In limiting access, do we have to redesign clinical and other office spaces to comply with the Minimum Necessary and other HIPAA Privacy requirements?
(A) No. HIPAA is not specific as to environmental requirements and defers to the provider to make reasonable efforts to limit PHI access to the DMH employees, officers, and volunteers who need access to do their jobs. The HIPAA Security requirements, expected late this year, will likely have specific protections for electronic storage, transmittal and access (e.g., passwords, screensavers, etc.). Overall, however, HIPAA Privacy requirements should only expand what should be existing DMH practices and environmental safeguards, including, as applicable, good practices recognized by JCAHO, CARF, etc. in protecting consumer information from unnecessary disclosure. Although redesigns should not be necessary, individual offices may need to adjust work areas to minimize access, such as isolating and locking file cabinets or records rooms, turning computer screens away from public or common areas, using reasonable phone, fax and e-mail practices to limit disclosure of PHI, and when practical to de-identify infor