(q) Minimum Necessary Requirement. Subcontrnctor shall comply with the minimum necessary requirement, in accordance with 45 C.F.R. 164.502(b) of the HIPAA Regulations, with respect to the use, disclosure, or request of Protected Health Information by limiting such Protected Health Information, to the extent practicable, to: (i) The Limited Data Set; or (ii) The minirnwn necessary to accomplish the intended purpose of such use, disclosure or request. 3.

Even assuming that HIPAA applied, plaintiffs have not alleged disclosure of the kind of information that it protects. HIPAA’s governing regulations apply only to “protected health information,” 45 C.F.R. § 164.502 (emphasis added), defined as “individually identifiable information” “created or received by a health care provider,” id. § 160.

This argument is at odds with the plain language of 42 U.S.C. § 1320d-6(a) cited above, as well as the regulations enforcing HIPAA. Under 45 C.F.R. § 164.502, a “covered entity … may not use or disclose protected health information, except as permitted or required [by HIPAA].” This requirement is not limited to the instances when a covered entity is engaged in one of the “specific transactions” cited by Defendants.

As for HIPAA, Plaintiff has never declared or sought a federal action under the HIPAA statute. However, HIPAA declares that a covered entity may not “...use or disclose protected health care information, except as permitted or required by this subpart....” 45 C.F.R. 164.502. HIPAA defines protected health care information as “...individually identifiable health information...” as included and excluded in that section.

This rule states that that, when a covered entity discloses PHI in connection with a routine use, it must “make reasonable efforts to limit [PHI] to the minimum necessary to accomplish the intended Case: 1:09-cv-07274 Document #: 109 Filed: 03/08/11 Page 9 of 15 PageID #:846 10 130069682v2 0907481 07791 purpose of the use, disclosure, or request.” 45 C.F.R. § 164.502(b). Mitchem argues that “necessary” within § 164.

For two reasons, HIPAA allowed the medical creditors to release their patients’ phone numbers to ICS, and therefore they consented to receive ICS’s calls, even if for the sake of argument HIPAA had some bearing on the consent analysis under the TCPA. First, HIPAA only regulates a covered entity’s use and disclosure of PHI (protected health information), 45 C.F.R. §§ 164.502(a); 506(a); 508(a). A patient’s phone number is not PHI.

The Privacy Rule states that, subject to certain exceptions, “[w]hen using or disclosing protected health information, or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.” 45 C.F.R. § 164.502(b)(1). Each covered entity must determine what it believes constitutes the minimum amount of information necessary based upon the requirements related to disclosures at 45 C.F.R. § 164.

514(d)(1), (d)(3)(i); Monarch Fire Prot. Dist. v. Freedom Consulting & Auditing Srvs., Inc., 678 F. Supp. 2d 927, 932 (E.D. Mo. 2009) (citing 45 C.F.R. §§ 164.502(e)) (“In order to share PHI with third parties . . . HIPAA requires health care plans and providers to enter into business associate agreements, contracts obligating the third parties to abide by HIPAA’s restrictions on PHI disclosures.”) A covered entity and its business associate’s use or disclosure of PHI is limited by HIPAA’s “minimum necessary” requirement as follows: (d)(1) Standard: Minimum necessary requirements.

Three of the initial trial Plaintiffs were selected by the Court on July 6, 2007. Shortly thereafter, on July 12, 2007, Defendants requested from each trial Plaintiff a signed medical authorization meeting the privacy regulations issued under the Health Insurance Portability and Accountability Act of 1996, 45 C.F.R. § 164.502(a)(iv) (“HIPAA”). See Exhibit B. Following Plaintiffs’ failure to respond to Defendants’ initial request for HIPAA authorizations, Defendants, in good faith, repeated their request on August 8, 2007, and again on August 29, 2007.