When is Enough, Enough?

By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure, #HCdeJure

An easy-to-overlook aspect of the HIPAA Privacy Rule is the requirement that uses and disclosures be limited to the "minimum necessary" amount of protected health information. That means only the least amount of information needed to accomplish the intended purpose should be used or disclosed. That is not always an easy concept to keep in mind or to follow.

Before diving into an example of an overreaching request, an overview of the minimum necessary requirement will be helpful. The minimum necessary standard is found at 45 C.F.R. § 164.502(b), which is part of the general rules governing uses and disclosures of protected health information. As with so many requirements in the Privacy Rule, the initial statement provides that a covered entity must make reasonable efforts to limit uses, disclosures and requests to the minimum necessary amount of protected health information. The regulation then states that the following uses and disclosures are exempt from the minimum necessary requirement: (i) disclosures to, or requests by, a health care provider for treatment, (ii) uses or disclosures to the individual who is the subject of the protected health information, (iii) uses or disclosures made pursuant to a valid authorization, (iv) disclosures to the Secretary of the Department of Health and Human Services, (v) uses or disclosures required by law, and (vi) uses or disclosures required for compliance with applicable portions of the Privacy Rule.

On the whole, the carve-outs are fairly limited and do not cover many instances. Reading between the lines a little, the exemptions apply where the use or disclosure will benefit the individual or where the law mandates that it occur. Those make sense because an overriding interest is driving the use or disclosure.

With background on the minimum necessary requirement out of the way, an interesting example can now be presented. As will happen from time to time (or too frequently, depending on one's particular viewpoint), healthcare providers or organizations receive requests from payors to provide medical records. The request may be for the purpose of auditing the accuracy of claims submissions or as part of a general quality review. An increasingly common reason is that a payor "needs" data from the medical records to gather risk adjustment data in connection with submitting reports required by the Affordable Care Act.

A compliance officer provided such a request to me, but with a nuanced question. Specifically, the request received by this particular compliance officer sought all records concerning a specified list of patients for an entire year. However, the patients were not always covered by the requesting payor for the entire year. For example, one patient may have been on payor X and then switched to the requesting payor for only two months of the year. Despite that limitation, the payor wanted all of the patient's information for the entire year. Could all of the information be disclosed?

While the answer could depend on the particular facts, the request certainly seems overly broad. Why could a payor seek information about a patient for periods when the patient was not a beneficiary of that payor? Seeking all of the information would appear to go beyond the bounds of minimum necessary. As the notice from the payor indicated, the information was needed for that payor's own risk adjustment filings. The FAQs included by the payor explained that the risk adjustment review is meant to "identify any gaps in coding that are supported by the documentation" and to help ensure accurate coding. The explanation implies that coding should accurately reflect the actual health status of patients covered by the payor. Reviewing coding from claims that the payor did not cover would not be needed for that purpose.

Given the concerns about the scope of information requested, the compliance officer in question contacted a former Office for Civil Rights (OCR) official. That individual agreed that the request overstepped minimum necessary bounds and even suggested that OCR was aware of such issues. Awareness will not necessarily equate to action, because it is highly likely that other issues have higher priority and this one will remain toward the bottom of the list.

Even if OCR will not be taking action, providers or organizations receiving overly broad requests can push back. It is justified to stand up for one's interests and to seek to ensure that any request is consistent with applicable HIPAA requirements. Minimum necessary is a real requirement, not just superfluous language in the regulation.

This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.