If you’ve ever watched a spy movie before, the plotline I’m about to describe ALWAYS happens.
The main character hasn’t been on “active duty” as a super-secret agent for some time now, or maybe they’ve retired altogether. Yet, the previous scene has already set up the conflict. The biggest, worst bad guy to ever grace the silver screen has the most diabolical plot the world has ever seen. It’s such a dangerous mission that the world’s only hope is the main character, who receives a dossier that others were given on a “need-to-know basis”. Then, when their closest companion from the agency they used to work for pleads with them to come back, the main character replies something like, “I’m not that person anymore.”
If you’re a scriptwriter, please don’t take that masterpiece of a story I just described.
But, what if I told you that a portion of my plot describes a requirement within the healthcare industry? Can you pick it out?
You probably picked up on what portion of it I’m referring to immediately because it’s identical to the title of this blog post. I’m talking about the portion of that spy movie scene where the main character receives confidential information. It's on a “need-to-know basis.”
Believe it or not, a need-to-know basis is sort of a requirement for healthcare organizations according to the Health Insurance Portability and Accountability Act (HIPAA).
I say “sort of” because that exact wording doesn’t appear in the law itself. Yet, it’s a useful shorthand, and that phrasing makes what’s actually written in the law much easier to understand.
The Minimum Necessary Standard
The Minimum Necessary Standard is a provision of the HIPAA Privacy Rule that governs how covered entities, and their business associates, use, disclose and request protected health information (PHI).
In essence, it states that healthcare organizations shouldn’t use or disclose PHI at all when doing so isn’t necessary for a specific purpose or function. When they do need to use or disclose PHI for a purpose, the rule requires them to make reasonable efforts to limit what they share to the information that’s relevant and necessary for that purpose.
Of course, the Minimum Necessary Standard doesn’t apply when the disclosure is to the patient themselves. There are 5 additional scenarios where it doesn’t apply…
Disclosures to, or requests by, a healthcare provider for treatment purposes
Uses or disclosures made under the patient’s written authorization
Uses or disclosures required for compliance with the HIPAA Administrative Simplification Rules
Disclosures to the Department of Health and Human Services (HHS) that it requires for enforcement purposes
Uses or disclosures that another law requires
If you’ve read any of the other blog posts I’ve written about HIPAA, you know how ambiguous the law is as a whole. The Minimum Necessary Standard isn’t any different in that respect. Yet, this portion of the law is more often viewed as flexible, rather than enigmatic. In other words, it’s built to accommodate the wide range of scenarios covered entities may find themselves in.
Where Does "Need-To-Know" Come In?
Nowhere within HIPAA does it explicitly say that PHI must be handled on a “need-to-know” basis. Instead, it’s a term that captures what the Minimum Necessary Standard requires.
Instead of having to worry about all of the different specifications, requirements and legal vernacular stated within the law and on the HHS’ website, that one term summarizes everything.
According to the Cambridge Dictionary, a need-to-know basis means, “...you only tell [people] the facts they need to know at the time they need to know them, and nothing more.” That definition aligns almost perfectly with what the Minimum Necessary Standard requires healthcare organizations to implement.
With that, you’re probably thinking, “OK, so why is this section of the blog important? You’re breaking down the definition of a phrase. How does that help me understand HIPAA’s requirements?”
I’m glad you asked, anonymous reader.
Using the phrase “need-to-know basis” makes the Minimum Necessary Standard more comprehensible. Thus, incorporating that phrasing into your policies and/or annual HIPAA training sessions makes it easy for your employees to understand the law. That simple change in vernacular could have a lasting impact on the education of your workforce.
After all, HIPAA itself requires covered entities to train their workforce on its privacy policies and to sanction workforce members who violate them, so establishing a culture that encourages following the rules is part of compliance, not an optional extra.
In 2013, the HHS fined Shasta Regional Medical Center (SRMC) $275,000 and mandated a corrective action plan (CAP) for violating HIPAA.
The HHS launched an investigation into SRMC after an article published in the Los Angeles Times stated that two executive leaders from the organization met with media outlets to discuss medical services provided to a patient. After the settlement, a representative of the HHS stated that senior leadership defines the culture of an organization and is also responsible for complying with HIPAA.
Changing the phrasing to make one of the rules within healthcare’s biggest law more understandable for your employees helps establish the culture that the representative referred to almost a decade ago.
Outside of The Organization
If you’re a healthcare professional, you know that there are certain vendors you have to rely on in order to do your job. HIPAA allows practices and facilities to work with vendors; otherwise, the burnout situation would be even worse.
Naturally, some vendors that medical organizations work with need to have access to or store PHI in order for their services to work. That’s allowed as long as there’s a business associate agreement (BAA) signed.
At that point, though, both parties are responsible for securing the data that they handle.
Business associates caused nearly 41% of all healthcare breaches in 2020.
In other words, establishing a need-to-know basis within your organization isn’t enough. You also have to ensure that your vendors have safeguards in place that protect your patients’ data.
If one of your business associates experiences a breach, both of you have to deal with the blowback. The business associate must notify you of the breach, and HHS can investigate and penalize them directly. Meanwhile, as the covered entity, you remain responsible for notifying your affected patients and HHS, and for communicating between the vendor and those patients.
It’s a nightmare scenario where no one comes out unscathed. Before signing an agreement with a business associate, take a deep look into the safeguards they have in place.
One of the telltale signs of a good organization to trust is whether or not they’ve established a well-thought-out and emphasized need-to-know environment.
Implementing a Mentality
Now that we know what’s included within the Minimum Necessary Standard and the positive impacts of using the phrase “need-to-know basis”, the next step is to implement safeguards.
As the owner or administrator of a healthcare organization, you want to trust your workforce that they’ll do the right thing. They’ll pay attention during their training sessions and know how to conduct themselves in a manner that protects patient health information.
Yet, in reality, we know that this isn’t a safe mindset to have.
Out of 1,000 business owners, almost 50% of them said that human error was the culprit for a breach that they’ve experienced.
There are many different things organizations can implement to lessen the risk of human error. Yet, a lot of your woes would disappear if you placed an emphasis on the mentality of a “need-to-know basis”.
Yes, there are technical safeguards, such as role-based access controls in your electronic health record system, that enforce this concept. However, it also stretches beyond the cyber world.
People who don’t need to see PHI in order to complete their job’s duties shouldn’t see it. If you have a secretary whose duties include forwarding phone calls, greeting guests and delivering packages, they shouldn’t ever receive an x-ray of one of your patients. Seeing an x-ray doesn’t have any effect on their responsibilities.
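To make the technical side of that secretary example concrete, here is an added illustration (not code from the original post or from any EHR product) of a deny-by-default, field-level filter that releases only the parts of a record a role needs. The roles, field names, patient record and the gateway class are all constructed for the example; a real system would pull roles from its identity provider and PHI from its database.

```python
"""Deny-by-default, field-level PHI access filter.

Added illustration of a "need-to-know" (minimum necessary) control; not code
from the original post or any particular EHR product. Roles, field names and
the patient record below are all constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample record (not real patient data).
RECORDS: Dict[str, Dict[str, object]] = {
    "P-1001": {
        "patient_id": "P-1001",
        "name": "Jane Doe",
        "phone": "555-0100",
        "appointment_time": "2024-06-03T09:30",
        "diagnosis": "Fractured left radius",
        "imaging": {"type": "x-ray", "finding": "displaced fracture"},
        "billing_code": "S52.502A",
    }
}

# Hypothetical role-to-field policy. A role can see only the fields its job
# needs; anything not listed is denied. The treating physician sees the full
# record, mirroring the treatment exception described in the post.
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "receptionist": frozenset({"patient_id", "name", "phone", "appointment_time"}),
    "billing": frozenset({"patient_id", "name", "billing_code"}),
    "radiologist": frozenset({"patient_id", "name", "imaging"}),
    "treating_physician": frozenset({
        "patient_id", "name", "phone", "appointment_time",
        "diagnosis", "imaging", "billing_code",
    }),
}


@dataclass
class AuditEntry:
    user: str
    role: str
    patient_id: str
    granted: Tuple[str, ...]
    denied: Tuple[str, ...]


@dataclass
class MinimumNecessaryGateway:
    policy: Dict[str, FrozenSet[str]]
    records: Dict[str, Dict[str, object]]
    audit_log: List[AuditEntry] = field(default_factory=list)

    def request(self, user: str, role: str, patient_id: str,
                fields: Tuple[str, ...]) -> Tuple[Dict[str, object], Tuple[str, ...]]:
        """Return (released fields, denied fields) for one access request.

        Unknown roles and unknown patients release nothing. Every request,
        including fully denied ones, is written to the audit log so that
        repeated over-reaching requests are visible to whoever reviews it.
        """
        allowed = self.policy.get(role, frozenset())
        record = self.records.get(patient_id, {})
        granted = tuple(f for f in fields if f in allowed and f in record)
        denied = tuple(f for f in fields if f not in granted)
        released = {f: record[f] for f in granted}
        self.audit_log.append(AuditEntry(user, role, patient_id, granted, denied))
        return released, denied

    def denied_requests(self) -> List[AuditEntry]:
        """Audit entries where at least one requested field was withheld."""
        return [e for e in self.audit_log if e.denied]


if __name__ == "__main__":
    gw = MinimumNecessaryGateway(ROLE_FIELDS, RECORDS)
    # The secretary from the post: scheduling needs a name and a time, not an x-ray.
    released, denied = gw.request("alice", "receptionist", "P-1001",
                                  ("name", "appointment_time", "imaging"))
    print("receptionist sees:", released)
    print("receptionist denied:", denied)
    released, denied = gw.request("bob", "radiologist", "P-1001", ("imaging",))
    print("radiologist sees:", released)
    for entry in gw.denied_requests():
        print("audit:", entry)
```

Two design choices matter here. First, the policy is a whitelist: a field a role isn’t explicitly granted is withheld, so a new field added to the record is hidden from everyone until someone decides who needs it. Second, denials are logged rather than silently dropped, which gives a privacy officer the evidence they need when the same account keeps asking for more than its role requires.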
Lacking Leads to Consequences
If you don’t establish a need-to-know basis within your organization, you’ll face consequences. It’s that simple.
Not teaching your employees that they should only share protected health information when it’s absolutely necessary leads to two main consequences.
First, it leads to gossip. Discussing a patient’s PHI with anyone who has no permitted purpose for hearing it is a HIPAA violation, and this type of violation still consistently lands near the top of the list of the most common violations every year.
It’s an act that everyone participates in. In fact, there are actual health benefits involved with gossiping. A 2012 study determined that when people gossiped about a person or a situation that they’ve recently experienced, their heart rates went down. In other words, gossiping helps soothe the body.
As a result, it’s essentially a guarantee that you’ll run into a problem where your employees share information with others that they shouldn’t.
Second, if you haven’t built this type of culture within your organization, it’s also safe to assume that you don’t have a comprehensive training program in place. As a result, both you and your employees miss out on learning the best practices for protecting and securing the PHI that you work with on a daily basis, and you never get to see how much regular training does to promote a general sense of awareness.
After all, your employees want training. 70% of employees state that job-related training opportunities influence their decision to stay at their job.
Conclusion
After reading this blog post, you now know that secret agents and healthcare professionals aren't that different. Both of them operate on a need-to-know basis. If they didn’t, they’d be risking some of the most private information on the planet.
The spy risks national security secrets while the doctor risks their patients’ information. If either type of data leaks, it leads to massive consequences.
In both cases, entire processes and safeguards need to exist to prevent both deliberate and accidental breaches. But it starts and ends with establishing, communicating and sustaining a need-to-know basis.