Health Information Compliance Alert

Published on Thu Jan 03, 2013 PDF

Coming to grips with the minimum necessary standard of the Health Insurance Portability and Accountability Act’s privacy standard isn’t a matter of learning new rules — it’s a matter of changing organizational cultures.

The minimum necessary principle isn’t brand new to health care organizations. But the privacy rule will go much further than need-to-know standards of the past and force frontline information handlers to make some tricky determinations as to exactly what is the minimum necessary.

Coming to grips with the minimum necessary standard of the Health Insurance Portability and Accountability Act’s privacy standard isn’t a matter of learning new rules — it’s a matter of changing organizational cultures.

The minimum necessary principle isn’t brand new to health care organizations. “Most of us have been applying what we call a ‘need-toknow’ release policy,” explains Gwen Hughes, a practice manager with the American Health Information Management Association, based in Chicago. But the privacy rule will go much further than need-to-know and force frontline information handlers to make some tricky  determinations as to exactly what is the minimum necessary.

“Yes, it’s absolutely going to be a problem — you don’t want to convey more than somebody needs to know,” says Tom Stevens, president of Enterprise Systems Group in Miami.

The privacy rule will require that health care organizations identify the employees who need access to protected health information — and what categories of information they need. “There may be some friction in facilities where they’ve had a looser interpretation of minimum necessary,” Hughes tells Eli. For example, some facilities provide access to the whole health record to the business office in order to help show that certain services were provided. Unless the facility can show it’s necessary, that practice will have to change.“Quite frankly, we all resist change and there may be some friction when we decide to restrict somebody’s access,” says Hughes.

Compliance Starts At the Top

Fortunately there are some techniques to help smooth that friction. The most important technique comes from the top of the organization. “The CEO and the COO of the organization have to make it clear that it’s a priority,” explains Hughes. “Even though the law talks about training employees when they come on staff, this is a perpetual awareness problem that must be kept in the forefront of people’s minds.” Therefore, covered entities need their higher ups to role model the appropriate behavior.

“This is an executive level ownership issue,” agrees Stevens. “I’m very concerned that administrations — often for valid reasons — are delegating this subject into a level in the organization that really doesn’t have the responsibility and the authority to ensure compliance.”

One of the problems with the minimum necessary requirement is that it will demand small changes that may on the surface seem tedious or unimportant. Managers and executives need to remind staff — and themselves — that “it’s inappropriate to talk in the elevators or the cafeteria and you should keep your voice low in the hallways,” says Hughes. And while it may be fun to gossip about an
unusual procedure or a well-known patient, it’s unacceptable.

With many medical records — especially paper records — it will be impossible to use technology to limit access to only certain parts of the file. That’s when HIPAA awareness and cultural change are most necessary. Covered entities “must train their people so that when they go into the medical record they are constantly cognizant of the fact that they can’t be rummaging through the material — they’ve got to go in, get what they need and get out,” counsels Michael Roach, an attorney with Michael Best & Friedrich in Chicago.

Keep in mind that the protected health information as defined by the privacy rule is not just the medical record, says Hughes. Organizations need to revisit their billing department’s protocols for releasing health information. According to Hughes, most billers use restraint and common sense when disclosing PHI, “what’s been cost effective and good ethical practice needs to be made a way of life.”

Covered entities need to take long looks at themselves to see where PHI might be leaking from, says Hughes. Other hotspots for PHI disclosures include social workers trying to continuing care for a patient or radiology and imaging departments. “They need to apply the minimum necessary standard in all those areas and make sure that training happens in all those areas — not just medical records,” says Hughes.

Likewise, on the other end, health plans “are going to have to stop this practice of saying, ‘Send us the medical record,’ unless they’ve got a reasonable need for the whole record,” says Roach.