§164.502(b) high Severity HIPAA US Federal

HIPAA Privacy Rule — Minimum Necessary Standard

Enforced by: HHS OCR (US)
Current as of March 26, 2013
Plain Language Summary
Only access the PHI you actually need. Employees should not have access to more patient data than their role requires.

A covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. This standard applies to all workforce members accessing PHI and to all requests for PHI disclosure to external parties.

Related Enforcement Cases

Advocate Aurora Health — Tracking Pixel HIPAA Settlement ($3M) $3.0M
Banner Health — Network Segmentation Failure HIPAA Settlement ($1.25M) $1.25M