The National Committee on Vital and Health Statistics’ (NCVHS) subcommittee on privacy, confidentiality, and security held a hearing last week to help the Department of Health and Human Services (HHS) develop better guidance on the HIPAA minimum necessary standard.
This standard requires covered entities to “make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request,” according to HHS’ website. Furthermore, organizations cannot “use, disclose, or request the entire medical record for a particular purpose, unless it can specifically justify the whole record as the amount reasonably needed for the purpose.”
American Health Information Management Association (AHIMA) President and Board of Director’s Chair Melissa Martin, RHIA, CCS, CHTS-IM, testified at the hearing, saying that a clearer definition of the standard is necessary for future guidance.
Letting the covered entity determine what is an appropriate definition of the “minimum necessary” can be inconsistent, according to Martin, and could even “lead to confusion and potential litigation should a patient and/or their legal representative disagree” with that definition.
The continued evolution of technology can also create problems, Martin added. When the minimum necessary standard was first implemented, technology was nowhere near what it is today.
“Stakeholders are increasingly focused on the data or health information itself,” she explained. “Consequently, this raises other issues including the ability to sequester data or parts of the record, the use of standardized metadata to allow for sequestering, the ability to allow for disclosure of de-identified information for purposes of research and improvement, as well as the ability of patients, consumers, caregivers, and patient representatives to access their information.”
However, EHR systems often lack the capabilities to perform these types of queries.
There are also regulatory challenges, according to Martin. For example, healthcare organizations are working to improve interoperability and also advance the access and use of clinical research data. The regulations and legislative mandates on how data can be shared and PHI accessed can make it more difficult to adhere to the minimum necessary requirement.
“AHIMA has long advocated for the need to improve and enhance the flow of data throughout the healthcare system,” she maintained. “However, as the paradigm has shifted to enhancing data sharing and improving data accessibility, the amount of PHI necessary to meet the minimum necessary standard has expanded exponentially, so that the concept is associated with fewer transactions.”
AHIMA recommends that a clear and objective minimum necessary definition be created. This could also include different levels of minimum necessary that are dependent on specific identifiers.
Additionally, metadata’s role in the minimum necessary standard has to be taken into account, Martin added, as there is a large focus in the industry on sharing and improving data access.
The technological capabilities and potential limitations should also be taken into account.
“Enhance focus on the patient’s needs and the role of the steward in the development of future guidance,” Martin stated. “For example, the existing regulation that allows a patient to limit certain information from disclosure to their respective third-party payer.”
Patients should also clearly understand from all data holders that their PHI “will not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a related function.”
Finally, educational resources and materials should be created along with the updated guidance. Frequently asked questions, fact sheets, and other similar materials could be greatly beneficial, according to Martin.
“Such materials should also include consumer-friendly resources to help consumers understand the minimum necessary standard.”
AHIMA also conducted its own survey on the minimum necessary standard, and interviewed members who work in data analytics, clinical documentation improvement, education, and/or privacy and security.
Citing data from those interviews, Martin explained that 38 percent of those surveyed did not know if they had adopted a definition for minimum necessary, while 14 percent said they did not have one. Twenty-seven percent of respondents reported that they did have a minimum necessary definition.