IU HIPAA Affected Areas shall limit the amount of PHI requested, used, or disclosed to others to the minimum amount necessary to achieve the specific purpose of that use, request, or disclosure. The standard also applies when an area is a business associate to another IU HIPAA Affected Area or an external covered entity.
This limitation does not apply when PHI is:
- Disclosed to or requested from another health care provider for the purpose of treatment;
- Disclosed as required by federal or state law;
- Disclosed to the patient of record; or
- Disclosed in compliance with a valid authorization.
Use of Protected Health Information (PHI)
- IU HIPAA Affected Areas shall only access the minimum information necessary to perform their assigned duties or to accomplish a stated purpose
- Routine disclosures of PHI shall be limited to the pre-determined and established criteria of the workforce member’s roles, the information used and disclosures required or necessary
- Non-routine disclosures of protected health information shall be reviewed on a case-by-case basis
Disclosures of Protected Health Information (PHI)
- IU HIPAA Affected Areas shall limit the disclosure of PHI to that which is minimally necessary in each situation in order to achieve the purpose of the disclosure.
- Disclosures for research purposes will rely on documentation from an Institutional Review Board (IRB) that describes the protected health information needed for research purposes. The documentation shall sufficiently describe the PHI needed.
Requests for Protected Health Information (PHI)
- Request for PHI shall be limited and reviewed on a case-by-case basis to determine what PHI is reasonable necessary for the particular use or disclosure.
- IU HIPAA Affected Areas shall limit request for PHI to the minimum necessary to accomplish a particular tasks or purpose.
- Researchers shall limit request for PHI for research purposes to the minimum necessary for the described research, including PHI to be released pursuant to an authorization. Documentation must sufficiently describe the PHI needed.
Note: Uses or disclosures that impermissibly involve more than the minimum necessary information, in violation of §§ 164.502(b) and 164.514(d), may qualify as breaches
07/22/2013 Effective Date