HIPAA Compliance Strategies

Confusion, Problems Are Resulting From HIPAA Minimum Necessary Standard

Reprinted from the June 2007 issue of REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

When doctors or their office staff members call the medical records department at a small hospital in Washington state, they are told they can't get the information they are seeking until they fax a request on their letterhead to the hospital.

The medical records (or more officially, the health information management) personnel at the hospital also ask the doctors or the staff to specify in the fax what information they want. A verbal request is honored only if the caller is known to the staff of 126-bed Olympic Medical Center in Port Angeles.

This is the way Olympic shares information with outside health care providers, in keeping with the culture of confidentiality that has always been the hallmark of a good hospital, and based on its interpretation of the "minimum necessary" concept in the privacy rule. (The state's Uniform Health Information Act also requires the hospital to document the release of patient information.)

However, technically, the minimum-necessary concept is not supposed to be applied to the disclosure of protected health information (PHI) for treatment purposes at all, although it is supposed to be applied to the use of PHI for treatment purposes.

Yet a recent survey of 32 states by a government contractor found that many covered entities (CEs) mistakenly believe that the minimum-necessary concept is applied to both uses and disclosures of PHI for treatment. And the distinction between uses and disclosures is lost on most folks and seems to be ignored in the industry, according to the survey.

In addition to this misunderstanding, the survey also found that CEs have their own ideas about what "minimum necessary" means and that some refuse to share information when they should, which creates animosity and mistrust among CEs. One preliminary recommendation from the survey was that HHS may want to consider developing a national definition of "minimum necessary."

There's no simple answer to this quandary. But experts advise that, to be in technical compliance with the rule, CEs probably should not apply minimum necessary to disclosures about treatment. They point out, however, that this is a gray area, because the rule doesn't force CEs to release the information; it just gives them the authority to do so.

As it has been four years since the privacy rule went into effect, experts also recommend that you review your minimum-necessary policies to see if they need to be updated or changed.

The concept of minimum necessary is part of the foundation of the privacy rule. But there was an understanding that it was a difficult concept, so it was among the topics addressed by the HHS Office of Civil Rights (OCR), which enforces the privacy rule, in a guidance document issued in 2002 and updated in 2003.

"The minimum necessary standard, a key protection of the HIPAA Privacy Rule, is derived from confidentiality codes and practices in common use today," the OCR guidance states. "It is based on sound current practice that protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information. The privacy rule's requirements for minimum necessary are designed to be sufficiently flexible to accommodate the various circumstances of any covered entity."

The guidance document also offers a summary of how CEs are to comply with this concept, stating, "The privacy rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose."

But HHS also recognized that it did not want to bring the practice of medicine to a grinding halt by impeding the flow of information, so it provided a list of exceptions for uses and disclosures that would not be subject to the minimum-necessary standard.

HHS Provided List of Exceptions

According to the guidance, "the minimum necessary standard does not apply to the following:"

  • Disclosures to or requests by a health care provider for treatment purposes;
  • Disclosures to the individual who is the subject of the information;
  • Uses or disclosures made pursuant to an individual's authorization;
  • Uses or disclosures required for compliance with the HIPAA administrative simplification rules;
  • Disclosures to HHS when disclosure of information is required under the privacy rule for enforcement purposes; and
  • Uses or disclosures that are required by other law.

Yet the survey revealed that, in practice, minimum necessary is still misunderstood and misapplied to treatment. Kirk Nahra, a partner with Wiley Rein & Fielding, a Washington, D.C.-based law firm, said the concept was among the most confusing aspects of the rule.

"I think it is essentially a common-sense standard that says take reasonable steps to use what you need, and not use what you don't need," Nahra said. "I think it is very much in the eye of the beholder. There is lots of confusion, particularly when you push someone to describe what it means."

Olympic's Policy Evolved Over Time

"The privacy rule is quite ambiguous in a lot of ways," agreed Mic Sager, Olympic's associate compliance officer. "People will disagree on what a reasonable effort is."

Olympic takes the position that it is the requester's responsibility to whittle the request down to the minimum-necessary information. With this as the starting point, Olympic employees are trained to grant requests as submitted, Sager said.

"We ask them what they want. ... If the doctor says he wants the entire medical record, there's no reason for us not to give him that. We don't question that," he said, and the rule does allow for this. If the caller isn't really sure just what the doctor wants from Olympic's medical records for a particular patient, the hospital has a "default" amount of PHI it will send, Sager said.

"The default would be a discharge summary, the history and physical, operative report and the last three to four days of labs," he said. "But if they ask for something else, they will get it."

The information is then faxed to the provider's office. This process has evolved over time, Sager added.

CEs that don't have medical records systems that can easily segment information have a more difficult time complying with minimum necessary, the survey showed. Some CEs were having to print out copies of charts and manually redact information before faxing it. This would appear to be unnecessary, given that minimum necessary is not supposed to be applied to information disclosed for treatment purposes anyway, Nahra pointed out.

On the reverse side, Olympic has told its employees to "only ask for the information you need" when requesting PHI from other entities, including those in different departments of the hospital itself, Sager said.

The hospital's medical records system has controls that restrict employees' access. "A nurse in the obstetrics unit, for example, does not have access to emergency department information," Sager said. "When they sign on, what they have access to is already predetermined."

He said that, in the past, Olympic had problems with some floor nurses reviewing emergency department records "to see how busy they were going to be the next day," which was stopped with access controls. Now, only charge nurses or others who need to know such information can get it.

Olympic routinely conducts three different kinds of audits to check for inappropriate access. The medical records system randomly generates a list of 10 to 20 patients three times a week, and an audit is run on each to see who accesses their records.

Second, audits are run for any patients whose names have appeared in the local paper. And third, an audit can be done any time an employee requests one on access to a patient's records.
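The unit-based access restriction and the three audit triggers described above can be sketched as follows. This is an added example, not Olympic's system or code from the article; the log format, unit names, user names, `EXTRA_GRANTS` and the function names are assumptions constructed for illustration, and `sample_size` stands in for the 10 to 20 patients the article mentions.

```python
import random
from collections import defaultdict

# Constructed sample data: (user, user_unit, patient_id, record_unit)
ACCESS_LOG = [
    ("rn_adams", "obstetrics", "P001", "obstetrics"),
    ("rn_adams", "obstetrics", "P002", "emergency"),        # outside the user's unit
    ("rn_baker", "emergency", "P002", "emergency"),
    ("charge_cole", "medical_floor", "P003", "emergency"),  # covered by a grant below
    ("rn_diaz", "medical_floor", "P004", "emergency"),      # outside the user's unit
    ("rn_baker", "emergency", "P005", "emergency"),
]

# Assumed policy: each user may open records of their own unit, plus explicit
# need-to-know grants (here, a charge nurse who may view emergency records).
EXTRA_GRANTS = {"charge_cole": {"emergency"}}


def is_permitted(user, user_unit, record_unit):
    return record_unit == user_unit or record_unit in EXTRA_GRANTS.get(user, set())


def select_audit_patients(all_patients, in_news, requested, sample_size, rng):
    """Union of the three triggers: a random sample, patients named in the
    local paper, and audits requested by an employee."""
    pool = sorted(all_patients)
    sampled = rng.sample(pool, min(sample_size, len(pool)))
    return set(sampled) | set(in_news) | set(requested)


def run_audit(log, patients):
    """For each audited patient, list who accessed the record and flag
    accesses that the unit-based policy does not permit."""
    report = defaultdict(list)
    for user, user_unit, patient, record_unit in log:
        if patient in patients:
            ok = is_permitted(user, user_unit, record_unit)
            report[patient].append((user, "ok" if ok else "REVIEW"))
    return dict(report)


if __name__ == "__main__":
    patients = {row[2] for row in ACCESS_LOG}
    audit_set = select_audit_patients(patients, {"P004"}, {"P002"}, 2, random.Random(7))
    for patient, hits in sorted(run_audit(ACCESS_LOG, audit_set).items()):
        print(patient, hits)
```

A "REVIEW" entry marks an access for human follow-up, not a confirmed violation; the reviewer still has to establish whether the user had a need to know.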

Minimum Necessary Used to Nix Disclosures

Sometimes CEs purposely hide behind minimum necessary to avoid releasing information, Nahra said.

"There have been all kinds of reports about situations where people say [PHI] hasn't been provided but it should have been," he said. But he noted that "the rules are almost all permissive," meaning that the information may be disclosed, not that it must be.

For example, some hospitals have struggled with whether to release patient information to third-party payers that may be looking for ways to deny payment based on a pre-existing condition.

Hospitals have taken to contacting patients to request that they sign an authorization permitting the release of the information — while secretly (or not so secretly) hoping that the patient doesn't respond to the authorization request.

"My opinion on this wavers," said Sager. "Technically you would not need an authorization because the information is for payment." He said that if such a request were submitted to his billing department, those employees would not comply because the request is not necessary to support current or pending charges, but applies to old information.

However, the insurance company could request the information from the hospital's health information management department, which would likely grant it, Sager said.

"Keep in mind there are almost no mandatory disclosures under the rule," Nahra said. "It is hard to say to someone, 'you have done that wrong.'" But he added that, for the benefit of patients, it is better to send more information rather than less to a provider, because a physician might find a relevant piece of data that he or she didn't know about.

"I might be a doctor who likes to take in more information because I have a more holistic sense of treatment. When [the exchange of PHI] is for treatment, I don't want a strict ruling on what minimum necessary is. I want a pretty expansive definition," Nahra said.


 

 




Copyright © 2008 by Atlantic Information Services, Inc. All rights reserved.