Minimum Necessary Standard

When using, disclosing or requesting PHI, the Health Plan shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the purpose.

Access to PHI

The Health Plan requires relevant staff to have access only to the minimum necessary PHI required by their job functions.

It is the responsibility of the HIPAA Privacy Officer to limit the access of relevant staff to only the minimum necessary PHI required by their job function. The HIPAA Privacy Officer may delegate certain job functions to be performed by other individuals; however, the ultimate responsibility for compliance with HIPAA remains with the HIPAA Privacy Officer.

Where Minimum Necessary Standard Does Not Apply

Limiting use, disclosure or request of PHI to the minimum necessary does NOT apply in the following situations:

• Disclosures or requests by a health care provider for treatment;
• Uses or disclosures made to the individual or requested and authorized by the individual;
• Disclosures made to the Secretary of Health and Human Services (HHS) or to the Office of Civil Rights (OCR);
• Uses or disclosures required by law; and/or
• Uses or disclosures required for compliance with the Privacy Rule.

Disclosures of PHI by

Health Plan

From time to time relevant staff of the Health Plan will be asked to disclose PHI to other Covered Entities, regulatory agencies, law enforcement authorities and others. Many of these disclosures are permitted or required by law and do not require authorization of the individual. Others may require authorization of the individual whose PHI is to be disclosed. Except for those instances identified previously, the Health Plan will apply the minimum necessary standard to all disclosures.

Relevant staff of the Health Plan may treat a request for a disclosure as being for the minimum necessary PHI when the request is:

• A permitted disclosure to a public official who states that the disclosure is the minimum necessary;
• From another Covered Entity;
• From a professional who is a member of the Health Plan or is a Business Associate of the Health Plan if he/she states that the information is the minimum necessary needed; and
• For research purposes when the required documentation is provided.

Requests for PHI

by Health Plan

Relevant staff of the Health Plan must limit requests made by them for PHI to that which is reasonably necessary to accomplish the purpose of the request.

Entire Medical Record

The Health Plan will not use, disclose or request an entire medical record unless the entire medical record is specifically justified as reasonably necessary. Unjustified use, disclosure or request of an entire medical record will be considered a violation of this policy. The only exception regarding the entire medical record is when the information is provided to persons involved in the treatment of the individual.

Record Retention

A copy of all HIPAA covered information and any revisions shall be maintained for a period of at least six (6) years. Such retention may be in printed or electronic format, or both.

HIPAA Privacy Officer

The HIPAA Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The HIPAA Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the HIPAA Privacy Officer during regular business office hours Monday through Friday, except holidays at (651) 696-6280.

Violations

Violations of this policy will be subject to discipline.