HIPAA Privacy Policies and Procedures
Minimum Necessary Requirements
This policy applies to all DOEA employees, agents and Business Associates that perform duties in conjunction with the access, distribution, dissemination, modification, and management of Protected Health Information (PHI).
It is DOEA’s policy to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule by establishing and implementing minimum necessary requirements for uses and disclosures of PHI, as well as requests for PHI from other covered entities.
DOEA will make reasonable efforts to limit PHI used, disclosed, or requested from another Covered Entity to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.
The DOEA uses PHI in the normal course of treatment, payment and operations. These activities are limited to three divisions of the agency:
Division of Planning and Evaluation for the purpose of research and evaluation;
Division of Volunteer and Community Services for the purpose of Consumer Directed Care (CDC) program administration, administering Medicaid programs, contract management and volunteer activity, and limited research programs;
Division of Statewide and Community Based Services for the purpose of administering Medicaid programs, Program administration, CARES, limited research programs, and programs specified by the legislature.
These divisions have access to specific client based PHI on a need to know basis. Each program is restricted to the information for its own program. Each Division has the responsibility of identifying work units that have access to PHI and annually verifying the continued need. Individuals in work groups are required to take training to understand confidentiality laws and rules and the need to know basis for having access to PHI.
Each division shall abide by all the policies for confidentiality in conducting their activities, including:
Restricting access based on specific roles of DOEA’s workforce.
Limiting routine disclosures to the minimum necessary to achieve the purpose of the disclosure.
Limiting requests to other covered entities to what are reasonably necessary for the particular use or disclosure. This is particularly critical in program monitoring.
For routine, recurring disclosures, DOEA must:
1. Limit the types of Protected Health Information (PHI) to be disclosed to what is actually necessary to accomplish the programmatic requirements. Sharing of PHI with agencies responsible for treatment, payment or operations is to be limited to the information necessary. Examples of information sharing permitted under normal treatment or operations are:
2. Limit the types of persons who would receive the PHI to those to whom disclosure is necessary to perform treatment, payment or operation. This includes:
3. The conditions that would apply to such access are included in the agreements between the AAAs and DOEA.
Routine disclosures are primarily the concern of the CARES and the CDC programs.
For non-routine disclosures, DOEA must limit the amount of information disclosed to the minimum necessary to accomplish the purpose of the disclosure. Use these criteria to review these disclosures on an individual basis:
Non-routine disclosures must be logged in the WEB DB tracking system and the case file for DOEA clients.
When requesting PHI from another Covered Entity DOEA must limit its request to what is reasonably necessary to accomplish the purpose of the request.
For routine, recurring requests DOEA must:
For all other requests DOEA must review the request on an individual basis to determine that the PHI requested is limited to the information reasonably necessary to accomplish the purpose of the request.
When the request is for the entire medical records file, it must specifically justified as reasonably necessary, and approved by the CARES supervisor or the CDC Program Administrator.
Minimum necessary does not apply to:
Violations must be reported to the DOEA Privacy Officer.
45 CFR 164.502 b
Return to Top