(b) Standard: Minimum necessary
(1) Minimum necessary applies. When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
(2) Minimum necessary does not apply. This requirement does not apply to:
(i) Disclosures to or requests by a health care provider for treatment;
(ii) Uses or disclosures made to the individual, as permitted under paragraph (a)(1)(i) of this section or as required by paragraph (a)(2)(i) of this section;
(iii) Uses or disclosures made pursuant to an authorization under § 164.508;
(iv) Disclosures made to the Secretary in accordance with subpart C of part 160 of this subchapter;
(v) Uses or disclosures that are required by law, as described by § 164.512(a); and
(vi) Uses or disclosures that are required for compliance with applicable requirements of this subchapter.
§164.514(d)(2) Implementation specifications: Minimum necessary uses of protected health information.
(i) A covered entity must identify: (A) Those persons or classes of persons, as appropriate, in its workforce who need access to protected health information to carry out their duties; and (B) For each such person or class of persons, the category or categories of protected health information to which access is needed and any conditions appropriate to such access.

(ii) A covered entity must make reasonable efforts to limit the access of such persons or classes identified in paragraph (d)(2)(i)(A) of this section to protected health information consistent with paragraph (d)(2)(i)(B) of this section.

Audit Inquiry

Has the covered entity implemented policies and procedures consistent with the requirements of the established performance criterion to identify need for and limit use of PHI?

Obtain and review policies and procedures for limiting access to PHI. Elements to consider include, but are not limited to:-
-Criteria for determining what level of access a person or class of persons will need
-Criteria for modifying, reviewing, or terminating an individual’s access
–Efforts to limit access consistent with the needs and conditions described for each person or class of persons
-Whether the policies and procedures take into account access to both PHI and ePHI.

Obtain and review the access of a sample of workforce members with access to PHI for their corresponding job title and description to determine whether the access is consistent with the policies and procedures.

NOTE: The rule requires that the class/job functions that need to use or disclose PHI be determined and the information be limited to what is needed for that job classification.