Subcommittee on Privacy, Confidentiality & Security
National Committee on Vital and Health Statistics

“Minimum Necessary and the Health Insurance Portability and Accountability Act (HIPAA)”

June 16, 2016
Capital Hilton Hotel
1001 16th Street, NW
Washington, DC 20036
Federal A Room

Meeting Minutes

Meeting Transcript


The HIPAA Privacy Rule requires that when a covered entity or a business associate uses or discloses protected health information, or when it requests protected health information (PHI) from another covered entity or business associate, the covered entity or business associate must make “reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.” 

The minimum necessary standard is the fifth most common HIPAA compliance issue investigated by the HHS Office for Civil Rights (OCR), due in part to insufficient awareness of or lack of clarity about this requirement, to personnel not being properly trained in this area, and/or to entities lacking policies and procedures to comply with it. The NCVHS Privacy, Confidentiality and Security Subcommittee will hold a one-day hearing to review current policies and practices of the HIPAA Privacy Minimum Necessary provisions and to identify and discuss the issues and challenges the industry faces in addressing this requirement, in preparation for developing recommendations to the Secretary for policy and practice guidance addressing compliance with the minimum necessary standard.

The objectives of this meeting are as follows:

  • Understand current industry policies and practices involving minimum necessary;
  • Understand challenges and potential areas of clarification in light of these practices, new and emerging technology developments, and new and evolving policy directions since the Privacy Rule became effective; and
  • Identify areas where outreach, education, technical assistance, or guidance may be useful.

Thursday, June 16, 2016



8:15 – 8:30 a.m. Introductions and Opening Remarks Linda Kloss, MA, Chair
8:30 – 9:15 a.m. Overview and framing of current issues

9:15 – 10:30 a.m. Panel I – Policy Interpretations of HIPAA’s Minimum Necessary Standard

10:30 – 10:45 a.m. Break  
10:45 – 12:15 p.m. Panel II – Practical Implementation of HIPAA’s Minimum Necessary Standards – Approaches for Compliance

12:15 – 1:15 p.m. Lunch  
1:15 – 2:45 p.m. Panel III – Minimum Necessary: Challenges and Opportunities

2:45 – 3:00 p.m. Public Comments  
3:00 – 3:15 p.m. Break  
3:15 – 4:15 p.m. Subcommittee Discussion: Review themes, identify potential recommendations and additional information needs  
4:15 – 5:00 p.m. Subcommittee Discussion: Frame letter to the Secretary, reach consensus on the timeline and next steps, if any  
5:15 p.m. Adjourn  

Written Testimony

Questions for Panelists

Panel 1 – Policy Interpretation of HIPAA’s Minimum Necessary Standard

  • What is the current, basic understanding of the Minimum Necessary Standard?
  • How does it apply to various scenarios?
    • Clinical exchanges between providers for purposes of treatment (via EHRs, for example)
    • Exchange of mental health-related data and other sensitive health information
    • Release of information processes and other administrative transactions
    • Access, use and disclosure for purposes of health care operations (such as utilization review, quality analysis)
    • Research
    • Public health disclosure considerations
    • Collection/use/exchange of data from/with medical devices/mobile devices
    • Other

Panel 2 – Practical Implementation – Approaches to Compliance

  • How does your organization implement the Minimum Necessary standard in general?
  • How is it implemented in the scenarios mentioned above?

Panel 3 – Issues and Challenges

  • What are the most challenging issues currently faced by the industry regarding the implementation of the Minimum Necessary standard?
  • How have the more recent advances in health IT (including adoption and use of EHRs, HIEs, mobile health, telemedicine, etc.) affected the implementation of Minimum Necessary?
  • What needs to be clarified, changed, or updated regarding the requirement?