Minimum Necessary Standard Policy
Effective: March 8, 2026
1. Purpose
This policy implements the Minimum Necessary standard as required by 45 CFR §164.502(b) and 45 CFR §164.514(d) of the HIPAA Privacy Rule. The Minimum Necessary standard requires that when using, disclosing, or requesting protected health information (PHI), a covered entity or business associate must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
H33's architecture is uniquely positioned to enforce this standard through fully homomorphic encryption (FHE), which enables computation on encrypted data without ever exposing plaintext PHI. This policy documents the organizational and technical controls that ensure Minimum Necessary compliance across all H33 systems and workforce interactions.
2. Scope
This policy applies to:
- All H33 workforce members, including full-time employees, part-time employees, temporary workers, interns, and volunteers
- All contractors, consultants, and third-party service providers who access, process, or come into contact with PHI on behalf of H33
- All H33 information systems that create, receive, maintain, or transmit PHI, including H33-Vault, H33-Share, Auth1, and supporting AWS infrastructure
- All media, formats, and transmission methods through which PHI may be accessed, including electronic, paper, and oral communications
3. Policy Statements
3.1 Minimum Necessary Access
Access to PHI shall be limited to the minimum amount of information necessary for each workforce member or system component to perform its designated function. No individual or system shall be granted access to PHI beyond what is required for their specific role, task, or transaction.
3.2 Role-Based Access Control
H33 implements role-based access control (RBAC) with tiered permissions that map directly to job functions. Each role is assigned a predefined set of access privileges that represent the minimum necessary PHI access for that role. Access permissions are reviewed upon hiring, role change, and termination, and no less than quarterly.
3.3 FHE Encryption as a Structural Safeguard
H33's BFV fully homomorphic encryption ensures that PHI fields are never accessible in plaintext during routine processing. All PHI is encrypted at the point of extraction and remains encrypted throughout the processing pipeline. Decryption requires an explicit administrative action with biometric step-up authentication (FHE-encrypted biometric templates verified via CRYSTALS-Dilithium signatures). This architecture enforces the Minimum Necessary standard at the cryptographic level — even authorized operators cannot access plaintext PHI during normal operations.
3.4 Biometric Step-Up for Decryption
H33-Vault operator access to decrypted PHI requires biometric step-up authentication within a 15-minute freshness window. If the freshness window expires, the operator must re-authenticate before any decryption operations can proceed. Biometric templates are stored exclusively in FHE-encrypted form; no plaintext biometric data is stored at any point in the system.
3.5 Encrypted Velocity Counters
H33 uses FHE-encrypted velocity counters to track access patterns without exposing actual access counts to operators or supervisors. This allows the system to detect anomalous access patterns and enforce rate limits while maintaining the Minimum Necessary standard — even the monitoring infrastructure cannot observe plaintext access metrics.
4. Access Tiers
H33 defines four access tiers, each representing the minimum necessary PHI access for a category of workforce function:
Tier 1: Operators (Standard)
Permitted access: View encrypted PHI fields, submit document validations, and interact with H33-Vault processing pipelines.
Restrictions: No decryption access. Cannot view plaintext PHI, audit logs, or velocity counter summaries. Cannot approve exceptions or modify access controls.
Typical roles: Document processors, validation operators, customer support (Tier 1).
Tier 2: Supervisors (Elevated)
Permitted access: All Tier 1 access, plus view audit logs (redacted of PHI content) and access encrypted velocity counter summaries.
Restrictions: No decryption access. Cannot approve decryption requests or access raw PHI fields. Cannot modify access control policies.
Typical roles: Team leads, shift supervisors, operations managers.
Tier 3: Compliance (Privileged)
Permitted access: All Tier 2 access, plus full audit trail access (including PHI-bearing entries where required for investigation), and decryption approval authority for specific, documented compliance or legal purposes.
Restrictions: Decryption approvals must be documented with business justification, time-limited, and logged in the Dilithium-signed audit trail. Cannot modify system configuration or access controls without Security Officer approval.
Typical roles: Compliance officers, privacy officers, legal counsel, internal auditors.
Tier 4: Security Officer (Full Access)
Permitted access: All access levels, including system configuration, access control policy management, incident response authority, and emergency decryption capabilities.
Restrictions: All actions are logged in the Dilithium-signed immutable audit trail. Emergency decryption requires documented justification and is subject to post-incident Board review. Tier 4 access is limited to the designated Security Officer and approved delegates.
Typical roles: HIPAA Security Officer (Eric Beans, CEO/CISO).
5. Technical Controls
5.1 FHE Encryption at Extraction
All PHI fields are encrypted using BFV fully homomorphic encryption at the point of extraction. Standard operations use the H33-128 parameter set (ring dimension N=4096, a single 56-bit ciphertext modulus Q, and plaintext modulus t=65537); the H33-256 parameter set is used where enhanced security is required. Once encrypted, PHI can be processed, validated, and analyzed without decryption, enforcing the Minimum Necessary standard structurally.
5.2 Dilithium-Signed Audit Trails
Every PHI access event — including encrypted field access, decryption requests, decryption approvals, and audit log views — is recorded in an immutable audit trail signed with CRYSTALS-Dilithium (NIST FIPS 204) post-quantum digital signatures. These signatures ensure that audit records cannot be tampered with, repudiated, or backdated, even by a quantum-capable adversary.
5.3 Session Management
Authenticated sessions are subject to a 30-minute idle timeout with automatic logout, in compliance with HIPAA session management requirements. Active sessions are terminated upon role change, access revocation, or detection of anomalous behavior. Re-authentication is required after timeout and for any privilege escalation.
5.4 Biometric Step-Up for Sensitive Fields
Access to PHI fields classified as Critical or High sensitivity requires biometric step-up authentication. Biometric verification uses FHE-encrypted templates with a 15-minute freshness window. The step-up requirement applies regardless of the user's access tier — even Tier 4 users must complete biometric verification to access sensitive PHI.
6. Exceptions
Exceptions to the Minimum Necessary standard may be granted only under the following conditions:
- The exception is documented in writing with a specific business justification tied to a legitimate HIPAA-permitted purpose
- The exception is approved by the HIPAA Security Officer (or, in their absence, the CTO acting in an interim capacity)
- The exception is time-limited, with a defined expiration date not to exceed 90 days
- The exception is logged in the Dilithium-signed audit trail with the approver's identity, justification, scope, and expiration
- The exception is reviewed at or before expiration and renewed only if the justification remains valid
The exception process does not apply to the following uses and disclosures, which are already exempt from the Minimum Necessary standard under HIPAA:
- Disclosures to or requests by a health care provider for treatment purposes
- Disclosures to the individual who is the subject of the PHI
- Uses or disclosures made pursuant to a valid HIPAA authorization
- Disclosures required by law
- Disclosures required for compliance with HIPAA regulations
7. Violations
Violations of this policy are subject to progressive discipline, up to and including termination of employment or contract. The disciplinary framework is as follows:
- First violation (minor): Written warning, mandatory retraining on Minimum Necessary requirements, and documented counseling session with the Security Officer.
- Second violation or first serious violation: Suspension of PHI access privileges, formal investigation, and written corrective action plan with defined milestones.
- Third violation or first critical violation: Termination of employment or contract, and referral to the Compliance team for potential reporting obligations under HIPAA.
All violations, regardless of severity, are documented in the workforce member's file and reported to the Compliance team. Violations that constitute or contribute to a Breach of Unsecured PHI are handled in accordance with H33's Breach Notification Policy and applicable HIPAA regulations (45 CFR §§164.404–164.410).
8. Review
This policy shall be reviewed and updated on a semi-annual basis. The next scheduled review is September 2026.
Interim reviews shall be conducted upon:
- Any change to HIPAA regulations, HHS guidance, or OCR enforcement priorities affecting the Minimum Necessary standard
- Any breach or security incident involving unauthorized PHI access
- Significant changes to H33's systems, architecture, or workforce structure
- Findings from internal or external audits that identify gaps in Minimum Necessary compliance
- Addition of new product lines or services that process PHI
Questions about this policy?
Contact the Security Officer at security@h33.ai or the Compliance team at compliance@h33.ai.