Drexel University Clinical Covered Entities
Privacy Program Policies and Procedures
Policy Title: Minimum Necessary
Policy Number: IM-02
Effective Date: April 14, 2003; September 23, 2013
Last Revision: September 1, 2017
Responsible Officer: Vice President, Chief Compliance, Privacy and Internal Audit Officer
This policy applies to all Covered Entities within Drexel University.
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
Drexel University (DU) requires that employee and faculty access to patient information and disclosure of patient information be limited to that information necessary to perform an authorized job function. Access is limited by the assignment of an assigned access category (AAC) by departmental administration. Disclosures in all cases, other than disclosures: (i) to a healthcare provider for treatment purposes; (ii) to the Secretary of Health and Human Services to evaluate compliance; (iii) to individuals upon a valid request for a copy of his/her medical record; (iv) made pursuant to an authorization; or (v) required by law (including under HIPAA), shall be limited to the minimum necessary.
Need to know is the principle that states that a user should access only the specific information necessary to perform a particular function in the exercise of his/her appointed duties. Once an assigned access category is selected by the Department, the authorized data user is obligated to assess the appropriateness of each specific access on a "need to know" basis as determined by the assigned access category.
Minimum necessary is the principle that states that the minimum amount of information necessary to complete a task should be utilized to limit disclosure of unnecessary information.
This policy applies to all University faculty and non-faculty employees, volunteers, students and trainees.
Information that falls under this policy may, subject to the exceptions set forth above, include:
- Rendering direct clinical care to specific patients;
- Disease management and prevention activities;
- At the request of the patient or when friends or relatives have a form signed by the patient authorizing release of the information;
- Administrative support activities, i.e. physician credentialing;
- Financial analysis to assess the business impact of patient care;
- Performing reimbursement analysis on specific patients;
- Performing activities in the course of development/fundraising, organizational strategic planning, organizational legal defense, or follow-up on a compliance complaint;
- Institutional Review Board approved research;
- Educational, research or teaching purposes or instructional requirement criteria;
- Performing quality assurance and/or regulatory compliance activities;
- Provision of educational materials for patients, given at the direction of their health care provider; and/or
- Other duties as necessary.
- The administrator/manager/supervisor is responsible for the communication of the University's Minimum Necessary Policy.
- The administrator/manager/supervisor is responsible for determining the "need to know" by considering assigned duties and determining the appropriate assigned access category for each employee.
- The administrator/manager/supervisor will ensure that each employee completes the training required as determined by the assigned access category.
- With respect to disclosures, the administrator/manager/supervisor is responsible for determining the minimum necessary to disclose and for determining whether an exception to minimum necessary applies.
- The administrator/manager/supervisor is responsible for counseling an employee about this policy and for taking corrective action for violations of this policy, which includes termination.
- The Chief Privacy Officer and Compliance Office are charged with the implementation, staff support and audit of the DU Privacy and Information Management Program Policies and with ensuring that the Minimum Necessary and Need to Know principles are being adopted.
- For routine and recurring disclosures, the administrator/manager/supervisor is responsible for developing policies with respect to the amount reasonably necessary to disclose. Non-routine disclosures shall be evaluated on a case-by-case basis.
- Requests for protected health information will be made to covered entities using the same minimum necessary standards that apply to disclosing protected health information.
- When appropriate, protected health information will be disclosed in the form of a limited data set, and to the extent applicable, pursuant to a data use agreement.