The javascript used on this site for creative design effects is not supported by your browser. Please note that this will not affect access to the content on this web site.
Skip Navigation
H H S Department of Health and Human Services
U.S. Department of Health and Human Services
Health Information Technology and Quality

A-Z Index  |  Questions?  |  Order Publications  |  HRSA Mobile

What policies and procedures need to be in place to restrict access, uses, and disclosures of PHI?

Covered entities must safeguard PHI by implementing policies and procedures to restrict access to and use of PHI.  Furthermore, a covered entity must only use or disclose the minimum amount of PHI necessary.  Therefore, a covered entity must institute policies and procedures for limiting the use and disclosure to the minimum necessary amount of information.  For internal use of PHI, the covered entity must put into place policies and procedures that restrict access to data to only those employees needing information relevant to the purpose of their jobs.

For routine, recurring disclosures, or requests for disclosures, covered entities must establish policies for limiting the PHI disclosed to the minimum necessary.  For non-routine disclosures, the covered entity must establish criteria that limits the PHI disclosed.

Summary of the HIPAA Privacy Rule: Limiting Uses and Disclosures to the Minimum Necessary- Developed by the Office for Civil Rights at the U.S. Department of Health and Human Services (2003).  This site provides a summary of the HIPAA Privacy Rule.

Request to Restrict Use and Disclosure of Protected Health Information go to exit disclaimer - Developed by the State of California (2007).  This form can be used as a sample form to provide to those who request to restrict access and disclosure of PHI.

Minimum Necessary Use and Disclosure of, and Requests for, Protected Health Information go to exit disclaimer - Developed by Stanford University (2007).  This document represents Stanford's policy, which can be viewed as a sample policy.

Developed by the Health Resources and Services Administration as a resource for health centers and other safety net and ambulatory care providers who are seeking to implement health IT.
Health Information Technology Toolboxes help health centers, safety net providers, and ambulatory care providers with electronic and online resources and technical assistance to improve patient care.  More>
Stay Informed