Oklahoma Administrative Code (Last Updated: March 11, 2021) |
TITLE 340. Department of Human Services |
Chapter 2. Administrative Components |
Subchapter 8. Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule |
SECTION 340:2-8-10. Minimum necessary standards
Latest version.
- The Oklahoma Department of Human Services (DHS) limits requests for, use of, and disclosure of protected health information (PHI) to that which is reasonably necessary to accomplish the intended purpose of the use, disclosure, or request, per Section 164.502(b) of Title 45 of the Code of Federal Regulations (45 C.F.R. § 164.502(b)). This minimum necessary standard is not used to impede the essential activities of treatment, payment, or health care operations.(1) The minimum necessary standard applies to:(A) the use of PHI within DHS. Employees who:(i) do not need PHI to perform their job duties must not access PHI; and(ii) need PHI to perform their job duties must access PHI to the least extent necessary;(B) disclosure of PHI to a third party in response to a request; and(C) the request of PHI from another covered entity.(2) The minimum necessary standard does not apply to disclosures made:(A) to or requests by a health care provider for treatment;(B) to the individual;(C) with a valid authorization, per 45 C.F.R. § 164.508(c);(D) to the United States Secretary of Health and Human Services for the purposes of compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule; or(E) for uses required by law.