HIPAA Considerations for Palliative Care Referrals: A Clinician’s Guide



Kevin Henry

HIPAA

June 20, 2026

7 minutes read

Palliative care referrals often happen quickly, across settings, and with many stakeholders. This guide shows you how to share Protected Health Information (PHI) for care coordination while meeting HIPAA requirements and honoring patient preferences.

HIPAA Privacy Rule Overview

What counts as PHI and why it matters in referrals

PHI is individually identifiable health information that a covered entity or its Business Associate creates, receives, maintains, or transmits, in any form (paper, electronic, or oral). When you refer a patient for palliative care, the Privacy Rule permits you to disclose PHI to another treating provider for treatment purposes without Patient Authorization.

Permitted disclosures for treatment and care coordination

  • You may share relevant clinical details for diagnosis, treatment, and Care Coordination with the receiving palliative team.
  • Disclosures to family or caregivers involved in the patient’s care are allowed when the patient agrees or does not object, or, if the patient is incapacitated or unavailable, when your professional judgment is that disclosure is in the patient’s best interest; limit details to what is relevant to that person’s involvement.
  • Psychotherapy Notes are treated separately: apart from narrow exceptions (such as the originator’s own use for treatment), disclosure requires the patient’s specific authorization, even to another treating provider.

Applying the Minimum Necessary Standard

The Minimum Necessary Standard does not apply to disclosures to, or requests by, a health care provider for treatment, but it still governs workforce uses and routine non-treatment disclosures, so limit those to what is reasonably necessary. Build role-based access in your Electronic Health Records (EHR) and standardize referral datasets to reduce over-sharing.

Special considerations in palliative contexts

  • End-of-life preferences, advance directives, and goals of care can be shared for treatment.
  • Substance use disorder records governed by 42 CFR Part 2 typically require the patient’s specific written consent before disclosure, and the recipient is restricted from redisclosing them.
  • Honor patient restrictions when they request limits on certain recipients or data elements and document those choices.

HIPAA Security Rule Compliance

Risk-based safeguards for ePHI

Complete a risk analysis that maps where ePHI flows during referrals (EHR, secure messaging, e-fax, cloud storage). Update it when workflows, vendors, or locations change.


Administrative, physical, and technical controls

  • Administrative: workforce training, sanctions for violations, vendor management, incident response, and contingency plans.
  • Physical: device and media controls, secure work areas, and procedures for lost or stolen devices.
  • Technical: unique user IDs, multi-factor authentication, automatic logoff, encryption in transit, and audit logs that capture access and transmission events.

Practical security tips for referrals

  • Prefer encrypted channels for transmitting referral packets; configure outbound email gateways to require TLS (not opportunistic TLS) for referral destinations, and fall back to a secure portal when the recipient cannot negotiate it.
  • Enable audit trails in your EHR and review them for anomalous access around high-risk referrals.
  • Use data segmentation or sensitivity flags (when available) to avoid unnecessary disclosure of restricted data.
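As an added example (not code from the original article or from any EHR vendor), the following Python script shows what a review of EHR audit trails around a high-risk referral can look like in practice. The JSON-lines audit events, the user names, the patient identifier `P-1001`, and the endpoint `palliative.example.org` are all constructed for the example; the field names and the four review rules are assumptions about how an audit log might be structured, not a real product’s schema.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of EHR audit events in JSON-lines form. These records are
# invented for this example and are not output of any real EHR.
SAMPLE_AUDIT_LOG = """\
{"ts": "2026-06-20T14:02:11Z", "user": "dr.patel", "role": "attending", "action": "view", "patient": "P-1001", "detail": "problem_list"}
{"ts": "2026-06-20T14:05:40Z", "user": "dr.patel", "role": "attending", "action": "transmit", "patient": "P-1001", "detail": "referral_packet", "endpoint": "palliative.example.org"}
{"ts": "2026-06-20T14:09:03Z", "user": "n.jones", "role": "rn", "action": "view", "patient": "P-1001", "detail": "medications"}
{"ts": "2026-06-20T15:30:00Z", "user": "billing.kim", "role": "billing", "action": "view", "patient": "P-1001", "detail": "psychotherapy_notes"}
{"ts": "2026-06-20T23:45:12Z", "user": "it.temp", "role": "contractor", "action": "export", "patient": "P-1001", "detail": "full_chart"}
{"ts": "2026-06-21T09:00:00Z", "user": "dr.patel", "role": "attending", "action": "transmit", "patient": "P-1001", "detail": "referral_packet", "endpoint": "fax:+15555550100"}
{"ts": "2026-06-19T10:00:00Z", "user": "float.rn", "role": "rn", "action": "view", "patient": "P-1001", "detail": "labs"}
{"ts": "2026-06-20T16:00:00Z", "user": "n.jones", "role": "rn", "action": "view", "patient": "P-2002", "detail": "labs"}
"""

# The referral under review (constructed): when it was sent, the endpoint that
# was verified with the receiving program, and the workforce members who had a
# treatment reason to touch this chart.
REFERRAL = {
    "patient": "P-1001",
    "sent_at": "2026-06-20T14:05:40Z",
    "care_team": {"dr.patel", "n.jones"},
    "confirmed_endpoint": "palliative.example.org",
}

# Elements that should never be touched as part of a routine referral workflow.
RESTRICTED_ELEMENTS = {"psychotherapy_notes", "part2_sud_records"}


def parse_ts(value):
    """Parse the 'Z'-suffixed UTC timestamps used in the sample log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_audit_log(text):
    """Turn JSON-lines audit text into a list of event dicts with datetime timestamps."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = parse_ts(event["ts"])
        events.append(event)
    return events


def review_referral_access(events, referral, window_hours=24):
    """Flag audit events around a referral that a privacy officer should review.

    Only events on the referral patient's chart within +/- window_hours of the
    send time are considered. Each event may trigger several reasons:
      unconfirmed_endpoint      transmission to an endpoint other than the verified one
      non_care_team_access      access by a user who is not on the care team
      restricted_element_access any access to elements excluded from referrals
      bulk_export               a whole-chart export during the window
    """
    sent = parse_ts(referral["sent_at"])
    window = timedelta(hours=window_hours)
    start, end = sent - window, sent + window
    findings = []
    for event in sorted(events, key=lambda e: e["ts"]):
        if event["patient"] != referral["patient"]:
            continue
        if not (start <= event["ts"] <= end):
            continue
        reasons = []
        if event["action"] == "transmit" and event.get("endpoint") != referral["confirmed_endpoint"]:
            reasons.append("unconfirmed_endpoint")
        if event["user"] not in referral["care_team"]:
            reasons.append("non_care_team_access")
        if event["detail"] in RESTRICTED_ELEMENTS:
            reasons.append("restricted_element_access")
        if event["action"] == "export":
            reasons.append("bulk_export")
        if reasons:
            findings.append({
                "ts": event["ts"].isoformat(),
                "user": event["user"],
                "role": event["role"],
                "action": event["action"],
                "detail": event["detail"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in review_referral_access(parse_audit_log(SAMPLE_AUDIT_LOG), REFERRAL):
        print(f["ts"], f["user"], f["action"], f["detail"], ", ".join(f["reasons"]))
```

Run as written, the review flags the billing user reading Psychotherapy Notes, the contractor’s whole-chart export, and the second transmission to a fax number that was never confirmed, while the care team’s own activity and the access two days earlier fall outside the rules or the window. Widening `window_hours` pulls the earlier access into scope, which is the knob to tune against your own false-positive rate.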

Secure Communication Methods

EHR-to-EHR exchange

Use certified EHR exchange tools for direct, encrypted transmission of referral summaries, medication lists, and goals-of-care notes. Confirm the recipient endpoint and include only what the receiving team needs.

Secure email and messaging

  • Use encrypted email or secure clinical messaging platforms with access controls, message expiration, and remote wipe.
  • Avoid standard SMS for PHI. If you must communicate with a patient via unencrypted email at their request, counsel them about risks and document their preference.

Fax and phone with safeguards

  • Fax is permitted but verify numbers, use a cover sheet, and minimize content; confirm receipt when appropriate.
  • Telephone handoffs should verify identity on both ends and be followed by a secure written summary.

Content discipline

  • Share a concise referral packet: problem list, recent notes, meds, allergies, goals of care, and key labs—omit extraneous history.
  • Include flags for special protections (e.g., Psychotherapy Notes excluded; Part 2 data shared only with consent).

Patient Authorization Requirements

When you do not need authorization

  • Disclosures to another provider for treatment and Care Coordination generally do not require authorization.
  • Healthcare operations, including internal Quality Improvement, may proceed without authorization, applying Minimum Necessary.

When you must obtain authorization

  • Psychotherapy Notes, most marketing uses, and many research disclosures.
  • Substance use disorder records protected by 42 CFR Part 2 (typically require the patient’s specific written consent naming the recipient).
  • State-law–restricted categories (e.g., certain mental health, HIV, genetic, reproductive health, and minors’ records) when state rules are stricter.
  • Disclosures to community partners for purposes outside treatment, payment, or healthcare operations (for example, sharing PHI with a non-clinical support organization that is not your Business Associate).

What a valid authorization includes

  • A specific description of the information, who may disclose it, who may receive it, the purpose, an expiration date or event, the patient’s signature and date, a statement of the right to revoke, and a statement that the recipient may redisclose the information and that it may then no longer be protected by the Privacy Rule.
  • No conditioning of treatment on signing unless the Privacy Rule permits it; give the patient a copy and store the signed form in the EHR.

Documentation Practices for Referrals

Referral record essentials

  • Referral purpose and clinical rationale; date/time sent; recipient identity and transmission method.
  • Data elements disclosed; legal basis (e.g., treatment) or Patient Authorization attached with expiration.
  • Any patient-imposed restrictions or sharing preferences and how you honored them.
  • Verification steps (e.g., endpoint confirmation) and receipt confirmation when feasible.

Accounting and retention

  • Maintain an accounting of disclosures, available on request for the six years before the request, covering disclosures not related to treatment, payment, or healthcare operations. Disclosures made under a valid authorization are excluded from the accounting, but the signed authorization itself must be retained.
  • Retain authorizations, BAAs, policies, and relevant logs for at least six years from creation or last effective date (the HIPAA documentation minimum), or longer where your policy or state retention rules require.

Quality checks

  • Use standardized referral templates to avoid over-disclosure.
  • Audit sample referrals for Minimum Necessary adherence and correct exclusion of Psychotherapy Notes.

Business Associate Agreements

When a BAA is required

  • Vendors that create, receive, maintain, or transmit PHI for you—e-fax, secure messaging, cloud EHR hosts, transcription, data analytics, and archiving.
  • Subcontractors of your Business Associates must also sign downstream agreements.

When a BAA is not required

  • Disclosures to another treating provider (e.g., the receiving palliative care program) for treatment.
  • Disclosures to individuals designated by the patient, consistent with the Privacy Rule.

What to include in a BAA

  • Permitted uses/disclosures, Minimum Necessary obligations, safeguards, breach reporting timelines, subcontractor flow-downs, access/accounting support, and termination with return or destruction of PHI.
  • Due diligence: verify security controls and monitor performance; keep a current BAA inventory.

State Law Restrictions

Preemption and stricter rules

HIPAA sets a federal floor: state laws that are more stringent in protecting privacy are not preempted and control. Build a simple matrix for your service areas that flags stricter consent rules and mandated forms affecting referrals.

Common state-law sensitive categories

  • Mental health and psychotherapy materials, HIV/STD results, genetic information, reproductive health, and minors’ records.
  • Many states require explicit written patient consent—even for treatment—before sharing some of these categories.

Operational tips

  • Tag sensitive data in your EHR when possible; segment or redact before transmission if consent is absent.
  • Standardize authorization forms that capture state-required elements; track expirations and revocations.
  • Coordinate with compliance counsel when referrals routinely cross state lines or involve mixed federal/state protections.
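The sensitivity flags and segmentation recommended above (in the practical security tips, the content-discipline checklist, and these operational tips) come together in the following added Python example, which is not code from the original article or from any EHR product. It builds a Minimum Necessary referral packet from a chart whose elements carry sensitivity categories, applies the Psychotherapy Notes, 42 CFR Part 2, state-law, and patient-restriction rules in a fixed order, and emits the disclosure record the documentation section asks for. The chart contents, the recipient `palliative.example.org`, and the consent data are constructed; the state code `XX` and its category set are a fictional placeholder, not any state’s actual rules, which must come from compliance counsel.

```python
# Constructed patient chart: each element carries a sensitivity category so the
# builder can apply Part 2, state-law, and patient-restriction rules.
CHART = [
    {"name": "problem_list", "category": "general", "value": "Metastatic pancreatic cancer; CKD stage 3"},
    {"name": "medications", "category": "general", "value": "Morphine ER 30 mg q12h; ondansetron PRN"},
    {"name": "allergies", "category": "general", "value": "Penicillin (rash)"},
    {"name": "goals_of_care", "category": "general", "value": "Comfort-focused; DNR/DNI on file"},
    {"name": "key_labs", "category": "general", "value": "Cr 2.1, Na 131, Hgb 9.4"},
    {"name": "childhood_surgical_history", "category": "general", "value": "Tonsillectomy age 7"},
    {"name": "psychotherapy_notes", "category": "psychotherapy_notes", "value": "<session notes>"},
    {"name": "sud_treatment_record", "category": "part2", "value": "Buprenorphine program, enrolled 2024"},
    {"name": "hiv_status", "category": "hiv", "value": "HIV positive, on ART, viral load undetectable"},
    {"name": "genetic_panel", "category": "genetic", "value": "BRCA2 pathogenic variant"},
]

# The standardized referral dataset for general clinical content (Minimum Necessary
# applied to the routine workflow, even though treatment disclosures are exempt).
STANDARD_REFERRAL_ELEMENTS = {
    "problem_list", "recent_notes", "medications", "allergies", "goals_of_care", "key_labs",
}

# Placeholder state matrix. "XX" is a fictional jurisdiction used only for this
# example; the real matrix comes from compliance counsel for each state you serve.
STATE_CONSENT_REQUIRED = {"XX": {"hiv", "genetic", "mental_health"}}

# Constructed referral request: consents on file and patient-imposed restrictions.
REQUEST = {
    "recipient": "palliative.example.org",
    "state": "XX",
    "part2_consent_recipients": {"palliative.example.org"},
    "state_consent_categories": {"hiv"},
    "patient_restrictions": {"palliative.example.org": {"hiv_status"}},
}


def classify_element(element, request, state_matrix):
    """Return ("include", legal_basis) or ("exclude", reason) for one chart element."""
    name, category = element["name"], element["category"]
    recipient = request["recipient"]
    # 1. Psychotherapy Notes need a separate authorization: never part of a referral packet.
    if category == "psychotherapy_notes":
        return "exclude", "authorization_required_psychotherapy_notes"
    # 2. Patient-imposed restrictions for this recipient win over any consent on file.
    if name in request["patient_restrictions"].get(recipient, set()):
        return "exclude", "patient_restriction"
    # 3. 42 CFR Part 2 records go only to recipients named in the patient's written consent.
    if category == "part2":
        if recipient in request["part2_consent_recipients"]:
            return "include", "part2_written_consent"
        return "exclude", "part2_consent_absent"
    # 4. State-law categories require the state-compliant consent to be on file.
    if category in state_matrix.get(request["state"], set()):
        if category in request["state_consent_categories"]:
            return "include", "state_consent"
        return "exclude", "state_consent_absent"
    # 5. General content: only the standardized referral dataset goes out for treatment.
    if name in STANDARD_REFERRAL_ELEMENTS:
        return "include", "treatment"
    return "exclude", "outside_standard_referral_dataset"


def build_referral_packet(chart, request, state_matrix):
    """Build the packet plus a disclosure record documenting every include/exclude decision."""
    packet = {}
    record = {"recipient": request["recipient"], "included": {}, "excluded": {}}
    for element in chart:
        decision, why = classify_element(element, request, state_matrix)
        if decision == "include":
            packet[element["name"]] = element["value"]
            record["included"][element["name"]] = why
        else:
            record["excluded"][element["name"]] = why
    return packet, record


if __name__ == "__main__":
    packet, record = build_referral_packet(CHART, REQUEST, STATE_CONSENT_REQUIRED)
    for name, basis in record["included"].items():
        print("SEND   ", name, "basis:", basis)
    for name, reason in record["excluded"].items():
        print("WITHHELD", name, "reason:", reason)
```

The order of the checks is the point: the Psychotherapy Notes exclusion is absolute, a patient restriction is honored before any consent is consulted, and the consent-based rules produce a named legal basis for every element that does go out, so the disclosure record can be attached to the referral entry without a second pass. Removing the recipient from `part2_consent_recipients` flips the Part 2 record to withheld with its own reason, which is the behaviour to verify when a consent is revoked.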

Conclusion

Effective palliative care referrals balance timely information sharing with patient privacy. Use treatment-based disclosures, apply the Minimum Necessary Standard to routine workflows, secure your transmission channels, obtain Patient Authorization when required, manage Business Associate Agreements, and account for stricter state rules. Consistent processes make compliance repeatable and care safer.

FAQs

When is patient authorization required for palliative care referrals?

You typically do not need authorization to share PHI with a receiving palliative care provider for treatment and Care Coordination. You do need authorization for Psychotherapy Notes, many marketing or research uses, disclosures for non-treatment purposes to community organizations that are not your Business Associates, and for records with heightened protections such as those governed by 42 CFR Part 2 or stricter state laws.

How should PHI be securely transmitted in palliative care referrals?

Prefer EHR-to-EHR exchange or encrypted messaging. If using email, require TLS or a secure portal; avoid standard SMS. For fax, verify the number, use a cover sheet, and limit content. Confirm the recipient’s identity, document transmission details, and retain audit logs.

What documentation is necessary for HIPAA compliance in referrals?

Record the referral purpose, data sent, legal basis (treatment vs. authorization), date/time, recipient, and transmission method. Store any signed Patient Authorization, note patient restrictions, and maintain logs for non-TPO disclosures. Retain BAAs and review audit trails for access to referral materials.

Are there state-specific laws affecting palliative care information sharing?

Yes. States may impose stricter consent rules for categories like mental health, HIV/STD, genetic, reproductive health, and minors’ records. When state law is more protective than HIPAA, follow the stricter rule, and use state-compliant authorization language before sharing those records.
