User login


Minimum Necessary Rule

Effective Date: May 2019


Policy Statement

Columbia University has established safeguards to limit unnecessary or inappropriate access, use or disclosure of Protected Health Information (PHI).  PHI will be used or disclosed when it is necessary to satisfy an approved purpose and in compliance with the Minimum Necessary requirements of the HIPAA Privacy Rule.  


Reason(s) for the Policy

To comply with the Minimum Necessary standard for the Use or Disclosure of PHI, as required by the HIPAA Privacy Rule.  


Primary Guidance to Which This Policy Responds

HIPAA Privacy Rule 45 CFR § 164.502(b), 164.514(d)


Responsible University Office & Officer

Office of HIPAA Compliance, Chief Privacy Officer


Revision History

Issued:       December 2003

Revised:    October 2007, December 2009, November 2018, May 2019


Who is governed by This Policy

All Columbia University Healthcare Component (CUHC) workforce members with access to Protected Health Information (PHI)


Who Should Know This Policy

All CUHC workforce members with access to Protected Health Information (PHI)



To see the full text of this policy, please use the link on the right.