Minimum Necessary requests for protected health information

§164.514(d)(4) Implementation specifications: Minimum necessary requests for protected health information. (i) A covered entity must limit any request for protected health information to that which is reasonably necessary to accomplish the purpose for which the request is made, when requesting such information from other covered entities.
(ii) For a request that is made on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information requested to the amount reasonably necessary to accomplish the purpose for which the request is made.
(iii) For all other requests, a covered entity must:
(A) Develop criteria designed to limit the request for protected health information to the information reasonably necessary to accomplish the purpose for which the request is made; and
(B) Review requests for disclosure on an individual basis in accordance with such criteria.

Audit Inquiry

Are policies and procedures in place to limit the PHI requested by the entity being audited to the amount minimally necessary to achieve the purpose of the disclosure?

Obtain and review policies and procedures related to minimum necessary requests and evaluate the content relative to the specified criteria.
Obtain and review a sample of requests made on a routine and recurring basis and determine if they are limited to the PHI reasonably necessary to achieve the purpose of the disclosure, as required by §164.514(d)(4).