P2

SNO Policy 500: Information Subject to
Special Protection

Purpose and Principles: This model policy promotes the privacy principles of purpose specification and minimization, security safeguards and controls, use limitation, data integrity and quality, collection limitation, and individual participation and control. This recommended provision facilitates individualized privacy protections by requiring Participants to heed any special protections of certain information set forth under applicable law. In complying with these special protections, Participants’ collection, use and disclosure of health information is limited to legitimate purposes. Moreover, in guaranteeing deference to the law or policy most protective of privacy, the provision below echoes HIPAA’s federal preemption requirements which defer to state laws that are more protective than HIPAA’s own privacy provisions.³¹

Recommended Language

Scope and Applicability: This Policy applies to all institutions that have registered with and are participating in the SNO and that may provide or make available health information through the SNO.

Policy: Some health information may be subject to special protection under federal, state, and/or local laws and regulations (e.g., substance abuse, mental health, and HIV). Each Participant shall determine and identify what information is subject to special protection under applicable law prior to disclosing any information through the SNO. Each Participant is responsible for complying with such laws and regulations.

SNO Policy 600: Minimum Necessary

Purpose and Principles: To promote the privacy principles of collection limitation, use limitation, data integrity and quality, and security safeguards and controls, this recommended model policy incorporates HIPAA’s requirement that entities may disclose only the amount of information reasonably necessary to achieve a particular purpose.³² The policy exempts treatment disclosures from this minimum necessary requirement to balance the protection of privacy and the provision of quality health care. In assessing the smallest amount of information that is necessary to accomplish a particular purpose, Participants are less likely to collect, use or disclose information for an unauthorized purpose. Minimal collection, access, use and disclosure increases public confidence in the privacy practices of Participants, enhances information privacy, and diminishes the potential for data corruption and security violations.

Recommended Language

Scope and Applicability: This Policy applies to all institutions that have registered with and are participating in the SNO and that may provide, make available, or request health information through the SNO.

Policy:

1. Uses. Each Participant shall use only the minimum amount of health information obtained through the SNO as is necessary for the purpose of such use. Each Participant shall share health information obtained through the SNO with and allow access to such information by only those workforce members, agents, and contractors who need the information in connection with their job function or duties.
2. Disclosures. Each Participant shall disclose through the SNO only the minimum amount of health information as is necessary for the purpose of the disclosure. Disclosures to a health care provider for treatment purposes and disclosures required by law are not subject to this Minimum Necessary Policy.
3. Requests. Each Participant shall request only the minimum amount of health information through the SNO as is necessary for the intended purpose of the request. This Minimum Necessary Policy does not apply to requests by health care providers for treatment purposes. 
4. Entire Medical Record. A Participant shall not use, disclose, or request an individual’s entire medical record except where specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request. This limit does not apply to disclosures to or requests by a health care provider for treatment purposes or disclosures required by law.