A hospital employee in Texas pulls up a patient's full medical record to verify an insurance code. She only needs the diagnosis and the billing number, but the system gives her everything — psychiatric notes, HIV status, substance abuse history, social security number. She glances at the psychiatric notes out of curiosity. Nobody reports it. Nobody notices.

Until someone does.

This is the exact scenario the minimum necessary requirement was designed to prevent. And if you're wondering what the minimum necessary requirement for PHI is, you're asking the right question — because most covered entities I've worked with get it wrong, or ignore it entirely.

What Is the Minimum Necessary Requirement for PHI? A Direct Answer

The minimum necessary requirement is a provision of the HIPAA Privacy Rule that says covered entities and business associates must make reasonable efforts to limit access to protected health information (PHI) to the minimum amount necessary to accomplish the intended purpose. It applies to uses, disclosures, and requests for PHI.

In plain language: don't access or share more patient information than you actually need to do your job.

The rule is codified under 45 CFR §164.502(b) and §164.514(d). HHS published it as part of the original Privacy Rule, and it hasn't gotten less important with time — it's gotten more critical as electronic health records make over-access effortless.

When the Rule Applies — and When It Doesn't

This is where most organizations stumble. The minimum necessary standard applies broadly, but it has specific exceptions. Here's the breakdown.

The Rule Applies To:

  • Uses of PHI within the organization (e.g., an employee accessing a record)
  • Disclosures of PHI to other covered entities for payment or healthcare operations
  • Requests for PHI from other covered entities
  • Disclosures to business associates

The Rule Does Not Apply To:

  • Disclosures to or requests by a healthcare provider for treatment purposes
  • Disclosures to the individual who is the subject of the PHI
  • Uses or disclosures authorized by the individual
  • Disclosures required by law
  • Disclosures to HHS for compliance investigations or enforcement
  • Uses or disclosures required for HIPAA compliance

The treatment exception trips people up. A referring physician can share a patient's full relevant history with a specialist without trimming it down. That's intentional — you don't want a surgeon operating with incomplete information because someone applied the minimum necessary rule too aggressively.

But the billing department? The front desk? The IT team troubleshooting a login issue? They don't get a pass. They should only see what they need.

The $5.5 Million Mistake at Memorial Healthcare System

In 2017, the HHS Office for Civil Rights (OCR) settled with Memorial Healthcare System for $5.5 million after discovering that employees — and a former employee working at an affiliated physician's office — had been accessing patient PHI without authorization. The investigation revealed that login credentials were shared and that the organization lacked adequate access controls to enforce the minimum necessary standard.

The case is publicly documented on the HHS enforcement page. The takeaway? OCR doesn't just look at whether a breach occurred. It looks at whether your organization had policies and technical safeguards to limit PHI access in the first place.

If you can't demonstrate that you've implemented minimum necessary controls, you're already out of compliance — even before a breach happens.

How OCR Expects You to Implement the Standard

I've reviewed dozens of corrective action plans published by OCR, and a pattern emerges. Here's what they expect from covered entities and business associates:

1. Role-Based Access Controls

Your EHR and other systems that contain ePHI must limit access based on job function. A billing specialist shouldn't see clinical notes. A nurse on the third floor shouldn't have access to records for patients on the fifth floor unless they're providing care.

This isn't optional. It's the most basic technical implementation of the minimum necessary requirement. And yet, I've seen mid-size practices where every employee has the same login credentials and full access to every record in the system.

2. Written Policies That Identify Who Needs What

Under 45 CFR §164.514(d)(2), your organization must identify the persons or classes of persons who need access to PHI, the categories of PHI they need, and the conditions under which access is appropriate. You need this documented. A verbal understanding among your staff doesn't count.
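The following is an added illustration (not code from the original article or any EHR vendor) of how the role-based access controls from step 1 and the documented "who needs what, under which conditions" matrix from step 2 combine into a single enforcement point. The role names, PHI categories, sample record and the unit-assignment condition are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy matrix: which PHI categories each workforce role may see.
# A real 164.514(d)(2) policy is richer; this only shows the structure.
ROLE_CATEGORIES = {
    "billing":    {"patient_id", "demographics", "diagnosis_codes", "billing"},
    "front_desk": {"patient_id", "demographics", "appointments"},
    "nurse":      {"patient_id", "demographics", "diagnosis_codes",
                   "clinical_notes", "medications", "psychiatric_notes"},
    "it_support": set(),   # fixing a login problem needs no PHI at all
}

# Constructed sample record; the keys are the PHI categories.
SAMPLE_RECORD = {
    "patient_id": "P-0001", "unit": "3W",
    "demographics": {"name": "J. Example", "dob": "1970-01-01"},
    "ssn": "000-00-0000",
    "diagnosis_codes": ["M17.11"],
    "billing": {"claim": "CLM-42"},
    "appointments": ["2024-03-05"],
    "clinical_notes": "Post-op check, healing well.",
    "medications": ["ibuprofen"],
    "psychiatric_notes": "...",
    "hiv_status": "...",
    "substance_use_history": "...",
}

@dataclass
class Requester:
    user: str
    role: str
    unit: Optional[str] = None   # unit a nurse is assigned to (a "condition")
    treating: bool = False       # active treatment relationship -> exception

def minimum_necessary_view(record: dict, who: Requester) -> dict:
    """Return only the PHI categories this requester's role and conditions allow.

    Treatment disclosures sit outside the minimum necessary standard, so a
    treating clinician receives the record untrimmed.
    """
    if who.treating:
        return dict(record)
    allowed = ROLE_CATEGORIES.get(who.role, set())
    # Condition: a nurse only sees patients on the unit they are assigned to.
    if who.role == "nurse" and who.unit != record.get("unit"):
        allowed = set()
    return {k: v for k, v in record.items() if k in allowed}

def denied_categories(record: dict, who: Requester) -> set:
    """Categories withheld from this requester (worth writing to an audit trail)."""
    return set(record) - set(minimum_necessary_view(record, who))
```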

3. Procedures for Routine vs. Non-Routine Disclosures

For routine, recurring disclosures — like sending claims to a payer — your organization should have standard protocols that limit what goes out. For non-routine requests, you need a process for reviewing each request individually to ensure only the minimum necessary PHI is disclosed.

4. Reasonable Reliance

When another covered entity or a public official requests PHI, you're allowed to rely on their representation that they're only asking for the minimum necessary — as long as that reliance is reasonable. But "reasonable" means you should still apply judgment. If a workers' comp insurer asks for a patient's entire psychiatric history to process a knee injury claim, that's a red flag.

The Workforce Training Gap That Keeps Showing Up

Here's what I see constantly: organizations invest in access controls but skip the training. They configure role-based permissions in their EHR, check the box, and assume they're covered.

They're not.

The minimum necessary requirement isn't just a technical control. It's a behavioral standard. Your workforce needs to understand why they shouldn't pull up a full record when they only need a phone number. They need to understand that curiosity isn't a legitimate business purpose. They need to know that accessing a coworker's medical record — even without malicious intent — is a violation.

OCR has made it clear through enforcement actions that workforce training is a foundational safeguard. If your team hasn't completed role-specific HIPAA training that covers minimum necessary concepts, you have a gap. Our HIPAA training catalog includes courses designed to address exactly this — giving staff practical, scenario-based instruction on how the minimum necessary standard applies to their daily tasks.

Minimum Necessary in the Age of Interoperability

The minimum necessary requirement gets more complicated every year. Health information exchanges, APIs, patient portals, and third-party apps all create new channels where PHI flows. When your organization connects to a health information exchange, are you sending only the minimum necessary data? When a business associate integrates with your EHR through an API, what data elements are exposed?

These are the questions OCR is increasingly focused on. The 21st Century Cures Act pushed interoperability forward, but it didn't eliminate your obligation under the Privacy Rule. You still have to apply the minimum necessary standard to every use and disclosure — even when the data is moving through automated systems.

If your technology team isn't part of your HIPAA compliance conversations, that's a problem. Access controls and data segmentation decisions should involve both IT leadership and your privacy officer.

Practical Steps You Can Take This Week

You don't need a six-month project plan to start closing minimum necessary gaps. Here are concrete actions I recommend to every client:

  • Audit your EHR access logs. Pull a report of who accessed what over the last 90 days. Look for patterns — employees accessing records outside their department, excessive record views, access after termination dates.
  • Review and update your role-based access matrix. When was the last time you verified that each role's access level matches their actual job duties? Staff roles change. Access permissions should change with them.
  • Train your workforce — specifically on minimum necessary. General HIPAA awareness isn't enough. Your staff needs scenario-based training that shows them what minimum necessary looks like in their specific role. Browse our HIPAA compliance training options for courses that cover this standard in depth.
  • Update your policies. Make sure your minimum necessary policies identify specific roles, specific PHI categories, and specific conditions. Vague policies are the same as no policies in OCR's eyes.
  • Create a process for non-routine requests. Designate someone to review and approve any PHI disclosure that falls outside your standard operating procedures.

The Standard OCR Won't Stop Enforcing

The minimum necessary requirement isn't a suggestion. It's baked into the HIPAA Privacy Rule, and OCR has shown through years of enforcement actions that they take it seriously. From the Memorial Healthcare settlement to smaller corrective action plans that never make headlines, the message is consistent: if you're not limiting PHI access to what's necessary, you're inviting regulatory scrutiny.

Your organization has the tools to get this right. Role-based access controls, documented policies, workforce training, and regular audits form the foundation. The question isn't whether you understand what the minimum necessary requirement for PHI is — it's whether you've actually built it into how your organization operates every day.

Start with a training refresh. Review your access controls. Document your policies. And stop giving people access to information they don't need to do their jobs. That's the minimum necessary standard in practice — and it's exactly what OCR expects to see when they come knocking.