Home > Property & Casualty > HIPAA disclosure laws: understanding the “standard of minimum necessity”

HIPAA disclosure laws: understanding the “standard of minimum necessity”

hipaaEarlier this year, reports surfaced of a hospital employee facing criminal charges for violating HIPAA privacy requirements, prompting discussion about the intense scrutiny and punishment being handed down by courts in these cases. The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by covered entities and gives patients an array of rights with respect to that information. But at the same time, the rule also permits the disclosure of health information (without a patient’s express written authorization) that may be needed for patient care and other important purposes, such as law enforcement purposes or to facilitate treatment, payment and health care operations. In light of the recent Ebola outbreak in West Africa and the subsequent infection of U.S. and other foreign aid workers with the disease, it’s important for hospitals, physicians and other health care providers across the country to familiarize themselves with these specific exceptions to the law.

For example, HIPAA regulations permit the disclosure of information without a patient’s consent for certain public health activities, including public health surveillance, investigations, interventions and reports of the disease. The law allows covered entities to disclose PHI to authorized public health officials for the purposes of preventing or controlling the disease. However, the release of this information is subject to HIPAA’s minimum necessary standard, which states that the covered entity “will limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure.” The law goes on to say that when making these disclosures, the covered entity may rely on a standard of minimum necessity, whereby the public official confirms that the requested PHI is the minimum necessary in order to carry out the public health activity.”

However, it’s critical to remember that HIPAA guidelines mandate that covered entities must notify patients of these disclosures. Furthermore, covered entities must be careful to protect a patient’s right to privacy in cases where PHI has been the subject of a public health report. This includes concealment of the patient’s identity during the public activity, and covered entities may not release the patient’s information without valid authorization signed by the patient or a representative of the patient.

Employers of HIPAA covered entities should provide regular trainings and seminars that include an overview of the Rule’s requirements including cases where PHI has been the subject of a public health report. Employers should review their policies and check for any exclusions, including those that deny coverage in the case of  release of PHI due to a public health report. This type of exclusion would be uncommon, but in light of recent events, insurers may try to limit their exposures to these risks. Since most Management Liability policies limit coverage for investigations and violations of HIPAA, employers should negotiate a higher sublimit or request defense cost coverage for HIPAA investigations. This may come at a much higher premium, but would limit the Insured’s exposure for claims resulting from violations of HIPAA.


About the Author

Mark Stiles is an Assistant Vice President at WGA and a member of the ExecutiveRisk Practice. He works with private and nonprofit organizations to assist them and their executives with protection for their exposures to Directors’ & Officers’ Liability, Employment Practices Liability, Fiduciary Liability, Crime, Kidnap & Ransom and Extortion.

617.646.6743 | Mstiles@wgains.com | Connect with Mark on LinkedIn |

  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s