What Is the Minimum Necessary Rule in HIPAA

Given HIPAA's expanded requirements under the 2013 amendments for business associates and the increased focus on reporting and enforcing violations, minimum necessary policies should now, more than ever, be a key part of the policies and procedures of every covered entity and business associate. This includes policies that address the electronic use and disclosure of PHI, i.e., through health information technology (ePHI). Covered entities and business associates may also want to stay informed: HHS announced in the final omnibus rule that it will issue future guidance on the minimum necessary standard, including addressing additional issues raised by business associates applying the standard. In the meantime, specific and practical minimum necessary policies and procedures, as well as the integration of these policies and procedures into business associate agreements, are essential to maintaining compliance with the minimum necessary standard.

Covered entities and business associates are required by the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule)[1] to make reasonable efforts to limit the use and disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request,[2] often referred to as the "Minimum Necessary Standard". It is designed to be flexible, with the agency and the covered entity together determining how it is implemented.[3]

In addition to the HIPAA training that every employee of a covered entity must take, it may also be beneficial to give employees a process for analyzing their own actions against the minimum necessary standard. Here are some questions that employees should ask themselves before handling PHI or ePHI:

As outlined in the 2013 amendments, the minimum necessary standard also applies to the new provisions regarding genetic information, disclosures to public health officials and fundraising.
For example, if a person is claiming benefits under a plan and the plan needs genetic information to determine the medical appropriateness of treatment, the plan may use or disclose the minimum genetic information necessary to determine the medical appropriateness of the particular benefit. Similarly, the 2013 amendments permit covered entities to disclose the minimum necessary PHI to public health authorities or other designated persons or entities without the individual's authorization for certain public health purposes set out in the 2013 amendments. Finally, the minimum necessary standard applies in full to disclosures of PHI under the new fundraising disclosure rule.

The 2013 amendments provide that permitted uses for fundraising purposes include screening and eliminating fundraising solicitations to individuals with suboptimal outcomes, as well as disclosures to business associates or institutionally related foundations, but only if such a screening function is performed by those parties. In practice, this means that when an individual accesses PHI or ePHI, or shares either with another (authorized) party on request, they should share only the portion of the information that is directly needed. For example, organizations should not allow access to or disclosure of an entire medical record unless they can justify that access to the entire record is necessary. The same applies to business associates: where a business associate is engaged to perform a specific function on behalf of a covered entity, only the information needed to carry out that function should be provided to the business associate.

When analyzing the likelihood that an impermissible use or disclosure has compromised PHI, covered entities and business associates should consider whether the person who used the information, or to whom the disclosure was made, was an unauthorized person. If a minimum necessary violation occurs in a disclosure to a business associate, or as an internal use within a covered entity or business associate, the fact that the information was not obtained by a third party would be part of the risk assessment and would support a finding that there is a low probability that the PHI has been compromised. While some minimum necessary violations may fall within the exceptions to the definition of a breach, these exceptions must be carefully analyzed before a covered entity or business associate decides not to report a violation of the minimum necessary standard.
Prior to the hearing, AHIMA conducted a survey of its members working in privacy and security, data analysis, clinical documentation improvement and education. 38% were unsure whether a definition of the minimum necessary standard had been adopted, and 14% of respondents said they did not have a definition of the minimum necessary standard.

21% were in the process of developing a definition. One-third of respondents said they did not have policies and procedures regarding HIPAA. The minimum necessary rule states that covered entities (healthcare providers, healthcare clearinghouses and insurance companies) may only access, transmit or process the minimum amount of PHI required to perform a particular task. This means that sending complete copies of a patient's medical record by email, when only part of the record is relevant to the task, is a violation of this rule. The 2013 amendments impose significant obligations on covered entities and business associates to notify HHS of potential PHI breaches. While some commentators requested an exemption from the breach notification requirements for minimum necessary violations, HHS rejected this exemption. Therefore, under the HIPAA rules, a covered entity or business associate must investigate any minimum necessary violation to determine the probability that the PHI has been compromised and whether breach notification is required.
