Health Information Management

HIPAA Q&A: How do CEs comply with the "minimum necessary" requirements under HIPAA?

HIM-HIPAA Insider, September 9, 2013


Submit your HIPAA questions to Editor Jaclyn Fitzgerald at and we will work with our experts to provide you with the information you need.

Q. I am with a fairly large urology group in southern Indiana. We report to the state cancer registry, and local hospitals ask us for follow-up on their patients for reporting purposes. Some hospitals have asked that we provide access to our patient charts so their cancer registry specialists can access the updates. This access would be shared with them as "read-only" information through a secure site. Both hospitals requesting this information are asking for access to all of our charts (not just our cancer patients) to generate their monthly update reports, in case a patient not already labeled under one of our physicians has been referred here since the last follow-up information in his or her file.

The Indiana State Department of Health website states:
The State Cancer Registry is considered an exempt entity according to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule at 45 CFR 164.512(a) because state law mandates cancer reporting. Therefore, HIPAA CEs, such as the health care providers described in Section II.A, are permitted to disclose protected health information (PHI) to the State Registry without patient (or their personal representative's) consent.

Does this mean we are able, by law, to give access to all of our patients' records, even those without cancer, to our local hospitals if it is ultimately for their reporting to the state cancer registry?

A. As a CE, you must comply with HIPAA’s "minimum necessary" requirements. This means you must release the minimum amount of information needed to fulfill the purpose of the request. The information you are required to report to the state cancer registry is considered the minimum necessary because you are required by law to report it. You may share PHI with other CEs (local hospitals) for their healthcare operations (tracking cancer patients), but you must limit the information you share to the minimum necessary. Granting hospitals access to your entire patient database, including patients who do not have cancer, is unacceptable.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLP, in Portland, Ore., answered this question for HCPro’s Briefings on HIPAA newsletter.
