Can You Keep A Secret?
HIPAA Privacy and You
Minimum Necessary
Last month we talked about some of the times when HIPAA allows us to release
patient information. Whether information can be released is only half
the question, however. There is also the question of what information to disclose.
For disclosures that aren’t for treatment or to the patient directly,
HIPAA generally requires that only the “minimum necessary” information
be provided.
One of my patient’s films would be a great example to use in
my course. Can I show it to the students during class?
Yes, but any unnecessary information should be removed first. As a teaching
example, there would be no need for the patient’s name, medical record
number or any other identifier to be shown in connection with the film.
Can I leave test results on an answering machine or with whoever
answers the phone?
It really depends on the test and any prior knowledge of the patient’s
home life. Some things to think about are whether the test results require
a more detailed explanation than can be left on a voice mail and whether it
is likely that other household members would be aware of the test. In some
cases, a message such as “This is Jane Doe from the pediatrics and your
daughter’s throat culture is negative” is fine. When in doubt,
err on the side of less information, such as “This is Jane Doe from the
health plan. Your test results are in. Please call me at …”
A patient has asked for a copy of her records. Can I give her the
whole thing?
Yes. Patients have a right to access their entire designated record
set, and the minimum necessary standard does not apply. In limited circumstances,
however, portions of the records may be excluded. For example, research records
for which the patient-subject has signed an authorization that limits access
during the study period can be excluded.
What records should I send the Social Security Administration (SSA)
for determination of disability?
Requests from the SSA should be
accompanied by their form SSA-827, which constitutes a valid HIPAA authorization.
Disclosures based on an authorization are not required to follow the minimum
necessary standard.
More information on the minimum necessary standard can be found in HIPAA policy
5037, available at http://www.hipaa.yale.edu/ or
by contacting the Privacy Office at 436-3650, hipaa@yale.edu.
