Care Transitions Privacy Considerations: What to Share, When, and How Under HIPAA
During handoffs, referrals, and discharge planning, you must share the right Protected Health Information (PHI) with the right people at the right time. This guide translates the HIPAA Privacy Rule into practical steps for safe, lawful information exchange across care transitions. It is general information and not legal advice.
HIPAA Privacy Rule Overview
Core concepts you need to apply
- Scope: PHI includes any individually identifiable health information in any form, including electronic PHI (ePHI).
- Covered entities and business associates: Providers, plans, and clearinghouses—and vendors that handle PHI for them—must follow the HIPAA Privacy Rule and Security Rule.
- Permitted purposes: You may use or disclose PHI for treatment, payment, and health care operations (TPO) without patient authorization.
- Use vs. disclosure: A “use” stays inside your organization; a “disclosure” sends PHI outside (for example, to a receiving facility or specialist).
Permitted disclosures that enable care transitions
- Treatment: Share PHI with any treating provider to coordinate, manage, or deliver care—no authorization required.
- Operations: Exchange PHI for quality assessment, case management, or population-based activities when requirements for health care operations are met.
- Family and caregivers: With the patient’s agreement—or, if the patient is incapacitated, based on professional judgment—you may share PHI relevant to their involvement in care or payment.
- Safety: Disclose PHI as necessary to avert a serious and imminent threat to health or safety.
- Required by law and public health: Follow mandates such as reportable conditions or mandatory reporting.
What this means for daily transitions
- Do not delay treatment disclosures waiting for an authorization.
- Verify the recipient, send what the next team needs, and document when policy requires.
- Apply the Minimum Necessary Standard to non-treatment purposes; for treatment, share what is clinically relevant.
Value-Based Care Information Sharing
Using PHI within Value-Based Care Arrangements
In Value-Based Care Arrangements (e.g., ACOs, clinically integrated networks, bundled payment programs), sharing PHI supports risk stratification, care management, and quality improvement. Under the HIPAA Privacy Rule, these activities can fall under health care operations or treatment. For operations disclosures, ensure both parties have or had a relationship with the patient and the PHI relates to that relationship.
Governance that keeps you compliant
- Define roles and access: Limit access to PHI based on job duties; favor de-identified data or a limited data set under a data use agreement when full identifiers are unnecessary.
- Formalize relationships: Execute business associate agreements where required; clarify whether the arrangement functions as an organized health care arrangement for shared operations.
- Purpose binding: Use PHI only for the stated care coordination or quality purposes; avoid impermissible “sale of PHI.”
- Transparency: Ensure your Notice of Privacy Practices reflects uses for Care Coordination and population health where applicable.
Minimum Necessary Standard Compliance
What the Minimum Necessary Standard requires
For uses and disclosures other than treatment, you must limit PHI to the minimum necessary to accomplish the purpose. Implement policies, role-based access, and queries that return only the data elements needed for the task at hand.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
When the Minimum Necessary Standard does not apply
- Disclosures to or requests by a health care provider for treatment.
- Disclosures to the individual or pursuant to a valid authorization.
- Uses or disclosures required by law, or to HHS for compliance investigations.
Putting it into practice
- Referral scheduling: Share identifiers, contact details, and reason for referral—not the entire chart.
- Pre-authorization: Send diagnoses, orders, and supporting documents needed by the plan; avoid unrelated notes.
- Transitions to post-acute care: Provide the discharge summary, current medications, allergies, and relevant labs/imaging; exclude unrelated historical data.
- Quality reporting: Prefer a limited data set with a data use agreement when feasible.
Mental Health and Substance Use Disorder Protections
Mental health PHI under HIPAA
You may share mental health PHI with other treating providers without authorization. You may also discuss a patient’s condition with family or caregivers involved in care when the patient agrees or, if incapacitated, when your professional judgment finds it in the patient’s best interest. Disclosures may be made to prevent or lessen a serious and imminent threat.
Psychotherapy Notes
Psychotherapy Notes are the clinician’s separate, personal notes documenting or analyzing counseling sessions. They exclude medication lists, session times, care plan summaries, and test results. In most cases, Psychotherapy Notes require the patient’s authorization for use or disclosure and are rarely needed for routine care transitions.
42 CFR Part 2 for substance use disorder records
- Programs subject to 42 CFR Part 2 generally need written patient consent to disclose SUD records, with limited exceptions (e.g., medical emergencies, audit/evaluation).
- Redisclosure is restricted: Recipients must honor the prohibition on redisclosure unless another exception or consent applies.
- Data segmentation: Use tagging (e.g., DS4P) to segregate Part 2 data in EHRs so routine transitions exclude it unless permitted.
Electronic Health Information Security
Secure transmission methods
- Use encrypted channels such as Direct secure messaging, FHIR APIs, or trusted health information exchanges.
- Avoid unencrypted email or SMS for PHI. If verbal communication is necessary (e.g., critical results), verify identity and document appropriately.
Access controls and auditability
- Apply role-based access, unique user IDs, and multi-factor authentication.
- Enable audit logs and “break-the-glass” workflows for emergencies; review access reports regularly.
- Train the workforce on phishing, device security, and incident reporting.
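The access-report review called for above can be automated. The following is an added example written for this page, not code from the original article or from any EHR product: it parses a constructed, pipe-delimited audit log and flags break-the-glass events that carry no documented reason or no follow-up attestation within a review window, plus views of 42 CFR Part 2-tagged data that reference no consent. The log format, event names, label names and sample lines are all assumptions made for the example.

```python
"""Audit-log review for break-the-glass and sensitive-data access.

Added example; not code from the page or from any EHR product. The log
format, event names, label names and the sample lines are constructed.
"""
from datetime import datetime, timedelta

# Constructed log format: ts|user|role|patient|event|labels|detail
#   event  : VIEW, BREAK_GLASS, ATTEST (post-hoc review of a break-glass access)
#   labels : comma-separated sensitivity tags on the data viewed
#   detail : free text, e.g. "consent=C-881" or the stated emergency reason
SAMPLE_LOG = """\
2024-03-01T08:02:11|dr.lee|physician|MRN-000123|VIEW|normal|
2024-03-01T08:05:40|dr.lee|physician|MRN-000123|VIEW|42cfr_part2|consent=C-881
2024-03-01T22:14:03|rn.diaz|nurse|MRN-000777|BREAK_GLASS|normal,42cfr_part2|ED arrival, unresponsive
2024-03-02T09:30:00|rn.diaz|nurse|MRN-000777|ATTEST|normal,42cfr_part2|reviewed by privacy officer
2024-03-03T01:12:59|clerk.ng|billing|MRN-000555|BREAK_GLASS|normal|
2024-03-04T15:45:21|dr.rao|physician|MRN-000123|VIEW|42cfr_part2|
"""

# Review window within which a break-glass access must be attested (assumed policy value).
ATTEST_WINDOW = timedelta(hours=48)


def parse_log(text):
    """Parse the constructed log format into a list of dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, event, labels, detail = line.split("|", 6)
        rows.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "patient": patient,
            "event": event,
            "labels": set(filter(None, labels.split(","))),
            "detail": detail,
        })
    return rows


def review(rows):
    """Return a list of (finding, user, patient) tuples in log order."""
    findings = []
    attests = [r for r in rows if r["event"] == "ATTEST"]
    for r in rows:
        if r["event"] == "BREAK_GLASS":
            # Emergency access must state why it was needed.
            if not r["detail"].strip():
                findings.append(("BREAK_GLASS_NO_REASON", r["user"], r["patient"]))
            # And it must be reviewed afterwards, by the same user/patient pair, inside the window.
            attested = any(
                a["user"] == r["user"] and a["patient"] == r["patient"]
                and r["ts"] <= a["ts"] <= r["ts"] + ATTEST_WINDOW
                for a in attests
            )
            if not attested:
                findings.append(("BREAK_GLASS_NO_ATTESTATION", r["user"], r["patient"]))
        elif r["event"] == "VIEW" and "42cfr_part2" in r["labels"] and "consent=" not in r["detail"]:
            # Routine (non-emergency) access to Part 2 data should cite the consent on file.
            findings.append(("PART2_VIEW_WITHOUT_CONSENT_REF", r["user"], r["patient"]))
    return findings


def review_text(text):
    """Parse and review in one step."""
    return review(parse_log(text))


if __name__ == "__main__":
    for finding in review_text(SAMPLE_LOG):
        print(*finding)
```

Run against the sample, the nurse's break-glass access passes (reason given, attested the next morning), while the billing clerk's unexplained, unattested break-glass and a Part 2 view with no consent reference are reported. Real EHR audit formats differ; the point is that each control the list names (unique IDs, break-the-glass, regular review) leaves a record that a short script can check.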
Data segmentation and special protections
- Segment Psychotherapy Notes and 42 CFR Part 2 data so routine exchanges do not inadvertently include them.
- Label sensitive data with redisclosure notices when required.
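The Minimum Necessary Standard section above asks for queries that return only the data elements a task needs, and this section asks for Psychotherapy Notes and 42 CFR Part 2 data to be segmented and labelled. The following is an added example written for this page, not code from the original article or any EHR vendor, that does both in one pass: it trims a record to a per-purpose allow-list (treatment is exempt, as the page states), drops specially protected entries unless authorization or consent is on file, and attaches a redisclosure notice only when a Part 2 entry is actually sent. The field names, purpose allow-lists, label names and notice text are constructed assumptions.

```python
"""Purpose-bound PHI filtering with sensitivity labels.

Added example; not code from the page or from any EHR vendor. The field
names, the per-purpose allow-lists, the label names and the notice text
are constructed for illustration. A production system would take the
allow-lists from written policy and the labels from the EHR's own tagging
(the page mentions DS4P), and would use the regulation's exact notice wording.
"""
from dataclasses import dataclass
from enum import Enum


class Label(Enum):
    NORMAL = "normal"                          # ordinary PHI
    PSYCHOTHERAPY_NOTE = "psychotherapy_note"  # patient authorization needed
    PART2 = "42cfr_part2"                      # 42 CFR Part 2: consent or exception needed


@dataclass(frozen=True)
class Entry:
    field: str
    value: str
    label: Label = Label.NORMAL


# Minimum-necessary allow-lists for non-treatment purposes (constructed).
# "treatment" is intentionally absent: the Minimum Necessary Standard does
# not apply to it, so only the sensitivity checks below constrain it.
ALLOWED_FIELDS = {
    "referral": {"patient_id", "contact", "referral_reason"},
    "pre_authorization": {"patient_id", "diagnoses", "orders", "supporting_docs"},
    "quality_reporting": {"diagnoses", "labs"},
}

# Placeholder redisclosure notice; substitute the wording 42 CFR Part 2 prescribes.
PART2_NOTICE = "PLACEHOLDER: 42 CFR Part 2 record; redisclosure prohibited without consent or another exception."

# Constructed sample chart for one fictitious patient.
SAMPLE_RECORD = [
    Entry("patient_id", "MRN-000123"),
    Entry("contact", "555-0100"),
    Entry("referral_reason", "persistent cough, 6 weeks"),
    Entry("diagnoses", "J45.909 asthma, unspecified"),
    Entry("labs", "CBC 2024-03-01, within normal limits"),
    Entry("allergies", "penicillin"),
    Entry("medications", "albuterol inhaler PRN"),
    Entry("therapy_session_note", "clinician's process notes", Label.PSYCHOTHERAPY_NOTE),
    Entry("sud_treatment", "enrolled in OUD program; buprenorphine", Label.PART2),
]


def filter_for_disclosure(record, purpose, *, part2_consent=False, psychotherapy_auth=False):
    """Return (entries to send, notices to attach) for the given purpose.

    Order matters: minimum-necessary trimming first, then segmentation of
    specially protected entries, then the redisclosure notice only if a
    Part 2 entry actually survives both filters.
    """
    if purpose != "treatment" and purpose not in ALLOWED_FIELDS:
        raise ValueError(f"no minimum-necessary policy defined for purpose {purpose!r}")
    kept, notices = [], []
    for entry in record:
        if purpose != "treatment" and entry.field not in ALLOWED_FIELDS[purpose]:
            continue  # not needed for this purpose
        if entry.label is Label.PSYCHOTHERAPY_NOTE and not psychotherapy_auth:
            continue  # segmented unless specifically authorized
        if entry.label is Label.PART2 and not part2_consent:
            continue  # segmented unless consent (or an exception) is on file
        kept.append(entry)
        if entry.label is Label.PART2 and PART2_NOTICE not in notices:
            notices.append(PART2_NOTICE)
    return kept, notices


def disclosed_fields(record, purpose, **flags):
    """Convenience view: sorted field names that would be disclosed."""
    kept, _ = filter_for_disclosure(record, purpose, **flags)
    return sorted(e.field for e in kept)


if __name__ == "__main__":
    for purpose in ("referral", "quality_reporting", "treatment"):
        print(purpose, disclosed_fields(SAMPLE_RECORD, purpose))
    kept, notices = filter_for_disclosure(SAMPLE_RECORD, "treatment", part2_consent=True)
    print("treatment with Part 2 consent:", [e.field for e in kept], notices)
```

An unknown purpose is rejected rather than defaulting to "send everything", which keeps the allow-list the single place where a new purpose must be deliberately added. Note that a referral with Part 2 consent on file still omits the SUD entry: consent permits disclosure, but the minimum-necessary allow-list for that purpose does not include it.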
Devices, vendors, and continuity
- Encrypt endpoints and mobile devices; use mobile device management and remote wipe.
- Execute and manage business associate agreements with vendors and subcontractors.
- Maintain contingency and downtime procedures to preserve continuity of Care Coordination.
Care Coordination and Continuity of Care
Who you can talk to
- Other treating providers across settings (primary care, specialists, hospitals, post-acute, EMS) for treatment—authorization not required.
- Payers for payment and certain operations; disclose only what is necessary.
- Community-based organizations providing health-related services: treat them as business associates or obtain the patient’s authorization when required.
What information is most useful
- Problem list and working diagnoses, allergies, and current medication list (with last doses).
- Recent labs/imaging and key vitals; device or implant information.
- Care plan, pending tests, follow-up needs, and risk factors for readmission.
- Advance directives, code status, isolation/precautions, and safety alerts.
- Language, accessibility, and social needs relevant to the plan of care.
How to make the handoff work
- Send a timely, structured summary (e.g., C-CDA or FHIR-based discharge packet) through a secure channel.
- Use a warm handoff for complex cases: call the receiving team, confirm questions, and note accountability.
- Document the disclosure when policy requires and schedule follow-ups before transfer when possible.
HIPAA Compliance during Hospital Transfers
Immediate treatment disclosures
When transferring a patient to another hospital or post-acute facility, you may disclose PHI needed for treatment without obtaining patient authorization. The Minimum Necessary Standard does not limit treatment disclosures, but you should still focus on relevance to prevent information overload and reduce risk.
High-priority elements to include
- Chief complaint, diagnoses, procedures, and current clinical status.
- Medication reconciliation, allergies, and critical test results.
- Recent imaging, operative notes, consult notes, and device settings.
- Advance directives, code status, infection control precautions, and safety alerts.
- Contacts for the sending team and next steps (follow-up tests, time-sensitive therapies).
Special considerations
- Psychotherapy Notes are excluded unless specifically authorized.
- 42 CFR Part 2 records require patient consent or another applicable exception; segment these before sending.
- Honor patient requests to restrict disclosure to a health plan when the patient has paid in full out of pocket for the restricted item or service.
- For minors and guardianship, follow state law on consent and access in addition to HIPAA requirements.
Documentation and accountability
- Follow your policy for logging non-TPO disclosures and for attaching redisclosure notices when required.
- Verify recipient identity, use secure transmission, and retain proof of transfer when feasible.
- Review incidents promptly and update procedures after any gap is identified.
Conclusion
Effective care transitions balance access and protection: share promptly for treatment, apply the Minimum Necessary Standard to non-treatment purposes, give special handling to Psychotherapy Notes and 42 CFR Part 2 data, and secure every exchange. With disciplined governance and clear workflows, you can support Care Coordination while honoring the HIPAA Privacy Rule.
FAQs
What PHI can be shared during care transitions under HIPAA?
You may share any PHI reasonably needed to diagnose, treat, and coordinate care with other treating providers—such as problem lists, medications, allergies, relevant labs/imaging, care plans, and safety alerts—without patient authorization. Focus on what the receiving team needs, exclude unrelated history, and segment specially protected data where required.
When is patient authorization required for PHI disclosure?
Authorization is required for most uses and disclosures outside TPO, including marketing, most disclosures to employers, sale of PHI, and release of Psychotherapy Notes. Substance use disorder records governed by 42 CFR Part 2 typically require written consent unless an exception applies. Many routine care transitions do not require authorization because they are for treatment.
How does HIPAA protect mental health and substance use disorder records?
HIPAA allows sharing mental health PHI with treating providers and, when appropriate, with involved family or caregivers. Psychotherapy Notes—kept separate from the medical record—generally require patient authorization. Substance use disorder records from Part 2 programs are more tightly controlled, often requiring written consent and carrying restrictions on redisclosure.
What are the minimum necessary requirements for PHI disclosures?
For non-treatment purposes, disclose only the PHI needed to achieve the objective and limit workforce access accordingly. Establish role-based access, standard document sets, and query filters. The Minimum Necessary Standard does not apply to disclosures for treatment, to the individual, pursuant to an authorization, or when required by law or by HHS for compliance review.