In information security, the principle of least privilege is a key concept that helps organizations minimize their cyber attack surface. It does so by limiting users’ access rights to only the resources that are absolutely required to do their jobs, whether files, applications, systems, or processes.
The Health Insurance Portability and Accountability Act, or HIPAA, has its own answer to this principle: the minimum necessary rule. No wonder: cyber security breaches in healthcare have just hit a new record. In 2021, 45 million people’s protected health information was exposed, marking a 221% growth from 2018.
Stolen health credentials are a hot commodity in the black market, with a going price of up to $1,000. But for healthcare, the Center for Internet Security points out, the ramifications of cyber attacks can go far beyond financial loss and breach of privacy. Destroyed or corrupted patient data can actually put lives at risk.
In this article, we’re taking a deep dive into what the minimum necessary standard is and how it helps industry players curb the risk of protected health information exposure and privacy damage.
What is the minimum necessary rule in HIPAA?
The HIPAA minimum necessary rule is a cornerstone of the HIPAA Privacy Rule. The Health Insurance Portability and Accountability Act was passed by the US Congress and signed into law by President Bill Clinton in 1996. Originally, it was devised to help more Americans get health insurance coverage, prevent employees from losing their health insurance between jobs, and minimize waste, fraud, and abuse in health insurance and healthcare delivery.
But advances in technology had already brought along new risks to the privacy of personal information in the healthcare space. This called for policymakers to create and introduce the HIPAA Privacy Rule, the first national standard to protect medical records, give patients more control over their health information, and set boundaries on the use and release of such records. It also laid down safeguards healthcare providers must have in place to protect the privacy of health information.
The principle of minimum necessary disclosure is set out in §164.514(d) of the HIPAA regulations, which stipulates that PHI, short for protected health information, should not be used or disclosed if it’s not strictly necessary to fulfill a legitimate purpose or carry out a particular function. It requires HIPAA-covered entities to assess their practices and strengthen safeguards as needed to limit unnecessary or unwanted access to protected health information.
Covered entities can be individuals or organizations, such as health plans, healthcare providers, and clearinghouses. According to HIPAA Journal: “The HIPAA minimum necessary standard applies to uses and disclosures of PHI that are permitted under the HIPAA Privacy Rule, including the accessing of ePHI by healthcare professionals and disclosures to business associates and other covered entities. The standard also applies to requests for protected health information from other HIPAA covered entities.”
How does the minimum necessary standard work?
As a general requirement under the Privacy Rule, covered entities have to make reasonable efforts to limit the use or disclosure of, and requests for, PHI to the minimum required to fulfill the intended purpose. The HIPAA minimum necessary standard applies to all forms of protected health information, including those contained in physical documents, stored electronically, recorded on tape, or communicated verbally. Entities must create and maintain security controls to keep access to ePHI to the minimum necessary, along with access logs. If paper records need to be provided that contain more PHI than necessary, additional information should be redacted, HIPAA Journal advises.
For the use of protected health information, covered entities’ policies and procedures must define the people or classes of people within the organization who need access to the information to carry out their jobs, the exact categories or types of PHI they need, and the conditions under which such access is appropriate. For example, a hospital might grant doctors, nurses, and other staff members involved in treatment access to a patient’s entire medical record without having to do a case-by-case review of each use. However, the entity’s protocols must explicitly state when the entire medical record can be disclosed and include a justification.
In the case of routine or recurring information requests and disclosures, standard protocols can be applied that keep the protected health information shared or requested to the minimum amount necessary to complete those specific requests. No individual case review is prescribed here. When it comes to non-routine requests and disclosures, however, covered entities must set up reasonable criteria for gauging and limiting the disclosure to the minimum amount of information necessary. Plus, these requests must be reviewed on an individual basis in light of these criteria and limited accordingly.
In some cases, covered entities can rely on the judgment of the requesting party regarding the amount of information needed. Reasonable reliance is permitted when the request is made by:
- a public official or agency that states the information asked for is the minimum necessary for a purpose listed under 45 CFR 164.512 of the rule;
- another covered entity;
- a workforce member or business associate holding the information who states that the information required is the minimum necessary for the given purpose; or
- a researcher with appropriate documentation from an Institutional Review Board (IRB) or Privacy Board.
Overall, there are no blueprints for the measures that covered entities should implement to comply with the minimum necessary standard. Each organization should strive to create protocols that reflect their specific business practices and workforce. In fact, the privacy rule’s requirements for minimum necessary are flexible enough by design to accommodate different circumstances and scenarios. Policymakers, the US Department of Health and Human Services (HHS) in particular, have also pledged to continually monitor the rule’s workability to make sure it doesn’t obstruct or interfere with quality health care provision.
Follow-up question: what are reasonable efforts?
Again, that’s pretty much open to interpretation. In fact, the standard requires covered entities to make their own assessment of what PHI is reasonably necessary for a particular purpose, and to tailor protocols and processes accordingly. According to the HHS, the minimum necessary rule is not an absolute standard but a “reasonableness standard that calls for an approach consistent with the best practices and guidelines already used by many providers and plans today to limit the unnecessary sharing of medical information.”
As per the amended regulations published in August 2002, the “reasonableness” of limiting particular uses or disclosures should be determined based on the following factors:
● The extent to which the use or disclosure would extend the number of persons with access to the PHI;
● The likelihood that further uses or disclosures of the protected health information could occur;
● The amount of protected health information that would be used or disclosed;
● The importance of the use or disclosure;
● The potential to achieve substantially the same purpose with de-identified information;
● The technology available to limit the amount of PHI used or disclosed;
● The cost of limiting the use/disclosure;
● Any other factors that the covered entity believed were relevant to the determination.
When the minimum necessary standard doesn’t apply: 6 scenarios
The HIPAA minimum necessary rule does not apply to the following:
- Disclosures to or requests by a health care provider for treatment purposes;
- Disclosures to the individual who is also the subject of the information;
- Uses or disclosures made after an individual’s authorization;
- Uses or disclosures needed to comply with the Administrative Simplification Rules;
- Disclosures to the HHS under the Privacy Rule for enforcement purposes;
- Uses or disclosures that are required by other law.
What if you share more than the minimum necessary information?
Unfortunately, that means you’re in violation of the HIPAA Privacy Rule. The resulting penalties depend mostly on two factors: whether the disclosure was deliberate and how many times the violation has been committed. In the case of willful violations, civil penalties can go from $100 per incident to $25,000 for multiple violations of the same type. If there’s no willful infringement and the violation is remedied within 30 days, civil penalties won’t be imposed. It’s also important to note that HIPAA breaches can result in criminal penalties of up to $250,000 in individual fines and a maximum prison term of 10 years, depending on intent.
Putting the minimum necessary requirement into practice: 3 pieces of advice
1. Document everything, then document some more
Start with creating a written policy where you clearly outline what the HIPAA minimum necessary rule aims to achieve, what it means for your organization and what protocols you have in place to ensure compliance. Also include all the systems that contain electronic PHI, the types of information that can be accessed depending on roles and responsibilities in and outside the organization as well as sanctions for non-compliance.
2. Go for the granular
Role-based permissions and granular controls are your best bet against oversharing protected health information. By allowing employees and business associates access only to the specific types of information assets and systems their roles require, you can essentially nip potential HIPAA violations in the bud. It’s also crucial to keep logs of who accessed, or attempted to access, PHI and when, and to perform periodic log and permission audits.
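As an added example that is not part of the original article, the following Python sketch models the controls described in this section together with the earlier discussion of routine versus non-routine requests: role-based permissions that release only the PHI categories a role needs, the treatment exemption for providers, individual review for non-routine requests, reasonable reliance on an IRB-documented research request, and a log of every access attempt. The role names, PHI categories, purpose list, and sample record are constructed assumptions for illustration, not values taken from HIPAA or the article.

```python
# Added example (not from the article): a small model of a minimum-necessary
# access check with role-based categories, the treatment exemption, routine
# vs. non-routine handling, reasonable reliance on an IRB-documented request,
# and an access log. Role names, PHI categories, purposes and the sample
# record are constructed assumptions for illustration, not HIPAA text.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set

# PHI categories a patient record is split into (constructed).
ALL_CATEGORIES = {"demographics", "diagnoses", "medications", "billing", "notes"}

# Role -> categories the role may see for routine, non-treatment purposes (constructed).
ROLE_CATEGORIES: Dict[str, Set[str]] = {
    "physician": {"demographics", "diagnoses", "medications", "notes"},
    "nurse": {"demographics", "diagnoses", "medications"},
    "billing_clerk": {"demographics", "billing"},
    "researcher": set(),  # nothing without IRB/Privacy Board documentation
}

# Roles treated as health care providers for the treatment exemption (constructed).
PROVIDER_ROLES = {"physician", "nurse"}

# Purposes handled by a standing protocol; anything else is non-routine (constructed).
ROUTINE_PURPOSES = {"treatment", "payment", "operations"}


@dataclass
class AccessRequest:
    user: str
    role: str
    purpose: str
    patient_id: str
    requested: Set[str]           # PHI categories asked for
    irb_documented: bool = False  # researcher carries IRB/Privacy Board approval


@dataclass
class Decision:
    allowed: Set[str]   # released now
    held: Set[str]      # permitted for the role but withheld pending individual review
    denied: Set[str]    # outside the role's minimum necessary set
    needs_review: bool
    reason: str


# Every access or attempted access is appended here; a real system would
# write to tamper-evident storage rather than an in-memory list.
ACCESS_LOG: List[dict] = []


def evaluate(req: AccessRequest) -> Decision:
    """Apply the minimum-necessary policy to one request and log the outcome."""
    requested = set(req.requested) & ALL_CATEGORIES
    if req.purpose == "treatment" and req.role in PROVIDER_ROLES:
        # Disclosures to a provider for treatment are exempt: full record, no per-use review.
        decision = Decision(requested, set(), set(), False, "treatment exemption")
    elif req.role == "researcher":
        if req.irb_documented:
            # Reasonable reliance on a researcher's IRB/Privacy Board-documented request.
            decision = Decision(requested, set(), set(), False, "IRB-documented research")
        else:
            decision = Decision(set(), requested, set(), True, "research without IRB documentation")
    else:
        permitted = ROLE_CATEGORIES.get(req.role, set())
        in_scope, denied = requested & permitted, requested - permitted
        if req.purpose in ROUTINE_PURPOSES:
            decision = Decision(in_scope, set(), denied, False, "routine protocol")
        else:
            # Non-routine: nothing is released until a reviewer applies the criteria.
            decision = Decision(set(), in_scope, denied, True, "non-routine, individual review required")
    ACCESS_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": req.user, "role": req.role, "purpose": req.purpose,
        "patient_id": req.patient_id,
        "allowed": sorted(decision.allowed), "held": sorted(decision.held),
        "denied": sorted(decision.denied), "reason": decision.reason,
    })
    return decision


def redact(record: Dict[str, object], allowed: Set[str]) -> Dict[str, object]:
    """Return only the categories the decision released (the electronic analogue of redaction)."""
    return {k: v for k, v in record.items() if k in allowed}


# Constructed sample record used by the demo below.
SAMPLE_RECORD = {
    "demographics": {"name": "Sample Patient", "dob": "1970-01-01"},
    "diagnoses": ["J45.909"],
    "medications": ["albuterol"],
    "billing": {"balance_cents": 12500},
    "notes": "constructed clinical note",
}

if __name__ == "__main__":
    clerk = AccessRequest("clerk1", "billing_clerk", "payment", "p-001", set(ALL_CATEGORIES))
    d = evaluate(clerk)
    print(d.reason, sorted(redact(SAMPLE_RECORD, d.allowed)))  # routine protocol ['billing', 'demographics']
    for entry in ACCESS_LOG:
        print(entry)
```

The design point is that the policy decides per category rather than per record: a billing clerk asking for the whole chart gets back only demographics and billing, a non-routine request releases nothing until it is reviewed, and every outcome, including the denied and held categories, lands in the log so the periodic permission and log audits have something to work from.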
3. Turn employees into your strongest allies
Bulletproofing your organization against cyberattacks and hefty HIPAA fines starts with building a culture of vigilance. Develop a training program for staff, old and new, so everyone’s on the same page about how to observe the minimum necessary standard successfully, no matter their duties or department. Regularly assess the effectiveness of employees’ compliance efforts and how well they retain HIPAA knowledge.