HWS Clinical Excellence

HCA Minimum Necessary: The Privacy Principle in Action

Written by HWS Clinical Ops | Sep 24, 2025 6:03:15 PM

 


Access Only What You Need  

Every time you access patient data, you are saying, "I need this to do my job." Even if your system allows access, that does not mean it is permitted. Workforce members are permitted to view only the minimum PHI necessary for their role, whether it is oral, written, or electronic.

 When accessing patient information, ask yourself: 

  • Do I need this information to do my job?
  • Am I accessing only the minimum necessary to perform my duties?
  • Would I be comfortable explaining this access in an audit? 

Role-based access, authorization controls, and audits help enforce the minimum necessary standard. But it is up to you to use access responsibly. 

Failure to apply the minimum necessary requirements may result in a violation and sanctions being applied. 

Reminders for Responsible Access 

Routine vs. Non-Routine Requests: 

Routine disclosures must follow standard protocols that limit PHI to what’s reasonably necessary. 

Non-routine disclosures require individual review using established criteria. 

Confidential Information belongs to the Company. That means: 

  • Don’t share it with anyone who doesn’t have a need to know.
  • Don’t use unauthorized channels like personal email or social media to discuss it. 

Never post confidential information even if it seems harmless or anonymized. 

When minimum necessary does not apply 

  • Disclosures for treatment
  • Requests by the individual
  • HIPAA-compliant authorizations
  • Requests by public officials or researchers with proper documentation
  • Disclosures required by law 

Please reach out to your Facility Privacy Official (FPO) and Ethics & Compliance Officer (ECO) for questions and guidance. 

Announcements: 

Corporate Privacy Policies are currently unavailable through the Privacy Community SharePoint Site, as we are in the process of renumbering and relocating to the Ethics & Compliance SharePoint site. 

Facility Model Privacy Policies are currently still available on the Privacy Community SharePoint site. 

Should you need a copy of a Corporate Privacy Policy, please contact the Corporate Privacy Department via the URGENT Privacy RI Message mailbox.

We appreciate your patience during this transition and will notify you once access is restored. 

Looking for the latest updates from the Office for Civil Rights (OCR)? Visit the OCR Press Room for official news, enforcement actions, and policy updates.

 Email the URGENT Privacy RI Message mailbox.