Minimum Necessary Requirements

Phi Protected Health Information

This policy applies to all DOEA employees, agents and Business Associates that perform duties in conjunction with the access, distribution, dissemination, modification, and management of Protected Health Information (PHI).

It is DOEA’s policy to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule by establishing and implementing minimum necessary requirements for uses and disclosures of PHI, as well as requests for PHI from other covered entities.

Violation of this or any other DOEA Privacy Policy is to be communicated to the Privacy Officer, Office of the General Counsel.

DOEA will make reasonable efforts to limit PHI used, disclosed, or requested from another Covered Entity to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.


The DOEA uses PHI in the normal course of treatment, payment and operations. These activities are limited to three divisions of the agency:

Division of Planning and Evaluation for the purpose of research and evaluation;

Division of Volunteer and Community Services for the purpose of Consumer Directed Care (CDC) program administration, administering Medicaid programs, contract management and volunteer activity, and limited research programs;

Division of Statewide and Community Based Services for the purpose of administering Medicaid programs, Program administration, CARES, limited research programs, and programs specified by the legislature.

These divisions have access to specific client based PHI on a need to know basis. Each program is restricted to the information for its own program. Each Division has the responsibility of identifying work units that have access to PHI and annually verifying the continued need. Individuals in work groups are required to take training to understand confidentiality laws and rules and the need to know basis for having access to PHI.

Each division shall abide by all the policies for confidentiality in conducting their activities, including:

Restricting access based on specific roles of DOEA’s workforce.
Limiting routine disclosures to the minimum necessary to achieve the purpose of the disclosure.
Limiting requests to other covered entities to what are reasonably necessary for the particular use or disclosure. This is particularly critical in program monitoring.

For routine, recurring disclosures, DOEA must:

1. Limit the types of Protected Health Information (PHI) to be disclosed to what is actually necessary to accomplish the programmatic requirements. Sharing of PHI with agencies responsible for treatment, payment or operations is to be limited to the information necessary. Examples of information sharing permitted under normal treatment or operations are:

a. The sharing of PHI for the purpose of consulting on a case management issue or client referral.

b. The verification of client expenditure data to verify services.

c. The monitoring of client files for the purpose of government oversight.

d. The examination of programmatic assignment being appropriate to the client.

2. Limit the types of persons who would receive the PHI to those to whom disclosure is necessary to perform treatment, payment or operation. This includes:

a. AAA staff

b. AHCA staff

c. Business Associate staff

d. Supervisors of program staff if necessary for decision-making purposes

e. State auditors or officials with a need to know for oversight purpose

3. The conditions that would apply to such access are included in the agreements between the AAAs and DOEA.

Routine disclosures are primarily the concern of the CARES and the CDC programs.

For non-routine disclosures, DOEA must limit the amount of information disclosed to the minimum necessary to accomplish the purpose of the disclosure. Use these criteria to review these disclosures on an individual basis:

  1. what specific data is being requested?
  2. does the data have to be client specific in order to accomplish the task?
  3. what is the actual purpose of the disclosure?
  4. is there information that is included but is not specific to the request?
  5. is this the only method of serving the client or accomplishing the governmental responsibility?

Non-routine disclosures must be logged in the WEB DB tracking system and the case file for DOEA clients.

When requesting PHI from another Covered Entity DOEA must limit its request to what is reasonably necessary to accomplish the purpose of the request.

For routine, recurring requests DOEA must:

  1. Describe what information is reasonably necessary for the purpose of the request.
  2. Limit the request for PHI to that information.

For all other requests DOEA must review the request on an individual basis to determine that the PHI requested is limited to the information reasonably necessary to accomplish the purpose of the request.

When the request is for the entire medical records file, it must specifically justified as reasonably necessary, and approved by the CARES supervisor or the CDC Program Administrator.

Minimum necessary does not apply to:

  1. Disclosures to a health care provider for treatment;
  2. Uses or disclosures made to the individual who is the subject of the PHI;
  3. Uses or disclosures made pursuant to a valid authorization;
  4. Disclosures made to the Secretary of HHS in the course of an investigation or compliance review; and
  5. Disclosures that are required by law.

Violations must be reported to the DOEA Privacy Officer.


45 CFR §164.502(b)