What policies and procedures need to be in place to restrict access, uses, and disclosures of PHI?
Covered entities must safeguard PHI by implementing policies and procedures to restrict access to and use of PHI. Furthermore, a covered entity must use or disclose only the minimum amount of PHI necessary. Therefore, a covered entity must institute policies and procedures for limiting use and disclosure to the minimum necessary amount of information. For internal use of PHI, the covered entity must put into place policies and procedures that restrict access to data to only those employees who need the information for the purpose of their jobs.
For routine, recurring disclosures, or requests for disclosures, covered entities must establish policies for limiting the PHI disclosed to the minimum necessary. For non-routine disclosures, the covered entity must establish criteria that limit the PHI disclosed.
Resources:
Summary of the HIPAA Privacy Rule: Limiting Uses and Disclosures to the Minimum Necessary
- Developed by the Office for Civil Rights at the U.S. Department of Health and Human Services (2003). This site provides a summary of the HIPAA Privacy Rule.
Request to Restrict Use and Disclosure of Protected Health Information
- Developed by the State of California (2007). This form can be used as a sample form to provide to those who request to restrict access and disclosure of PHI.
Minimum Necessary Use and Disclosure of, and Requests for, Protected Health Information
- Developed by Stanford University (2007). This document represents Stanford's policy, which can be viewed as a sample policy.