Skip to content

An essential guide to the HIPAA Minimum Necessary Standard

The HIPAA Minimum Necessary Rule applies to all Protected Health Information (PHI). And includes physical documents, spreadsheets, films, and printed images, patient data stored or processed electronically, and information communicated verbally.

Every covered entity and business associate must make reasonable efforts to ensure minimal access to Protected Health Information for a particular use. But how does it work in practice? And how can you interpret “reasonable effort” or “minimum necessary disclosure“? Read our complete guide on the HIPAA Minimum Necessary Standard.

The ABC of HIPAA compliance

Let’s start with what HIPAA is. Passed in 1996 by the US government, the Health Insurance Portability and Accountability Act (HIPAA) obligates every covered entity to protect sensitive health information. Five HIPAA rules define how healthcare professionals should proceed when they handle sensitive data. One of them, the HIPAA Privacy Rule, outlines patients’ rights regarding their health information and regulates who can access it.


HIPAA compliance ensures healthcare providers meet the regulatory requirements for Protected Health Information (PHI). For example, an insurance company can only get the reasonably necessary information on a patient’s clinical history. Or if a journalist requests a plastic surgeon to disclose their celebrity patient data, they can’t do that. In short, every covered entity must follow HIPAA regulations. And restrict access to their PHI. 

Why is it critical to be HIPAA-compliant?

HIPAA compliance is essential for healthcare organizations and patients. Here is why: 

  • It ensures healthcare organizations securely handle sensitive information according to the same rules.

  • It gives patients peace of mind about their sensitive data by keeping strict security checks on who can access it and why. 

So, is complying with the HIPAA Privacy Rule important only because of the law? Violating HIPAA rules indeed results in high penalties. Also, HIPAA compliance builds patients’ trust and your organization’s reputation. And boosts your staff morale. 

What is the HIPAA Minimum Necessary Standard?

The HIPAA Minimum Necessary Standard is a component of the HIPAA Privacy Rule. It states that covered entities must make reasonable efforts to ensure minimum access to physical or electronically protected health information.

But since both terms, “minimum necessary information” and “reasonable efforts,” are not defined in HIPAA, what do they mean? They mean that a covered entity can only share necessary information upon request. And decide about the disclosure or restriction of specific parts of information.

Also, the HIPAA Minimum Necessary Standard states that a rational justification for the decision should always follow.

Sounds complex? Let’s examine some examples to clarify how the HIPAA Minimum Necessary Standard works. 

  • A doctor can only access patient records except for their social security number, billing information, and other sensitive information unrelated to treatment. 

  • A billing specialist can obtain the name of the test that a patient did but not the results.

  • An insurance company can only get information about a patient’s records relevant to the request related to the insured event, not the whole medical history.

  • A physician can’t disclose a patient’s medical diagnosis to unauthorized personnel or third parties. 

Every covered entity must limit unnecessary or inappropriate access and disclosure of their patients’ sensitive data.

When does the HIPAA Minimum Necessary Standard apply?

As we said before, the HIPAA Minimum Necessary Standard applies to all HIPAA-covered entities and healthcare providers, such as:

  • Hospitals.

  • Insurance companies.

  • Healthcare clearing houses.

  • Business associates who provide services to healthcare services providers.

 It compels these organizations to take reasonable actions to limit oversharing of PHI. 

Exceptions to the HIPAA Minimum Necessary Standard 

There is an exception for every rule. And the HIPAA Minimum Necessary Standard is no different. Here we have six exceptions to the uses and disclosures of PHI. 

1. Patient’s access to their medical history

A patient of a covered entity has the right to access their own Protected Health Information. To do so, they need to make a written request.

2. Treatment of a patient

A healthcare provider may access a patient’s PHI for the purpose of treatment. It also applies to consultations between providers regarding a patient.

3. The HIPAA rules enforcement

The Department of Health and Human Services asks for a disclosure of PHI based on the HIPAA Enforcement Rule

4. Consent of the person whose PHI is in question

A patient may allow a covered entity to disclose or use their PHI, but he or she must sign an authorization. 

5. Requests required by law

HIPAA-covered entities may disclose PHI without authorization for judicial or administrative proceedings, for example, in adult abuse, neglect, or domestic violence. 

6. Requests required for compliance with HIPAA

It concerns uses or disclosures needed for compliance with the HIPAA Administrative Simplification Rule that ensures consistent electronic communication and data exchange across the U.S. healthcare system.

How to carry out the HIPAA Minimum Necessary Rule in your company

Before implementing the HIPAA Minimum Necessary Standard, check if your organization has adequate policies and procedures. Here is our guide to HIPAA compliance.

Establish your organization’s policy

The policy and procedures should identify the following:

  • Who within your organization can access sensitive data to perform their duties

  • The categories or types of PHI 

  • The conditions appropriate to access.  

It’s also crucial to consider the exceptions you must make, to whom they apply, and under what circumstances. 

Control access to PHI and monitor compliance

Develop role-based permissions and determine what information various employees or third parties need. Instal monitoring software solutions to ensure your staff can access only the necessary PHI.

Define your business associate’s access to PHI 

Before you sign an agreement with a new business associate, agree on what data they can access. 

Keep documentation

Demonstrate compliance with the HIPAA Minimum Necessary Standard by keeping all the relevant documents, such as policy changes and employee training,

Train employees on HIPAA compliance

Make sure they know how to follow the HIPAA Minimum Necessary Standard and what sensitive data can be transferred, to whom, and in what circumstances. It will help you avoid HIPAA violations.

Who determines the HIPAA Minimum Necessary Standard?

For routine or recurring requests, a covered entity must have a protocol to limit the disclosure of Protected Health Information to the minimum. For non-routine disclosures, covered entities must develop reasonable criteria for determining and limiting the disclosure. Each such request must be reviewed individually.

Here are a few cases when a reasonable judgment is permitted:

  • A researcher asks for information and suitable documentation from an Institutional Review Board or Privacy Board.

  • A workforce member or a covered entity’s business associate requests minimum necessary information for a stated purpose.

  • A covered entity asks another entity for minimum necessary information.

  • A public official or an agency needs minimum necessary information for public health purposes. 

How often is the HIPAA Minimum Necessary Standard violated?

Although the exact number of violations is not specified, HHS Enforcement Highlights claims the HIPAA Minimum Necessary Standard violations are the fifth most common non-compliance events. There is also no data on who reports these violations, whether self-reported or submitted by covered entities, patients, or health plan customers.

So, what kind of situations violate the HIPAA Minimum Necessary Rule?

  • A doctor requires access to a patient’s medical records to treat them and simultaneously accidentally accesses sensitive data, such as their Social Security number or payment details.

  • A gynecologist gossips with their colleague over lunch about a celebrity patient being pregnant. A cafeteria waitress overhears it, and the Minimum Necessary Rule is violated.

  • An IT professional performs maintenance work on a hospital’s database and clicks on a few files with patients’ medical records. Since they didn’t have permission, they violated the Minimum Necessary Rule.

  • A nurse reveals information about a patient having hepatitis C in a hallway. If other patients can hear it, they can file a complaint that his PHI was disclosed without permission.

The effects of sharing more than the minimum necessary PHI

The consequences of HIPAA violations are significant. Apart from financial penalties, organizations lose their reputation, patient trust, and their ability to operate a business. Filefax, a medical storage company, agreed to pay$100,000 to settle potential HIPAA violations of the HIPAA Privacy Rule. And although Filefax shut its doors during the Office for Civil Rights investigation, it still didn’t escape additional fines and penalties.

However, the Privacy Rule allows incidental or accidental disclosures.

Let’s explain it with examples. Suppose an authorized individual, such as a physician, provides a patient’s PHI to another authorized person, also a physician, and by mistake, they share records of another patient. In that case, we are talking about accidental disclosure breaking HIPAA rules. What about incidental exposure? A person visiting their relative at the hospital may see another patient’s x-ray or can overhear nurses talking about a patient. And in this way, they incidentally access Protected Health Information. 

How can NordLayer help?

Storing patient data in a cloud has become the primary archiving method in the healthcare industry. And healthcare organizations need modern security solutions that help them follow HIPAA regulations.

NordLayer’s policies, standards, and procedures were reviewed by independent assessors who concluded we meet the security objectives outlined in the HIPAA Security Rule. And we have the appropriate measures for securing access to Protected Health Information according to HIPAA requirements.

NordLayer’s HIPAA-compliant solutions can protect endpoints with your organization’s sensitive information, adding an extra security layer to access your network, cloud tools, or databases. Contact us if you want to learn more about how we can help.

Disclaimer: This article has been prepared for general informational purposes and is not legal advice. We hope that you will find the information informative and helpful. However, you should use the information in this article at your own risk and consider seeking advice from a professional counsel licensed in your state or country. The materials presented on this site may not reflect the most current legal developments or the law of the jurisdiction in which you reside. This article may be changed, improved, or updated without notice.

Partnership Will Drive Increased Adoption of Portnox’s Cutting-Edge NAC Solution Purpose-Built for Large Distributed Organizations in the Region

LONDON — Portnox, which supplies network access control (NAC), visibility and device risk management to organizations of all sizes, today announced that it has partnered with Distology for the sole distribution and resell of its cloud-delivered NAC-as-a-Service solution in the United Kingdom and Ireland.

We chose to partner with Distology because of their successful history of IT security solution distribution in the UK and Irish markets, said Portnox CEO, Ofer Amitai. Were confident this collaboration will yield tremendous growth for both parties, as Portnox has a unique value proposition and Distology has the market enablement expertise to effectively evangelize our network security offering.

We have a long-established relationship with Portnox and it speaks volumes that the team have decided to choose Distology as their sole UK&I distributor. The technology Portnox brings to the market is incredibly exciting and complements our existing vendor stack effortlessly, said Stephen Rowlands, Head of Sales for Distology. Were especially looking forward to representing and promoting Portnox Clear to our growing partner base, as this brand-new cloud-based technology has potential to completely disrupt the market and we foresee masses of growth potential in this innovative product.

Portnox introduced its cloud-delivered NAC-as-a-Service solution to the UK & Irish markets less than two years go. As the first to bring NAC to the cloud, Portnox has quickly gained a foothold in the region, particularly among large distributed enterprises in the retail, construction and utilities industries.

The adoption of our NAC-as-a-Service product in the UK has been very strong to date, said VP of Products, Tomer Shemer. This is a testament to the fact that the UK is one of the markets leading the trend of cloud security adoption. We expect to see continued growth in the coming years in this area of Europe.

Portnox is set to exhibit at this week’s RSA 2020 Conference (booth #4234) in San Francisco, February 24-28. Additionally, Portnox (booth #G108) and Distology (booth #C40) will both be exhibiting at InfoSec Europe 2020, Europes largest event for information and cyber security, in London, June 2-4.

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit, and follow us on Twitter and LinkedIn.。

About Distology
Distology is a Market Enabler and offers true value for the distribution of disruptive IT Security solutions. The vendors we work with represent innovative and exciting technology that continues to excite and inspire their reseller network. Our ethos is based on trust, relationships, energy and drive and offers end to end support in the full sales cycle providing vendor quality technical and commercial resource.

These days, cybercrime is rampant. It’s no longer a matter of “if” you’re going to suffer an attack but “when” it will happen. All companies want to be ready for any crisis. And this is where a business continuity plan comes into play.

But what is a business continuity plan exactly? Why is it important? What should one include? Today, we’re exploring all these questions in-depth.

What is a business continuity plan?

A business continuity plan (BCP) is a document that sets guidelines for how an organization will continue its operations in the event of a disruption, whether it’s a fire, flood, other natural disaster or a cybersecurity incident. A BCP aims to help organizations resume operations without significant downtime.

Unfortunately, according to a 2020 Mercer survey, 51% of businesses across the globe don’t have a business continuity plan in place.

What’s the difference between business continuity and disaster recovery plans?

We often confuse the terms business continuity plan and disaster recovery plan. The two overlap and often work together, but the disaster recovery plan focuses on containing, examining, and restoring operations after a cyber incident. On the other hand, BCP is a broader concept that considers the whole organization. A business continuity plan helps organizations stay prepared for dealing with a potential crisis and usually encompasses a disaster recovery plan.

Importance of business continuity planning

The number of news headlines announcing data breaches has numbed us to the fact that cybercrime is very real and frequent and poses an existential risk to companies of all sizes and industries.

Consider that in 2021, approximately 37% of global organizations fell victim to a ransomware attack. Then consider that business interruption and restoration costs account for 50% of cyberattack-related losses. Finally, take into account that most cyberattacks are financially motivated and the global cost of cybercrime topped $6 trillion last year. The picture is quite clear — cybercrime is a lucrative venture for bad actors and potentially disastrous for those on the receiving end.

To thrive in these unpredictable times, organizations go beyond conventional security measures. Many companies develop a business continuity plan parallel to secure infrastructure and consider the plan a critical part of the security ecosystem. The Purpose of a business continuity plan is to significantly reduce the downtime in an emergency and, in turn, reduce the potential reputational damage and — of course — revenue losses.

Business continuity plan template

Password security for your business

Store, manage and share passwords.

30-day money-back guarantee

Business Continuity Plan Example

[Company Name]


I. Introduction

  • Purpose of the Plan

  • Scope of the Plan

  • Budget

  • Timeline

The initial stage of developing a business continuity plan starts with a statement of the plan’s purpose, which explains the main objective of the plan, such as ensuring the organization’s ability to continue its operations during and after a disruptive event.

The Scope of the Plan outlines the areas or functions that the plan will cover, including business processes, personnel, equipment, and technology.

The Budget specifies the estimated financial resources required to implement and maintain the BCP. It includes costs related to technology, personnel, equipment, training, and other necessary expenses.

The Timeline provides a detailed schedule for developing, implementing, testing, and updating the BCP.

II. Risk Assessment

  • Identification of Risks

  • Prioritization of Risks

  • Mitigation Strategies

The Risk Assessment section of a Business Continuity Plan (BCP) is an essential part of the plan that identifies potential risks that could disrupt an organization’s critical functions.

The Identification of Risks involves identifying potential threats to the organization, such cybersecurity breaches, supply chain disruptions, power outages, and other potential risks. This step is critical to understand the risks and their potential impact on the organization.

Once the risks have been identified, the Prioritization of Risks follows, which helps determine which risks require the most attention and resources.

The final step in the Risk Assessment section is developing Mitigation Strategies to minimize the impact of identified risks. Mitigation strategies may include preventative measures, such as system redundancies, data backups, cybersecurity measures, as well as response and recovery measures, such as emergency protocols and employee training.

III. Emergency Response

  • Emergency Response Team

  • Communication Plan

  • Emergency Procedures

This section of the plan focuses on immediate actions that should be taken to ensure the safety and well-being of employees and minimize the impact of the event on the organization’s operations.

The Emergency Response Team is responsible for managing the response to an emergency or disaster situation. This team should be composed of individuals who are trained in emergency response procedures and can act quickly and decisively during an emergency. The team should also include a designated leader who is responsible for coordinating the emergency response efforts.

The Communication Plan outlines how information will be disseminated during an emergency situation. It includes contact information for employees, stakeholders, and emergency response personnel, as well as protocols for communicating with these individuals.

The Emergency Procedures detail the steps that should be taken during an emergency or disaster situation. The emergency procedures should be developed based on the potential risks identified in the Risk Assessment section and should be tested regularly to ensure that they are effective.

IV. Business Impact Analysis

The Business Impact Analysis (BIA) section of a Business Continuity Plan (BCP) is a critical step in identifying the potential impact of a disruption to an organization’s critical operations.

The Business Impact Analysis is typically conducted by a team of individuals who understand the organization’s critical functions and can assess the potential impact of a disruption to those functions. The team may include representatives from various departments, including finance, operations, IT, and human resources.

V. Recovery and Restoration

  • Procedures for recovery and restoration of critical processes

  • Prioritization of recovery efforts

  • Establishment of recovery time objectives

The Recovery and Restoration section of a Business Continuity Plan (BCP) outlines the procedures for recovering and restoring critical processes and functions following a disruption.

The Procedures for recovery and restoration of critical processes describe the steps required to restore critical processes and functions following a disruption. This may include steps such as relocating to alternate facilities, restoring data and systems, and re-establishing key business relationships.

The Prioritization section of the plan identifies the order in which critical processes will be restored, based on their importance to the organization’s operations and overall mission.

Recovery time objectives (RTOs) define the maximum amount of time that critical processes and functions can be unavailable following a disruption. Establishing RTOs ensures that recovery efforts are focused on restoring critical functions within a specific timeframe.

VI. Plan Activation

  • Plan Activation Procedures

The Plan Activation section is critical in ensuring that an organization can quickly and effectively activate the plan and respond to a potential emergency.

The Plan Activation Procedures describe the steps required to activate the BCP in response to a disruption. The procedures should be clear and concise, with specific instructions for each step to ensure a prompt and effective response.

VII. Testing and Maintenance

  • Testing Procedures

  • Maintenance Procedures

  • Review and Update Procedures

This section of the plan is critical to ensure that an organization can effectively respond to disruptions and quickly resume its essential functions.

Testing procedures may include scenarios such as natural disasters, cyber-attacks, and other potential risks. The testing procedures should include clear objectives, testing scenarios, roles and responsibilities, and evaluation criteria to assess the effectiveness of the plan.

The Maintenance Procedures detail the steps necessary to keep the BCP up-to-date and relevant.

The Review and Update Procedures describe how the BCP will be reviewed and updated regularly to ensure its continued effectiveness. This may involve conducting a review of the plan on a regular basis or after significant changes to the organization’s operations or threats.

What should a business continuity plan checklist include?

Organizations looking to develop a BCP have more than a few things to think through and consider. Variables such as the size of the organization, its IT infrastructure, personnel, and resources all play a significant role in developing a continuity plan. Remember, each crisis is different, and each organization will have a view on handling it according to all the variables in play. However, all business continuity plans will include a few elements in one way or another.

  • Clearly defined areas of responsibility

    A BCP should define specific roles and responsibilities for cases of emergency. Detail who is responsible for what tasks and clarify what course of action a person in a specific position should take. Clearly defined roles and responsibilities in an emergency event allow you to act quickly and decisively and minimize potential damage.

  • Crisis communication plan

    In an emergency, communication is vital. It is the determining factor when it comes to crisis handling. For communication to be effective, it is critical to establish clear communication pipelines. Furthermore, it is crucial to understand that alternative communication channels should not be overlooked and outlined in a business continuity plan.

  • Recovery teams

    A recovery team is a collective of different professionals who ensure that business operations are restored as soon as possible after the organization confronts a crisis.

  • Alternative site of operations

    Today, when we think of an incident in a business environment, we usually think of something related to cybersecurity. However, as discussed earlier, a BCP covers many possible disasters. In a natural disaster, determine potential alternate sites where the company could continue to operate.

  • Backup power and data backups

    Whether a cyber event or a real-life physical event, ensuring that you have access to power is crucial if you wish to continue operations. In a BCP, you can often come across lists of alternative power sources such as generators, where such tools are located, and who should oversee them. The same applies to data. Regularly scheduled data backups can significantly reduce potential losses incurred by a crisis event.

  • Recovery guidelines

    If a crisis is significant, a comprehensive business continuity plan usually includes detailed guidelines on how the recovery process will be carried out.

Business continuity planning steps

Here are some general guidelines that an organization looking to develop a BCP should consider:


A business continuity plan should include an in-depth analysis of everything that could negatively affect the overall organizational infrastructure and operations. Assessing different levels of risk should also be a part of the analysis phase.

Design and development

Once you have a clear overview of potential risks your company could face, start developing a plan. Create a draft and reassess it to see if it takes into account even the smallest of details.


Implement BCP within the organization by providing training sessions for the staff to get familiar with the plan. Getting everyone on the same page regarding crisis management is critical.


Rigorously test the plan. Play out a variety of scenarios in training sessions to learn the overall effectiveness of the continuity plan. By doing so, everyone on the team will be closely familiar with the business continuity plan’s guidelines.

Maintenance and updating

Because the threat landscape constantly changes and evolves, you should regularly reassess your BCP and take steps to update it. By making your continuity plan in tune with the times, you will be able to stay a step ahead of a crisis.

Level up your company’s security with NordPass Business

A comprehensive business continuity plan is vital for the entire organization’s security posture. However, in a perfect world, you wouldn’t have to use it. This is where NordPass Business can help.

Remember, weak, reused, or compromised passwords are often cited as one of the top contributing factors in data breaches. It’s not surprising, considering that an average user has around 100 passwords. Password fatigue is real and significantly affects how people treat their credentials. NordPass Business counters these issues.

With NordPass Business, your team will have a single secure place to store all work-related passwords, credit cards, and other sensitive information. Accessing all the data stored in NordPass is quick and easy, which allows your employees not to be distracted by the task of finding the correct passwords for the correct account.

In cyber incidents, NordPass Business ensures that company credentials remain secure at all times. Everything stored in the NordPass vault is secured with advanced encryption algorithms, which would take hundreds of years to brute force.

If you are interested in learning more about NordPass Business and how it can fortify corporate security, do not hesitate to book a demo with our representative.


About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About NordPass
NordPass is developed by Nord Security, a company leading the global market of cybersecurity products.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.



Click one of our contacts below to chat on WhatsApp