The HIPAA Privacy Standards require that some Uses or Disclosures of PHI be limited in their scope.
4.9(1) When Minimum Necessary Standard Must be Applied
To the extent that the Use or Disclosure of PHI may be approved as a permissive use without an Authorization under this Policy, System may Use or Disclose only the PHI that is reasonably necessary to accomplish the purpose for which the Use or Disclosure is sought. This is known as the “Minimum Necessary Standard.”
4.9(2) Disclosure of Entire Record
If a Use or Disclosure by System involves an Individual’s entire medical record, the Privacy Officer shall document the justification for such Use or Disclosure, in accordance with Section 9.2 of this Manual.
4.9(3) Exceptions from Application
A contemplated Use or Disclosure of PHI is not subject to the minimum necessary standard if the Use or Disclosure is approved as a reasonable response to one of the following:
4.9(4) Incidental Disclosures
A Use and Disclosure that occurs incidentally to another Use or Disclosure permitted by this Policy shall be acceptable, provided that the Plan employs reasonable safeguards to limit incidental Uses and Disclosures.
45 CFR §164.502(b), §164.514(d)