HIPAA Minimum Necessary: Use/Disclosure & Role-based Access
Charlene Dunbar, Madonna Rehabilitation Hospital
Sheila Wrobel, Nebraska Health System
Privacy Regulation Citations
• 45 CFR 164.502(b): Minimum Necessary General Standard
  When using or disclosing PHI (protected health information), or when requesting PHI from another covered entity (CE), a CE must make reasonable efforts to limit the PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
Privacy Regulation Citations
• 164.502(b) requirements do not apply to:
  • Disclosures to or requests by a health care provider for treatment
  • Uses/disclosures to the individual
  • Uses/disclosures pursuant to an authorization
  • Disclosures made to the DHHS Secretary
  • Uses/disclosures required by law (164.512(a))
  • Uses/disclosures required to comply with the Privacy Rule
Privacy Regulation Citations
• 45 CFR §164.514(d): Minimum Necessary Implementation Specifications (1-5)
  (d)(1): To comply with 502(b), must follow (d)(2)-(5)
  (d)(2): Role-based Access:
    A) Identify the workforce persons or classes of persons who need PHI to carry out their duties; and
    B) For each, identify the categories of PHI needed, and any conditions appropriate to such access
  ** CE must make reasonable efforts to limit access to PHI consistent with the defined categories and conditions
Implementing Role-based Access
1) Create a matrix: workforce roles or classes of persons against the categories of PHI each needs, with any conditions on that access (per 164.514(d)(2)).
2) Incorporate PHI access into job descriptions and/or computer security access matrices, and reference them in the Use & Disclosure of PHI/Minimum Necessary policy.
3) Other examples?
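The matrix in step 1 can be kept as data and enforced by a deny-by-default check, so that the artifact referenced from job descriptions in step 2 is the same one the system evaluates. The following is an added example, not code from the slides or from MRH/NHS; the roles, PHI categories, access conditions and function names are hypothetical illustrations of the (d)(2) structure, not any covered entity's actual policy.

```python
"""Added example, not from the original slides: a minimum-necessary access
matrix for workforce roles in the shape 45 CFR 164.514(d)(2) asks for.
Roles, PHI categories and conditions are hypothetical (assumptions)."""
from dataclasses import dataclass

# Hypothetical categories of PHI; a CE defines its own (assumption).
PHI_CATEGORIES = frozenset({
    "demographics", "insurance", "diagnoses", "medications",
    "clinical_notes", "lab_results", "psychotherapy_notes",
})


@dataclass(frozen=True)
class AccessRule:
    """(d)(2)(B): categories a class of workforce needs, plus conditions."""
    categories: frozenset
    treating_relationship: bool = False  # condition: user is on the patient's care team
    own_unit_only: bool = False          # condition: patient is on the user's unit


# (d)(2)(A): classes of persons who need PHI.  A role absent from the
# matrix gets nothing; the evaluator below is deny-by-default.
ACCESS_MATRIX = {
    "attending_physician": AccessRule(
        PHI_CATEGORIES - {"insurance", "psychotherapy_notes"},
        treating_relationship=True),
    "unit_nurse": AccessRule(
        frozenset({"demographics", "diagnoses", "medications",
                   "clinical_notes", "lab_results"}),
        own_unit_only=True),
    "billing_clerk": AccessRule(frozenset({"demographics", "insurance", "diagnoses"})),
    "scheduler": AccessRule(frozenset({"demographics"})),
}


@dataclass
class AccessRequest:
    role: str
    user_id: str
    categories: frozenset               # what the user is trying to open
    care_team: frozenset = frozenset()  # user ids on the patient's care team
    patient_unit: str = ""
    user_unit: str = ""


@dataclass
class Decision:
    allowed: frozenset
    denied: frozenset
    reason: str


def evaluate(req: AccessRequest) -> Decision:
    """Limit a workforce access to the categories the role needs, provided
    the conditions on that access hold.  Anything not granted is denied."""
    rule = ACCESS_MATRIX.get(req.role)
    if rule is None:
        return Decision(frozenset(), req.categories, "role not in access matrix")
    if rule.treating_relationship and req.user_id not in req.care_team:
        return Decision(frozenset(), req.categories, "no treating relationship with patient")
    if rule.own_unit_only and req.user_unit != req.patient_unit:
        return Decision(frozenset(), req.categories, "patient not on user's unit")
    allowed = req.categories & rule.categories
    denied = req.categories - rule.categories
    if denied:
        return Decision(allowed, denied, "trimmed to categories the role needs")
    return Decision(allowed, denied, "within role's minimum necessary")


def job_description_lines() -> list:
    """Step 2 of the slides: render the same matrix as text for job
    descriptions or a computer security access matrix, so the policy
    document and the enforced rules cannot drift apart."""
    lines = []
    for role, rule in sorted(ACCESS_MATRIX.items()):
        conds = [label for label, on in (
            ("treating relationship required", rule.treating_relationship),
            ("own unit only", rule.own_unit_only)) if on]
        lines.append(f"{role}: {', '.join(sorted(rule.categories))}"
                     + (f" [{'; '.join(conds)}]" if conds else ""))
    return lines


if __name__ == "__main__":
    print(evaluate(AccessRequest("billing_clerk", "u42",
                                 frozenset({"demographics", "insurance", "clinical_notes"}))))
    print("\n".join(job_description_lines()))
```

The conditions (care-team membership, unit) are the "(B) conditions appropriate to such access" of (d)(2); they are checked before categories so that a user outside the condition gets nothing rather than a trimmed set. Every decision carries a reason string so the audit log records why a category was withheld.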
Minimum Necessary Implementation Specifications
• §164.514(d)(3): MN Disclosures of PHI
  (i) Routine and recurring disclosures: "MN" policies & procedures; protocols
  (ii) Non-routine disclosures:
    a. Develop "MN" criteria, and
    b. Review on an individual basis
• See attached Disclosure flowchart & policy
Minimum Necessary Disclosures of PHI (cont.)
  (iii) May reasonably rely on a requested disclosure as being "MN" if the disclosure is to:
    *a. A public official under 164.512
    b. Another CE
    *c. A professional member of the workforce, or a BA (business associate)
    d. A researcher pursuant to 164.512(i):
      i. IRB/Privacy Board waiver
      ii. Review preparatory to research
      iii. Research on a decedent's PHI
  (* the requester must represent that the information requested is MN for the stated purpose)
Minimum Necessary Implementation Specifications
• §164.514(d)(4): MN Requests for PHI
• When a CE requests PHI from another CE, it must limit the request to the "MN"
  (i) Routine/recurring requests: "MN" policies & procedures; protocols
  (ii) Non-routine requests:
    a. Develop "MN" criteria
    b. Review on an individual basis
Minimum Necessary Implementation Specifications
• §164.514(d)(5): Other Content Requirement
• A CE may not use, disclose or request an entire medical record, except when the entire medical record is specifically justified as "MN".
• "Re-disclosures": a CE may disclose a complete medical record, including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rule. (10/2/02 OCR FAQ)
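The routine/non-routine split of (d)(3), the reliance cases of (d)(3)(iii) and the entire-record rule of (d)(5) can be laid out as one triage routine of the kind the attached disclosure flowchart describes. This is an added example, not the MRH/NHS flowchart, policy or worksheet; the record sections, routine protocols, requester types, field names and the choice to route an unjustified entire-record request to individual review are hypothetical assumptions about how a CE could encode its own policy.

```python
"""Added example, not from the slides or the MRH/NHS attachments: triage of
an incoming disclosure request under 45 CFR 164.514(d)(3) and (d)(5).
Sections, protocols, requester types and outcomes are hypothetical."""
from dataclasses import dataclass
from typing import Optional

# Hypothetical sections of a medical record (assumption).
RECORD_SECTIONS = frozenset({
    "demographics", "insurance", "diagnoses", "procedures", "medications",
    "lab_results", "clinical_notes", "discharge_summary",
})

# (d)(3)(i): routine, recurring disclosures are limited by a standing
# protocol that names exactly which sections are released.  Hypothetical.
ROUTINE_PROTOCOLS = {
    "discharge_summary_to_pcp": frozenset(
        {"demographics", "diagnoses", "medications", "discharge_summary"}),
    "claim_to_payer": frozenset(
        {"demographics", "insurance", "diagnoses", "procedures"}),
}

# (d)(3)(iii) a-c: requesters whose stated need may be relied on as MN.
# Value = whether the requester must first represent that the request is
# MN (the starred cases on the slide); another CE needs no representation.
RELIANCE_REQUESTERS = {
    "public_official": True,
    "covered_entity": False,
    "workforce_professional": True,
    "business_associate": True,
}
# (d)(3)(iii) d: the three 164.512(i) bases listed on the slide.
RESEARCH_BASES = frozenset({"irb_waiver", "preparatory_to_research", "decedent"})


@dataclass
class DisclosureRequest:
    requester_type: str
    purpose: str
    sections: frozenset
    protocol: Optional[str] = None         # set for routine/recurring disclosures
    mn_representation: bool = False        # requester represented request is MN
    research_basis: Optional[str] = None   # one of RESEARCH_BASES, if researcher
    entire_record_justification: str = ""  # (d)(5) specific written justification


@dataclass
class Triage:
    outcome: str          # "disclose", "individual_review" or "deny"
    sections: frozenset   # what may be released under this outcome
    basis: str            # which paragraph drove the decision (for the log)


def triage(req: DisclosureRequest) -> Triage:
    unknown = req.sections - RECORD_SECTIONS
    if unknown:
        return Triage("deny", frozenset(), f"unknown sections: {sorted(unknown)}")

    # (d)(3)(i): routine disclosure, trimmed to the protocol's sections.
    if req.protocol is not None:
        allowed = ROUTINE_PROTOCOLS.get(req.protocol)
        if allowed is None:
            return Triage("deny", frozenset(), f"no protocol named {req.protocol!r}")
        dropped = req.sections - allowed
        return Triage("disclose", req.sections & allowed,
                      f"(d)(3)(i) protocol {req.protocol}; dropped {sorted(dropped)}")

    # (d)(5): the entire record needs a specific justification.  Applying
    # this before the reliance cases is a policy choice made in this example.
    if req.sections >= RECORD_SECTIONS and not req.entire_record_justification:
        return Triage("individual_review", frozenset(),
                      "(d)(5) entire record requested without specific justification")

    # (d)(3)(iii): reasonable reliance on the requester's representation.
    if req.requester_type == "researcher":
        if req.research_basis in RESEARCH_BASES:
            return Triage("disclose", req.sections,
                          f"(d)(3)(iii) d research documentation: {req.research_basis}")
        return Triage("individual_review", frozenset(),
                      "researcher without 164.512(i) documentation")
    if req.requester_type in RELIANCE_REQUESTERS:
        if RELIANCE_REQUESTERS[req.requester_type] and not req.mn_representation:
            return Triage("individual_review", frozenset(),
                          f"{req.requester_type} has not represented that request is MN")
        return Triage("disclose", req.sections,
                      f"(d)(3)(iii) reliance on {req.requester_type}")

    # (d)(3)(ii): everything else is non-routine and is reviewed one at a
    # time against the CE's written MN criteria.
    return Triage("individual_review", frozenset(),
                  f"(d)(3)(ii) non-routine disclosure for {req.purpose!r}; apply MN criteria")


if __name__ == "__main__":
    print(triage(DisclosureRequest(
        "covered_entity", "follow-up care",
        frozenset({"discharge_summary", "insurance", "lab_results"}),
        protocol="discharge_summary_to_pcp")))
```

Outgoing requests under (d)(4) mirror this structure: a protocol table for routine requests and individual review against criteria for the rest, with the same entire-record check before a request leaves the CE. The "dropped" list in the basis string is what a reviewer would want to see when a protocol silently trims a request.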
Attachments
• MRH Disclosure of PHI Flowchart (draft)
• MRH Disclosure of PHI - MN Policy (draft)
• NHS Request for PHI Worksheet (draft)
• NHS Research Preparation Request (draft)
Questions?