Statutes, codes, and regulations
New Mexico Administrative Code
Title 8 - SOCIAL SERVICESChapter 300 - MEDICAID GENERAL INFORMATION
Part 2 - HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) POLICIES
Section 8.300.2.16 - MINIMUM NECESSARY

N.M. Admin. Code § 8.300.2.16

Download
PDF
Current through Register Vol. 36, No. 1, January 14, 2025
Section 8.300.2.16 - MINIMUM NECESSARY

The HCC shall apply minimum necessary criteria to limit PHI for the use, disclosure, or request for PHI to the amount necessary to accomplish the task, except for disclosures to or requests by a health care provider for treatment purposes. The minimum necessary criteria do not apply with respect to disclosures to or requests by a health care provider for treatment. 45CFR 164.514(d)(2)-(5), 45 CFR 164.502(b) (2).

A. HCC's use of protected health information:
(1) An HCC supervisor shall determine the minimum necessary PHI needed by each HCC employee to perform their job duties and shall:
(a) grant appropriate medical record access;
(b) grant appropriate access to billing and payment information;
(c) grant appropriate access to other files containing PHI; or
(d) grant appropriate electronic access to PHI and set security levels.
(2) Members of the HCC authorized workforce shall use PHI as authorized. Requests for additional access to PHI shall be forwarded to the supervisor if needed to perform job duties.
B. HCC disclosures of protected health information:
(1) Prior to making any disclosures of PHI, an authorized HCC employee shall determine the minimum necessary PHI to disclose by applying the following.
(a) If the disclosure request is made for a medical record maintained within the supervisor's organizational unit, the request must specifically justify in writing why the entire medical record is needed. The HCC employee shall apply professional judgment in determining whether all PHI requested is necessary to be disclosed. Absent such justification, the request shall be denied. The written request and disposition shall be maintained within the medical record.
(b) If a request for PHI to be disclosed is pursuant to a state or federal statute, administrative rule, court order, contract or grant and the disclosure is routine or recurring, the HCC employee shall determine if a MAD protocol for that disclosure exists.
(c) If it does, the HCC employee shall follow the protocol established for that routine and recurring disclosure.
(d) For any other routine or recurring disclosures, the HCC employee shall contact the PSO with a proposed standard protocol that details the minimum necessary PHI to be disclosed, to whom and for what purpose. Once developed and approved, the HCC employee shall follow the protocol established for such routine and recurring disclosures. By following such protocol, the minimum necessary requirement will be met.
(e) If the disclosure is not routine or recurring, the minimum necessary PHI to disclose is the PHI that has been requested by any of the following:
(i) a health care provider or health plan;
(ii) a business associate of the HCC, if the business associate represents that the PHI is the minimum necessary needed; or
(iii) a researcher whose request for PHI is consistent with the documentation of approval of such research by an IRB or privacy board, and which documentation was provided to, and approved by the PSO, in accordance with 8.300.2 NMAC and 45CFR 164.512(h).
(2) When determining the minimum necessary PHI for all other disclosures, the HCC shall:
(a) review each request and if necessary make appropriate inquiries of the requestor to determine why the PHI is needed;
(b) apply professional judgment in determining whether all of the PHI requested is necessary to be disclosed to accomplish the identified purpose of the requested disclosure;
(c) limit the disclosure to the appropriate PHI to accomplish the identified purpose;
(d) if the disclosure is less than requested, provide an explanation of the limitation.when the disclosure is made;
(e) refer questions concerning the minimum necessary disclosure of PHI to the PSO;
(f) if proposed standard protocols are received, the PSO reviews and approves or disapproves the standard protocol, keeps a copy of all approved standard protocols and notifies the supervisor of the decision; and
(g) authorized HCC employees shall:
(i) follow the standard protocols that have been approved by the PSO;
(ii) forward the request to their immediate supervisor, if disclosure requests are received other than from the recipient;
(iii) provide the minimum necessary PHI that the recipient requested, if the disclosure request is from the recipient; and
(iv) record the disclosure in the PSO's database.
C. HCC requests for protected health information: HCC employees shall determine the minimum necessary PHI to request by applying the following guidelines.
(1) If the request is made for a medical record, the request shall specifically justify why the entire medical record is needed. If the medical record is disclosed to or requested by a health care provider for treatment purposes, minimum necessary does not apply and justification is not required.
(2) If the request for PHI is not routine or recurring, the request shall be limited to the minimum necessary PHI to accomplish the task.
(3) All requests for PHI shall be in writing and a copy given to the PSO for audit purposes.
(4) For any PHI requests that are routine or recurring, employees shall send the proposed standard protocol to the PSO that details the minimum necessary PHI needed to accomplish the task.
(5) The PSO shall maintain written PHI requests and perform audits as necessary.
(6) If proposed standard protocols are received, the PSO shall review and approve or disapprove the standard protocol, keep a copy of all approved standard protocols, and notify the supervisor of the decision.

N.M. Admin. Code § 8.300.2.16

8.300.2.16 NMAC - N, 7-1-03, Adopted by New Mexico Register, Volume XXXV, Issue 12, June 25, 2024, eff. 7/1/2024