HIPAA Minimum Necessary Standard Violations

Minimum Necessary Standard
The HIPAA Rules require that when a HIPAA covered entity (a provider, a plan or a clearinghouse) or a business associate of a covered entity uses or discloses PHI, or when it requests PHI from another covered entity or business associate, the covered entity or business associate must make "reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request." (Duane Morris LLP, 2013) Under the HIPAA Rules, covered entities and business associates are required to identify which workforce members need access to what kind of PHI to carry out their job functions. In addition, under the HIPAA Rules, covered entities and business associates are required to establish protocols that define the minimum necessary amount of PHI for routine uses, disclosures and requests, and how to apply the minimum necessary standard with respect to non-routine uses, disclosures and requests. Minimum necessary violations should be investigated and, if appropriate, reported according to the new breach notification rules. Business associates may be directly liable for minimum necessary standard violations. Covered entities may be liable for business associates' minimum necessary standard violations.
Important Employee Notes:
• Staff access to information must be based on the position's duties.
• The minimum information needed to do one's job is the standard.
• All employees are expected to exercise reasonable efforts not to use or