1 / 11

HIPAA Minimum Necessary: Use/Disclosure & Role-based Access

HIPAA Minimum Necessary: Use/Disclosure & Role-based Access. Charlene Dunbar Madonna Rehabilitation Hospital Sheila Wrobel Nebraska Health System. Privacy Regulation Citations. 45 CFR 164.502(b): Minimum Necessary General Standard

nami
Download Presentation

HIPAA Minimum Necessary: Use/Disclosure & Role-based Access

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HIPAA Minimum Necessary: Use/Disclosure & Role-based Access Charlene Dunbar Madonna Rehabilitation Hospital Sheila Wrobel Nebraska Health System

  2. Privacy Regulation Citations • 45 CFR 164.502(b): Minimum Necessary General Standard When using or disclosing PHI or when requesting PHI from another CE, a CE must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request

  3. Privacy Regulation Citations • 164.502(b) requirements do not apply to: • Disclosures to or requests by a health care provider for treatment • Uses/disclosures to the individual • Uses/disclosures pursuant to an authorization • Disclosures made to DHHS Secretary • Uses/disclosures required by law (164.512(a)) • Uses/disclosures required to comply with the Privacy Rule

  4. Privacy Regulation Citations • 45 CFR §164.514(d): Minimum Necessary Implementation Specifications (1-5) (d)(1): To comply with 502(b), must follow d(2-5) (d)(2): Role-based Access: A) Identify workforce persons or classes of persons who need PHI to carry out their duties; and B) For each, identify categories of PHI needed, and any conditions appropriate to such access ** CE must make reasonable efforts to limit access of PHI consistent with defined categories

  5. Implementing Role-based Access 1) Create matrix:

  6. ImplementingRole-based Access 2) Incorporate PHI access into job descriptions &/or computer security access matrices & reference them in Use & Disclosure of PHI/Minimum Necessary policy. 3) Other examples?

  7. Minimum Necessary Implementation Specifications • §164.514(d)(3): MN Disclosures of PHI (i): Routine and recurring disclosures - “MN” policies & procedures; protocols (ii): Non-Routine disclosures a. Develop “MN” criteria and b. Review on individual basis • See attached Disclosure flowchart & policy

  8. Minimum Necessary Disclosures of PHI (cont.) (iii) May reasonably rely on requested disclosure as being “MN” if disclosure to: *a. Public official under 164.512 b. Another CE *c. Workforce professional or BA d. Researcher pursuant to 164.512(i) i. IRB/Privacy board waiver ii. Review preparatory to research iii. Research on decedent’s PHI (*must represent information requested is MN for stated purpose)

  9. Minimum Necessary Implementation Specifications • §164.514(d)(4): MN Requests for PHI • When a CE requests PHI from another CE, must limit requests to “MN” (i) Routine/recurring requests: - “MN” policies & procedures; protocols (ii) Non-routine requests: a. Develop “MN” criteria b. Review on individual basis

  10. Minimum Necessary Implementation Specifications • §164.514(d)(5): Other Content Requirement • CE may not use, disclose or request an entire medical record, except when the entire medical record is specifically justified as “MN”. • “Re-disclosures”: a CE may disclose a complete medical record, including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rule.(10/2/02 OCR FAQ)

  11. Attachments • MRH Disclosure of PHI Flowchart (draft) • MRH Disclosure of PHI - MN Policy (draft) • NHS Request for PHI Worksheet (draft) • NHS Research Preparation Request (draft) Questions?

More Related