Skip Navigation

Minimum Necessary

A provider might have a patient's medical record that contains older portions of a medical record that were created by another previous provider. Will the HIPAA Privacy Rule permit a provider who is a covered entity to disclose a complete medical record even though portions of the record were created by other providers?

Are business associates required to restrict their uses and disclosures to the minimum necessary? May a covered entity reasonably rely on a request from a covered entity's business associate as the minimum necessary?

Are providers required to make a minimum necessary determination to disclose to Federal or State agencies, such as the Social Security Administration (SSA) or its affiliated agencies, for individuals' applications for Federal or State benefits?

Do the HIPAA Privacy Rule's minimum necessary requirements prohibit medical residents, medical students, nursing students, and other medical trainees from accessing patient medical information in the course of their training?

Does the HIPAA Privacy Rule strictly prohibit the use, disclosure, or request of an entire medical record? If not, are case-by-case justifications required each time the entire medical record is disclosed?

Doesn't the HIPAA Privacy Rule minimum necessary standard conflict with the HIPAA transaction standards?

How are covered entities expected to detemine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?

In limiting access, are covered entities required to completely restructure existing workflow systems, including redesigning office space and upgrading computer systems, in order to comply with the HIPAA Privacy Rule's minimum necessary requirements?

Is a covered entity required to apply the HIPAA Privacy Rule's minimum necessary standard to a disclosure of protected health information it makes to another covered entity?

May a covered entity accept documentation of an external Institutional Review Board's (IRB) waiver of authorization for purposes of reasonably relying on the request as the minimum necessary?

Must the HIPAA Privacy Rule's minimum necessary standard to be applied to uses or disclosure that are authorized by an individual?

Won't the HIPAA Privacy Rule's minimum necessary restrictions impede the delivery of quality health care by preventing or hindering necessary exchanges of patient medical information among health care providers involved in treatment?

May a covered entity that is a plaintiff or defendant in a legal proceeding use or disclose protected health information for the litigation?

Won't the HIPAA Privacy Rule's minimum necessary standard impede the ability of workers' compensation insurers, State administrative agencies, and employers to obtain the health information needed to pay injured or ill workers the benefits guaranteed them under State workers' compensation system?

Does the minimum necessary standard apply to research permissions that qualify for the transition provisions of the Privacy Rule (e.g., an informed consent document that was obtained prior to April 14, 2003)?

Back to Top

Back to HIPAA - Frequently Asked Questions