HIPAA Q&A: How do CEs comply with the "minimum necessary" requirements under HIPAA?
HIM-HIPAA Insider, September 9, 2013
Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide you with the information you need.
Q. I am with a fairly large urology group in southern Indiana. We report to the state cancer registry, and local hospitals ask us for follow-up on their patients for reporting purposes. Some hospitals have asked that we provide access to our patient charts so their cancer registry specialists can access the updates. This access would be shared with them as "read-only" information through a secure site. Both hospitals requesting this information are asking for access to all of our charts (not just our cancer patients) to generate their monthly update reports, in case a patient not already labeled under one of our physicians has been referred here since the last follow-up information in his or her file.
The Indiana State Department of Health website states:
The State Cancer Registry is considered an exempt entity according to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule at 45 CFR 164.512(a) because state law mandates cancer reporting. Therefore, HIPAA CEs, such as the health care providers described in Section II.A, are permitted to disclose protected health information (PHI) to the State Registry without patient (or their personal representative's) consent.
Does this mean we are able, by law, to give access to all of our patients' records, even those without cancer, to our local hospitals if it is ultimately for their reporting to the state cancer registry?
A. As a CE, you must comply with HIPAA’s "minimum necessary" requirements. This means you must release the minimum amount of information needed to fulfill the purpose of the request. The information you are required to report to the state cancer registry is considered the minimum necessary because you are required by law to report it. You may share PHI with other CEs (local hospitals) for their healthcare operations (tracking cancer patients), but you must limit the information you share to the minimum necessary. Granting hospitals access to your entire patient database, including patients who do not have cancer, is unacceptable.
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLP, in Portland, Ore., answered this question for HCPro’s Briefings on HIPAA newsletter.