• E-mail
• Print
• RSS

HIPAA Q&A: How do CEs comply with the "minimum necessary" requirements under HIPAA?

HIM-HIPAA Insider, September 9, 2013

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide you with the information you need.

Q. I am with a fairly large urology group in ­southern Indiana. We report to the state cancer ­registry, and local hospitals ask us for ­follow-up on their patients for reporting purposes. Some hospitals have asked that we ­provide access to our patient charts so their ­cancer registry specialists can access the updates. This access would be shared with them as "read-only" information through a secure site. Both hospitals requesting this information are asking for ­access to all of our charts (not just our cancer patients) to generate their monthly update reports, in case a patient not already labeled under one of our physicians has been referred here since the last follow-up ­information in his or her file.

The Indiana State Department of Health website states:
The State Cancer Registry is considered an exempt entity according to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule at 45 CFR 164.512(a) because state law mandates ­cancer reporting. Therefore, HIPAA CEs, such as the health care providers described in Section II.A, are permitted to ­disclose protected health information (PHI) to the State Registry without patient (or their personal representative's) consent.

Does this mean we are able, by law, to give access to all of our patients' records, even those without cancer, to our local hospitals if it is ultimately for their reporting to the state cancer registry?

A. As a CE, you must comply with HIPAA’s "­minimum necessary" requirements. This means you must release the minimum amount of ­information needed to fulfill the purpose of the request. The information you are required to report to the state cancer registry is considered the mini­mum necessary because you are required by law to ­report it. You may share PHI with other CEs (local hospitals) for their healthcare operations (tracking cancer ­patients), but you must limit the ­information you share to the minimum necessary. Granting hospitals access to your entire patient database, including patients who do not have cancer, is unacceptable.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLP, in Portland, Ore., answered this question for HCPro’sBriefings on HIPAA newsletter.

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

• E-mail to a Colleague
• Print
• RSS
• Archive