Minimum Necessary Use and Disclosure Policy & Guidelines (107.010)

Minimum Necessary Use and Disclosure Policy & Guidelines (107.010) - Policies, Administrative, UWMF, UWMF-wide, HIPAA/Privacy


*Supplement to Accounting requirements specified in UWMF “Release & Disclosure of PHI”
Policy / Privacy 001, effective April 14, 2003.
University of Wisconsin Medical Foundation

Policy Name: Minimum Necessary Use and
Disclosure Policy & Guidelines
Policy Number: Privacy #018

__X__ New ____ Revised

If Revised, Supersedes Policy Dated: _________

Effective Date: April 14, 2003*
Approved By (Name): Peter Christman

Title: Executive Vice President

I. Purpose

To establish guidelines to implement standards, which ensure that the minimum necessary
protected health information (PHI) is disclosed when there are reasonable requests or inquiries.

II. Key Definitions

Minimum Necessary Information:
Protected health information should not be used or disclosed when it is not necessary to satisfy a
particular purpose or the carrying out a function. The minimum necessary standard requires
covered entities to evaluate their practices and enhance safeguards as needed to limit
unnecessary or inappropriate access to and disclosure of protected health information. The
“minimum necessary” standard applies to all protected health information whether in paper or
electronic format.

De-Identified Health Information:
Health information that does not identify an individual and with respect to which there is no
reasonable basis to believe that the information can be used to identify an individual is de-
identified health information.

III. Policy

A. It is UWMF’s policy to ensure the privacy and security of PHI by putting a
limitation on the use and disclosure of PHI to what is minimum or reasonably
necessary to accomplish the intended purpose in the following three areas:
1. Uses and disclosures of PHI by UWMF’s staff.
2. Uses and disclosures made in response to requests for PHI from other
3. Uses and disclosures when requesting PHI from other hospitals.

B. The minimum necessary standard does not apply in the following situations:
1. Disclosures to, or requests by, a health care provider for treatment purposes.
2. Disclosures to the individual who is the subject of the information.

3. Uses or disclosures made pursuant to an authorization.
4. Disclosures made to the Secretary of Health and Human Services (HHS) for
compliance and investigation purposes.
5. Uses and disclosures required by law (i.e., mandatory reporting to the CDC,
6. Uses or disclosures which are required for compliance with the HIPAA
Privacy Rule.

IV. Procedure

A. Employee Access
1. For the use of PHI, UWMF has identified authorized employees by the
a. who need to access PHI to carry out their duties;
b. by categories of PHI to which access is needed; and
c. any conditions appropriate to access.
2. UWMF makes reasonable efforts to limit employee access to that which is
needed to carry out their duties. (See Termination of User Access Policy)
3. UWMF employees will only access PHI that they are required to in order to
fulfill their job obligations and duties. Employees will never access PHI for
purposes not relating directly to their job duties or current tasks.
4. Password sharing between employees is not allowed. Employees with access
to PHI must use their own passwords to gain access password-protected
electronic systems.

B. De-Identified PHI
1. A covered entity may use protected health information to create information
that is not individually identifiable health information or disclose protected
health information only to a business associate for such purposes. In cases of
disclosing de-identified PHI, the following apply:
a. Full disclosure of de-identified PHI is permitted.
b. Disclosure of the method of re-coding or re-identifying PHI is not
c. Re-identified PHI may not be disclosed without proper authorization.

C. Requests for Disclosure
1. UWMF must limit any request for PHI to the amount reasonably necessary to
accomplish the purpose for which the request is made. UWMF employees
may rely on a requested disclosure as the minimum necessary for the stated
purpose when disclosing patient’s PHI. The following situations apply:
a. Disclosure to public officials as required by law;
b. To provide information to another health care provider;
c. To a professional staff member of UWMF or a business associate of
UWMF in order to provide professional services to UWMF;
d. To a person requesting information for research purposes if
representations are made by the researcher comply with University of

Wisconsin IRB Board requirements. (See Authorization Use Policy &
Procedure and Release and Disclosure of Protected Health
2. For routine and recurring disclosures of PHI, UWMF departments implement
standard protocols which were developed to limit the PHI disclosed according
to the minimum necessary standard.

D. Making Requests
1. When asking another health care provider for PHI, UWMF employees will
limit any request to reasonably necessary PHI to accomplish the purposes of
the request.
2. Requests made by UWMF for PHI on a routine and recurring basis, involve
departmental standard protocol, which follows and limits the PHI requested to
the minimum necessary.

E. Use of Medical Records
UWMF staff will not use, disclose or request a patient’s entire medical record except
when the entire record is specifically justified as the minimum, or reasonable, amount
necessary to meet the needs of the request to accomplish the purpose of the use.

F. Other Determinations
In some circumstances, UWMF will not be able to determine minimum necessary use.
Instead, determination may be made by another entity, such as by a federal or state
statute, when a patient authorizes the use of more than the minimum necessary, or in the
case of a judicial warrant, court orders or subpoenas.

IV. UReferences
¾ 45 C.F.R. 164.514
¾ 45 C.F.R. 164.502
¾ Termination of User Access Policy
¾ Authorization and Use Policy
¾ Release and Disclosure of Protected Health Information

V. UAuthor & Review

Sponsor: Clinic Ops Privacy Workgroup
Author: Heidi Ziegler
Ericka Watson
Claudia Jane Sanders

Review: Clinic Ops Privacy Workgroup HIPAA Steering Committee
Committee Approval: Clinic Ops Privacy Workgroup HIPAA Steering Committee

Final Approval: Senior Management Team Date: June 21, 2004