“All this is on a strictly need-to-know basis. As in, nobody else needs to know.” –Kami Garcia.

Tod Ferran, CISSP, QSA
By: Tod Ferran
There aren’t many times in life where you can get away with doing the bare minimum. PHI is one of them. Here are 5 things you should know about the minimum necessary HIPAA requirement.


1. PHI should only be shared on a need-to-know basis.

In military operations, a need-to-know restriction is the control of extremely sensitive information by only those who must know the information to get the job done. Although thousands of personnel are involved in planning battles, only a small number (usually high-ranking officers) have the security clearance to know everything about the operation. The rest are only informed on parts of the plan necessary to get their specific task completed.
Minimum Necessary HIPAA PHI
Protected health information (PHI) is kind of like a sensitive battle plan. Instead of the need-to-know restriction, the HHS calls this control the minimum necessary requirement. The HHS says this requirement is “based on sound current practice that protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function.”

Only those who need to see PHI to do their jobs should get to see it, and unless you have a specific need for the information, access must be restricted. For example, a receptionist (or someone that doesn’t provide direct patient care) probably doesn’t need to see the X-rays of a patient to do his or her job.
By limiting PHI access to the smallest number of people possible, the likelihood of a breach or impermissible disclosure of HIPAA violation decreases significantly.

2. Limit user access by creating individual user accounts.

The HHS states, “if a hospital employee is allowed to have routine, unimpeded access to patients’ medical records, where such access is not necessary for the hospital employee to do his job, the hospital is not applying the minimum necessary standard.”

It’s a covered entity’s responsibility to limit who within the organization has access to each specific part or component of PHI. The easiest way to take charge of the data is by creating individual user accounts.

SEE ALSO: Everyone Is Not Created Equal In Healthcare

In the ideal scenario, each user account in a network, EHR, or computer system, would be given certain privileges based on the job title or role of the user. For example, a “doctor” privilege would get access to all PHI in their patient database, because they need it to do their job. An “IT admin” would have restricted access to PHI, because they are not involved with patient care.

3. Covered entities pass way too much data to their business associates.

The minimum necessary requirement doesn’t just apply to an organization. It applies to the information shared externally, with third parties and subcontractors. Entities are required to limit how much PHI is disclosed based on job responsibilities and nature of the third party’s business.
Minimum Necessary HIPAA PHI and 21 Day Plan for HIPAA
Say a patient needed a prosthetic leg. If a hospital sent the entire patient record to the prosthetic manufacturer (their business associate), the hospital would be violating the minimum necessary requirement. The prosthetic manufacturer doesn’t need to know about the patient’s flu shot 10 years ago. All he needs to know are the specifics for the prosthetic required for him to correctly do his job.

SEE ALSO: You Can't Hide Behind a Business Associate Agreement

Passing too much PHI to a business associate could get your organization slapped with a fine. Be careful about how much data you are sending and receiving.

4. Don’t worry about passing too much data when talking to other doctors.

If you’re communicating doctor to doctor, don’t worry. You get a free pass. The minimum necessary rule is a little different if you’re communicating with someone who actually provides healthcare to patients.

Because many ailments, treatments, and medications are related, most situations require the entire medical history to be sent from doctor to doctor. Just remember to use your best judgment.


5. Both entities and business associates are responsible for the minimum necessary requirement.

I’ve witnessed many business associates tell their covered entity partners they get to decide how much data they receive, and it’s the covered entity’s responsibility to just ship it all over. Au contraire Mr. Business Associate!

Each party (covered entity and business associate) has a minimum necessary responsibility under HIPAA. That means either party can be fined by the HHS for misapplying (or completely disregarding) the minimum necessary rule. If a business associate demands more data than is necessary from its covered entities, it could be fined for ignoring the rules.

Let me clear up any confusion about your responsibility concerning minimum necessary data:
  • Covered entity responsibility: determine what data is the minimum necessary to send, and then only send that data and nothing else.
  • Business associate responsibility: only accept and use the minimum necessary data.
Just remember: Less is more when it comes to sharing PHI.

Did this post help you? If so, please share!

Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.

A 21-day plan for securing HIPAA PHI webinar