4.00 - MINIMUM NECESSARY USE

I. Purpose:
To issue instructions regarding ADAMH's obligations relating to the HIPAA requirement to use, disclose or request only the minimum amount of protected health information (PHI) necessary to accomplish the intended purpose of the use, disclosure or request.

II. Applicability:
This policy applies to all ADAMH workforce members.

III. Authority Source:
45 CFR Parts 160 & 164

IV. Definitions:

Covered Entity (CE) means a health plan, a health care clearinghouse, or a health care provider that transmits any health information in electronic form relating to any health care transaction.

Protected Health Information (PHI) means individually identifiable information relating to past, present or future physical or mental health or condition of an individual, provision of health care to an individual, or the past, present or future payment for health care provided to an individual.

PHI System means any electronic information system or database that contains PHI and therefore must comply with all laws, rules and security standards related to the stewardship of that data.

Disclosure means the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

Use means with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.

Workforce Members means Board of Trustees members, employees, volunteers, trainees, and other persons whose conduct, in the performance of work for ADAMH, is under the direct control of the ADAMH regardless of whether they are paid by ADAMH.

V. Policy:

1. The ADAMH Board will make reasonable efforts to ensure that the minimum necessary protected health information (PHI) is disclosed, used, or requested. Exceptions to the minimum necessary requirement include:
   1. disclosures to the individual who is the subject of the information;
   2. disclosures made pursuant to an authorization requested by the individual;
   3. disclosures to healthcare providers for treatment purposes;
   4. disclosures required for compliance with the standardized HIPAA transactions;
   5. disclosures made to the U.S. Department of Health and Human Services pursuant to a privacy investigation;
   6. disclosures otherwise required by the HIPAA regulations or other law.
2. Workforce members will be trained on the policy and procedures developed to apply these principles around the use or disclosure of, or requests for, PHI.

VI. Procedures:

The following procedures will be implemented to ensure that this policy is enforced effectively across all parts of the organization:

1. Each user of a PHI System will be identified and the category or categories of PHI to which access is needed and any conditions appropriate to such access will be established.
2. Reasonable efforts will be made to limit each PHI user's access to only the PHI that is needed to carry out his/her duties. These efforts will include internal staff to staff use of PHI.
3. For situations where PHI disclosure occurs on a routine and recurring basis, the PHI disclosed will be limited to the amount of information reasonably necessary to achieve the purpose of the disclosure.
4. Individual requests for disclosure (other than pursuant to an authorization, for instance to accrediting bodies, insurance carriers, research entities, etc.) will be reviewed by ADAMH staff to limit the information disclosed to that which is reasonably necessary to accomplish the purpose for which disclosure is sought. A request may be presumed to be limited to the minimum necessary if the request is from a public official, another Covered Entity, or a professional for the purpose of providing services to the Covered Entity, and the request states that the PHI requested is the minimum necessary.
5. Requests for disclosure from external non-covered entities will be reviewed to ensure that the response limits the disclosed information to that which is reasonably necessary to accomplish the purpose for which disclosure is sought.
6. All workforce members must be trained on a regular basis regarding this policy.
7. Questions regarding these procedures should be directed to the ADAMH Board's Privacy Officer.