

The minimum necessary standard specifies that covered entities must "make reasonable efforts to limit the use or disclosure of, and requests for, protected information to the minimum necessary to accomplish the intended purpose" (45 CFR Parts 160 and 164, Final Rule, page 53195). Whenever information is shared, only the minimum information needed to meet the request should be included.

In addition, any information about the person's health status, treatments, prognosis, and payment should be protected. Birthdates and dates of service (admission, discharge, etc.). It is anything that is created or received by a health care provider, health plan, employer, or health care clearinghouse. Protected health information, or PHI, is any information that may reasonably allow someone to identify the individual. The Privacy Rule applies to all forms of protected health information, including oral, paper, and electronic.

Who needs to comply with the Privacy Rule?

All HIPAA-covered entities and business associates of covered entities must comply with the Privacy Rule requirements.


Providers should always consult with their privacy and security officer(s) or an attorney when considering their privacy and security policies. This information is provided as guidance only.
