
document HPA-002 : Minimum Necessary Use and Disclosure of Protected Health Information

To provide a minimum necessary standard for the use and disclosure of protected health information (PHI) consistent with the requirements of the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA).



  1. effective date:

    October 1, 2019
  2. content:

    Applies To:                        

    The Medical Center, the School of Medicine, the School of Nursing, Claude Moore Health Sciences Library, Transitional Care Hospital, the Health System Development Office, and the University of Virginia Physicians Group (“UPG”).              

    Reason for Policy:          

    To provide a minimum necessary standard for the use and disclosure of protected health information (PHI) consistent with the requirements of the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA).  

    Definition of Terms:      

    Health System - for purposes of this and all other Health System policies, the term “Health System” shall refer to the following entities: the Medical Center, the School of Medicine, the School of Nursing, Claude Moore Health Sciences Library, Transitional Care Hospital, the Health System Development Office, and UPG (hereinafter referred to collectively as “Entities” or each individually as an “Entity”).

    Team Members – All persons providing clinical, educational, research, administrative, or other services within or for the benefit of the Health System, regardless of employer. 

    Policy Statement:           

    Subject to the exceptions below, when using, disclosing or requesting patients’ protected health information (PHI), and regardless of whether such use, disclosure or request is made internally, or to or by an external source (e.g., an outside provider, researcher or third party payer), Team Members shall limit the use, disclosure or request to the minimum necessary to accomplish the intended purpose of such use, disclosure or request.

    Team Members shall access PHI on a need to know basis as determined by the scope of their responsibilities and their clinical, business or operational reason for such access, in furtherance of the Health System’s Tripartite Mission of clinical care, teaching and research; operational reasons include, but are not limited to, quality review, education or training activities, and risk management.

    All guidelines and criteria used to satisfy need-to-know and minimum necessary requirements (“Criteria”) shall be reviewed and approved by the Medical Center’s Corporate Compliance and Privacy Officer and implemented accordingly. Exception: UPG’s Privacy Officer shall establish and review guidelines and criteria for UPG owned facilities.

    The entire medical record, or any portion thereof, may be used, disclosed or requested only when its contents are reasonably necessary to accomplish the purpose for which the use, disclosure or request is intended. The Health System has determined that use and disclosure of the medical record, whether in its entirety or some portion thereof, is permissible for the following purposes:

        • Patient care/treatment purposes, for continuity and quality of care;
        • Quality improvement, risk management, and corporate compliance purposes, for support of quality improvement, risk reduction, liability defense, and compliance with federal regulations;
        • Licensure, accreditation, certification, and health oversight purposes, as requested by authorized oversight and accreditation entities and as necessary to support these activities;
        • Abuse and neglect investigation response, on request of authorized investigators;
        • Training purposes, for the comprehensive education of medical and nursing students and other clinicians.

     EXCEPTIONS:

    The following disclosures are not subject to the minimum necessary standard or the procedures set forth below:

      • To health care providers for treatment of patients;
      • To the patient or legally authorized representative who requests access to the patient’s PHI;
      • Pursuant to patient’s or legally authorized representative’s authorization;
      • As required by law;
      • As required for compliance with the HIPAA Privacy Standards, including to the Secretary of DHHS for investigation; and
      • Patient Census/Facility Directory information.

     Procedures:     

    1. Internal Access and Use:
        1. Health System managers shall identify, by job role, those Health System Team Members who need access to electronic PHI, the category of PHI to which access is needed, and any conditions appropriate to such access.
        2. Health Information Technology shall oversee and set guidelines for requests for access, and make determinations regarding requests for access outside of usual job role descriptions.
        3. Each Health System manager shall identify any special needs outside of normal job role titles and make reasonable efforts to limit staff access to PHI to the minimum necessary to carry out duties.
        4. On an annual basis, or more frequently if otherwise determined to be necessary, Health System managers shall review Team Member access to electronic medical records.
        5. System administrators of databases containing PHI shall implement a process for granting and terminating access based on need to perform one’s job function.
    2. Disclosures
        1. Consistent with the requirements of this policy, all new requests for routine and recurring disclosures of PHI shall be referred to the Release of Medical Information Section of Health Information Services (HIS) 924-5136, or, as appropriate for UPG owned facilities, to Patient Friendly Billing (PFB) (See Medical Center Policy No. 0092 “Release of Patients’ Protected Health Information”, TCH Policy No. 0092 “Release of Patients’ Protected Health Information”, and UPG Policy “Verification of Individuals for Release of Information”, which delineate permitted disclosures to third parties at those Entities).
        2. All non-routine disclosure requests shall be evaluated by HIS or UPG’s Office of Legal Affairs, as applicable, on an individual case-by-case basis to determine what is minimally necessary to accomplish the intended purpose of the disclosure, and will consider such factors as:
          1. The requestor’s purpose in seeking PHI;
          2. Whether the PHI requested is reasonable, or whether less PHI or de-identified PHI would satisfy the request.
        3. Relying on representations by those requesting disclosures:

          A Team Member may rely on the representation of the party requesting the disclosure as to the minimum amount of information needed if the request is made by:
          1. Another covered entity (a health care provider such as a physician or hospital, or a health insurance plan);
          2. A researcher with appropriate documentation from an institutional review board; a form to document the researcher’s representations is available at http://hit.healthsystem.virginia.edu/index.cfm/departments/health-information-services/release-of-information/request-for-medical-records-non-patient-care-purposes/
          3. A professional retained by a Health System Entity as a Business Associate who states that the information requested is needed for the stated purpose, when providing services to the Entity (e.g., an attorney, auditor or consultant);
          4. A public health or other governmental official who states that the information requested is needed for the intended purpose, if a disclosure for such intended purpose is permitted under applicable law.
  3. signature(s):

    Pamela M. Sutton-Wallace, Acting Executive Vice President for Health Affairs, UVA Health System

    signature date:

    September 27, 2019