When talking about HIPAA and protected health information (PHI), the phrase “minimum necessary” is used quite often. But what does that really mean, and how do we ensure that is what we are doing?
Under HIPAA’s privacy rule, “minimum necessary” requires that we make reasonable efforts to limit PHI to the minimum information necessary to accomplish our purpose.
HIPAA makes it very clear that its goal is not to interfere with medical treatment, but HIPAA isn’t limited to doctors and nurses. What about other non-medical staff who need patient information to do their job?
Coders, billers and IT personnel need access to PHI, but how do we ensure we are limiting them to the minimum necessary? The rule also requires us to identify those individuals or groups of individuals who have access to PHI, as well as provide details about exactly what type of access they have.
As always with HIPAA, we also need to document our policies and procedures regarding this.
So where do we start?
One way is to set up “roles” in your facility that define exactly what patient information can be seen by each employee and vendor. The first step is to define the roles by examining each job and determining exactly how much PHI is needed.
Examine each job or department and find out how they use PHI now, then determine whether they are using the minimum necessary or possibly viewing more than they need. This step should not be rushed; it should be researched thoroughly to correctly determine the exact amount of PHI needed for each job.
Once this has been accomplished, you can create different “roles” based on different access to PHI. For example, Role 1 may only need access to a patient’s contact information, while Role 2 may need the complete medical chart. By predetermining which “role” each job belongs to, you can now match your employees and vendors by job into a role.
This also allows new employees to be given the correct access when they start with your organization, and it helps with correctly removing access when an employee leaves. A nice benefit of this process is that you have now produced the documentation you need to comply.
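The role approach described above, sketched as an added example (not code from the original post). The field names, job titles, job-to-role assignments and sample data are assumptions made up for illustration; only the "Role 1 sees contact information, Role 2 sees the full chart" split comes from the text.

```python
# Roles and the PHI fields each may see. Field names are assumptions.
ROLES = {
    "role_1": {"name", "phone", "address"},  # contact information only
    "role_2": {"name", "phone", "address",   # complete medical chart
               "diagnoses", "medications", "notes"},
}

# Job -> role assignment, decided once per job after reviewing how that
# job uses PHI (hypothetical job titles).
JOB_TO_ROLE = {"front_desk": "role_1", "nurse": "role_2"}

# Constructed workforce list: employees and vendors.
WORKFORCE = [
    {"id": "e1", "job": "front_desk", "active": True},
    {"id": "e2", "job": "nurse", "active": True},
    {"id": "v1", "job": "it_vendor", "active": True},  # job not yet assessed
    {"id": "e3", "job": "nurse", "active": False},     # has left
]

# Constructed patient record.
RECORD = {"name": "Pat Example", "phone": "555-0100", "address": "1 Main St",
          "diagnoses": ["J45"], "medications": ["albuterol"], "notes": "n/a"}


def allowed_fields(person):
    """Deny by default: departed staff and unassessed jobs see nothing."""
    if not person["active"]:
        return frozenset()
    role = JOB_TO_ROLE.get(person["job"])
    return frozenset(ROLES.get(role, ()))


def view_record(person, record):
    """Return only the fields the person's role permits."""
    fields = allowed_fields(person)
    return {k: v for k, v in record.items() if k in fields}


def access_report(workforce):
    """The documentation: who has access, through which role, to what."""
    rows = []
    for p in workforce:
        role = JOB_TO_ROLE.get(p["job"]) if p["active"] else None
        rows.append((p["id"], p["job"], role or "none",
                     sorted(allowed_fields(p))))
    return rows


if __name__ == "__main__":
    for row in access_report(WORKFORCE):
        print(row)
```

Because access derives from the job-to-role table, onboarding is a one-line job assignment, and marking someone inactive removes every field at once.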