.
The Department also notes that because the disclosures described above are permitted by the Privacy Rule, there is no potential for conflict with State workers' compensation laws, and, thus, no possibility of preemption of such laws by the Privacy Rule.
The Department's review of certain States workers' compensation laws demonstrates that many of these laws address the issue of the scope of information that is available to carriers and employers. The Privacy Rule's minimum necessary standard will not create an obstacle to the type and amount of information that currently is provided to employers, workers' compensation carriers, and State administrative agencies under these State laws. In many cases, the minimum necessary standard will not apply to disclosures made pursuant to such laws. In other cases, the minimum necessary standard applies, but permits disclosures to the full extent authorized by the workers' compensation laws. For example, Texas workers' compensation law requires a health care provider, upon the request of the injured employee or insurance carrier, to furnish records relating to the treatment or hospitalization for which compensation is being sought. Since such disclosure is required by law, it also is permissible under the Privacy Rule at § 164.512(a) and exempt from the minimum necessary standard. The Texas law further provides that a health care provider is permitted to disclose to the insurance carrier records relating to the diagnosis or treatment of the injured employee without the authorization of the injured employee to determine the amount of payment or the entitlement to payment. Since the disclosure only is permitted and not required by Texas law, the provisions at § 164.512(l) would govern to permit such disclosure. In this case, the minimum necessary standard would apply to the disclosure but would allow for information to be disclosed as authorized by the statute, that is, as necessary to "determine the amount of payment or the entitlement to payment."
As another example, under Louisiana workers' compensation law, a health care provider who has treated an employee related to a workers' compensation claim is required to release any requested medical information and records relative to the employee's injury to the employer or the workers' compensation insurer. Again, since such disclosure is required by law, it is permissible under the Privacy Rule at § 164.512(a) and exempt from the minimum necessary standard. The Louisiana law further provides that any information relative to any other treatment or condition shall be available to the employer or workers' compensation insurer through a written release by the claimant. Such disclosure also would be permissible and exempt from the minimum necessary standard under the Privacy Rule if the individual's written authorization is obtained consistent with the requirements of § 164.508.
The Department understands concerns about the potential chilling effect of the Privacy Rule on the workers' compensation system. Therefore, as the Privacy Rule is implemented, the Department will actively monitor the effects of the Rule on this industry to assure that the Privacy Rule does not have any unintended negative effects that disturb the existing workers' compensation systems. If the Department finds that, despite the above clarification of intent, the Privacy Rule is being misused and misapplied to interfere with the smooth operation of the workers' compensation systems, it will consider proposing modifications to the Rule to clarify the application of the minimum necessary standard to disclosures for workers' compensation purposes.
Comment: Another commenter urged the Department to clarify that a covered entity can reasonably rely on a determination made by a financial institution or credit card payment system regarding the minimum necessary information needed by that financial institution or payment system to complete a contemplated payment transaction.
Response: Except to the extent information is required or situationally required for a standard payment transaction (see 45 CFR '' 162.1601, 162.1602), the minimum necessary standard applies to a covered entity's disclosure of protected health information to a financial institution in order to process a payment transaction. With limited exceptions, the Privacy Rule does not allow a covered entity to substitute the judgment of a private, third party for its own assessment of the minimum necessary information for a disclosure. Under the exceptions in § 164.514(d)(3)(iii), a covered entity is permitted reasonably to rely on the request of another covered entity because, in this case, the requesting covered entity is itself subject to the minimum necessary standard and, therefore, required to limit its request to only that information that is reasonably necessary for the purpose. Thus, the Department does not agree that a covered entity should generally be permitted reasonably to rely on the request of a financial institution as the minimum necessary. However, the Department notes that where, for example, a financial institution is acting as a business associate of a covered entity, the disclosing covered entity may reasonably rely on a request from such financial institution, because in this situation, both the requesting and disclosing entity are subject to the minimum necessary standard.
Comment: A number of commenters continued to request additional guidance with respect to implementing this discretionary standard. Many expressed support for the statement in the NPRM that HHS intends to issue further guidance to clarify issues causing confusion and concern in industry, as well as provide additional technical assistance materials to help covered entities implement the provisions.
Response: The Department is aware of the need for additional guidance in this area and intends to provide technical assistance and further clarifications as necessary to address these concerns and questions.
HHS Description from Original Rulemaking General Rules for Uses and Disclosures of Protected Health Information: Minimum Necessary |
The proposed rule required a covered entity to make all reasonable efforts not to use or disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure (proposed § 164.506(b)). This final rule significantly modifies the proposed requirements for implementing the minimum necessary standard. In the final rule, § 164.502(b) contains the basic standard and § 164.514 describes the requirements for implementing the standard. Therefore we discuss all aspects of the minimum necessary standard and specific requirements below in the discussion of § 164.514(d).
HHS Response to Comments Received from Original Rulemaking General Rules for Uses and Disclosures of Protected Health Information: Minimum Necessary |
Comments on the minimum necessary standard are addressed in the preamble to § 164.514(d).