POLICY:
When using or disclosing Protected Health Information (PHI), or when requesting PHI,
Columbia University Medical Center will make reasonable efforts to limit the PHI
used, disclosed, or requested, to the minimum necessary.
As a general rule, Columbia University Medical Center will not use, disclose, or
request the entire medical record of a patient unless the entire medical record is
specifically identified as reasonably necessary to accomplish the use, disclosure,
or request.
PURPOSE:
Columbia University Medical Center is committed to protecting patient privacy,
including protecting the privacy of records that contain PHI, and to ensuring quick
and efficient delivery of health care services to its patients. This Policy describes
the reasonable efforts individuals at Columbia University Medical Center will take to
implement the Minimum Necessary Standard required by the Privacy Regulations of the
Health Insurance Portability and Accountability Act of 1996 (HIPAA).
PROCEDURES:
- When the Minimum Necessary Standard Does Not Apply.
Columbia University Medical Center will only use and disclose the amount of patient
PHI that is minimally necessary except in the following circumstances:
- when the PHI is for use by or a disclosure to a healthcare provider
for purposes of providing treatment to the patient;
- when the disclosure is to the patient or the patient's legally
authorized representative in accordance with the HIPAA/Patient Rights Policy;
- when the disclosure is pursuant to a valid authorization, in which
case, the disclosure will be limited to the PHI specified on the authorization;
- when the disclosure is to the Secretary of Health and Human Services;
or
- when the disclosure is required by law. (See the HIPAA/Disclosures
of Protected Health Information Required by Law Policy.)
- Accessibility by Department Employees to PHI
- Each Department is responsible for identifying those individuals in
the Department who need access to PHI in order to carry out their duties and the
PHI or types of PHI to which access is needed.
- Each Department is responsible for identifying any conditions that
would have an impact on a Department employee's ability to access and/or disclose
the PHI the employee is authorized to access.
- Each Department is responsible for making reasonable efforts to limit
the access to PHI by a Department employee to that necessary to carry out the
employee's job duties, functions, and/or responsibilities.
- Questions about PHI and its access by employees of Columbia University
Medical Center will be directed to the HIPAA Privacy Officer.
- Requests for PHI
- Each Department is responsible for reviewing requests for PHI from
internal and/or external sources to determine whether the request is one to which
the Minimum Necessary Standard applies.
- If the request is made by another health care provider in order
to obtain PHI necessary to treat the patient, the Minimum Necessary Standard
does not apply, and the PHI that is requested will be released as
quickly as possible.
- If the request is not made for purposes of providing treatment to
the patient, but it is also a type of request to which the Minimum Necessary
Standard does not apply, the Department will release the PHI in accordance
with the policies of Columbia University Medical Center.
- If the request is not made for purposes of providing treatment to
the patient, and it is a type of request to which the Minimum Necessary
Standard applies, the Department will:
- ensure that the request includes a statement of purpose and
release only the minimum amount of information necessary to meet the
purpose of the request; or
- if the request does not include a statement of purpose,
call the requester to obtain the statement of purpose for the request,
document the call, and take the appropriate action.
- If the request for PHI is one that occurs on a routine or
recurring basis, the Department is responsible for reviewing the request to
determine whether it is one to which the Minimum Necessary Standard applies.
Routine or recurring requests need be reviewed to determine whether the
Minimum Necessary Standard applies only the first time they are received and
after each time they are modified.
- Columbia University Medical Center will request only the minimum
amount of PHI necessary to accomplish the purpose for which the request is
made.
- Any questions about how to limit a request for PHI to ask for
only the minimum amount necessary should be directed to the HIPAA Privacy
Officer.
- The HIPAA Privacy Officer is responsible for conducting
audits on an "as needed" basis to confirm Columbia University Medical
Center is in compliance with the Minimum Necessary Policy.
- Columbia University Medical Center will rely on requests for PHI as
requesting only that PHI that is minimally necessary to meet the purpose of the
request if:
- the request is from a public official and the public official
represents that the information requested is the minimum necessary for the
stated purpose(s); or
- the information is requested by another covered entity (health
care provider, health care clearinghouse, or health plan); or
- the information is requested by an employee or a business
associate of Columbia University Medical Center and the individual
represents that the information requested is the minimum necessary for
the stated purpose(s); or
- the information is for research purposes and is requested in
accordance with and in the required legal format specified by law.
- Responses to Requests for PHI
- If a request for PHI is reviewed to determine whether the Minimum
Necessary Standard applies to it, but it is then forwarded to someone else at
Columbia University Medical Center for processing, the individual forwarding
the request is responsible for advising the individual who will respond to the
request whether the Minimum Necessary Standard applies.
- The person who responds to a request for PHI to which the Minimum
Necessary Standard applies is responsible for ensuring the PHI disclosed is
limited to the minimum amount of information necessary to meet the stated purpose
of the request.
- Definitions
Protected Health Information is information about a
patient, including demographic information that may identify a patient, that relates
to the patient's past, present or future physical or mental health or condition,
related health care services or payment for health care services.
Covered Entity means a health plan, a healthcare
clearinghouse, and a health care provider who transmits any PHI in electronic form
in connection with one of the HIPAA standard transactions.
RESPONSIBILITY:
Departments, HIPAA Privacy Officer
ISSUED: December 2003
REVIEWED: October 2007