HIPAA requires that uses and disclosures of PHI be limited to the minimum necessary to accomplish the intended purpose (with a small set of exceptions, such as disclosures to a provider for treatment). This is the rule behind most of what feels restrictive about working with health data: the problem is not accessing information you have a clinical or operational reason to see; it is accessing information you have no such reason to see.
In practice this means a few things:
- Access is scoped to your role. A care coordinator does not need the diagnostic reasoning in a 90791 (the CPT code for a psychiatric diagnostic evaluation). A billing analyst does not need session notes. CareHub's roles and surfaces are designed so that the default view shows you what your work requires, and nothing more.
- Distribution is scoped to the document. When a report is served, the recipients are chosen by document type — defense, claims examiner, applicant attorney — not by case. You do not include people on a distribution because they "might be interested."
- Searches and exports are last resorts, not first ones. Pulling a list of cases, exporting a CSV, or running a cross‑case report all expand the audience of PHI. Do them only when the task in front of you actually requires the wider view, and ask first if you're not sure.
The "minimum" in minimum necessary is judged against the purpose of the access, not the curiosity of the person. A colleague's case is not yours to read because you happen to have system access. A friend's claim is not yours to look up because you happen to recognize the name. The audit trail records every access; the rule sets the expectation.
Where CareHub enforces this automatically (role gating, document‑typed distribution), the platform makes the limiting decision for you. The audit log is different: it prevents nothing, it records every access so that it can be reviewed afterwards. Where the platform lets you do something broader (search, export, screenshot, copy), the decision is yours, and the rule still applies.