Why is the “Minimum Necessary” Standard important in healthcare?
The Department of Health and Human Services (HHS) takes protecting patient data very seriously. Consistent with the Privacy Rule standard that limits uses and disclosures of PHI to the “minimum necessary,” the Security Rule also requires Information Access Management processes to be in place, including policies and procedures for authorizing access to ePHI based on job role.
Accessing patient information without authorization is a serious violation, as Mayo Clinic recently experienced. In October 2020, Mayo Clinic had a now-former employee who inappropriately accessed the health records of more than 1,600 patients, specifically images, along with names, demographic information, birth dates, medical record numbers, and clinical notes.
Situations like this cry out for better controls over who has access to this data.
Healthcare IT News reported an increase in cases involving unauthorized record access. Some of them are external hacking, but many of them are internal employees snooping into medical records. This year alone, HHS currently has 88 cases under review for Unauthorized Disclosure from compromised email, network servers and electronic medical records, with the majority involving email.
WHAT ARE THE CONSEQUENCES?
There is currently a class-action suit against Mayo Clinic. One patient is seeking damages in excess of $50,000 for herself and other class members whose explicit photos and other information were accessed. HHS can also impose large fines and rigorous corrective action plans.
WHAT IS THE SOLUTION?
Appropriate controls over access to PHI, together with monitoring of that access, are one remedy. Although training and policy are a good deterrent, they do not guarantee that patient data will not be accessed in an unauthorized manner.
The following steps are recommended to move towards compliance with the HIPAA “Minimum Necessary” Standard:
- Restrict access based on job responsibilities.
- Review logs for employees accessing PHI outside of their responsibilities.
- Document any instance of unauthorized access and actions taken.
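The first two steps above can be combined into a simple review: compare each logged ePHI access against what the user's role permits and whether the user has a care relationship with the patient. The following is an added example, not code from the original post or from any vendor product; the role-permission map, the log format, the "care_team" flag and the rule that only clinical roles need a treatment relationship are all constructed assumptions for illustration.

```python
import csv
import io

# Hypothetical role -> permitted record types (constructed for this example;
# a real deployment would load this from the access-management policy).
ROLE_PERMISSIONS = {
    "billing": {"demographics", "insurance"},
    "nurse": {"demographics", "clinical_notes", "images"},
    "radiology": {"images"},
}

# Roles that should only touch records of patients they are treating.
CLINICAL_ROLES = {"nurse", "radiology"}

# Constructed sample audit log. "care_team" marks whether the user is on the
# patient's care team at the time of access (assumed to be known to the EHR).
SAMPLE_LOG = """user,role,patient_id,record_type,care_team
jdoe,billing,P1001,insurance,no
jdoe,billing,P1002,images,no
asmith,nurse,P1003,clinical_notes,yes
asmith,nurse,P1004,clinical_notes,no
rlee,radiology,P1005,images,yes
"""


def flag_out_of_scope_access(log_text):
    """Return (user, patient_id, record_type, reason) for each access that
    falls outside the user's job responsibilities."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        allowed = ROLE_PERMISSIONS.get(row["role"], set())
        if row["record_type"] not in allowed:
            findings.append((row["user"], row["patient_id"], row["record_type"],
                             "record type not permitted for role"))
        elif row["role"] in CLINICAL_ROLES and row["care_team"] != "yes":
            findings.append((row["user"], row["patient_id"], row["record_type"],
                             "no treatment relationship with patient"))
    return findings


if __name__ == "__main__":
    # Each finding is what the third step asks you to document.
    for finding in flag_out_of_scope_access(SAMPLE_LOG):
        print(finding)
```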
Manual processes can be daunting, but there is an automated solution that will do the work for you. Check out our ePHI Access Monitoring solution here.