Use and Disclosure of PHI for Treatment, Payment and Health Care Operations Purposes (TPO)<\/strong><\/h3>\n\n\n\nPHI may be disclosed without a Patient Authorization for Treatment, Payment, or healthcare Operations (TPO). This includes the following:<\/p>\n\n\n\n
- The Callier Center\u2019s own Treatment, Payment, or healthcare Operations (TPO), including Uses and Disclosures to a UT Dallas Business Associate as permitted by the Business Associate Agreement;<\/li>
- Treatment activities of another Health Care Provider;<\/li>
- The Payment activities of another Covered Entity or Health Care Provider; and<\/li>
- The Healthcare Operation activities of another Covered Entity or Health Care Provider, if each entity has or had a relationship with the individual who is the subject of the PHI being requested, and the disclosure is:<\/li><\/ul>\n\n\n\n
a. For a purpose listed in the definition of health care operations; or<\/p>\n\n\n\n
b. For the purpose of health care fraud and abuse detection or compliance.<\/p>\n\n\n\n
The Minimum Necessary Standard<\/strong><\/h2>\n\n\n\nA limitation placed on uses, disclosures, and requests for PHI. When Using or Disclosing protected health information or when requesting PHI from another Covered Entity or Business Associate, the University and its Business Associates must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the Use, Disclosure, or request.<\/p>\n\n\n\n
The University shall apply the Minimum Necessary Standard subject to the following:<\/strong><\/h3>\n\n\n\nA. Access to patient information by members of the UT Dallas Workforce and business associates of the Center will be provided on a need-to-know basis.<\/p>\n\n\n\n
- Varying levels of access will be provided to employees depending on the scope of their service\/care. Workforce members and business associates will be given access to PHI and\/or PHI will be disclosed to them only when there is a legitimate clinical and\/or business need for the information. Access will be based on the minimum necessary information required to provide care or perform the treatment\/task. Access to electronic records by staff will be documented in the user\u2019s security authorization to the EMR. Each job class shall have an individualized security template defining the level of access to the EMR. Each job class shall have an individualized security template defining the exact level of access to the electronic records. These security designations will also apply to any existing paper records.<\/li>
- Provider workforce members and business associates must not attempt to access PHI unless they have been granted appropriate access rights, the access is within the scope of the responsibilities of their position, and they have a clear clinical or business reason to do so.<\/li><\/ol>\n\n\n\n
B. Technological barriers are implemented to restrict access and use of PHI based on the specific roles within the organization. This process is monitored by Information Technology in collaboration with the Privacy Officer and Information Security Officer to ensure that access to PHI is attempted only by those authorized.<\/p>\n\n\n\n
C. For routine disclosures, Providers will rely on the requested disclosure as the minimum necessary for the stated purpose when requested by:<\/p>\n\n\n\n
- Public officials as required by law, if the public official represents that the information requested is the minimum necessary for the stated purpose;<\/li>
- Another healthcare provider\/ institution, health plan or other entity that is a HIPAA covered entity;<\/li>
- Researchers, provided the requirements of the [Provider] are met; or<\/li>
- A professional who is a member of the organization\u2019s workforce or is a business associate whose request represents the minimum necessary information needed to perform a service on behalf of the organization.<\/li><\/ol>\n\n\n\n
D. Requests for PHI regarding Workers\u2019 Compensation will be limited to the information for the work-related illness or injury unless additional PHI is requested by the employer or third-party payer.<\/p>\n\n\n\n
E. Providers will develop departmental procedures as necessary to specify minimum-necessary guidelines for routine disclosures that are not related to treatment, payment, or healthcare operations of the provider.<\/p>\n\n\n\n
F. Non-routine requests for information must be reviewed on an individual basis by the Privacy Officer to determine whether the PHI requested is the minimum necessary. The Privacy Officer will respond in accordance with criteria designed to limit the information disclosed to the information reasonably necessary to accomplish the purpose of the request. The Privacy Officer will consider such factors as:<\/p>\n\n\n\n
- The requestor\u2019s purpose in seeking PHI;<\/li>
- Whether the PHI requested is reasonable or whether less PHI or de-identified PHI would satisfy the request.<\/li><\/ol>\n\n\n\n
G. Providers will also limit and monitor their requests for information to other healthcare institutions or health plans. Entities will request only the minimum necessary information needed to accomplish the purpose for which the request is being made. Monitoring of this process will occur through the Medical Records Department.<\/p>\n\n\n\n
H. All guidelines and criteria used to satisfy need-to-know and minimum necessary requirements must be reviewed and approved by the Privacy Officer.<\/p>\n\n\n\n
Exceptions<\/strong><\/h2>\n\n\n\nThe following disclosures are not subject to the Minimum Necessary Rule or the procedures set forth above:<\/p>\n\n\n\n
- Disclosure to or requests by a health care provider for treatment (students and trainees are included as health care providers for this purpose);<\/li>
- Information regarding the Patient requested by the Patient or to a third party for Use on behalf of the Patient;<\/li>
- Uses and Disclosures based upon a valid Authorization to use and disclose PHI;<\/li>
- Disclosures made to the Secretary of Health and Human Services;<\/li>
- Uses and disclosures required by law;<\/li>
- Uses and disclosures required by other sections of the HIPAA privacy regulations.<\/li><\/ul>\n\n\n\n
Disclosures for Payment<\/strong><\/h2>\n\n\n\nOnly the Minimum Necessary PHI shall be Disclosed for payment functions;<\/p>\n\n\n\n
Persons handling PHI in a payment context shall not provide patient information unless required to accomplish a payment transaction; including the preparation of checks collected, credit card paper receipts, and envelopes.<\/p>\n\n\n\n
Disclosures <\/strong>for <\/strong>Student Use<\/strong><\/strong><\/h2>\n\n\n\nStudents and trainees must understand and comply with the Minimum Necessary Rule. Students are considered to be part of the Treatment process if they are actively involved in the Patient\u2019s healthcare. In such instances, they are not limited in their access or Use of the patient\u2019s medical information.<\/p>\n\n\n\n
Use and Disclosure for Educational Purposes<\/strong><\/h2>\n\n\n\nFaculty, staff, students, and trainees are to use de-identified information at all times, including the classroom setting unless the Patient\u2019s identifying information (i.e., name, DOB, address, etc.) is required for a specific educational purpose.<\/p>\n\n\n\n
Good Faith Reliance<\/strong><\/h2>\n\n\n\nUT Dallas may reasonably rely on a requested disclosure as the Minimum Necessary for the stated purpose when:<\/p>\n\n\n\n
- Making disclosure to public officials that do not require patient authorization or an opportunity for the patient to agree or object, and the public official represents that the information is the minimum necessary for the stated purpose;<\/li>
- The information is requested by another Covered Entity or its Business Associate as provided by its Business Associate Agreement;<\/li>
- The information is requested by a Health Care Component professional (such as an attorney or accountant) providing professional services to the Callier Center; or<\/li>
- A researcher is requesting PHI through appropriate IRB documentation.<\/li><\/ul>\n\n\n\n
HIPAA Regulatory Citations: 45 CFR \u00a7 164.502(b), \u00a7 164.514(d) <\/p>\n\n\n\n
Effective:\u00a011\/13\/2003
Revised:\u00a005\/15\/2015
Reviewed: 10\/17\/2022, 03\/16\/2021,\u00a006\/09\/2015<\/p>\n\n\n\n![\"\"](\"https:\/\/calliercenter.utdallas.edu\/wp-content\/uploads\/2022\/10\/zimmerman.png\")
<\/figure>\n\n\n\nHeather Zimmerman, HIPAA Privacy Officer
UT Dallas Callier Center<\/p>\n","protected":false},"excerpt":{"rendered":"
Section 5: Maintaining Patient Confidentiality through the Appropriate Use and Disclosure of PHI; Application of the Minimum Necessary Standard HIPAA regulations require Covered Entities to maintain the confidentiality of its patients through the proper Use and Disclosure of patients\u2019 PHI. All UT Dallas Workforce members have a duty to follow the procedures in this policy…<\/p>\n","protected":false},"featured_media":0,"parent":0,"menu_order":4,"template":"","meta":{"schema":"","fname":"","lname":"","position":"","credentials":"","placeID":"","no_match":false,"name":"","company":"","review":"","address":"","city":"","state":"","zip":"","lat":"","lng":"","phone1":"","phone2":"","fax":"","mon1":"","mon2":"","tue1":"","tue2":"","wed1":"","wed2":"","thu1":"","thu2":"","fri1":"","fri2":"","sat1":"","sat2":"","sun1":"","sun2":"","hours-note":"","footnotes":""},"doc_category":[47],"yoast_head":"\n
Section 5: Maintaining Patient Confidentiality through the Appropriate Use and Disclosure of PHI; Application of the Minimum Necessary Standard - Callier Center for Communication Disorders<\/title>\n<meta name=\"robots\" content=\"noindex, follow\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Section 5: Maintaining Patient Confidentiality through the Appropriate Use and Disclosure of PHI; Application of the Minimum Necessary Standard - Callier Center for Communication Disorders\" \/>\n<meta property=\"og:description\" content=\"Section 5: Maintaining Patient Confidentiality through the Appropriate Use and Disclosure of PHI; Application of the Minimum Necessary Standard HIPAA regulations require Covered Entities to maintain the confidentiality of its patients through the proper Use and Disclosure of patients\u2019 PHI. All UT Dallas Workforce members have a duty to follow the procedures in this policy...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/calliercenter.utdallas.edu\/doc\/section-5-maintaining-patient-confidentiality-through-the-appropriate-use-and-disclosure-of-phi-application-of-the-minimum-necessary-standard\/\" \/>\n<meta property=\"og:site_name\" content=\"Callier Center for Communication Disorders\" \/>\n<meta property=\"article:modified_time\" content=\"2022-11-01T23:59:19+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"6 minutes\" \/>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Section 5: Maintaining Patient Confidentiality through the Appropriate Use and Disclosure of PHI; Application of the Minimum Necessary Standard - Callier Center for Communication Disorders","robots":{"index":"noindex","follow":"follow"},"og_locale":"en_US","og_type":"article","og_title":"Section 5: Maintaining Patient Confidentiality through the Appropriate Use and Disclosure of PHI; Application of the Minimum Necessary Standard - Callier Center for Communication Disorders","og_description":"Section 5: Maintaining Patient Confidentiality through the Appropriate Use and Disclosure of PHI; Application of the Minimum Necessary Standard HIPAA regulations require Covered Entities to maintain the confidentiality of its patients through the proper Use and Disclosure of patients\u2019 PHI. All UT Dallas Workforce members have a duty to follow the procedures in this policy...","og_url":"https:\/\/calliercenter.utdallas.edu\/doc\/section-5-maintaining-patient-confidentiality-through-the-appropriate-use-and-disclosure-of-phi-application-of-the-minimum-necessary-standard\/","og_site_name":"Callier Center for Communication Disorders","article_modified_time":"2022-11-01T23:59:19+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/calliercenter.utdallas.edu\/doc\/section-5-maintaining-patient-confidentiality-through-the-appropriate-use-and-disclosure-of-phi-application-of-the-minimum-necessary-standard\/","url":"https:\/\/calliercenter.utdallas.edu\/doc\/section-5-maintaining-patient-confidentiality-through-the-appropriate-use-and-disclosure-of-phi-application-of-the-minimum-necessary-standard\/","name":"Section 5: Maintaining Patient Confidentiality through the Appropriate Use and Disclosure of PHI; Application of the Minimum Necessary Standard - Callier Center for Communication Disorders","isPartOf":{"@id":"https:\/\/calliercenter.utdallas.edu\/#website"},"datePublished":"2019-10-28T18:20:18+00:00","dateModified":"2022-11-01T23:59:19+00:00","breadcrumb":{"@id":"https:\/\/calliercenter.utdallas.edu\/doc\/section-5-maintaining-patient-confidentiality-through-the-appropriate-use-and-disclosure-of-phi-application-of-the-minimum-necessary-standard\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/calliercenter.utdallas.edu\/doc\/section-5-maintaining-patient-confidentiality-through-the-appropriate-use-and-disclosure-of-phi-application-of-the-minimum-necessary-standard\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/calliercenter.utdallas.edu\/doc\/section-5-maintaining-patient-confidentiality-through-the-appropriate-use-and-disclosure-of-phi-application-of-the-minimum-necessary-standard\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/calliercenter.utdallas.edu\/"},{"@type":"ListItem","position":2,"name":"Section 5: Maintaining Patient Confidentiality through the Appropriate Use and Disclosure of PHI; Application of the Minimum Necessary Standard"}]},{"@type":"WebSite","@id":"https:\/\/calliercenter.utdallas.edu\/#website","url":"https:\/\/calliercenter.utdallas.edu\/","name":"Callier Center for Communication Disorders","description":"The University of Texas at Dallas","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/calliercenter.utdallas.edu\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/calliercenter.utdallas.edu\/wp-json\/wp\/v2\/doc\/4873"}],"collection":[{"href":"https:\/\/calliercenter.utdallas.edu\/wp-json\/wp\/v2\/doc"}],"about":[{"href":"https:\/\/calliercenter.utdallas.edu\/wp-json\/wp\/v2\/types\/doc"}],"version-history":[{"count":9,"href":"https:\/\/calliercenter.utdallas.edu\/wp-json\/wp\/v2\/doc\/4873\/revisions"}],"predecessor-version":[{"id":9317,"href":"https:\/\/calliercenter.utdallas.edu\/wp-json\/wp\/v2\/doc\/4873\/revisions\/9317"}],"wp:attachment":[{"href":"https:\/\/calliercenter.utdallas.edu\/wp-json\/wp\/v2\/media?parent=4873"}],"wp:term":[{"taxonomy":"doc_category","embeddable":true,"href":"https:\/\/calliercenter.utdallas.edu\/wp-json\/wp\/v2\/doc_category?post=4873"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
a. For a purpose listed in the definition of health care operations; or<\/p>\n\n\n\n
b. For the purpose of health care fraud and abuse detection or compliance.<\/p>\n\n\n\n
The Minimum Necessary Standard<\/strong><\/h2>\n\n\n\nA limitation placed on uses, disclosures, and requests for PHI. When Using or Disclosing protected health information or when requesting PHI from another Covered Entity or Business Associate, the University and its Business Associates must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the Use, Disclosure, or request.<\/p>\n\n\n\n
The University shall apply the Minimum Necessary Standard subject to the following:<\/strong><\/h3>\n\n\n\nA. Access to patient information by members of the UT Dallas Workforce and business associates of the Center will be provided on a need-to-know basis.<\/p>\n\n\n\n
- Varying levels of access will be provided to employees depending on the scope of their service\/care. Workforce members and business associates will be given access to PHI and\/or PHI will be disclosed to them only when there is a legitimate clinical and\/or business need for the information. Access will be based on the minimum necessary information required to provide care or perform the treatment\/task. Access to electronic records by staff will be documented in the user\u2019s security authorization to the EMR. Each job class shall have an individualized security template defining the level of access to the EMR. Each job class shall have an individualized security template defining the exact level of access to the electronic records. These security designations will also apply to any existing paper records.<\/li>
- Provider workforce members and business associates must not attempt to access PHI unless they have been granted appropriate access rights, the access is within the scope of the responsibilities of their position, and they have a clear clinical or business reason to do so.<\/li><\/ol>\n\n\n\n
B. Technological barriers are implemented to restrict access and use of PHI based on the specific roles within the organization. This process is monitored by Information Technology in collaboration with the Privacy Officer and Information Security Officer to ensure that access to PHI is attempted only by those authorized.<\/p>\n\n\n\n
C. For routine disclosures, Providers will rely on the requested disclosure as the minimum necessary for the stated purpose when requested by:<\/p>\n\n\n\n
- Public officials as required by law, if the public official represents that the information requested is the minimum necessary for the stated purpose;<\/li>
- Another healthcare provider\/ institution, health plan or other entity that is a HIPAA covered entity;<\/li>
- Researchers, provided the requirements of the [Provider] are met; or<\/li>
- A professional who is a member of the organization\u2019s workforce or is a business associate whose request represents the minimum necessary information needed to perform a service on behalf of the organization.<\/li><\/ol>\n\n\n\n
D. Requests for PHI regarding Workers\u2019 Compensation will be limited to the information for the work-related illness or injury unless additional PHI is requested by the employer or third-party payer.<\/p>\n\n\n\n
E. Providers will develop departmental procedures as necessary to specify minimum-necessary guidelines for routine disclosures that are not related to treatment, payment, or healthcare operations of the provider.<\/p>\n\n\n\n
F. Non-routine requests for information must be reviewed on an individual basis by the Privacy Officer to determine whether the PHI requested is the minimum necessary. The Privacy Officer will respond in accordance with criteria designed to limit the information disclosed to the information reasonably necessary to accomplish the purpose of the request. The Privacy Officer will consider such factors as:<\/p>\n\n\n\n
- The requestor\u2019s purpose in seeking PHI;<\/li>
- Whether the PHI requested is reasonable or whether less PHI or de-identified PHI would satisfy the request.<\/li><\/ol>\n\n\n\n
G. Providers will also limit and monitor their requests for information to other healthcare institutions or health plans. Entities will request only the minimum necessary information needed to accomplish the purpose for which the request is being made. Monitoring of this process will occur through the Medical Records Department.<\/p>\n\n\n\n
H. All guidelines and criteria used to satisfy need-to-know and minimum necessary requirements must be reviewed and approved by the Privacy Officer.<\/p>\n\n\n\n
Exceptions<\/strong><\/h2>\n\n\n\nThe following disclosures are not subject to the Minimum Necessary Rule or the procedures set forth above:<\/p>\n\n\n\n
- Disclosure to or requests by a health care provider for treatment (students and trainees are included as health care providers for this purpose);<\/li>
- Information regarding the Patient requested by the Patient or to a third party for Use on behalf of the Patient;<\/li>
- Uses and Disclosures based upon a valid Authorization to use and disclose PHI;<\/li>
- Disclosures made to the Secretary of Health and Human Services;<\/li>
- Uses and disclosures required by law;<\/li>
- Uses and disclosures required by other sections of the HIPAA privacy regulations.<\/li><\/ul>\n\n\n\n
Disclosures for Payment<\/strong><\/h2>\n\n\n\nOnly the Minimum Necessary PHI shall be Disclosed for payment functions;<\/p>\n\n\n\n
Persons handling PHI in a payment context shall not provide patient information unless required to accomplish a payment transaction; including the preparation of checks collected, credit card paper receipts, and envelopes.<\/p>\n\n\n\n
Disclosures <\/strong>for <\/strong>Student Use<\/strong><\/strong><\/h2>\n\n\n\nStudents and trainees must understand and comply with the Minimum Necessary Rule. Students are considered to be part of the Treatment process if they are actively involved in the Patient\u2019s healthcare. In such instances, they are not limited in their access or Use of the patient\u2019s medical information.<\/p>\n\n\n\n
Use and Disclosure for Educational Purposes<\/strong><\/h2>\n\n\n\nFaculty, staff, students, and trainees are to use de-identified information at all times, including the classroom setting unless the Patient\u2019s identifying information (i.e., name, DOB, address, etc.) is required for a specific educational purpose.<\/p>\n\n\n\n
Good Faith Reliance<\/strong><\/h2>\n\n\n\nUT Dallas may reasonably rely on a requested disclosure as the Minimum Necessary for the stated purpose when:<\/p>\n\n\n\n
- Making disclosure to public officials that do not require patient authorization or an opportunity for the patient to agree or object, and the public official represents that the information is the minimum necessary for the stated purpose;<\/li>
- The information is requested by another Covered Entity or its Business Associate as provided by its Business Associate Agreement;<\/li>
- The information is requested by a Health Care Component professional (such as an attorney or accountant) providing professional services to the Callier Center; or<\/li>
- A researcher is requesting PHI through appropriate IRB documentation.<\/li><\/ul>\n\n\n\n
HIPAA Regulatory Citations: 45 CFR \u00a7 164.502(b), \u00a7 164.514(d) <\/p>\n\n\n\n
Effective:\u00a011\/13\/2003
Revised:\u00a005\/15\/2015
Reviewed: 10\/17\/2022, 03\/16\/2021,\u00a006\/09\/2015<\/p>\n\n\n\n<\/figure>\n\n\n\nHeather Zimmerman, HIPAA Privacy Officer
UT Dallas Callier Center<\/p>\n","protected":false},"excerpt":{"rendered":"
Section 5: Maintaining Patient Confidentiality through the Appropriate Use and Disclosure of PHI; Application of the Minimum Necessary Standard HIPAA regulations require Covered Entities to maintain the confidentiality of its patients through the proper Use and Disclosure of patients\u2019 PHI. All UT Dallas Workforce members have a duty to follow the procedures in this policy…<\/p>\n","protected":false},"featured_media":0,"parent":0,"menu_order":4,"template":"","meta":{"schema":"","fname":"","lname":"","position":"","credentials":"","placeID":"","no_match":false,"name":"","company":"","review":"","address":"","city":"","state":"","zip":"","lat":"","lng":"","phone1":"","phone2":"","fax":"","mon1":"","mon2":"","tue1":"","tue2":"","wed1":"","wed2":"","thu1":"","thu2":"","fri1":"","fri2":"","sat1":"","sat2":"","sun1":"","sun2":"","hours-note":"","footnotes":""},"doc_category":[47],"yoast_head":"\n
Section 5: Maintaining Patient Confidentiality through the Appropriate Use and Disclosure of PHI; Application of the Minimum Necessary Standard - Callier Center for Communication Disorders<\/title>\n<meta name=\"robots\" content=\"noindex, follow\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Section 5: Maintaining Patient Confidentiality through the Appropriate Use and Disclosure of PHI; Application of the Minimum Necessary Standard - Callier Center for Communication Disorders\" \/>\n<meta property=\"og:description\" content=\"Section 5: Maintaining Patient Confidentiality through the Appropriate Use and Disclosure of PHI; Application of the Minimum Necessary Standard HIPAA regulations require Covered Entities to maintain the confidentiality of its patients through the proper Use and Disclosure of patients\u2019 PHI. All UT Dallas Workforce members have a duty to follow the procedures in this policy...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/calliercenter.utdallas.edu\/doc\/section-5-maintaining-patient-confidentiality-through-the-appropriate-use-and-disclosure-of-phi-application-of-the-minimum-necessary-standard\/\" \/>\n<meta property=\"og:site_name\" content=\"Callier Center for Communication Disorders\" \/>\n<meta property=\"article:modified_time\" content=\"2022-11-01T23:59:19+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"6 minutes\" \/>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Section 5: Maintaining Patient Confidentiality through the Appropriate Use and Disclosure of PHI; Application of the Minimum Necessary Standard - Callier Center for Communication Disorders","robots":{"index":"noindex","follow":"follow"},"og_locale":"en_US","og_type":"article","og_title":"Section 5: Maintaining Patient Confidentiality through the Appropriate Use and Disclosure of PHI; Application of the Minimum Necessary Standard - Callier Center for Communication Disorders","og_description":"Section 5: Maintaining Patient Confidentiality through the Appropriate Use and Disclosure of PHI; Application of the Minimum Necessary Standard HIPAA regulations require Covered Entities to maintain the confidentiality of its patients through the proper Use and Disclosure of patients\u2019 PHI. All UT Dallas Workforce members have a duty to follow the procedures in this policy...","og_url":"https:\/\/calliercenter.utdallas.edu\/doc\/section-5-maintaining-patient-confidentiality-through-the-appropriate-use-and-disclosure-of-phi-application-of-the-minimum-necessary-standard\/","og_site_name":"Callier Center for Communication Disorders","article_modified_time":"2022-11-01T23:59:19+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/calliercenter.utdallas.edu\/doc\/section-5-maintaining-patient-confidentiality-through-the-appropriate-use-and-disclosure-of-phi-application-of-the-minimum-necessary-standard\/","url":"https:\/\/calliercenter.utdallas.edu\/doc\/section-5-maintaining-patient-confidentiality-through-the-appropriate-use-and-disclosure-of-phi-application-of-the-minimum-necessary-standard\/","name":"Section 5: Maintaining Patient Confidentiality through the Appropriate Use and Disclosure of PHI; Application of the Minimum Necessary Standard - Callier Center for Communication Disorders","isPartOf":{"@id":"https:\/\/calliercenter.utdallas.edu\/#website"},"datePublished":"2019-10-28T18:20:18+00:00","dateModified":"2022-11-01T23:59:19+00:00","breadcrumb":{"@id":"https:\/\/calliercenter.utdallas.edu\/doc\/section-5-maintaining-patient-confidentiality-through-the-appropriate-use-and-disclosure-of-phi-application-of-the-minimum-necessary-standard\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/calliercenter.utdallas.edu\/doc\/section-5-maintaining-patient-confidentiality-through-the-appropriate-use-and-disclosure-of-phi-application-of-the-minimum-necessary-standard\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/calliercenter.utdallas.edu\/doc\/section-5-maintaining-patient-confidentiality-through-the-appropriate-use-and-disclosure-of-phi-application-of-the-minimum-necessary-standard\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/calliercenter.utdallas.edu\/"},{"@type":"ListItem","position":2,"name":"Section 5: Maintaining Patient Confidentiality through the Appropriate Use and Disclosure of PHI; Application of the Minimum Necessary Standard"}]},{"@type":"WebSite","@id":"https:\/\/calliercenter.utdallas.edu\/#website","url":"https:\/\/calliercenter.utdallas.edu\/","name":"Callier Center for Communication Disorders","description":"The University of Texas at Dallas","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/calliercenter.utdallas.edu\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/calliercenter.utdallas.edu\/wp-json\/wp\/v2\/doc\/4873"}],"collection":[{"href":"https:\/\/calliercenter.utdallas.edu\/wp-json\/wp\/v2\/doc"}],"about":[{"href":"https:\/\/calliercenter.utdallas.edu\/wp-json\/wp\/v2\/types\/doc"}],"version-history":[{"count":9,"href":"https:\/\/calliercenter.utdallas.edu\/wp-json\/wp\/v2\/doc\/4873\/revisions"}],"predecessor-version":[{"id":9317,"href":"https:\/\/calliercenter.utdallas.edu\/wp-json\/wp\/v2\/doc\/4873\/revisions\/9317"}],"wp:attachment":[{"href":"https:\/\/calliercenter.utdallas.edu\/wp-json\/wp\/v2\/media?parent=4873"}],"wp:term":[{"taxonomy":"doc_category","embeddable":true,"href":"https:\/\/calliercenter.utdallas.edu\/wp-json\/wp\/v2\/doc_category?post=4873"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
A. Access to patient information by members of the UT Dallas Workforce and business associates of the Center will be provided on a need-to-know basis.<\/p>\n\n\n\n
- Varying levels of access will be provided to employees depending on the scope of their service\/care. Workforce members and business associates will be given access to PHI and\/or PHI will be disclosed to them only when there is a legitimate clinical and\/or business need for the information. Access will be based on the minimum necessary information required to provide care or perform the treatment\/task. Access to electronic records by staff will be documented in the user\u2019s security authorization to the EMR. Each job class shall have an individualized security template defining the level of access to the EMR. Each job class shall have an individualized security template defining the exact level of access to the electronic records. These security designations will also apply to any existing paper records.<\/li>
- Provider workforce members and business associates must not attempt to access PHI unless they have been granted appropriate access rights, the access is within the scope of the responsibilities of their position, and they have a clear clinical or business reason to do so.<\/li><\/ol>\n\n\n\n
B. Technological barriers are implemented to restrict access and use of PHI based on the specific roles within the organization. This process is monitored by Information Technology in collaboration with the Privacy Officer and Information Security Officer to ensure that access to PHI is attempted only by those authorized.<\/p>\n\n\n\n
C. For routine disclosures, Providers will rely on the requested disclosure as the minimum necessary for the stated purpose when requested by:<\/p>\n\n\n\n
- Public officials as required by law, if the public official represents that the information requested is the minimum necessary for the stated purpose;<\/li>
- Another healthcare provider\/ institution, health plan or other entity that is a HIPAA covered entity;<\/li>
- Researchers, provided the requirements of the [Provider] are met; or<\/li>
- A professional who is a member of the organization\u2019s workforce or is a business associate whose request represents the minimum necessary information needed to perform a service on behalf of the organization.<\/li><\/ol>\n\n\n\n
D. Requests for PHI regarding Workers\u2019 Compensation will be limited to the information for the work-related illness or injury unless additional PHI is requested by the employer or third-party payer.<\/p>\n\n\n\n
E. Providers will develop departmental procedures as necessary to specify minimum-necessary guidelines for routine disclosures that are not related to treatment, payment, or healthcare operations of the provider.<\/p>\n\n\n\n
F. Non-routine requests for information must be reviewed on an individual basis by the Privacy Officer to determine whether the PHI requested is the minimum necessary. The Privacy Officer will respond in accordance with criteria designed to limit the information disclosed to the information reasonably necessary to accomplish the purpose of the request. The Privacy Officer will consider such factors as:<\/p>\n\n\n\n
- The requestor\u2019s purpose in seeking PHI;<\/li>
- Whether the PHI requested is reasonable or whether less PHI or de-identified PHI would satisfy the request.<\/li><\/ol>\n\n\n\n
G. Providers will also limit and monitor their requests for information to other healthcare institutions or health plans. Entities will request only the minimum necessary information needed to accomplish the purpose for which the request is being made. Monitoring of this process will occur through the Medical Records Department.<\/p>\n\n\n\n
H. All guidelines and criteria used to satisfy need-to-know and minimum necessary requirements must be reviewed and approved by the Privacy Officer.<\/p>\n\n\n\n
Exceptions<\/strong><\/h2>\n\n\n\n
The following disclosures are not subject to the Minimum Necessary Rule or the procedures set forth above:<\/p>\n\n\n\n
- Disclosure to or requests by a health care provider for treatment (students and trainees are included as health care providers for this purpose);<\/li>
- Information regarding the Patient requested by the Patient or to a third party for Use on behalf of the Patient;<\/li>
- Uses and Disclosures based upon a valid Authorization to use and disclose PHI;<\/li>
- Disclosures made to the Secretary of Health and Human Services;<\/li>
- Uses and disclosures required by law;<\/li>
- Uses and disclosures required by other sections of the HIPAA privacy regulations.<\/li><\/ul>\n\n\n\n
Disclosures for Payment<\/strong><\/h2>\n\n\n\n
Only the Minimum Necessary PHI shall be Disclosed for payment functions;<\/p>\n\n\n\n
Persons handling PHI in a payment context shall not provide patient information unless required to accomplish a payment transaction; including the preparation of checks collected, credit card paper receipts, and envelopes.<\/p>\n\n\n\n
Disclosures <\/strong>for <\/strong>Student Use<\/strong><\/strong><\/h2>\n\n\n\n
Students and trainees must understand and comply with the Minimum Necessary Rule. Students are considered to be part of the Treatment process if they are actively involved in the Patient\u2019s healthcare. In such instances, they are not limited in their access or Use of the patient\u2019s medical information.<\/p>\n\n\n\n
Use and Disclosure for Educational Purposes<\/strong><\/h2>\n\n\n\n
Faculty, staff, students, and trainees are to use de-identified information at all times, including the classroom setting unless the Patient\u2019s identifying information (i.e., name, DOB, address, etc.) is required for a specific educational purpose.<\/p>\n\n\n\n
Good Faith Reliance<\/strong><\/h2>\n\n\n\n
UT Dallas may reasonably rely on a requested disclosure as the Minimum Necessary for the stated purpose when:<\/p>\n\n\n\n
- Making disclosure to public officials that do not require patient authorization or an opportunity for the patient to agree or object, and the public official represents that the information is the minimum necessary for the stated purpose;<\/li>
- The information is requested by another Covered Entity or its Business Associate as provided by its Business Associate Agreement;<\/li>
- The information is requested by a Health Care Component professional (such as an attorney or accountant) providing professional services to the Callier Center; or<\/li>
- A researcher is requesting PHI through appropriate IRB documentation.<\/li><\/ul>\n\n\n\n
HIPAA Regulatory Citations: 45 CFR \u00a7 164.502(b), \u00a7 164.514(d) <\/p>\n\n\n\n
Effective:\u00a011\/13\/2003
Revised:\u00a005\/15\/2015
Reviewed: 10\/17\/2022, 03\/16\/2021,\u00a006\/09\/2015<\/p>\n\n\n\n<\/figure>\n\n\n\nHeather Zimmerman, HIPAA Privacy Officer
UT Dallas Callier Center<\/p>\n","protected":false},"excerpt":{"rendered":"Section 5: Maintaining Patient Confidentiality through the Appropriate Use and Disclosure of PHI; Application of the Minimum Necessary Standard HIPAA regulations require Covered Entities to maintain the confidentiality of its patients through the proper Use and Disclosure of patients\u2019 PHI. All UT Dallas Workforce members have a duty to follow the procedures in this policy…<\/p>\n","protected":false},"featured_media":0,"parent":0,"menu_order":4,"template":"","meta":{"schema":"","fname":"","lname":"","position":"","credentials":"","placeID":"","no_match":false,"name":"","company":"","review":"","address":"","city":"","state":"","zip":"","lat":"","lng":"","phone1":"","phone2":"","fax":"","mon1":"","mon2":"","tue1":"","tue2":"","wed1":"","wed2":"","thu1":"","thu2":"","fri1":"","fri2":"","sat1":"","sat2":"","sun1":"","sun2":"","hours-note":"","footnotes":""},"doc_category":[47],"yoast_head":"\n
Section 5: Maintaining Patient Confidentiality through the Appropriate Use and Disclosure of PHI; Application of the Minimum Necessary Standard - Callier Center for Communication Disorders<\/title>\n<meta name=\"robots\" content=\"noindex, follow\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Section 5: Maintaining Patient Confidentiality through the Appropriate Use and Disclosure of PHI; Application of the Minimum Necessary Standard - Callier Center for Communication Disorders\" \/>\n<meta property=\"og:description\" content=\"Section 5: Maintaining Patient Confidentiality through the Appropriate Use and Disclosure of PHI; Application of the Minimum Necessary Standard HIPAA regulations require Covered Entities to maintain the confidentiality of its patients through the proper Use and Disclosure of patients\u2019 PHI. All UT Dallas Workforce members have a duty to follow the procedures in this policy...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/calliercenter.utdallas.edu\/doc\/section-5-maintaining-patient-confidentiality-through-the-appropriate-use-and-disclosure-of-phi-application-of-the-minimum-necessary-standard\/\" \/>\n<meta property=\"og:site_name\" content=\"Callier Center for Communication Disorders\" \/>\n<meta property=\"article:modified_time\" content=\"2022-11-01T23:59:19+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"6 minutes\" \/>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Section 5: Maintaining Patient Confidentiality through the Appropriate Use and Disclosure of PHI; Application of the Minimum Necessary Standard - Callier Center for Communication Disorders","robots":{"index":"noindex","follow":"follow"},"og_locale":"en_US","og_type":"article","og_title":"Section 5: Maintaining Patient Confidentiality through the Appropriate Use and Disclosure of PHI; Application of the Minimum Necessary Standard - Callier Center for Communication Disorders","og_description":"Section 5: Maintaining Patient Confidentiality through the Appropriate Use and Disclosure of PHI; Application of the Minimum Necessary Standard HIPAA regulations require Covered Entities to maintain the confidentiality of its patients through the proper Use and Disclosure of patients\u2019 PHI. All UT Dallas Workforce members have a duty to follow the procedures in this policy...","og_url":"https:\/\/calliercenter.utdallas.edu\/doc\/section-5-maintaining-patient-confidentiality-through-the-appropriate-use-and-disclosure-of-phi-application-of-the-minimum-necessary-standard\/","og_site_name":"Callier Center for Communication Disorders","article_modified_time":"2022-11-01T23:59:19+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/calliercenter.utdallas.edu\/doc\/section-5-maintaining-patient-confidentiality-through-the-appropriate-use-and-disclosure-of-phi-application-of-the-minimum-necessary-standard\/","url":"https:\/\/calliercenter.utdallas.edu\/doc\/section-5-maintaining-patient-confidentiality-through-the-appropriate-use-and-disclosure-of-phi-application-of-the-minimum-necessary-standard\/","name":"Section 5: Maintaining Patient Confidentiality through the Appropriate Use and Disclosure of PHI; Application of the Minimum Necessary Standard - Callier Center for Communication Disorders","isPartOf":{"@id":"https:\/\/calliercenter.utdallas.edu\/#website"},"datePublished":"2019-10-28T18:20:18+00:00","dateModified":"2022-11-01T23:59:19+00:00","breadcrumb":{"@id":"https:\/\/calliercenter.utdallas.edu\/doc\/section-5-maintaining-patient-confidentiality-through-the-appropriate-use-and-disclosure-of-phi-application-of-the-minimum-necessary-standard\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/calliercenter.utdallas.edu\/doc\/section-5-maintaining-patient-confidentiality-through-the-appropriate-use-and-disclosure-of-phi-application-of-the-minimum-necessary-standard\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/calliercenter.utdallas.edu\/doc\/section-5-maintaining-patient-confidentiality-through-the-appropriate-use-and-disclosure-of-phi-application-of-the-minimum-necessary-standard\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/calliercenter.utdallas.edu\/"},{"@type":"ListItem","position":2,"name":"Section 5: Maintaining Patient Confidentiality through the Appropriate Use and Disclosure of PHI; Application of the Minimum Necessary Standard"}]},{"@type":"WebSite","@id":"https:\/\/calliercenter.utdallas.edu\/#website","url":"https:\/\/calliercenter.utdallas.edu\/","name":"Callier Center for Communication Disorders","description":"The University of Texas at Dallas","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/calliercenter.utdallas.edu\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/calliercenter.utdallas.edu\/wp-json\/wp\/v2\/doc\/4873"}],"collection":[{"href":"https:\/\/calliercenter.utdallas.edu\/wp-json\/wp\/v2\/doc"}],"about":[{"href":"https:\/\/calliercenter.utdallas.edu\/wp-json\/wp\/v2\/types\/doc"}],"version-history":[{"count":9,"href":"https:\/\/calliercenter.utdallas.edu\/wp-json\/wp\/v2\/doc\/4873\/revisions"}],"predecessor-version":[{"id":9317,"href":"https:\/\/calliercenter.utdallas.edu\/wp-json\/wp\/v2\/doc\/4873\/revisions\/9317"}],"wp:attachment":[{"href":"https:\/\/calliercenter.utdallas.edu\/wp-json\/wp\/v2\/media?parent=4873"}],"wp:term":[{"taxonomy":"doc_category","embeddable":true,"href":"https:\/\/calliercenter.utdallas.edu\/wp-json\/wp\/v2\/doc_category?post=4873"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}