HIPAA Minimum Necessary Standard: What Solo Therapists Need to Know
The HIPAA minimum necessary standard is one of those rules that sounds simple but trips up therapists in everyday practice. The principle: when you use, disclose, or request Protected Health Information, you should limit it to the minimum amount necessary to accomplish the intended purpose.
In other words: don't share more than you need to, and don't access more than you need to.
What the Rule Says
The Privacy Rule (45 CFR § 164.502(b)) requires covered entities to make "reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request."
This applies to:
- Uses — how you access and use PHI internally
- Disclosures — what you share with others
- Requests — what you ask others to share with you
Important Exception: Treatment
The minimum necessary standard does not apply to disclosures for treatment purposes. When you're communicating with another provider about a shared patient's care, you can share the full clinical picture without applying minimum necessary limitations.
This exception exists because limiting clinical information during treatment could harm patient care. OCR has consistently maintained this exemption.
However, this exception applies specifically to treatment. It doesn't cover:
- Billing (share only what's needed for the claim)
- Insurance authorisation requests (share only what's needed for the review)
- Legal proceedings (share only what's ordered or relevant)
- Research (follow the study protocol's data requirements)
How This Applies to Solo Therapists
Scenario 1: Insurance authorisation
An insurance company requests information to authorise continued treatment. The minimum necessary standard applies — send the clinical information needed to justify medical necessity, not the patient's entire chart.
Do: Send the treatment plan, diagnosis, functional assessment, and specific clinical justification for continued sessions.
Don't: Send three years of session notes, the full psychosocial history, and every assessment you've ever administered.
Scenario 2: Referral to another provider
You're referring a patient to a psychiatrist for medication management. The treatment exception applies — you can share the clinical information the psychiatrist needs to provide appropriate care.
Do: Send a comprehensive referral summary with relevant history, current symptoms, diagnoses, and treatment to date.
Scenario 3: Responding to a subpoena
An attorney subpoenas your patient's records for a legal proceeding. The minimum necessary standard applies — disclose only the records specifically described in the subpoena.
Do: Provide exactly what's requested. If the subpoena asks for "treatment records from January 2025 to present," provide only those records from that date range.
Don't: Send the entire chart from the beginning of treatment.
Scenario 4: Staff access
If you have a billing assistant, they should only access the PHI they need for billing — not full clinical notes. This is why role-based access controls in your EHR matter.
Do: Configure your EHR so billing staff can see demographic and insurance information but not clinical notes.
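Most EHRs expose this as a role setting, but the underlying logic is simple enough to show directly. The following Python sketch is an added example (not from this page and not any EHR vendor's code) of a default-deny, role-and-purpose keyed filter over a chart: the field names, categories, roles and purposes are assumptions chosen for the example. It also models the treatment exception from Scenario 2 and the internal quality-improvement use from Scenario 5, so a request that is not covered by an explicit policy entry releases nothing.

```python
"""Field-level minimum-necessary filter (added example, not the page's code)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Constructed sample chart. Field names and values are assumptions for this
# example, not the schema of any real EHR.
SAMPLE_CHART: Dict[str, str] = {
    "name": "Pat Example",
    "dob": "1990-01-01",
    "insurance_id": "MEMBER-000000",
    "insurance_plan": "Example Health Plan",
    "cpt_code": "90837",
    "service_date": "2025-02-03",
    "diagnosis": "F41.1",
    "treatment_plan": "Weekly CBT, reassess in 12 weeks",
    "session_notes": "Discussed work stressors and sleep hygiene.",
    "psychosocial_history": "Detailed intake history.",
}

# Each field belongs to one PHI category (assumed grouping for the example).
FIELD_CATEGORY: Dict[str, str] = {
    "name": "demographic",
    "dob": "demographic",
    "insurance_id": "insurance",
    "insurance_plan": "insurance",
    "cpt_code": "billing",
    "service_date": "billing",
    "diagnosis": "clinical",
    "treatment_plan": "clinical",
    "session_notes": "notes",
    "psychosocial_history": "notes",
}

ALL_CATEGORIES: FrozenSet[str] = frozenset(FIELD_CATEGORY.values())

# Minimum-necessary policy keyed by (role, purpose). Any pair not listed is
# denied entirely, so the policy fails closed rather than open.
POLICY: Dict[Tuple[str, str], FrozenSet[str]] = {
    # Treatment exception: the clinician may share the full clinical picture.
    ("therapist", "treatment"): ALL_CATEGORIES,
    # Utilisation review: what justifies medical necessity, not the whole chart.
    ("therapist", "insurance_authorisation"): frozenset(
        {"demographic", "insurance", "clinical"}),
    # Billing staff: demographic, insurance and claim data, never notes.
    ("billing_assistant", "billing"): frozenset(
        {"demographic", "insurance", "billing"}),
    # Internal quality improvement: diagnosis/plan-level data only.
    ("therapist", "quality_improvement"): frozenset({"clinical"}),
}


@dataclass
class Release:
    """Result of one access: what was released, what was withheld, and why."""
    released: Dict[str, str]
    withheld: List[str] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)


def minimum_necessary(chart: Dict[str, str], role: str, purpose: str,
                      requested: Optional[Iterable[str]] = None) -> Release:
    """Return only the fields (role, purpose) is permitted to see.

    If `requested` is given, only those fields are considered; otherwise the
    whole chart is evaluated. Unmapped fields have no category and are withheld.
    """
    allowed = POLICY.get((role, purpose), frozenset())
    wanted = list(requested) if requested is not None else list(chart)
    result = Release(released={})
    for name in wanted:
        if name not in chart:
            result.audit.append(f"{role}/{purpose}: unknown field '{name}' ignored")
            continue
        category = FIELD_CATEGORY.get(name)
        if category in allowed:
            result.released[name] = chart[name]
        else:
            result.withheld.append(name)
            result.audit.append(f"{role}/{purpose}: withheld '{name}' ({category})")
    return result


if __name__ == "__main__":
    view = minimum_necessary(SAMPLE_CHART, "billing_assistant", "billing")
    print("billing view:", sorted(view.released))
    print("withheld:", view.withheld)
```

The audit list is what you would write to your access log: a record of what each role and purpose was denied is the evidence that the policy in your procedures manual is actually enforced by the system, not just documented.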
Scenario 5: Your own access
Even as the treating therapist, the minimum necessary principle applies to non-treatment uses. If you're pulling data for a quality improvement project, only access the specific data points you need — not every patient's full chart.
Policies You Should Have
Your HIPAA policies and procedures should address minimum necessary by:
- Defining role-based access — who in your practice can access what types of PHI, and for what purposes
- Setting disclosure standards — what information is included in standard disclosures (insurance requests, referrals, legal responses)
- Training your workforce — everyone who handles PHI should understand the principle and how to apply it
For a solo practice, this might seem like overkill — "I'm the only one here." But documenting your policies demonstrates to OCR that you've thought about minimum necessary and have a framework for applying it.
Common Mistakes
Over-sharing with insurance companies. Sending the full chart when a utilisation review only needs a treatment summary. This is the most common minimum necessary violation for therapists.
No role-based access controls. If your billing assistant has the same EHR access level as you, they can see clinical notes they don't need for billing.
Forwarding entire charts for referrals. The treatment exception covers referral communications, but best practice is still to send a focused referral summary rather than dumping the entire record.
Ignoring the standard for internal uses. Even within your own practice, non-treatment uses (quality improvement, training, marketing) are subject to minimum necessary.
Documentation
Document your minimum necessary practices in your policies and procedures manual. Specifically:
- How you determine what constitutes "minimum necessary" for different types of requests
- What standard disclosures include (and exclude) for common scenarios
- How access levels are configured in your EHR
- How you train staff on applying the standard
Your Compliance Pack includes these policies, personalised to your practice's specific vendor setup and workflow.
Not sure if your practice applies the minimum necessary standard correctly? Take the free assessment to check this and 39 other compliance areas.