Is a covered entity required to apply the HIPAA Privacy Rule’s minimum necessary standard to a disclosure of protected health information it makes to another covered entity?
Covered entities are required to apply the minimum necessary standard to their own requests for protected health information. One covered entity may reasonably rely on another covered entity’s request as the minimum necessary, and then does not need to engage in a separate minimum necessary determination. See 45 CFR 164.514(d)(3)(iii). However, if a covered entity does not agree that the amount of information requested by another covered entity is reasonably necessary for the purpose, it is up to both covered entities to negotiate a resolution of the dispute as to the amount of information needed. Nothing in the Privacy Rule prevents a covered entity from discussing its concerns with another covered entity making a request, and negotiating an information exchange that meets the needs of both parties. Such discussions occur today and may continue after the compliance date of the Privacy Rule. Are providers required to make a minimum necessary determination to disclose to Federal or State