Page 41 - Privacy_Program
P. 41
DISCLOSING AND REQUESTING THE MINIMUM NECESSARY [DP162]
Back to Table of Contents
Scope: Enterprise
Distribution: Executive Leadership Team; Director of Information Technology, Privacy and Data Security; Directors, Managers
and Supervisors; All Services and Programs Employees; and Other Employees with Access to Protected Health Information and
Other Privacy‐Restricted Participant Information (includes Contractors, temporary employees and Interns)
Purpose: To ensure the organization requests and discloses to third parties only the minimum Protected Health Information and
Other Privacy‐Restricted Participant Information necessary to meet its stated business objectives.
External Regulation or Standard: 45 C.F.R. §§164.502(b) & 164.514(d) ‐ minimum necessary
Who is Responsible Statement Policy, Standard, or Procedure Statement
Number
Employees with Access P162.1 The organization will follow proper procedures to ensure that only the minimum
to Protected Health amount of Protected Health Information (PHI) and Other Privacy‐ Restricted
Information (PHI) and Participant Information (PRPI) necessary to accomplish the specific purpose of a
Other Privacy‐ Restricted use or disclosure is used or disclosed.
Participant Information
(PRPI)
Employees and others DP162.2 The organization will request from participants and other entities only the
with Access to PHI and minimum amount of information necessary to accomplish the services that
other PRPI organization is providing to the participant.
Employees with Access DP162.3 This policy does not apply to the following uses or disclosures:
to PHI and other PRPI
DP162.3a (a) disclosure to or requests by a provider for treatment;
DP162.3b (b) uses or disclosure made to the individual who is the subject of the
information;
DP162.3c (c) uses or disclosure pursuant to an authorization;
DP162.3d (d) disclosure made to the Department of Health and Human Services;
DP162.3e (e) uses or disclosures required by law; and
DP162.3f (f) uses or disclosure required for compliance with applicable laws and
regulations.
Employees and others DP162.4 All new proposed uses or disclosures of PHI and other PRPI will be reviewed by
persons understanding the organization’s privacy policies and practices and
with Access to PHI and
sufficient expertise to understand and weigh the necessary factors.
other PRPI, with
Director of Information
Technology, Privacy and
Data Security and Legal
if Needed
DP162.5 The organization will only use, disclose, or request an entire medical record when
Employees and others
the entire medical record is specifically justified as being reasonably necessary to
with Access to PHI
accomplish the purpose of the use, disclosure, or request.
DP162.6 The organization will use the following criteria in limiting the amount of
Employees and others
participant information requested and disclosed by the organization staff:
with Access to PHI and
other PRPI
GES CONFIDENTIAL 35
