The minimum necessary standard is a key protection of the HIPAA Privacy Rule. It requires an entity to make reasonable efforts to disclose or request only the minimum amount of protected health information needed to accomplish the purpose of the use or disclosure.

When creating policies and procedures for the access and use of protected health information, covered entities should ensure that members of their workforce have access only to information intended for their job function. Access to information not pertinent to their job function should be denied.