What is minimum necessary?
The HIPAA Privacy Rule requires covered entities to make their own assessment of what protected health information (PHI) is reasonably necessary for a particular purpose, given the characteristics of their business and workforce. Medical Records Staff/Document Custodians may use and disclose PHI to providers for treatment purposes, to billing office personnel for their billing function, and to patients and other appropriately authorized individuals. Authorized personnel shall disclose only the minimum necessary PHI to accomplish these tasks, based on the authorization to release such information, where applicable. No information shall be disclosed to anyone other than the patient without appropriate authorization or as otherwise permitted by law.