Minimum Necessary Rule

Columbia University has established safeguards to limit unnecessary or inappropriate access to, and use or disclosure of, Protected Health Information (PHI). PHI will be used or disclosed when it is necessary to satisfy an approved purpose and in compliance with the Minimum Necessary requirements of the HIPAA Privacy Rule.

Reason(s) for the Policy

To comply with the Minimum Necessary standard for the Use or Disclosure of PHI, as required by the HIPAA Privacy Rule.

Primary Guidance To Which This Policy Responds

HIPAA Privacy Rule 45 CFR § 164.502(b), 164.514(d)

Who is Governed by This Policy

All Columbia University Healthcare Component (CUHC) workforce members with access to Protected Health Information (PHI).

Who Should Know This Policy

All CUHC workforce members with access to Protected Health Information (PHI).

Columbia must make reasonable efforts to limit PHI used, accessed, disclosed or requested to the minimum necessary to accomplish the intended purpose.

When Minimum Necessary Rule Applies

The Minimum Necessary Rule applies in three HIPAA circumstances:

  • When using PHI internally within the Covered Entity
  • When disclosing PHI to an external party in response to a request (except for treatment-related disclosures)
  • When requesting PHI from another HIPAA Covered Entity
When the Minimum Necessary Rule Does Not Apply

The Minimum Necessary Rule does not apply in the following situations:

  • Disclosures to or requests by a health care provider for treatment purposes (Note: A provider’s internal uses of PHI for treatment are subject to the Minimum Necessary Rule)
  • Use or disclosure made to the individual to whom the PHI pertains, including in response to a request for access or an accounting
  • Use or disclosure made pursuant to a valid authorization to release medical information
  • Disclosures made to the Secretary of the Department of Health and Human Services for the purposes of compliance and enforcement of the HIPAA Privacy and Security Regulations
  • Use or disclosure of PHI to the extent that such use or disclosure is required by law, complies with and is limited to the relevant requirements of such law
  • Use or disclosure required for compliance with the HIPAA Privacy Regulation
Access to or Use of PHI by Workforce Members

Columbia has identified the persons or groups who require access to PHI to carry out their duties and assigned role-based access to these individuals appropriate to their job functions. These persons or groups may include, but are not limited to, the following categories:

  • Physicians who are employed by Columbia;
  • Nursing staff
  • Ancillary staff including medical assistants, laboratory staff and others supporting patient care activities
  • Administrative staff including: health information management, business offices, quality, compliance, administration, information systems, human resources and other workforce as need to support the covered entity
  • Students
  • Columbia Researchers with approval from the Office of Human Research Protections (OHRP) or (IRB)
  • Authorized individuals in Columbia's OHCA; and 
  • Authorized business associates acting within the scope of their agreement with Columbia.

The list above is not intended to be all-inclusive and may be modified as necessary.
The Chief Medical Information Officer (CMIO) or their designee is responsible for identifying the individuals or groups of workforce members who require access to PHI to carry out their duties and designating the types of PHI needed for each individual or group to carry out their work duties.

This designation should:
  • List the job duties of each person or group of workforce members identified;
  • Identify access granted using a role-based approach, delineating the category or categories of PHI to which each person or group of workforce members requires access and when such is access needed;
  • Limit the access of each person or groups of workforce members to the Minimum Necessary PHI;
  • Comply with Information Security policies including, but not limited to; Information Access Management, Workstation Use and Security, Technical Access Controls, Person or Entity Authentication as appropriate; and
  • Be documented, periodically reviewed and permanently maintained.
  • Review subsequent designations or changes in access to the Minimum Necessary PHI.
  • Where the use of the entire medical record is reasonably necessary, the designation must state so explicitly and include a documented justification.
Minimum Necessary designations must be documented.

This includes:

  • The initial designation for a person or group of workforce members;
  • Changes or updates to the designation for a person or group of workforce members resulting from:
    • changes in the role or responsibilities of the person or group
    • changes in employment, or
    • changes in technology used or methods in place for limiting access to PHI, including changes in computer systems, applications or the physical environment where PHI is stored; and
  • Designations for new persons or groups of workforce members.
Disclosures of and Requests for PHI

Columbia may not disclose an entire medical record unless:

  • Authorized in writing by the patient or his/her personal representative; or
  • The entire medical record is specifically justified as the amount of information that is reasonably necessary to accomplish the purpose of the disclosure, which justification should be documented, if appropriate.

The Director of Health Information Management or his/her designee is responsible for developing appropriate procedures to apply the Minimum Necessary standard for disclosures of and requests for PHI. These standards pertain to the following types of disclosures:

  • Routine and recurring disclosures of and requests for PHI to limit the PHI; and
  • Non-routine disclosures of and requests for PHI

All workforce members are required to comply with this policy

  • Department Administrators are responsible for identifying any conditions that would have an impact on a workforce member’s ability to access and/or disclose the PHI they are authorized to access.
  • Department Administrators are responsible for making reasonable efforts to limit the access to PHI necessary to carry out the workforce members job duties, functions and responsibilities.

Columbia University Healthcare Component (CUHC) – Columbia University is a Hybrid Entity that has designated as its Healthcare Component (the Columbia University Healthcare Component) Columbia University Medical Center and the other colleges, schools, departments and offices of the University to the extent that they (i) provide treatment or health care services and engage in Covered Transactions electronically or (ii) receive Protected Health Information to provide a service to, or perform a function for or on behalf of, the Columbia University Healthcare Component.

Covered Entity – (i) a health plan, (ii) healthcare clearinghouse, or (iii) healthcare provider that transmits any health information in electronic form in connection with a Covered Transaction.

Protected health information is individually identifiable health information:
(1) Except as provided in section (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium (includes paper and oral communications).
(2) Protected Health Information excludes individually identifiable health information: (i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) In employment records held by a covered entity in its role as employer; and (iv) Regarding a person who has been deceased for more than 50 years