Please support Telehealth.org’s ability to deliver helpful news, opinions, and analyses by turning off your ad blocker.

The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to adhere to the minimum necessary standard in regards to the use and disclosure of protected health information (PHI). In essence, healthcare workers must access only the minimum necessary PHI to perform their job functions. As a covered entity, behavioral health practices have an obligation to adhere to this standard.
How to Implement the Minimum Necessary Standard
The following are steps that behavioral health practices can take to ensure that they comply with the HIPAA minimum necessary standard:
- Document all information systems that contain PHI, including what types of PHI are stored on the system
- Identify and categorize PHI for each information system
- Create a list of job roles including what types of PHI each role needs to access
- Implement access levels to PHI based on job roles
- Develop and implement sanction policies for employees that violate the minimum necessary standard
- Train employees to ensure that they are aware of what PHI they should and should not access
- Ensure that access logs are kept and maintained including what information was accessed, who accessed it, and how long they accessed it for
- Enable alerts that notify the compliance team of employee’s attempts to access PHI outside of their job role, and unauthorized attempts to access PHI by external entities
- Audit and review access logs periodically to ensure that employees are not accessing information excessively or accessing PHI that they should not have access to
- Document any instance of unauthorized or excessive access and actions are taken in response
- Before providing access to PHI to business associates, determine what information they need to access to ensure that the minimum necessary standard is upheld
Exceptions to the Minimum Necessary Standard
In certain cases, the minimum necessary standard is not applicable:
- PHI disclosed or requested by a healthcare provider for treatment purposes
- PHI disclosed to the patient
- Uses or disclosures made pursuant to an individual’s authorization
- PHI disclosed to the Secretary of the HHS in accordance with the HIPAA Administrative Simplification Rules
- Uses and disclosures necessary for compliance with HIPAA rules
- Uses or disclosures that are required by law (such as state criminal law or criminal procedure law)
HIPAA Resources
Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!

Basic Telehealth Legal & Ethical Rules: HIPAA, Privacy, Working Across State Lines, Malpractice Insurance
Bring your telehealth practice into legal compliance. Get up to date on inter-jurisdictional practice, privacy, HIPAA, referrals, risk management, duty to warn, the duty to report, termination, and much more!
Disclaimer: Telehealth.org offers information as educational material designed to inform you of issues, products, or services potentially of interest. We cannot and do not accept liability for your decisions regarding any information offered. Please conduct your due diligence before taking action. Also, the views and opinions expressed are not intended to malign any organization, company, or individual. Product names, logos, brands, and other trademarks or images are the property of their respective trademark holders. There is no affiliation, sponsorship, or partnership suggested by using these brands unless contained in an ad. We do not and cannot offer legal, ethical, billing technical, medical, or therapeutic advice. Use of this site constitutes your agreement to Telehealth.org Privacy Policy and Terms and Conditions.