Must the HIPAA Privacy Rule's minimum necessary standard to be applied to uses or disclosures that are authorized by an individual?
No. Uses and disclosures that are authorized by the individual are exempt from the minimum necessary requirements. For example, if a covered health care provider receives an individual’s authorization to disclose medical information to a life insurer for underwriting purposes, the provider is permitted to disclose the information requested on the authorization without making any minimum necessary determination. The authorization must meet the requirements of 45 CFR 164.508.
Date Created: 12/19/2002