Auditor Tips: Minimum Necessary Best Practices

The minimum necessary requirement is a key part of the HIPAA Privacy Rule. The goal of this requirement isn’t to encourage organizations to perform the minimum necessary, but rather for organizations to only use and disclose the minimum amount of PHI necessary.

Ben Christensen
Auditor Tips
HIPAA

*This article was taken from our HIPAA Guide. For more information on this topic, download our free HIPAA Guide.

“Organizations should only use and disclose the minimum amount of PHI necessary.”


Once, while discussing what PHI a dental care facility needed to perform their functions, it became obvious that they did not need any PHI. I asked them what data they collected and was shown a form requesting very basic information–none of which was PHI. But then they proceeded to show me several prescriptions from different offices, many of which included full names, photos with full names, and many other personal details about the patient. The dentists sending prescriptions from other offices were divulging their secret recipes to the dental care facility, which did not need it.

This experience highlights the need to only provide the minimum amount of necessary information to another organization. These same principles should be applied within the organization as well. Do the front desk staff require full access to patient histories? Does PHI need to be placed on an office-wide file share? If you aren’t sure where to start here, eliminate all access to patient data and then grant access to PHI as needs arise. It is all too common for us as auditors to see a one-size-fits-all mentality where staff all share the same access.

Also, consider whether or not you need to collect and store the PHI you are collecting from patients. Some common examples of data collected from patients that may not be necessary include Social Security Numbers, email addresses, physical addresses, pictures of the patient, and telephone numbers. These are important questions every organization must ask, then act on to mitigate unnecessary risk.
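The two preceding paragraphs describe one procedure: start from no access, grant each role only the PHI fields it needs, and question whether fields nobody needs should be collected at all. The following is an added example, not code from the article or from the guide it is taken from, showing how that procedure can be expressed as a default-deny, field-level policy. The role names, PHI field names and the sample patient record are all constructed for illustration; the two audit helpers (fields every role shares, fields no role is granted) flag the "one-size-fits-all" pattern and the "why are we collecting this" question respectively.

```python
from dataclasses import dataclass, field

# The PHI fields this (constructed) practice could hold; names are illustrative.
PHI_FIELDS: frozenset[str] = frozenset({
    "name", "date_of_birth", "ssn", "address", "phone", "email",
    "photo", "diagnosis", "treatment_history", "prescriptions",
})


@dataclass
class MinimumNecessaryPolicy:
    """Default-deny, field-level access policy for PHI."""
    # role -> PHI fields that role may see; a role absent here sees nothing
    grants: dict[str, frozenset[str]] = field(default_factory=dict)

    def grant(self, role: str, fields) -> None:
        """Add fields to a role's grant. Unknown field names are rejected so a
        typo cannot silently create an ungoverned field."""
        wanted = frozenset(fields)
        unknown = wanted - PHI_FIELDS
        if unknown:
            raise ValueError(f"unknown PHI fields: {sorted(unknown)}")
        self.grants[role] = self.grants.get(role, frozenset()) | wanted

    def allowed(self, role: str, field_name: str) -> bool:
        """Default deny: an unknown role or an ungranted field is refused."""
        return field_name in self.grants.get(role, frozenset())

    def disclose(self, role: str, record: dict) -> dict:
        """Return only the fields of a record the role is permitted to see."""
        return {k: v for k, v in record.items() if self.allowed(role, k)}

    def fields_shared_by_all(self) -> frozenset[str]:
        """Fields every role can see: a hint of one-size-fits-all access."""
        if not self.grants:
            return frozenset()
        return frozenset.intersection(*self.grants.values())

    def fields_nobody_needs(self) -> frozenset[str]:
        """PHI fields no role is granted: candidates to stop collecting."""
        used = frozenset().union(*self.grants.values())
        return PHI_FIELDS - used


def build_example_policy() -> MinimumNecessaryPolicy:
    """Constructed grants for a small dental practice (illustrative only)."""
    policy = MinimumNecessaryPolicy()
    policy.grant("front_desk", ["name", "date_of_birth", "phone"])
    policy.grant("dentist", ["name", "date_of_birth", "diagnosis",
                             "treatment_history", "prescriptions"])
    policy.grant("billing", ["name", "address"])
    return policy


# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "A. Patient",
    "date_of_birth": "1980-01-01",
    "ssn": "000-00-0000",
    "address": "1 Example St",
    "phone": "555-0100",
    "email": "patient@example.invalid",
    "photo": "<bytes>",
    "diagnosis": "caries",
    "treatment_history": ["filling 2023"],
    "prescriptions": ["example-rx"],
}


if __name__ == "__main__":
    policy = build_example_policy()
    # "intern" has no grant, so default deny returns an empty view.
    for role in ("front_desk", "dentist", "billing", "intern"):
        print(role, sorted(policy.disclose(role, SAMPLE_RECORD)))
    print("shared by all roles:", sorted(policy.fields_shared_by_all()))
    print("no role needs:", sorted(policy.fields_nobody_needs()))
```

With the constructed grants, `fields_nobody_needs()` reports `ssn`, `email` and `photo`, which are exactly the kind of fields the paragraph above suggests questioning at collection time; an auditor would review that list against the intake form rather than assume the fields are needed because they have always been collected.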
