Understanding the PHI “Minimum Necessary” Rule

Join Our Mailing List

Protected Health Information and HIPAA

By Richard J. Mata; MD, MIS, CMP™ [Hon]

Dr. Mata

One important concept of the Health Insurance Portability and Accountability Act [HIPAA] is the “minimum necessary” rule, which states the minimum use of Protected Health Information [PHI] to identify a person, such as a social security number, home address, or phone number.

Only the essential elements are to be used in transferring information from the patient record to anyone else that needs this information.

Financial Information Included

This is especially important when financial information is being addressed. Only the minimum codes necessary to determine the cost should be provided to the financial department. No other information should be accessed by that department. Many institutions have systems where a registration or accounting clerk can pull up as much information as a doctor or nurse, but this is now against HIPAA policy and subject to penalties. The “minimum necessary” rule is also changing the way software is set up and vendor access is provided.

Human Resources

Another challenging task is keeping up with the number of people who access PHI, because the privacy regulations allow a patient to receive an accounting of anyone who has accessed their information, both internally (within your hospital, Emerging Healthcare Organization, or medical entity) and externally (such as through your business associates).  The patient has the right to know who in the lengthy data chain has seen their PHI.  This sets up an audit challenge for the medical organization, especially if the accountability is programmed internally.  When other business associates use this PHI without documenting access to a specific patient’s PHI, no one would be accountable for a breach in privacy.


One way to track access is through a designated record set, which contains medical or mixed billing records, and any other information that a physician and/or medical practice utilizes for making decisions about a patient.  It is up to the hospital, EHO, or healthcare organization to define which set of information comprises “protected health information” and which does not, though logically this should not differ from locale to locale.


Overlaps from the privacy regulations that are also addressed in the security regulations are access controls, audit trails, policies on e-mail and fax transmissions, contingency planning, configuration management, entity and personal authentication, and network controls. For more information about the Security Standards final rule; reference the Federal Register.


Your thoughts and comments on this ME-P are appreciated. Feel free to review our top-left column, and top-right sidebar materials, links, URLs and related websites, too. Then, subscribe to the ME-P. It is fast, free and secure.

Link: http://feeds.feedburner.com/HealthcareFinancialsthePostForcxos

Speaker: If you need a moderator or speaker for an upcoming event, Dr. David E. Marcinko; MBA – Publisher-in-Chief of the Medical Executive-Post – is available for seminar or speaking engagements. Contact: MarcinkoAdvisors@msn.com


DICTIONARIES: http://www.springerpub.com/Search/marcinko
PHYSICIANS: www.MedicalBusinessAdvisors.com
PRACTICES: www.BusinessofMedicalPractice.com
HOSPITALS: http://www.crcpress.com/product/isbn/9781466558731
CLINICS: http://www.crcpress.com/product/isbn/9781439879900
BLOG: www.MedicalExecutivePost.com
FINANCE: Financial Planning for Physicians and Advisors
INSURANCE: Risk Management and Insurance Strategies for Physicians and Advisors

Product DetailsProduct DetailsProduct Details

Product DetailsProduct Details

Product Details

%d bloggers like this: