Federal regulations provide that staff at all times make a reasonable effort to limit PHI to the minimum necessary to carry out the intended purpose of use, disclosure or request. Consequently, staff must ensure that PHI is not unnecessarily or inappropriately accessed or disclosed. The following are examples:
- A pharmacy calls to verify a foster child’s MO HealthNet number. The purpose is for providing a service to the child and for billing the state for those services. Giving the provider the child’s MO HealthNet number and current eligibility gives the minimum necessary information and is appropriate. It would be inappropriate to share additional information such as why the child is in foster care or other PHI.
- A Children’s Service Worker following confidentiality procedures as outlined in the appropriate Child Welfare Manual sections calls a local food pantry to secure an emergency food order for a family. The worker provides the food pantry with the family members’ names, ages, and a brief description that the family is in need because they were recently robbed. The Children’s Service Worker does not provide information that the mother is schizophrenic or that the father is currently in outpatient alcohol treatment. Sharing of the mother’s diagnosis or father’s diagnosis/treatment (both considered PHI) was not necessary to securing an emergency food order (as Protected Heath Information is not being shared, a client authorization specifically for release of heath information is not necessary).
- A Children’s Service Worker is expecting a psychological evaluation of a client he is currently serving and alerts the office clerk to this fact. The office clerk who receives the evaluation in the mail only needs to verify from the name of the client and the worker who currently has that client in his caseload. The caseworker and the person who distributed the mail followed the minimum necessary standard. However, it would have been inappropriate for the clerk to read the evaluation contents.
When “Minimum Necessary” Does Not Apply
The requirement for disclosing the “Minimum Necessary” information to accomplish the intended purpose does not apply to the following:
- Disclosures to or requests by a health care provider for treatment;
- Uses or disclosures made to the individual;
- Uses or disclosures made pursuant to an authorization (refer to section on Authorizations for Disclosures for Protected Health Information);
- Uses or disclosures that are required by law; and
- Investigations of complaints made to the Secretary of the Department of Health and Human Services and/or compliance reviews conducted by the Department.