Minimum Necessary
- Does the HIPAA Privacy Rule strictly prohibit the use, disclosure, or request of an entire medical record? If not, are case-by-case justifications required each time the entire medical record is disclosed?
- How are covered entities expected to detemine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?
- Won't the HIPAA Privacy Rule's minimum necessary standard impede the ability of workers' compensation insurers, State administrative agencies, and employers to obtain the health information needed to pay injured or ill workers the benefits guaranteed them under State workers' compensation system?
- In limiting access, are covered entities required to completely restructure existing workflow systems, including redesigning office space and upgrading computer systems, in order to comply with the HIPAA Privacy Rule's minimum necessary requirements?
- Must the HIPAA Privacy Rule's minimum necessary standard to be applied to uses or disclosure that are authorized by an individual?
- Do the HIPAA Privacy Rule's minimum necessary requirements prohibit medical residents, medical students, nursing students, and other medical trainees from accessing patient medical information in the course of their training?
- Doesn't the HIPAA Privacy Rule minimum necessary standard conflict with the HIPAA transaction standards?
- Won't the HIPAA Privacy Rule's minimum necessary restrictions impede the delivery of quality health care by preventing or hindering necessary exchanges of patient medical information among health care providers involved in treatment?
- Are business associates required to restrict their uses and disclosures to the minimum necessary? May a covered entity reasonably rely on a request from a covered entity's business associate as the minimum necessary?
- May a covered entity that is a plaintiff or defendant in a legal proceeding use or disclose protected health information for the litigation?
- May a covered entity accept documentation of an external Institutional Review Board's (IRB) waiver of authorization for purposes of reasonably relying on the request as the minimum necessary?
- A provider might have a patient's medical record that contains older portions of a medical record that were created by another previous provider. Will the HIPAA Privacy Rule permit a provider who is a covered entity to disclose a complete medical record even though portions of the record were created by other providers?
- Are providers required to make a minimum necessary determination to disclose to Federal or State agencies, such as the Social Security Administration (SSA) or its affiliated agencies, for individuals' applications for Federal or State benefits?
- Is a covered entity required to apply the HIPAA Privacy Rule's minimum necessary standard to a disclosure of protected health information it makes to another covered entity?