Page 1 of 5
Administrative (Non-Clinical) Policy
UWHC only (Hospital Administrative-entity wide) UWMF only (entity wide)
UWHC Departmental (indicate name) UWMF Departmental (indicate name)
UWHC and UWMF (shared)
Policy Title: The Minimum Necessary Rule
Policy Number: 6.30
Effective Date: March 1, 2015
Chapter: Medical Records
To establish guidelines for applying the "minimum necessary" requirement under the Health Insurance
Portability and Accountability Act of 1996.
UWHC will only use, disclose, or request the minimum amount of protected health information as is
necessary to accomplish the intended use or disclosures. This is known as the "minimum necessary" rule.
The minimum necessary rule does not apply to the following:
A. Disclosures to or requests for protected health information by a health care provider for treatment
B. Disclosures of protected health information to the patient or the patient's legally authorized
C. Uses or disclosures of protected health information made pursuant to an authorization signed by
the patient or the patient's legally authorized representative.
D. Uses or disclosures of protected health information that are required by law.
E. Uses or disclosures of protected health information that may be required for compliance with
HIPAA (including disclosures made in responses to an investigation of our compliance with
A. Protected Health Information ("PHI") - individually identifiable health information that is
transmitted or maintained in any form, including oral, written, or electronic. Protected health
information includes demographic, health, and financial information.
B. Use - the sharing, application, utilization, examination, or analysis of PHI by employees and other
staff working for UWHC related entities.
C. Disclosure/Release - "Disclosure" and "release" of information mean the same thing: the
releasing, transferring, providing access, or divulging information to any person or organization
outside of UW Affiliated Entities.
Page 2 of 5
D. Legally Authorized Representative - a person with authority to act on behalf of an adult,
emancipated minor, unemancipated minor, or deceased individual in making decisions related to
health care. The legally authorized representative of unemancipated minors includes a parent,
guardian, or other persons acting in place of the parents of the minor.
E. Role - the category or class of person or persons doing a type a job, defined by a set of similar or
F. Need-to-know - limiting access to information to just the information for which an individual has
a legitimate clinical or business need.
G. UWHC Related Entities - includes persons and organizations affiliated with UWHC and those in
an organized health care arrangement with UWHC.
A. Minimum Necessary as it Applies to Access to and Use of Protected Health Information
1. All access to patient protected health information, whether it be electronic or hardcopy,
must be limited to individuals who have a legitimate clinical or business need-to-know
the information. Accessing or using more information than is necessary to do one's job is
2. Department Directors or their designees are responsible for identifying roles within their
department. A role is defined as the category or class of person or persons doing a job,
defined by a set of similar or identical responsibilities. Roles are generally defined by job
3. Department Directors or their designees must analyze each role and determine to what
degree staff in that role require access to PHI.
a. Access to the highest level of PHI may be justified only in the following
i. The "role" provides direct clinical care (nurses, physicians, physical
therapists, pharmacists, social, dieticians, and health care science
students) and access to different parts the medical record for different
patients may vary from patient to patient depending on the circumstances
surrounding the provision of care.
ii. The "role" conducts quality assurance, peer review and related functions
and access to potentially all protected health information is necessary
because different review processes may require access to different parts
of a patient's medical record.
iii. The "role" is legal or risk management function and access to potentially
all of a patient's protected health information is necessary. Review and
use of the PHI may require access to different parts of the medical record
depending on the circumstances surrounding the legal or risk
iv. Various "roles" within the department of Health
Information Management (HIM) as necessary to code, release, file,
transport, and secure medical records.
v. Roles in Patient Accounting or Admissions in which access to potentially
the entire medical record is necessary to provide third party payors with
information related to payment of a claim.
vi. The "role" needs access to potentially the entire medical record because
the individuals in those roles need to investigate employee or patient
issues or complaints (e.g. Directors, Managers, Supervisors, Patient
Page 3 of 5
vii. Senior management and administrative staff who potentially need access
to the entire medical record for treatment, payment, or health care
b. Varying levels of access to PHI may be appropriate, depending upon role
definition, for the following.
i. The "role" provides support to direct clinical providers (e.g. unit clerks,
clinic assistants, clerical support staff, and physician secretaries) and
access needs to varying levels of PHI depend on the type of support
provided (e.g. ordering tests, supplies, and etc. for patients, maintenance
of charts, data collection related to treatment, completion of billing or
ii. Business management roles, such as business planning & analysis, fiscal
affairs, and hospital administration, in which access to limited PHI (e.g.
demographic and financial information) is necessary for business and
operations analysis and decision-making.
iii. Information Management Analysts who need access to electronic
systems to provide technological support to these systems.
iv. Central supply staff who need access to limited PHI to process requests
for patient supplies and to deliver those supplies.
v. Certain ancillary clinical staff (e.g. laboratory and pharmacy technicians)
whose job only requires access to limited parts of the medical record.
vi. Admissions and registration staff who need access to limited PHI to
process admissions documents, provide information to payors for
benefits information and related purposes, and to schedule clinic visits or
vii. Pastoral care staff who need to access PHI to provide and document
provision of services.
viii. Physician Liaison staff who need to access PHI to coordinate treatment
and to coordinate payment of services.
ix. Public Affairs staff who need access to limited PHI to handle inquiries
from outside sources and to manage UWHC initiated marketing and
c. Minimal access to use of PHI is appropriate for the following roles depending on
i. Some culinary services staff who need to access PHI to process and
deliver patient trays.
ii. Patient Escort staff who need minimal access to PHI to receive and reply
to requests for transporting patients.
iii. Some volunteers who need minimal access to PHI to assist families and
friends with directory information, to provide information in the surgical
waiting room, and to deliver items to patients.
d. Access to use of PHI is inappropriate for the following roles:
i. Environmental services
ii. Transportation staff who handle and deliver PHI.
iii. Plant engineering/facility management
iv. All other culinary services employees
v. All other volunteers
e. Changes or additions to roles and designated levels of access may only be made
by UWHC's Compliance & Privacy Officer.
Page 4 of 5
4. Directors and managers are responsible for assuring that staff in their areas have access to
only the appropriate level of PHI for their roles. This includes access to PHI in any form,
whether electronic or paper.
B. Minimum Necessary as it Applies to Disclosures of PHI
1. Routine Disclosures. When responding to requests for disclosures made on a periodic or
recurring basis, UWHC must limit the disclosures to the amount reasonably necessary to
achieve the purpose. A "routine" disclosure is one made on routine or recurring basis,
and/or are relatively straight forward and appropriate to release per state and federal
law. Disclosures in response to routine requests must be evaluated and released according
to the following limiting measures:
a. By what is specifically authorized
b. By what is specifically requested
c. Documents (e.g. procedure notes, test results etc.) related to specific dates
Note* See Hospital Administrative Policy 4.13-Uses and Disclosures of
Protected Health Information for more information on procedures governing
disclosures or releases of PHI.
2. Non-Routine Disclosures. When responding to requests for non-routine disclosures
UWHC must limit the disclosures to the amount reasonably necessary to achieve the
purpose based on the criteria established below. Non-routine means the disclosure is
made infrequently (e.g. less than three times a year) or processing the request often
requires legal assistance. All non-routine disclosures shall be directed to HIM for review
and processing. When necessary, HIM will consult with the Legal or Compliance
departments to aid in the review and processing of a request. UWHC will apply the
following criteria when reviewing requests for non-routine disclosures:
a. Specificity of the request
b. Purpose/importance of the request
c. Impact on patients
d. Impact on UWHC
e. Extent to which disclosures would extend number of individuals or
organization with access to PHI
f. Likelihood of re-disclosure
g. Ability to achieve the same purpose with de-identified information
h. Technology available to limit the disclosures of the PHI
i. Cost of limiting the disclosure of PHI
The following are examples of non-routine disclosures:
i. Out of state subpoena
ii. Out of state court order
iii. Federal or state governmental agency
iv. County/investigating agency, protective services
v. Foster care, group home, childcare institutions, or correctional facility for
vi. Emancipated minor
vii. Military for purposes other than recruitment
viii. Releasing hard copies of PHI to law enforcement for investigation of
abuse or crime where the patient is a minor.
Sr. Management Sponsor: SVP, General Counsel
Author: Compliance and Privacy Officer
Page 5 of 5
Approval Committee: Administrative Policy & Procedure Committee
President & CEO
Previous revision: March 2012
Next revision: March 2018