c. For any type of disclosure that it makes on a routine and recurring basis, the department shall implement policies and procedures (which may be standard protocols) that limit the amount of the protected health information disclosed to that reasonably necessary to achieve the purpose of the disclosure. For all other disclosures, the department shall develop criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought. The department shall review requests for disclosure on an individual basis in accordance with the criteria.
The department may rely, if reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when:
(1) Making permitted disclosures to a public official, provided the public official indicates that the information requested is the minimum necessary for the stated purposes;(2) The information is requested by another covered entity; or(3) The information is requested for the purpose of providing professional services to the department by a professional who is a workforce member or business associate of the department if the professional indicates that the information requested is the minimum necessary for the stated purpose.