Skip to site content

Indian Health Service The Federal Health Program for American Indians and Alaska Natives


     Indian Health Manual
Share This Page >

Part 2, Chapter 7:  Manual Exhibit 2-7-K

Policy and Procedure for Limiting the use or Disclosure of and
Requests for Protected Health Information
to the Minimum Necessary


  1. PURPOSE.  To publish the Indian Health Service (IHS) policy and procedures for limiting protected health information (PHI) to the minimum necessary:

    1. The use or disclosure of PHI; and

    2. All PHI requested by the IHS from other health care providers and health plans.

  2. AUTHORITY.  45 Code of Federal Regulations (CFR) 164.502(b)

  3. POLICY.  The medical record shall be maintained confidentially and shall not be disclosed except as provided by the Privacy Act of 1974 as amended, 5 United States Code (U.S.C.) 552a; the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (45 CFR Parts 160 and 164); the Freedom of Information Act as amended (5 U.S.C. 552); and other relevant Federal laws and guidance.

  4. RESPONSIBILITIES.

    1. Chief Executive Officer.  The Chief Executive Officer (CEO) or his or her designee shall identify, in writing, individual staff or classes of staff who have a need to know for access to PHI in order to perform their official duties.

      1. For Areas that provide contract health services directly through the Area Office, references to the CEO should be considered references to the Area Director’s designee, as applicable.

      2. The CEO or designee shall identify, in writing, the category or categories of PHI for each staff person or class of staff who have a need to know for access, and any conditions appropriate for such access.

    2. Designated IHS Staff Person.  The responsible IHS staff person, as designated by the CEO shall monitor compliance with the “minimum necessary” requirements.

  5. PROCEDURES.  The IHS must make reasonable efforts to limit the use or disclosure of PHI to the minimum necessary in order to accomplish the intended purpose of the use, disclosure, or request.

    1. Minimum Necessary Requirement.  The “minimum necessary” requirement does not apply to:

      1. disclosures to or requests by a healthcare provider for treatment purposes;

      2. disclosures to the patient;

      3. uses or disclosures made pursuant to a valid authorization signed by the patient or personal representative, so long as the use or disclosure is consistent with the authorization;

      4. uses or disclosures that are required by federal law, including applicable provisions of the HIPAA Privacy Rule;

      5. disclosures to the Secretary, HHS, required under HIPAA Privacy Rule for enforcement purposes.

    2. Reasonable Requests for Disclosures.  Although the IHS retains the right to make its own minimum necessary determination for disclosures, the IHS may rely on the judgment of the party requesting the disclosure as to the minimum amount of information needed, when the request is reasonable and made by:

      1. A public official for a disclosure permitted under 45 CFR §164.512 (Uses and disclosures for which an authorization or opportunity to agree or object is not required), if such official represents that the information requested is the minimum necessary for the stated purpose;

      2. Another covered health care provider, health plan, or health care clearinghouse;

      3. A professional who is an employee or contractor (business associate) of IHS, for the purpose of providing professional services to IHS, if the professional represents that the information requested is the minimum necessary for the stated purpose; or

      4. A researcher with appropriate documentation from an Institutional Review Board.

    3. Requesting PHI.

      1. When requesting PHI from other covered entities, the IHS must limit any such request to that which is reasonably necessary to accomplish the purpose for which the IHS is making the request.

      2. For requests made on a routine and recurring basis, the IHS must limit the PHI requested to the amount reasonably necessary to accomplish the purpose for which the request is made.

      3. All other requests must be reviewed on an individual basis to determine that the PHI sought is limited to the information reasonably necessary to accomplish the purpose for which the request is made.

      4. The entire medical record shall only be disclosed when specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request.


Back To Top  |  Previous Page
CPU: 57ms Clock: 0s