Section 5: Maintaining Patient Confidentiality through the Appropriate Use and Disclosure of PHI; Application of the Minimum Necessary Standard
HIPAA regulations require Covered Entities to maintain the confidentiality of their patients through the proper Use and Disclosure of patients’ PHI. All UT Dallas Workforce members have a duty to follow the procedures in this policy and report any suspected breaches of patient privacy to the Privacy Officer. While the Minimum Necessary Standard is not required for treatment purposes, there is an understanding that the Workforce should only access information that is necessary to perform their jobs. This policy identifies the basic requirements for establishing the minimum amount of PHI for internal and routine disclosures, and establishes a process for responding to non-routine requests for PHI.
Protected Health Information shall not be Used or Disclosed absent a valid Authorization unless a specific exception permitted by HIPAA and adopted by this Manual would permit its Use or Disclosure. The University shall apply the Minimum Necessary Standard to all Uses and Disclosures of PHI.
Employees acknowledge confidentiality requirements as part of the Information Security and Acceptable Use Policy (http://policy.utdallas.edu/utdbp3096). All users are required to acknowledge this policy annually when they reset their computer password. If a user does not acknowledge the policy, their access to UT Dallas Information Resources is automatically blocked.
Use and Disclosure of PHI for Treatment, Payment and Health Care Operations Purposes (TPO)
PHI may be disclosed without a Patient Authorization for Treatment, Payment, or healthcare Operations (TPO). This includes the following:
- The Callier Center’s own Treatment, Payment, or healthcare Operations (TPO), including Uses and Disclosures to a UT Dallas Business Associate as permitted by the Business Associate Agreement;
- Treatment activities of another Health Care Provider;
- The Payment activities of another Covered Entity or Health Care Provider; and
- The Healthcare Operation activities of another Covered Entity or Health Care Provider, if each entity has or had a relationship with the individual who is the subject of the PHI being requested, and the disclosure is:
a. For a purpose listed in the definition of health care operations; or
b. For the purpose of health care fraud and abuse detection or compliance.
The Minimum Necessary Standard
The Minimum Necessary Standard is a limitation placed on uses, disclosures, and requests for PHI. When Using or Disclosing protected health information, or when requesting PHI from another Covered Entity or Business Associate, the University and its Business Associates must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the Use, Disclosure, or request.
The University shall apply the Minimum Necessary Standard subject to the following:
A. Access to patient information by members of the UT Dallas Workforce and business associates of the Center will be provided on a need-to-know basis.
- Varying levels of access will be provided to employees depending on the scope of their service/care. Workforce members and business associates will be given access to PHI, and/or PHI will be disclosed to them, only when there is a legitimate clinical and/or business need for the information. Access will be based on the minimum necessary information required to provide care or perform the treatment/task. Access to electronic records by staff will be documented in the user’s security authorization to the EMR. Each job class shall have an individualized security template defining the exact level of access to the EMR and other electronic records. These security designations will also apply to any existing paper records.
- Provider workforce members and business associates must not attempt to access PHI unless they have been granted appropriate access rights, the access is within the scope of the responsibilities of their position, and they have a clear clinical or business reason to do so.
B. Technological barriers are implemented to restrict access and use of PHI based on the specific roles within the organization. This process is monitored by Information Technology in collaboration with the Privacy Officer and Information Security Officer to ensure that access to PHI is attempted only by those authorized.
C. For routine disclosures, Providers will rely on the requested disclosure as the minimum necessary for the stated purpose when requested by:
- Public officials as required by law, if the public official represents that the information requested is the minimum necessary for the stated purpose;
- Another healthcare provider/institution, health plan, or other entity that is a HIPAA covered entity;
- Researchers, provided the requirements of the [Provider] are met; or
- A professional who is a member of the organization’s workforce or is a business associate whose request represents the minimum necessary information needed to perform a service on behalf of the organization.
D. Requests for PHI regarding Workers’ Compensation will be limited to the information for the work-related illness or injury unless additional PHI is requested by the employer or third-party payer.
E. Providers will develop departmental procedures as necessary to specify minimum-necessary guidelines for routine disclosures that are not related to treatment, payment, or healthcare operations of the provider.
F. Non-routine requests for information must be reviewed on an individual basis by the Privacy Officer to determine whether the PHI requested is the minimum necessary. The Privacy Officer will respond in accordance with criteria designed to limit the information disclosed to the information reasonably necessary to accomplish the purpose of the request. The Privacy Officer will consider such factors as:
- The requestor’s purpose in seeking PHI;
- Whether the amount of PHI requested is reasonable, or whether less PHI or de-identified information would satisfy the request.
G. Providers will also limit and monitor their requests for information to other healthcare institutions or health plans. Entities will request only the minimum necessary information needed to accomplish the purpose for which the request is being made. Monitoring of this process will occur through the Medical Records Department.
H. All guidelines and criteria used to satisfy need-to-know and minimum necessary requirements must be reviewed and approved by the Privacy Officer.
The following disclosures are not subject to the Minimum Necessary Rule or the procedures set forth above:
- Disclosure to or requests by a health care provider for treatment (students and trainees are included as health care providers for this purpose);
- Information regarding the Patient requested by the Patient or to a third party for Use on behalf of the Patient;
- Uses and Disclosures based upon a valid Authorization to use and disclose PHI;
- Disclosures made to the Secretary of Health and Human Services;
- Uses and disclosures required by law;
- Uses and disclosures required by other sections of the HIPAA privacy regulations.
Disclosures for Payment
Only the Minimum Necessary PHI shall be Disclosed for payment functions.
Persons handling PHI in a payment context shall not provide patient information unless required to accomplish a payment transaction, including the preparation of collected checks, credit card paper receipts, and envelopes.
Disclosures for Student Use
Students and trainees must understand and comply with the Minimum Necessary Rule. Students are considered to be part of the Treatment process if they are actively involved in the Patient’s healthcare. In such instances, they are not limited in their access or Use of the patient’s medical information.
Use and Disclosure for Educational Purposes
Faculty, staff, students, and trainees are to use de-identified information at all times, including in the classroom setting, unless the Patient’s identifying information (i.e., name, DOB, address, etc.) is required for a specific educational purpose.
Good Faith Reliance
UT Dallas may reasonably rely on a requested disclosure as the Minimum Necessary for the stated purpose when:
- Making a disclosure to a public official that does not require patient authorization or an opportunity for the patient to agree or object, where the public official represents that the information is the minimum necessary for the stated purpose;
- The information is requested by another Covered Entity or its Business Associate as provided by its Business Associate Agreement;
- The information is requested by a Health Care Component professional (such as an attorney or accountant) providing professional services to the Callier Center; or
- A researcher is requesting PHI through appropriate IRB documentation.
HIPAA Regulatory Citations: 45 CFR § 164.502(b), § 164.514(d)
Reviewed: 03/16/2021, 06/09/2015
Donise W. Pearson, HIPAA Privacy Officer
UT Dallas Callier Center