HIPAA Considerations for Infectious Disease Referrals: What You Can Share and When
HIPAA Basics for Referrals
When you refer a patient to an infectious disease specialist, HIPAA permits sharing Protected Health Information (PHI) for treatment without Patient Authorization. This “treatment, payment, and health care operations” pathway—often called TPO—lets you send clinically relevant data so the receiving clinician can diagnose and manage the condition.
Health Information Privacy still governs how you use and disclose PHI. You should verify the recipient’s identity, confirm the referral purpose, and ensure appropriate role-based access on your systems. Security obligations apply to electronic PHI, including Transmission Security during handoffs between organizations and vendors involved in the exchange.
Remember that patient consent forms your organization uses may be policy-based and separate from HIPAA’s legal requirement. Under HIPAA, referrals for treatment do not require written authorization, but your local laws and organizational rules may add steps you need to follow.
Infectious Disease Sharing Protocols
Share the information the consulting specialist needs to assess infectious risks, confirm diagnosis, and begin therapy. In practice, that includes the diagnosis or working differential, symptom onset and severity, vital trends, pertinent labs (cultures, PCR results, serologies, sensitivities), imaging linked to the infection, medications and allergies, immunization status, recent procedures, travel and exposure history, and isolation or contact-precaution status.
Exclude unrelated details that do not inform the infectious disease referral, such as non-pertinent historical problems or social information not tied to transmission or treatment decisions. While the Minimum Necessary Standard does not limit disclosures for treatment, using clinical judgment to avoid extraneous data reduces risk and respects patient expectations.
Apply Transmission Security every time you send electronic PHI. Use encrypted EHR-to-EHR referrals, Direct secure messaging, or encrypted email supported by your organization; confirm recipient addresses, add a need-to-know note in the message, and document what you sent and why.
Disclosures Without Consent
You may disclose PHI without patient authorization in several circumstances relevant to infectious disease:
- Treatment: Sharing among treating providers for consultation, referral, or care coordination.
- Required by law: Disclosures mandated by statutes or regulations, including specified reportable conditions.
- Public health activities: Disclosures to a Public Health Authority authorized to collect information for preventing or controlling disease, such as case reporting, contact tracing support, and immunization updates.
- Serious and imminent threat (Emergency Exception): Disclosures made in good faith to persons able to prevent or lessen a serious and imminent threat to health or safety.
- Individuals involved in care: If the patient agrees or, when incapacitated, if you determine disclosure is in the patient’s best interests and limited to relevant information.
- Business associates: Disclosures to vendors performing services on your behalf under a Business Associate Agreement that safeguards PHI.
For partner or contact notification, coordinate with your Public Health Authority when state or local law requires public health to lead outreach. Do not disclose a patient’s identity directly to third parties unless the law authorizes it or the patient has provided authorization.
Minimum Necessary Rule Application
The Minimum Necessary Standard requires you to limit PHI to the least amount needed to accomplish the purpose—except for treatment. For infectious disease referrals, you may send what the consulting provider needs to treat the patient. Even so, apply judgment and avoid unrelated material, particularly highly sensitive notes that are not relevant to the infection.
For non-treatment disclosures—such as quality improvement, billing, or most public health submissions—the Minimum Necessary Standard applies. Share only the data elements the purpose requires, follow any data field specifications published by the recipient, and use role-based access controls and standard templates to keep transmissions targeted.
Examples: Send full microbiology reports and antimicrobial history for treatment; send only the required case fields (e.g., diagnosis code, specimen date, demographics) to public health; and for internal analytics, use a limited dataset or de-identified information when possible.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Public Health Reporting Requirements
Many infectious diseases are legally reportable. HIPAA permits disclosure of PHI to a Public Health Authority that is authorized by law to receive such reports. Your jurisdiction defines which conditions are reportable, who must report (provider, laboratory, or both), and the timeframe (for example, immediate, 24 hours, or within a defined period).
Report only what the rule or request requires. Typical elements include patient identifiers, diagnosis or lab confirmation, dates of onset and specimen collection, relevant exposures, treating provider details, and treatment status. Where electronic lab reporting is in place, your duty to report as a provider may still remain; verify local requirements and avoid duplicating unneeded data.
Document the legal basis (required by law or authorized public health activity), the recipient, the date, and the specific data disclosed. Apply the Minimum Necessary Standard to public health submissions unless the law requires specific fields in full.
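As an added illustration (not Accountable's product code and not a HIPAA-mandated schema), the following Python module enforces the per-purpose field sets described above with allow-list templates, refuses unverified recipients, and writes the audit record the preceding paragraph calls for: legal basis, recipient, date, and the field names disclosed. The purpose names, field names, recipient directory, and sample chart are constructed assumptions; replace them with your jurisdiction's reporting rules and the recipient's published field specifications.

```python
"""Purpose-scoped PHI disclosure builder with an audit record.

Added example; the purposes, field names, recipient directory and the
sample record are constructed assumptions, not a regulatory schema.
"""
from datetime import datetime, timezone

# Fields each purpose may receive. Treatment is broad because the Minimum
# Necessary Standard does not restrict treatment disclosures, yet the
# template still omits material that never informs infectious disease care.
FIELD_TEMPLATES = {
    "treatment": {
        "patient_id", "name", "dob", "demographics", "diagnosis",
        "symptom_onset", "vitals", "microbiology", "imaging", "medications",
        "allergies", "immunizations", "travel_exposure", "isolation_status",
    },
    # Only the case fields a public health submission asks for.
    "public_health": {
        "patient_id", "name", "dob", "demographics", "diagnosis_code",
        "specimen_date", "lab_confirmation",
    },
    # Internal analytics: limited data set with no direct identifiers.
    "internal_analytics": {"diagnosis_code", "specimen_date", "demographics"},
}

# Lawful basis recorded with each disclosure (wording follows the article).
LEGAL_BASIS = {
    "treatment": "treatment",
    "public_health": "authorized public health activity / required by law",
    "internal_analytics": "health care operations",
}

# Constructed directory of verified recipients (e.g. Direct addresses).
VERIFIED_RECIPIENTS = {
    "id-clinic@direct.example.org": "Infectious Disease Clinic",
    "case-reports@health.example.gov": "State Public Health Authority",
    "analytics-internal": "Internal quality team",
}


def prepare_disclosure(record: dict, purpose: str, recipient: str) -> tuple[dict, dict]:
    """Return (payload, audit_entry) for one disclosure.

    The payload holds only fields in the purpose's template; everything else
    in the record is withheld. The audit entry records legal basis,
    recipient, timestamp and the names (never the values) of fields sent.
    """
    if purpose not in FIELD_TEMPLATES:
        raise ValueError(f"unknown disclosure purpose: {purpose}")
    if recipient not in VERIFIED_RECIPIENTS:
        # Refuse rather than guess: a misdirected transmission is a breach risk.
        raise PermissionError(f"recipient not verified: {recipient}")

    allowed = FIELD_TEMPLATES[purpose]
    payload = {k: v for k, v in record.items() if k in allowed}
    withheld = sorted(k for k in record if k not in allowed)

    audit_entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "purpose": purpose,
        "legal_basis": LEGAL_BASIS[purpose],
        "recipient": recipient,
        "recipient_name": VERIFIED_RECIPIENTS[recipient],
        "patient_id": record.get("patient_id"),
        "fields_disclosed": sorted(payload),
        "fields_withheld": withheld,
    }
    return payload, audit_entry


# Constructed sample chart; all values are fictitious.
SAMPLE_RECORD = {
    "patient_id": "MRN-000123",
    "name": "Example Patient",
    "dob": "1980-01-01",
    "demographics": {"sex": "F", "zip3": "021"},
    "diagnosis": "Pulmonary tuberculosis, suspected",
    "diagnosis_code": "A15.0",
    "symptom_onset": "2024-03-02",
    "specimen_date": "2024-03-10",
    "lab_confirmation": "AFB smear positive",
    "microbiology": "AFB smear positive; culture pending",
    "medications": ["four-drug regimen started 2024-03-11"],
    "allergies": ["penicillin"],
    "isolation_status": "airborne precautions",
    "psychotherapy_notes": "...",        # never relevant to the referral
    "unrelated_social_history": "...",   # not tied to transmission or treatment
}

if __name__ == "__main__":
    for purpose, recipient in [
        ("treatment", "id-clinic@direct.example.org"),
        ("public_health", "case-reports@health.example.gov"),
        ("internal_analytics", "analytics-internal"),
    ]:
        payload, audit = prepare_disclosure(SAMPLE_RECORD, purpose, recipient)
        print(purpose, "->", sorted(payload))
        print("  basis:", audit["legal_basis"], "| withheld:", audit["fields_withheld"])
```

Run it to see that the treatment payload keeps microbiology and medications but drops the psychotherapy notes and unrelated social history, the public health payload shrinks to the case fields, and the analytics payload carries no direct identifiers. Keeping the withheld field names (not their values) in the audit entry makes a later review of "what was sent and why" possible without copying PHI into the log.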
Emergency Situations and Information Sharing
During urgent scenarios—such as a suspected highly transmissible disease with immediate public risk—you may disclose PHI under the Emergency Exception when, in good faith, the disclosure is necessary to prevent or lessen a serious and imminent threat. Share only with persons or entities positioned to reduce the risk, such as receiving clinicians, first responders, or designated public health officials.
If the patient is incapacitated, you may share relevant information with family or others involved in care when, using professional judgment, doing so is in the patient’s best interests. Continue to apply secure workflows and promptly document your rationale, the minimum details shared, and the parties who received them.
Referral Communication Best Practices
Start by confirming the lawful basis for disclosure—treatment, required-by-law reporting, or a public health activity—and note it in the referral record. Assemble only clinically pertinent artifacts: problem summary, timeline of illness, microbiology and imaging, current therapy, allergies, vaccination status, and isolation guidance.
Use secure channels that satisfy Transmission Security. Prefer EHR referral tools, health information exchange pathways, or Direct secure messaging. If you must fax, confirm numbers, use a cover sheet with limited detail, and promptly retrieve misdirected pages. Avoid standard email or texting unless your organization provides encrypted, compliant platforms.
Before sending, verify recipient identity, limit attachments to what the specialist needs, and label messages with the referral purpose. After sending, document the disclosure, retain confirmation receipts when available, and monitor for failed transmissions. Train staff on role-based access, templates, and downtime contingencies.
In summary, you can share what is necessary for treatment without Patient Authorization, report to a Public Health Authority as required or authorized by law, apply the Minimum Necessary Standard outside of treatment, and maintain Health Information Privacy through strong Transmission Security and disciplined documentation.
FAQs
When is it permissible to share infectious disease information without patient consent?
You may disclose PHI without patient consent for treatment (including referrals and consultations), when a law requires reporting, to a Public Health Authority for authorized disease-control activities, to business associates performing services under a proper agreement, and under the Emergency Exception to prevent or lessen a serious and imminent threat. Share only with appropriate recipients and document your rationale.
How does the minimum necessary rule apply to referrals?
The Minimum Necessary Standard does not apply to disclosures for treatment, so you may send what the receiving clinician needs to diagnose and manage the infection. For other purposes—payment, operations, and most public health submissions—limit disclosures to the smallest set of data elements that accomplishes the task, and use role-based access and standardized templates to enforce that limit.
What are the reporting requirements to public health agencies?
Reporting is driven by jurisdictional rules specifying which conditions are reportable, who must report, what fields are required, and the deadline. HIPAA allows you to disclose PHI to a Public Health Authority that is legally authorized to collect it. Submit only the requested or required data elements, meet the timeframe, and keep an audit trail of what you sent and why.
How should providers securely communicate during infectious disease referrals?
Use encrypted, authenticated channels that meet Transmission Security expectations, such as EHR referral modules, health information exchanges, or Direct secure messaging. Confirm recipient identity, verify addresses, include only clinically relevant attachments, and document the disclosure. If alternatives like fax are necessary, apply safeguards—cover sheets, number verification, and prompt retrieval—to reduce risk.