Minimum Necessary
About This Policy
Effective: 07/22/2013
Last Updated: 04/02/2025
Responsible University Office:
Office of the Chief Privacy Officer
Responsible University Administrator:
Chief Privacy Officer
mawerlin@iu.edu
Policy Contact:
HIPAA Privacy Officer
HIPAA Security Officer
hipaa@iu.edu
Scope
This policy applies to the workforce members in the designated Indiana University (IU) HIPAA Covered Healthcare Components and Critical Health Data Areas, anyone rendering services as a Business Associate, and anyone who creates, receives, maintains, or transmits Protected Health Information (PHI) in any capacity at IU, including, but not limited to, faculty, staff, students, trainees, volunteers, visiting scholars, and third-party agents. For the purposes of this policy, all of the above will be referred to as workforce members.
Policy Statement
Workforce members shall limit the amount of PHI requested, used, or disclosed to others to the minimum amount necessary to achieve the specific purpose of that use, request, or disclosure.
This limitation does not apply when PHI is:
- Disclosed to or requested from another health care provider for the purpose of treatment;
- Disclosed as required by federal or state law;
- Disclosed to the patient of record or the patient’s personal representative;
- Disclosed in compliance with a valid authorization.
A. Use of Protected Health Information (PHI)
- Workforce members shall only access the minimum information necessary to perform their assigned duties or to accomplish a stated purpose.
- Routine disclosures of PHI shall be limited to the pre-determined and established criteria of the workforce member’s roles, the information used and disclosures required or necessary.
- Non-routine disclosures of PHI shall be reviewed on a case-by-case basis.
B. Disclosures of Protected Health Information (PHI)
- Workforce members shall limit the disclosure of PHI to that which is minimally necessary in each situation in order to achieve the purpose of the disclosure.
- Disclosures for research purposes will rely on documentation from an Institutional Review Board (IRB) that describes the PHI needed for research purposes. The documentation shall sufficiently describe the PHI needed.
C. Requests for Protected Health Information (PHI)
- Requests for PHI shall be limited and reviewed on a case-by-case basis to determine what PHI is reasonably necessary for the particular use or disclosure.
- Workforce members shall limit requests for PHI to the minimum necessary to accomplish a particular task or purpose.
- Researchers shall limit requests for PHI for research purposes to the minimum necessary for the described research, including PHI to be released pursuant to an authorization. Documentation must sufficiently describe the PHI needed.
Note: Uses or disclosures that impermissibly involve more than the minimum necessary information, in violation of § 164.502(b) and § 164.514(d), may qualify as breaches.
Reason for the Policy
This policy limits the amount of PHI that may be used or disclosed for an intended purpose to the minimum necessary, in accordance with HIPAA and HITECH privacy regulations and in conjunction with existing state laws, federal laws, and Indiana University Policy covering human subjects, security and privacy.
Definitions
Individually Identifiable Health Information (IIHI): A subset of health information, including demographic information collected from an individual, and: (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and identifies the individual or there is a reasonable basis to believe the information can be used to identify the individual.
Minimum Necessary: A standard that requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose. The minimum necessary standard does not apply to certain uses or disclosures, such as requests by a health care provider for treatment purposes, disclosures to the individual who is the subject of the information, or disclosures pursuant to an individual’s authorization.
Protected Health Information (PHI): Individually identifiable health information held or transmitted by a covered entity or its business associate in any form or medium, whether electronic, on paper or oral.
See Glossary of HIPAA Related Terms for a complete list of terms.
History
7/22/2013 – Effective Date
1/13/2016 – Updated Definitions Section
08/01/2016 – Added link to Glossary, updated bad links
11/10/2016 – Added links to IU Policies
06/xx/2017 – Published on University Policies site
12/13/2021 – Updated policy contacts and links
04/02/2025 – Updated the term "HIPAA Affected Areas" to "Critical Health Data Areas"
Related Information
HIPAA Regulations
45 CFR §164.502
45 CFR §164.514(d)
HITECH Regulations
42 CFR: Part 412
42 CFR: Part 413
42 CFR: Part 422
42 CFR: Part 495
45 CFR: Subtitle A Subchapter D
Related IU Policies
HIPAA-P01 – Uses and Disclosures of Protected Health Information
HIPAA-P04 – IU Fundraising
IT-12 – Security of Information Technology Resources
IT-12.1 – Security of Mobile Devices