Melissa Martin, the President of the American Health Information Management Association (AHIMA) gave a testimony at a recent National Committee on Vital and Health Statistics’ (NCVHS) meeting regarding the HIPAA minimum necessary standard.
The NCVHS subcommittee on privacy, confidentiality, and security held the hearing to discuss whether changes need to be made to the HIPAA minimum necessary standard, and whether HIPAA covered entities should be provided with further guidance to clarify how the standard should be applied.
What is the HIPAA Minimum Necessary Standard?
The HIPAA minimum necessary standard concerns the use of patients’ protected health information. The standard requires covered entities to only disclose or provide enough data for a particular task or service to be conducted. Covered entities are required to “make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed to accomplish the intended use, disclosure, or request,”. If an entire medical record is provided, the covered entity must justify the need for those data to be provided.
This standard is open to interpretation. It is down to the covered entity to decide how much PHI is required. Martin said in the hearing that this leads to inconsistency. She pointed out that healthcare organizations may even face litigation if patients or their legal representatives believe that too much PHI has been shared.
Since the HIPAA minimum necessary standard was implemented technology has advanced considerably. It is now far easier for covered entities to share only parts of medical records. However, there is increasing pressure on covered entities to improve data accessibility and this is at odds with the HIPAA minimum necessary standard. Martin said at the hearing, “as the paradigm has shifted to enhancing data sharing and improving data accessibility, the amount of PHI necessary to meet the minimum necessary standard has expanded exponentially, so that the concept is associated with fewer transactions.”
Martin recommended that the HHS provides a much clearer definition on the HIPAA minimum necessary standard, possibly including different levels of “minimum necessary” which would be dependent on specific identifiers.
She also suggested that the role of metadata in the HIPAA minimum necessary standard needs to be taken into account.
Martin explained that only 27% of surveyed organizations had a definition for the minimum necessary standard, 38% did not know if they had adopted a definition, and 14% said that they had not yet adopted a definition of the standard.
Martin also suggested the HHS should release further guidance for covered entities and patients and develop additional resources such as FAQs and fact sheets to ensure that the HIPAA minimum necessary standard is understood.