The Privacy Rule generally requires covered entities to take reasonable steps to limit uses, disclosures, or requests (if the request is to another covered entity) of protected health information (PHI) to the minimum necessary to accomplish the intended purpose. However, in some cases, the Privacy Rule does not require that the minimum necessary standard be applied, such as, for example, to disclosures to or requests by a health care provider for treatment purposes, or to disclosures to the individual who is the subject of the information. For routine requests and disclosures, standard protocols may be used to apply the minimum necessary standard, and individual review of each request or disclosure is not required. For non-routine requests and disclosures, the Privacy Rule requires that criteria be developed for purposes of applying the minimum necessary standard on an individual basis to each request or disclosure. For requests for PHI by another covered entity, the disclosing covered entity may rely, if reasonable under the circumstances, on the requested disclosure as the minimum necessary. See 45 CFR §§ 164.502(b), 164.514(d).
Depending on the type of request or disclosure, it may be that some or many of the requests or disclosures to or through the health information organization (HIO) by a covered entity may not be subject to the Privacy Rule’s minimum necessary standard. This would be true in the case of a HIO whose primary purpose is to exchange electronic PHI between and among several hospitals, doctors, pharmacies, and other health care providers for treatment. However, even though the Privacy Rule does not require that the minimum necessary standard be applied to electronic health information exchanges for treatment purposes, the covered entities participating in the electronic networked environment and the HIO are free to apply the concepts of the minimum necessary standard to develop policies that limit the information they include and exchange, even for treatment purposes. For electronic health information exchanges by a covered entity to and through a HIO that are subject to the minimum necessary standard, such as for a payment or health care operations purpose, the Privacy Rule would require that the minimum necessary standard be applied to that exchange and that the business associate agreement limit the HIO’s disclosures of, and requests for, PHI accordingly. However, as one covered entity may rely, if reasonable, on another covered entity’s request as being the minimum necessary amount of PHI, the HIO’s business associate agreement similarly can authorize and instruct the HIO to rely on the requests of covered entities as the minimum necessary, where appropriate, to help facilitate disclosures between covered entities.
When the minimum necessary standard is required by the Privacy Rule, or the policies of the HIO and participating covered entities, to be applied to certain exchanges of electronic health information, the application of the minimum necessary standard can be automated by the HIO for routine disclosures and requests through the use of standard protocols, business rules, and standardization of data. More complex or non-routine disclosures and requests may not lend themselves to automation, and may require individual review under the Privacy Rule, to the extent the Privacy Rule otherwise applied to the disclosure or request.