This policy will provide instruction regarding Missouri State’s obligations relating to the HIPAA requirement to use, disclose, or request only the minimum amount of protected health information (PHI) necessary to accomplish the intended purpose of the use, disclosure or request. 45 CFR § 164.502
The University’s HCC
- Definitions. As used in this operating regulation, the following terms shall mean:
- Protected Health Information (PHI) (45 CFR § 164.501): means individually identifiable information relating to past, present or future physical or mental health or condition of an individual, provision of health care to an individual, or the past, present or future payment for health care provided to an individual. See HIPAA Procedure 1.005, 1.b. and c.
- Workforce Members (45 CFR § 160.103): employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the Missouri State HCC, is under the direct control of the HCC, regardless of whether they are paid by the HCC.
- The Missouri State HCC and its workforce will make reasonable efforts to ensure that the minimum necessary protected health information (PHI) is disclosed, used, or requested. Exceptions to the minimum necessary requirement include:
- Disclosures to the individual who is the subject of the information;
- Disclosures made pursuant to an authorization;
- Disclosures to or requests by healthcare providers for treatment purposes;
- Disclosures required for compliance with the standardized HIPAA transactions;
- Disclosures made to HHS/OCR pursuant to a privacy investigation; or
- Disclosures otherwise required by the HIPAA regulations or other law.
- Each user of PHI will be subject to the provisions of policy 8.040 relating to staff access to PHI.
- Reasonable efforts will be made to limit each PHI user’s access to only the PHI that is needed to carry out his/her duties. These efforts will include the Unit Privacy Officer or designee monitoring staff use and disclosure of PHI.
- For situations where a use or disclosure of, or request for, PHI occurs on a routine and recurring basis, the University or Unit Privacy Officer or designee may issue directives as to what information constitutes the minimum necessary amount of PHI needed to achieve the purpose of the use, disclosure or request.
- For non-routine disclosures (other than pursuant to an authorization), staff should address questions to the Unit Privacy Officer or designee or the University Privacy Officer or designee, to assure that PHI is limited to that which is reasonably necessary to accomplish the purpose for which disclosure is sought. Examples of non-routine disclosures include providing PHI to accrediting bodies, insurance carriers, research entities, funeral homes, etc.
- Any questions related to this policy should be directed to the Unit Privacy Officer or the University Privacy Officer.
- Sanctions. Failure to comply or assure compliance with this policy shall result in disciplinary action, up to and including dismissal.
- Review Process. The University Privacy Officer will collect information from the Unit Privacy Officers during the month of April each year beginning in 2004 for the purpose of providing feedback to the HIPAA Management Team as to compliance with the procedure and any proposed modification or recommendation that additional training be implemented.
History: Effective March 21, 2003.