Standard for HIPAA Minimum Necessary Uses and Disclosures of PHI

Purpose

Ohio University will use and disclose, or request from another covered entity, the minimum amount of PHI necessary to achieve the particular use or disclosure unless an exception applies.  

Scope

This standard will apply to all Ohio University operating units that store, process, or transmit protected health information.  

Standard

  1. Role-Based Access: Ohio University providers will have role-based access to PHI per a job description, which should specify:
    1. People or classes of people in Ohio University’s workforce who need access to PHI to carry out their duties; and
    2. The category or categories of PHI for which access is needed, including any conditions that may be relevant to such access.
  2. Routine Disclosures: Ohio University, for any type of disclosure or request for disclosure that is made on a routine and recurring basis, will limit the disclosed PHI, or the request for disclosure, to that which is reasonably necessary to achieve the purpose of the disclosure or request.
  3. Non-Routine Disclosures: Ohio University, for disclosures or requests that are not made on a routine and recurring basis, will review the request to verify that PHI disclosed or requested is the minimum necessary.
  4. Exceptions to Minimum Necessary Requirements: Ohio University may release information without concern for the minimum necessary standard as follows:
    1. Disclosures to or requests by a health care provider for treatment;
    2. Uses or disclosures made to the individual who is the subject of the PHI;
    3. Uses or disclosures made pursuant to an authorization signed by the individual;
    4. Disclosures made to the Secretary of the U.S. Department of Health and Human Services;
    5. Disclosures that are required by law; and
    6. Uses and disclosures that are required for compliance with the HIPAA privacy regulations.
  5. Entire Medical Record: Ohio University may use or disclose an individual’s entire medical record only when such use or disclosure is specifically justified as the amount that is reasonably necessary to accomplish the intended purpose, or when one of the exceptions noted above applies.
  6. Reasonable Reliance: Ohio University may rely on a requested disclosure as minimum necessary for the stated purpose(s) when:
    1. Making disclosures to public officials, if the official represents that the information is the minimum necessary for the stated purpose(s);
    2. The information is requested by another covered entity;
    3. The information is requested by a professional who is a member of the workforce of an Ohio University designated covered health care component, or is a business associate of an Ohio University designated covered health care component, if the professional represents that the information requested is the minimum necessary for the stated purpose(s);
    4. The information is requested for research purposes and the person requesting the information has provided documentation or representations to Ohio University that meet the requirements of the HIPAA privacy regulations. Additionally, researchers must meet with the HIPAA Privacy Officer for HIPAA guidance prior to submitting a research project to the Institutional Research Board (IRB).

      Contact the HIPAA Privacy Officer to assist in the determination of whether such requirements have been met.

  7. Disclosure: Ohio University, upon determination that the use, disclosure, or request for PHI is the minimum necessary for one of the above exceptions, may release the PHI to the requestor.
  8. Ohio University Requests for PHI: When requesting PHI from another covered entity, Ohio University must limit its request for PHI to the amount reasonably necessary to accomplish the purpose for which the request is made.
    1. For requests that are made on a routine or recurring basis, Ohio University shall take reasonable steps to ensure that the request is limited to the amount of PHI reasonably necessary to accomplish the purpose for which the request is made.
    2. For requests that are not on a routine or recurring basis, Ohio University shall evaluate the request according to the following criteria:
      1. Whether the purpose of the request is stated with specificity.
      2. Whether the amount of PHI to be disclosed is limited to the intended purpose.
      3. Whether the requirements for supporting documentation, statements, or representations have been satisfied.
      4. Whether all applicable requirements of the HIPAA privacy regulations have been satisfied with respect to the request.
  9. PHI disclosures related to Psychotherapy notes, Drug and Alcohol treatment and records involving Sexually Transmitted Diseases have more stringent regulatory requirements. Consult with the Ohio University HIPAA Privacy Officer or designee prior to releasing records pertaining to the aforementioned topics.

    *Mental health notes are the mental health provider’s private notes and are not a part of the “medical record”. Such records are for the personal use of the mental health provider.

Governance

This standard will be reviewed and approved by the University HIPAA Steering Committee and other key stakeholders in the interest of ensuring the privacy and security of individuals’ health information, as deemed appropriate based on the current regulatory requirement mandates.

Status: Approved

Effective: August 9, 2019