DHHS POLICIES AND PROCEDURES

___________________________________________________________________________________________________________________

Section VIII: Privacy and Security

Title: Privacy Manual

Chapter: Use and Disclosure Policies, Minimum Necessary

Current Effective Date: 2/1/16, 11/15/15, 3/30/05

Revision History: 10/9/03, 11/15/15

Original Effective Date: 4/14/03

___________________________________________________________________________________________________________________

Purpose

DHHS agencies must make reasonable efforts to limit individually identifiable health information to that which is minimally necessary to accomplish the intended purpose for the use, disclosure, or request for information. DHHS agencies must evaluate their current practices for using and disclosing individually identifiable health information in order to enhance protections, as needed, to limit unnecessary or inappropriate access to individually identifiable health information.

The minimum necessary requirement applies to:

Controlling the "use" of individually identifiable health information that is primarily paper-based within an agency presents special challenges in applying the minimum necessary requirements. Agencies must rely heavily on the development and implementation of policies and procedures, as well as self-policing. Therefore, this policy takes on special importance for agencies maintaining individually identifiable health information on paper (e.g., paper client records and diagnostic images).

Policy

Minimum Necessary within Agency

DHHS agencies are required to identify persons or classes of persons in their workforce who need access to individually identifiable health information and the categories of information to which access is needed.

DHHS agencies must develop and implement procedures that limit routine disclosures of individually identifiable health information to the amount reasonably necessary to achieve the purpose of the disclosure.

DHHS agencies are required to develop criteria designed to limit individually identifiable health information to the minimum necessary.

Minimum Necessary Outside Agency

DHHS agencies may rely on a request for disclosure as being limited to the individually identifiable health information that is minimally necessary, if:

The minimum necessary requirement does not apply to:

Implementation

The following protocols are in compliance with the HIPAA Privacy Rule and should be considered when staff share individually identifiable health information in the performance of their job responsibilities and when sharing individually identifiable health information with individuals outside the agency.

When using individually identifiable health information within an agency, DHHS agencies must categorize users by their "need-to-know" in order to accomplish their job responsibilities and establish a standard protocol (criteria) that reasonably limits inappropriate access to individually identifiable health information based on the following categories:

Standard Protocol for Uses of Individually Identifiable Health Information by an Agency's Own Workforce

For routine, recurring disclosures of individually identifiable health information by an agency's own workforce, standard protocol must:

For non-routine disclosures of individually identifiable health information by an agency's own workforce, standard protocol must:

Standard Protocol for Making Requests for Individually Identifiable Health Information by an Agency's Own Workforce

For routine, recurring requests for individually identifiable health information by an agency's own workforce, standard protocol must:

For all other requests for individually identifiable health information by an agency's own workforce, standard protocol must ensure that each request is reviewed by an agency staff member who has authority to determine that the information requested is limited to what is reasonably necessary to accomplish the purpose of the request.

Criteria must be developed that control both the request for, and the disclosure of, the entire client record. Criteria must specifically justify why the entire client record is required. Exceptions to agency criteria are prohibited without prior approval of the Agency Privacy Official.

Individuals or entities external to the Department that perform activities or functions on behalf of a DHHS covered health care component, as defined by the HIPAA Privacy Rule, are considered External Business Associates of a DHHS agency. As such, External Business Associates are required to comply with the Minimum Necessary requirement as specified in the HIPAA Privacy Rule.

The minimum necessary policy is intended to make DHHS agencies evaluate their current procedures and enhance protections needed to limit unnecessary or inappropriate access to, and disclosures of, individually identifiable health information.

For questions or clarification on any of the information contained in this policy, please contact the DHHS Privacy Officer. For general questions about department-wide policies and procedures, contact the DHHS Policy Coordinator.
