The fifth most common cause of federal regulators investigations into HIPAA-covered entity activities concerns compliance with the health privacy law’s “minimum necessary” standard, according to the National Committee on Vital and Health Statistics (NCVHS).
In an effort to help the US Department of Health and Human Services (HHS) develop guidance on this topic, NCVHS’s subcommittee on privacy, confidentiality, and security held a hearing on Thursday, June 16. Melissa Martin, RHIA, CCS, CHTS-IM, president and chair of AHIMA’s Board of Directors testified on behalf of AHIMA Thursday morning.
“More than a decade since enactment of the minimum necessary standard, confusion around compliance still exists throughout the industry,” Martin said. “A clear definition of ‘minimum necessary’ must be developed in future guidance. This includes establishing distinct, objective criteria that would enable stakeholders to meet the minimum necessary standard. An updated definition also could include differing levels of minimum necessary that are dependent on specific identifiers.”
Also testifying at the hearing was Rita Bowen, MA, RHIA, CHPS, a former past president of AHIMA, and vice president of privacy, HIM policy, and education at MRO Corp.
Source of Minimum Necessary Confusion
As explained by HHS, the minimum necessary standard “requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose.”
The confusion around the minimum necessary requirement stems from the fact that the law allows for covered entities to define it on their own, so it varies from organization to organization.
As Martin’s testimony states, “Since it is up to the covered entity rather than the patient to determine what ‘minimum necessary’ means, this exposes an interpretation loophole which may lead to confusion and potential litigation should a patient and/or their legal representative disagree with what the covered entity defines as ‘minimum necessary.'”
AHIMA offers several key recommendations, including:
- A clear definition of minimum necessary must be developed in future guidance. This includes the development of clear, objective criteria that would enable stakeholders to meet the minimum necessary standard.
- Technology capabilities and limitations associated with achieving the minimum necessary standard must be acknowledged and addressed in any future guidance.
- Enhance focus on the patient’s needs and the role of the steward in the development of future guidance. For example, the existing regulation that allows a patient to limit certain information from disclosure to their respective third-party payer.
- Provide educational resources and materials with the accompanying guidance.
Click here to read Martin’s entire statement.