HIPAA Cheat Sheet for Referral Coordinators: Do's, Don'ts, and PHI Sharing Rules

Kevin Henry

HIPAA

April 05, 2026

HIPAA Overview for Referral Coordinators

This HIPAA cheat sheet is designed for referral coordinators who handle Protected Health Information (PHI) daily. Your role touches every part of the referral lifecycle—collecting data, sharing it with receiving providers, and working with health plans—so knowing what you can use or disclose, and how to protect it, is essential.

The HIPAA Privacy Rule governs who may use or disclose PHI and for what purposes. The Security Rule requires safeguards for electronic PHI (ePHI). The Breach Notification Rule outlines what to do if PHI is compromised. HIPAA’s Administrative Simplification standards also cover Referral Certification Transactions (the X12 278), which you may use for prior authorization and certification activities.

HIPAA allows certain incidental disclosures that occur as a by-product of an otherwise permitted use or disclosure, provided you apply reasonable safeguards and follow the Minimum Necessary Rule where it applies. Throughout, aim to share only the information needed to accomplish the task.

Roles and Responsibilities

Core responsibilities

  • Verify patient identity, coverage, and benefits; capture accurate demographics and relevant clinical data.
  • Coordinate with referring and receiving providers, and health plans, using secure channels to transmit PHI.
  • Obtain and document patient preferences and any required authorizations when uses fall outside Treatment, Payment, and Healthcare Operations (TPO).
  • Prepare and submit prior authorizations or referral certifications, including the X12 278 transaction when supported.
  • Keep logs or records of disclosures as required, and support HIPAA compliance audits.

Do’s

  • Confirm the recipient’s identity and role (e.g., NPI, organization) before sending PHI.
  • Use secure, approved systems (EHR-to-EHR exchange, encrypted email, secure portals) to transmit ePHI.
  • Limit what you disclose to the minimum necessary when the rule applies, especially for payment and operations.
  • Document authorizations, restrictions, and patient communication preferences in the record.
  • Escalate uncertain disclosures to compliance or privacy officers before releasing PHI.

Don’ts

  • Don’t send entire charts when a concise referral summary suffices.
  • Don’t use personal email, unapproved texting apps, or unsecured cloud storage for PHI.
  • Don’t disclose PHI to non-covered third parties unless the authorization requirements are met.
  • Don’t ignore misdirected faxes or emails—report, mitigate, and document.

Permitted Uses and Disclosures of PHI

Treatment

You may disclose PHI without authorization to coordinate care—e.g., sending the referral, clinical notes, problem list, relevant labs, and imaging to the receiving specialist. Disclosures for treatment are not subject to the Minimum Necessary Rule, though right-sizing the data set remains a good practice.

Payment

You may disclose PHI for payment activities such as eligibility checks, prior authorization, and utilization review. Referral Certification Transactions (X12 278) support these workflows. For payment and operations, apply the Minimum Necessary Rule to limit what you send.

Healthcare Operations

Limited disclosures are allowed for operations such as quality improvement, care coordination programs, and audits. Disclose only what’s necessary and ensure any business associates have executed a Business Associate Agreement.

Authorization Requirements

Obtain a valid patient authorization when the disclosure is not for TPO or otherwise permitted by law. Common cases include marketing communications, many requests from attorneys or employers, and certain sensitive records. Psychotherapy notes and some substance use disorder information often require specific consent; always follow your organization’s policy and applicable federal or state rules.

Incidental Disclosures

Incidental disclosures (e.g., a name seen on a sign-in sheet) may occur despite safeguards. They are permitted only when they cannot reasonably be avoided, the underlying use or disclosure is itself permitted, and reasonable safeguards and the minimum necessary standard have been applied to it.

Minimum Necessary Standard

The Minimum Necessary Standard (also called the Minimum Necessary Rule) requires you to limit PHI to the least amount needed to accomplish the purpose. It applies to most uses and disclosures for payment and operations, and to requests you make of others.

  • Not subject to minimum necessary: disclosures for treatment, disclosures to the individual, uses/disclosures pursuant to a valid authorization, and disclosures required by law.

Practical steps

  • Use role-based access so staff see only what they need.
  • Standardize referral packets to the essentials; avoid auto-attaching large chart downloads.
  • When possible, send a limited data set or de-identified data for non-clinical purposes.
  • Apply “reasonable reliance” on requests from known covered entities but still validate scope.

Referral-ready data set

  • Patient identifiers and demographics needed for scheduling and matching.
  • Reason for referral, relevant history, problem list, allergies, meds, and pertinent labs/imaging.
  • Prior authorization or certification details (diagnosis/procedure codes, plan requirements) for payment workflows.
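The practical steps and referral-ready data set above amount to a purpose-based filter over the chart: treatment gets the clinical set, payment and operations get a narrower allowlist, anything else needs a valid authorization, and every release is recorded so an accounting-of-disclosures request can be answered. The following is an added example of that filter, not code from the original article. The field names, purpose labels, allowlists, the authorization format (a dict with an id, a scope of field names and an ISO expiry date) and the sample record are all constructed for illustration and would be mapped to your own EHR schema and policy.

```python
"""Purpose-based minimum-necessary filter for referral packets, with a disclosure log.

Added example, not code from the original article. Field names, purpose labels,
the sample record and the authorization format are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, datetime, timezone

# Fields permitted per purpose (constructed allowlists). Treatment is exempt from
# the minimum-necessary standard, so its list is the full clinical set; payment
# and operations carry only what those workflows need.
ALLOWED_FIELDS = {
    "treatment": {
        "patient_id", "name", "dob", "member_id", "reason_for_referral",
        "problem_list", "allergies", "medications", "labs", "imaging", "clinical_notes",
    },
    "payment": {
        "patient_id", "name", "dob", "member_id", "reason_for_referral",
        "diagnosis_codes", "procedure_codes",
    },
    "operations": {"patient_id", "reason_for_referral", "diagnosis_codes"},
}

# Record types that need a specific authorization naming them, whatever the purpose
# (constructed stand-ins for psychotherapy notes and substance use disorder records).
SENSITIVE_FIELDS = {"psychotherapy_notes", "sud_treatment_records"}


class PolicyError(ValueError):
    """Raised when a disclosure is not permitted under the modelled policy."""


@dataclass
class DisclosureLog:
    entries: list = field(default_factory=list)


def _authorization_scope(authorization):
    """Return the field names a still-valid authorization covers, or an empty set."""
    if not authorization or date.fromisoformat(authorization["expires"]) < date.today():
        return set()
    return set(authorization["scope"])


def build_referral_packet(record, purpose, recipient, log, authorization=None):
    """Return only the fields of `record` that may go to `recipient` for `purpose`.

    TPO purposes use the allowlists above; any other purpose requires a valid
    authorization and is limited to the fields it names. Sensitive fields are
    released only when an authorization names them. Every call appends a log
    entry listing field names (never values); TPO disclosures are flagged as
    not requiring accounting, everything else as requiring it.
    """
    is_tpo = purpose in ALLOWED_FIELDS
    auth_scope = _authorization_scope(authorization)
    if is_tpo:
        allowed = set(ALLOWED_FIELDS[purpose])
    elif auth_scope:
        allowed = auth_scope
    else:
        raise PolicyError(f"purpose {purpose!r} is not TPO and no valid authorization was supplied")

    packet = {
        name: value
        for name, value in record.items()
        if name in allowed and (name not in SENSITIVE_FIELDS or name in auth_scope)
    }
    log.entries.append({
        "at": datetime.now(timezone.utc).isoformat(),
        "patient_id": record.get("patient_id"),
        "recipient": recipient,
        "purpose": purpose,
        "fields": sorted(packet),
        "authorization_id": authorization["id"] if authorization else None,
        "requires_accounting": not is_tpo,
    })
    return packet


# Constructed sample chart; not real patient data. Codes are sample values only.
SAMPLE_RECORD = {
    "patient_id": "PT-0001",
    "name": "Example Patient",
    "dob": "1980-01-01",
    "member_id": "PLAN-12345",
    "reason_for_referral": "Evaluation of chronic right knee pain",
    "problem_list": ["Osteoarthritis, right knee"],
    "allergies": ["penicillin"],
    "medications": ["ibuprofen 400 mg PRN"],
    "labs": {"CRP": "2.1 mg/L"},
    "imaging": "Knee X-ray: moderate joint space narrowing",
    "clinical_notes": "Pain worse on stairs; failed 8 weeks of physical therapy",
    "diagnosis_codes": ["M17.11"],
    "procedure_codes": ["27447"],
    "psychotherapy_notes": "never leaves the record without a specific authorization",
    "ssn": "000-00-0000",  # in the chart, but on no allowlist, so never sent
}


if __name__ == "__main__":
    log = DisclosureLog()
    plan = build_referral_packet(SAMPLE_RECORD, "payment", "Example Health Plan", log)
    spec = build_referral_packet(SAMPLE_RECORD, "treatment", "Example Orthopedics", log)
    print("payment packet fields:", sorted(plan))
    print("treatment packet fields:", sorted(spec))
    print("log entries:", len(log.entries))
```

Two design points carry over to a real implementation: the log stores field names rather than values, so the log itself does not become a second copy of PHI, and a non-TPO request with a missing or expired authorization fails closed before anything is assembled rather than after.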

Safeguards for Electronic PHI

Administrative safeguards

  • Policies and procedures for access, authorization, and termination; workforce training and sanctions.
  • Vendor risk management and Business Associate Agreements for all third parties handling ePHI.
  • Contingency planning (backups, disaster recovery, downtime procedures).

Technical safeguards

  • Unique user IDs, strong authentication, and role-based access; enable MFA where available.
  • Encryption in transit and at rest; use secure messaging, encrypted email, or EHR exchange.
  • Audit logs and monitoring; automatic logoff and session timeouts.
  • Integrity controls to prevent unauthorized alteration of ePHI.

Physical safeguards

  • Secure workstations and mobile devices; screen privacy filters in shared spaces.
  • Device and media controls for laptops, USB drives, and copiers; secure disposal of media.

Channel guidance

  • Prefer EHR-to-EHR exchange, Direct secure messaging, secure portals, SFTP, and the X12 278 for Referral Certification Transactions.
  • If using email, enable encryption and verify recipient addresses; avoid public Wi‑Fi without a VPN.
  • Avoid standard SMS or consumer chat apps for PHI unless your organization has an approved, compliant solution.

Patient Rights under HIPAA

Patients have key rights you help facilitate:

  • Access: provide copies of records in the requested format when readily producible, generally within 30 days.
  • Amendment: route requests to update inaccurate or incomplete information.
  • Accounting of disclosures: help your privacy team track non-routine disclosures.
  • Restrictions: honor approved requests, including a patient’s request to restrict disclosures to a health plan for services they paid for out-of-pocket.
  • Confidential communications: use alternate addresses, emails, or phone numbers when requested and reasonable.
  • Notice of Privacy Practices: ensure availability and that patient preferences are recorded.

Common HIPAA Violations and Prevention

Frequent pitfalls

  • Misdirected faxes or emails; wrong patient attachments; over-sharing beyond the Minimum Necessary Rule.
  • Sending PHI via unapproved apps or personal devices; storing PHI on unsecured media.
  • Disclosing PHI to third parties without a valid authorization or a BAA in place.
  • Public or hallway conversations about patients; visible screens or documents.
  • Delays in patient access or ignoring documented restrictions and preferences.

Prevention checklist

  • Use standardized referral templates and recipient verification steps.
  • Adopt safeguards for electronic PHI: encryption, MFA, audit logging, and secure transmission methods.
  • Train routinely; test procedures with spot checks and mock HIPAA compliance audits.
  • Document authorizations, restrictions, and disclosures consistently.
  • Report incidents immediately; follow your breach response plan.

Conclusion

As a referral coordinator, you can confidently share PHI for treatment and payment while applying the Minimum Necessary Rule where required, using secure channels, and honoring patient rights. Consistent safeguards, precise documentation, and readiness for audits will keep your workflows efficient and compliant.

FAQs

What information can referral coordinators share without patient authorization?

You may share PHI without authorization for Treatment, Payment, and Healthcare Operations. Examples include sending the referral packet and pertinent clinical data to the receiving provider, submitting eligibility and prior authorization information to a health plan (including via Referral Certification Transactions), and limited operational uses. Apply the Minimum Necessary Rule to payment and operations, and always use secure transmission methods.

How does the minimum necessary standard apply to referrals?

The Minimum Necessary Standard does not apply to disclosures for treatment, so you may send the information needed for the specialist to treat the patient. It does apply to payment and operations: limit disclosures to the essentials (identifiers, reason for referral, relevant notes, and required codes). Use role-based access, standardized referral summaries, and avoid auto‑attaching full charts when a concise packet suffices.

What safeguards must be implemented to protect electronic PHI?

Implement administrative safeguards (policies, training, BAAs, contingency plans), technical safeguards (unique IDs, MFA, encryption at rest and in transit, audit logs, auto‑logoff, integrity controls), and physical safeguards (secured workstations and devices, media controls). Prefer secure channels like EHR exchange, Direct secure messaging, encrypted email, secure portals, SFTP, and the X12 278 for prior authorization workflows.
