HIPAA Considerations for Addiction Medicine Referrals: What Providers Need to Know
When you coordinate addiction medicine referrals, you balance timely care with strict privacy duties. This guide clarifies HIPAA considerations for addiction medicine referrals and shows how to move information efficiently while safeguarding Protected Health Information (PHI).
You will learn where HIPAA’s treatment, payment, and operations rules help, how 42 CFR Part 2 heightens Substance Use Disorder (SUD) confidentiality, when Patient Authorization is required, and what secure workflows keep you compliant.
HIPAA Privacy Rule Treatment Exceptions
HIPAA permits you to use and disclose PHI without patient authorization for treatment, payment, and health care operations (TPO). For a referral, you may share clinically relevant PHI with another provider to coordinate and manage care.
Key points for referrals:
- Treatment: You may disclose needed PHI to the receiving clinician or program to evaluate, accept, or treat the patient.
- Payment and operations: You may share the Minimum Necessary information to obtain prior authorization, verify eligibility, or manage quality and utilization review.
- Psychotherapy notes and specially protected categories require extra caution and typically separate authorization.
Important overlay: If the information is a SUD record protected by 42 CFR Part 2, HIPAA’s TPO allowances alone are not enough. Part 2 rules control unless an exception applies or you have proper consent.
42 CFR Part 2 Confidentiality Requirements
Part 2 establishes stricter confidentiality for SUD records from federally assisted SUD programs and certain lawful holders. Its purpose is to prevent stigma and deter legal or insurance consequences from treatment-seeking behavior.
Core requirements you must respect during referrals:
- Consent first: Most disclosures of identifiable SUD treatment information require the patient’s written consent—even for treatment with outside providers.
- Redisclosure Prohibitions: Include a prohibition-on-redisclosure notice with every disclosure. Recipients may not further disclose unless Part 2 allows it or the patient consents.
- Narrow exceptions: Emergencies posing an immediate threat, qualified audits or evaluations, certain research with oversight, and court orders meeting specific safeguards.
- Segmentation: Label or segment SUD data so staff can apply Part 2 controls without blocking non-SUD care information.
Think “Part 2 first” whenever your referral involves SUD diagnosis, treatment, or referral records originating from a Part 2 program.
Patient Consent for SUD Referrals
For SUD information, obtain a Part 2–compliant consent in addition to any HIPAA Patient Authorization needs. Use clear language so patients understand what will be shared and why.
Essential elements to include
- Patient name and identifiers.
- Specific description of the information to be disclosed (e.g., assessment, medication list, discharge summary).
- Name(s) or a reasonably specific description of the recipient(s) (e.g., the addiction specialist, referral network, or care coordination team).
- Purpose of disclosure (treatment, placement, coordination, or payment).
- Expiration date, event, or condition.
- Notice of the right to revoke and how to do so.
- Signature and date (plus legal representative requirements where applicable).
Explain how consent affects care coordination and redisclosure limits. Revisit consent when the scope of the referral expands, or when the patient changes providers or services.
Secure Communication Methods for PHI
Choose channels designed for Encrypted Electronic Transmission and verify the recipient before sending. Match each method to the sensitivity and volume of PHI.
- EHR-to-EHR exchange or Direct secure messaging for structured, encrypted provider-to-provider transfers.
- Secure portals or SFTP for large packets (e.g., records sets, imaging, or lab histories).
- Encrypted email with enforced TLS or message-level encryption; avoid personal email accounts.
- Modern eFax solutions that encrypt in transit and at rest and restrict access on shared devices.
- Verified phone handoffs for time-sensitive summaries—authenticate identity, limit details, and follow with a secure written transfer.
Execute Business Associate Agreements (BAAs) with any vendor that creates, receives, maintains, or transmits PHI on your behalf. Confirm that vendors handling SUD records can honor Part 2 restrictions and preserve redisclosure controls throughout their workflows.
Minimum Necessary Standard in Referrals
The Minimum Necessary Requirement applies to HIPAA uses and disclosures for payment and operations, and to most routine, non-treatment requests. It does not apply to disclosures for treatment; however, sending only what the receiving provider truly needs is still a sound risk-reduction practice.
Applying “minimum necessary” effectively
- Send targeted clinical details: referral reason, relevant diagnoses, current medications (e.g., MOUD), allergies, recent labs, and safety concerns.
- Avoid full-chart transfers unless clinically justified and documented, especially for SUD notes protected by Part 2.
- Use standardized referral forms with required fields and optional attachments to control scope.
- De-identify data when identity is not needed (e.g., analytics, panel management) to reduce re-identification risk.
Documentation and Record-Keeping Practices
Strong documentation proves compliance and speeds audits while preserving patient trust. Build auditable trails for each referral.
- Maintain copies of all consent/authorization forms, revocations, and expiration tracking.
- Log each disclosure: date/time, sender, recipient, legal basis (consent or exception), purpose, and the exact data elements shared.
- Attach the redisclosure notice to every Part 2 disclosure and store the version used.
- Segregate SUD records within the EHR and enable auditing, access controls, and “break-the-glass” alerts for sensitive content.
- Retain HIPAA-related policies, logs, and BAAs for required periods; align with state medical record retention rules.
- Document referral outcomes and any corrections or addenda to ensure downstream accuracy.
Compliance with Part 2 Final Rule
Align your HIPAA program with the modernized Part 2 framework to reduce friction in addiction medicine referrals while maintaining SUD protections.
- Reassess whether you are a Part 2 program or a lawful holder and map all SUD data flows.
- Update consent templates to clearly describe permitted disclosures, scope, expiration, and revocation.
- Standardize prohibition-on-redisclosure language and ensure it follows the record wherever it goes.
- Harmonize HIPAA and Part 2 policies on access controls, breach response, and patient notice to avoid conflicting procedures.
- Revise BAAs and vendor onboarding to confirm technical safeguards, workforce training, and the ability to honor Part 2 restrictions.
- Implement EHR features for consent management, record segmentation, redisclosure warnings, and disclosure accounting.
- Train staff routinely, audit referral samples, and apply sanctions for noncompliance to reinforce culture and accountability.
- Monitor state law overlays that may be more protective than federal standards and update workflows accordingly.
Conclusion
To refer patients confidently, pair HIPAA’s flexible TPO framework with Part 2’s heightened SUD confidentiality. Obtain clear consent, transmit PHI securely, apply the Minimum Necessary Requirement thoughtfully, and document each step. These practices protect patients and keep your organization compliant while ensuring timely access to addiction medicine care.
FAQs
What information can be shared without patient consent under HIPAA?
Under HIPAA, you may disclose PHI without authorization for treatment, payment, and health care operations. Share only the Minimum Necessary for payment and operations. If the information is Part 2–protected SUD data, obtain consent or meet a Part 2 exception before disclosing.
How does 42 CFR Part 2 affect addiction medicine referrals?
Part 2 imposes stricter SUD confidentiality than HIPAA. Most identifiable SUD disclosures—including for treatment with outside providers—require written consent, and recipients must receive a prohibition-on-redisclosure notice. Limited exceptions apply for emergencies, qualifying audits/evaluations, certain research, or specific court orders.
What are the secure methods to transmit PHI during referrals?
Use Encrypted Electronic Transmission such as EHR-to-EHR exchange, Direct secure messaging, secure portals, SFTP, encrypted email, and modern encrypted eFax. Verify recipient identity, limit data to what is needed, and ensure BAAs are in place for vendors handling PHI and SUD records.
When is patient consent required for sharing SUD records?
In most cases, before you disclose identifiable SUD information outside the Part 2 program. Consent is not typically required for true medical emergencies, qualifying audits/evaluations, certain research under oversight, or a court order that meets Part 2 safeguards. When in doubt, obtain consent and include the redisclosure prohibition notice.