Health Care Department Operations Manual

Chapter 2 – Patients’ Entitlements and Responsibilities

Article 2 – Confidentiality and Privacy

2.2.4 Minimum Necessary Use and Disclosure of Protected Health Information

  • Policy

    • California Correctional Health Care Services (CCHCS) and its workforce shall make reasonable efforts to limit the use, access, request, and disclosure of Protected Health Information (PHI) to the minimum necessary to accomplish the intended purpose.  CCHCS shall determine what access to PHI is relevant and necessary by workforce members to carry out job duties.

  • Purpose

    • To ensure CCHCS workforce members have appropriate access to PHI and only use, request, or disclose the minimum necessary PHI required to accomplish the missions, goals, and objectives of CCHCS while maintaining compliance with privacy and related health information law.

  • Responsibility

    • The Privacy Officer shall have oversight of this policy to comply with privacy laws, policies, and standards for respecting the rights of individuals concerning the collection, use, and disclosure of PHI maintained by CCHCS.

  • When Minimum Necessary Uses or Disclosures of PHI Applies

    • Unless an exception set forth in this policy applies, CCHCS workforce members may only use, access, request, and disclose the minimum amount of PHI necessary to perform their duties, including the fulfillment of a request for the use or disclosure of PHI.

      • Uses or disclosures of entire health records

        • CCHCS workforce members shall not use, access, request, or disclose a patient’s entire health record except when use or disclosure of the entire health record is specifically justified as reasonably necessary to accomplish the use, request, or disclosure.

      • Routine and recurring disclosures

        • CCHCS program areas shall determine the minimum PHI accessible to staff that is reasonably necessary to achieve the purpose of the disclosure or in order for staff to fulfill their job duties.

      • Non-routine disclosures

        • CCHCS program areas shall determine the minimum PHI accessible to staff that is reasonably necessary to achieve the purpose of the disclosure. Requests for non-routine disclosures shall be reviewed on an individual basis in accordance with such criteria.

    • Reasonable Reliance

      • CCHCS workforce members may rely on the judgment of the party requesting a disclosure in determining the minimum amount of information that is needed when:

        • Making disclosures to public officials pursuant to the Health Care Department Operations Manual (HCDOM), Section 2.2.6, Use and Disclosure of Protected Health Information: Special Exceptions, if the public official represents that the PHI requested is the minimum necessary for the stated purpose.

        • The information is requested by another covered entity.

        • The information is requested by a professional who is a member of the CCHCS workforce or is a CCHCS business associate for the purpose of providing professional services if the professional represents that the information requested is the minimum necessary for the stated purpose.

    • Role Based Access and Use

      • CCHCS program areas shall establish role-based access controls that provide only the minimum amount of information necessary for workforce members to perform their job duties.  CCHCS program areas shall safeguard information accessible by computer, information kept in files, or other forms of information consistent with CCHCS policy.

  • When Minimum Necessary Uses or Disclosures of PHI Does Not Apply

    • Disclosures to or requests by a health care provider for treatment.

    • Disclosures to the patient who is the subject of the information.

    • Uses and disclosures based upon a valid authorization to use and disclose PHI, limited to the scope of what is covered by the authorization.

    • Uses and disclosures required for compliance with the Health Insurance Portability and Accountability Act Administrative Simplification Rule.

    • Disclosures to the Secretary of the U.S. Department of Health and Human Services when disclosure of information is required under the Privacy Rule for enforcement purposes.

    • Uses or disclosures required by law.

  • References

    • Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 160, Subpart A, Section 160.103 – Definitions

    • Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 164, Subpart E, Section 164.502(b)

    • Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 164, Subpart E, Section 164.514(d)(1)

    • Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.1, General Use and Disclosure of Protected Health Information

    • Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.2, Use and Disclosure of Protected Health Information Based on Patient Authorization

    • Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.5, Administrative, Technical, and Physical Safeguards

    • Health Care Department Operations Manual, Chapter 2, Article 2, Section 2.2.6, Use and Disclosure of Protected Health Information: Special Exceptions

    • Health Care Department Operations Manual, Chapter 5, Article 3, Section 5.3.14, Access Control

    • Health Care Department Operations Manual, Chapter 5, Article 9, Section 5.9.1, General Training Requirements

    • Statewide Health Information Policy Manual, Section 2.7.1, Minimum Necessary

  • Revision History

    • Effective: 02/2012
      Revised: 12/10/2025