HIPAA FAQs - Minimum Necessary

What is the intent of the minimum necessary requirement?
The purpose of this provision is to safeguard protected health information (PHI) to the extent that when PHI is released, only the minimum amount of information needed to satisfy the request is released. You must make appropriate efforts to accomplish this limitation.

The minimum necessary standard is intended to be consistent with, and not override, professional judgment and standards. Practices must implement policies and procedures based on their own assessment of what PHI is reasonably necessary for a particular purpose.

This standard is derived from confidentiality codes and is already in common use today within medical practices. The belief is that a sound practice would not use or disclose PHI that is not necessary to satisfy a request or effectively carry out a function. 

Are there exceptions to the minimum necessary requirement?
As with many rules, there are times when this requirement does not apply. They are:

A. Disclosures to or requests by a health care provider for treatment.
B. Uses or disclosures made to the individual, as permitted under paragraph (a)(1)(i) of this section or as required by paragraph (a)(2)(i) of this section. 
C. Uses or disclosures made pursuant to an authorization under § 164.508.
D. Disclosures made to the Secretary of Health and Human Services in accordance with subpart C of part 160 of this subchapter.
E. Uses or disclosures that are required by law, as described by § 164.512(a).
F. Uses or disclosures that are required for compliance with applicable requirements of this subchapter.

In plainer language, the minimum necessary requirement does not apply to disclosures required by law, disclosures made to the individual or based on an authorization initiated by the individual, or requests by a health care provider for treatment purposes. In addition, disclosures are allowed as required for compliance with the regulations implementing the other administrative simplification provisions of HIPAA, or when made to the Secretary of Health and Human Services (HHS) for purposes of enforcing this Rule.

What is the significance of an individual authorizing release of protected health information (PHI)?
All uses and disclosures made pursuant to any authorization are exempt from the minimum necessary standard.

Can information be released for continuity of care concerns to another provider without an individual authorizing release of protected health information (PHI)?
While it is appropriate to release PHI to a subsequent provider, the Privacy Rule permits a practice to reasonably rely on another practice’s request for PHI as the minimum necessary for the intended disclosure. The practice that holds the information retains the discretion to make its own minimum necessary determination.

What about an individual authorizing release of protected health information (PHI) that includes psychotherapy notes?
The U.S. Department of Health and Human Services clarified that the final Rule does not require a practice to use or disclose PHI as a result of an authorization. If a practice is concerned that a request for an individual’s psychotherapy records is unwarranted or excessive, the practice may consult with the individual to determine whether or not the authorization is consistent with the individual’s will for releasing protected health information.

The Privacy Rule does not permit a health plan or health care provider to condition coverage or treatment on an authorization to use or disclose psychotherapy notes. It is felt that these additional protections appropriately and effectively protect an individual’s privacy with respect to psychotherapy notes.

What should a practice do to implement HIPAA's Minimum Necessary provisions?
Requirements for implementing this standard include developing and implementing appropriate policies and procedures that reasonably minimize the amount of protected health information (PHI) used, disclosed, and requested. These policies and procedures must identify the persons or classes of persons within the practice who need access to PHI to carry out their duties, the categories or types of PHI needed, and the times when it is appropriate to access this information.

For regular or recurring requests and disclosures, the policies and procedures may be standard protocols. Non-routine disclosures or requests for PHI must be reviewed on an individual basis.

What about the release of protected health information (PHI) not made in a routine and recurring manner?
A practice must implement the minimum necessary standard by developing and implementing criteria designed to limit the request for PHI to the minimum necessary to accomplish the intended purpose.

 
