Confidential Information: Setting the Minimum Necessary

Analysis | By Credentialing Resource Center | September 21, 2020

A version of this article was first published September 21, 2020, by HCPro's Credentialing Resource Center, a sibling publication to HealthLeaders.

Physicians, nurses, therapists, dietitians, and others use confidential information about patients to determine how to treat them, but they are not the only ones who access such data.

Coders and billing department employees use confidential information to bill patients, their insurance companies, Medicare, or Medicaid for services.

Staff performing quality assurance or performance improvement activities review confidential information to make sure patients are receiving high-quality care.

Transcriptionists must access information to transcribe it, and scanners will unavoidably access information in the course of doing their jobs.

Confidential information includes all identifying information patients provide and information about their treatment, in any format (written or verbal), including the following:

  • Address
  • Age
  • Diagnoses
  • Medical history
  • Medications
  • Name
  • Observations of health status
  • Photographs that include faces
  • Social Security number

The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare employees to use or share only the “minimum necessary” information they “need to know” to do their jobs.

For example, a coder needs to look at the entire record of a patient’s hospital stay to apply all the correct codes. However, perusing the correspondence section of the record is unnecessary and inappropriate.

Remind staff to ask themselves before handling any patient information:

  • Do I need to know this to do my job?
  • Do I need to share this information with my colleague to get the job done?
  • What is the least amount of information I need to access or share to do my job?

Editor’s note: This article was adapted from The Contemporary Guide to Health Information Management.
