Limits on What Information is Released
The core of the HIPAA privacy rule is limiting disclosure to the minimum amount necessary for the purpose of the disclosure. [45 CFR 164.502(b), 164.514(d)] With traditional paper medical records, someone who needed information from the record would be given either the entire record or copies of relevant pages, which would include information about other aspects of the care that were not necessary for the request. Anyone writing an entry in the record would have access to the entire record.
HIPAA requires that the medical care provider only supply the needed information, rather than the entire record or unedited parts of the record. While this requirement can be difficult to meet for paper records, it anticipates that most medical information will eventually be managed electronically. Electronic records can be segmented so that individuals only have access to the specific information that they need. Individuals can be given the authority to add information to an electronic record without giving them the right to read the record. This could allow a lab tech to record that the blood was drawn for a test or to post the result of the test without being given the right to read other sections of the record. Covered entities must also document when information is released so that a patient can find out who has had access to his/her medical information.
The major exception is that information that is released for patient care is not subject to the minimum necessary standard. This exception is critical because most medical records are still on paper. With traditional paper medical records, it is very difficult to extract information for specific purposes. It would require that someone read through and abstract the record, which would be prohibitively expensive and very time-consuming. Electronic medical records make it easier to limit access to parts of the records, but it will be years before all routine care is based on electronic records. Medical care providers need quick and simple access to the patient's medical information. From a privacy advocate's perspective, however, this exception is a major weakness of HIPAA because, as our earlier example illustrates, there are a lot of people involved with medical information in contemporary hospital care. Allowing all of them access to the full information creates many opportunities for mistaken or malicious disclosures.
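The segmented record described above can be sketched in code. The following is an added example, not part of the original text: it models per-section read rights, append rights granted separately from read rights, a disclosure log, and the patient-care exception. The role names, section names, purpose strings and the choice to log every access are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy; role and section names are assumptions for this example.
POLICY = {
    "lab_tech":  {"read": set(), "append": {"labs"}, "treating": False},
    "billing":   {"read": {"demographics", "billing"}, "append": {"billing"}, "treating": False},
    "physician": {"read": {"demographics", "labs", "notes"}, "append": {"labs", "notes"}, "treating": True},
}

class AccessDenied(Exception):
    """Raised when a role has no right to the requested operation."""

@dataclass
class Record:
    patient_id: str
    sections: dict = field(default_factory=dict)     # section name -> list of entries
    disclosures: list = field(default_factory=list)  # log the patient can ask to see

    def _log(self, user, role, action, sections, purpose):
        self.disclosures.append({
            "when": datetime.now(timezone.utc).isoformat(), "user": user, "role": role,
            "action": action, "sections": sorted(sections), "purpose": purpose})

    def append(self, user, role, section, entry):
        """Add an entry; append rights are independent of read rights."""
        rule = POLICY.get(role)
        if rule is None or section not in rule["append"]:
            raise AccessDenied(f"{role} may not write to {section}")
        self.sections.setdefault(section, []).append(entry)
        self._log(user, role, "append", [section], "record entry")

    def read(self, user, role, requested, purpose):
        """Return only the sections this role may see for this purpose."""
        rule = POLICY.get(role)
        if rule is None:
            raise AccessDenied(f"unknown role {role}")
        if purpose == "treatment" and rule["treating"]:
            allowed = set(self.sections)             # patient-care exception: whole record
        else:
            allowed = set(requested) & rule["read"]  # minimum necessary: segment filter
        if not allowed:
            raise AccessDenied(f"{role} may not read {sorted(requested)}")
        self._log(user, role, "read", allowed, purpose)
        return {s: list(self.sections.get(s, [])) for s in sorted(allowed)}
```

A treating role that reads for treatment receives every section regardless of what it requested, which is the breadth of access the privacy advocate's objection concerns; the log still records who received it.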