HIPAA Considerations for Transplant Surgery Referrals: What Providers Need to Know
Transplant referrals move quickly and involve many teams, systems, and data handoffs. This guide explains what you need to know under the HIPAA Privacy Rule when you share Protected Health Information to coordinate transplant evaluations, listings, and surgeries.
By aligning your Electronic Health Record workflows, Secure Messaging practices, and Referral Documentation with HIPAA requirements, you can enable safe, timely information exchange without unnecessary delays for patients.
HIPAA Privacy Rule Overview
HIPAA protects the privacy of Protected Health Information (PHI) and permits its use and disclosure for treatment, payment, and health care operations. A transplant referral is a treatment activity, so you may disclose PHI to the receiving transplant center, labs, and related providers involved in coordinating care.
PHI is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits, in any form (electronic, paper, or oral). You may also share PHI with an Organ Procurement Organization to facilitate organ, eye, or tissue donation and transplantation when relevant to the referral process.
HIPAA allows incidental disclosures that occur as a byproduct of an otherwise permitted use, provided you implement reasonable safeguards. When feasible, de-identify data or limit identifiers, especially for case reviews or preliminary suitability checks.
Referral Authorization Procedures
Start with a simple rule: if the disclosure is for treatment, patient authorization is generally not required. That covers most transplant referral communications between the referring provider, transplant center, Organ Procurement Organization, and supporting clinicians or facilities.
Authorization is required when the disclosure is not for treatment, payment, or operations, or when another law imposes stricter protections. Examples include certain mental health or substance use disorder records, and sensitive results (e.g., HIV or genetic data) when state law requires patient permission. In those cases, obtain a written authorization before sharing.
Elements of a valid authorization
- Description of the PHI to be disclosed and the purpose.
- Names or categories of persons authorized to disclose and receive the PHI.
- Expiration date or event (e.g., “completion of transplant episode”).
- Statement of the individual’s right to revoke and potential for redisclosure.
- Signature and date from the patient or authorized representative.
Store the authorization in the Electronic Health Record and include it in your Referral Documentation. Reassess the need for fresh authorization if the scope changes or the referral enters a new phase, such as living donor workup.
Minimum Necessary Information Standard
The Minimum Necessary Standard requires you to limit the PHI you use, disclose, or request to the least amount reasonably needed to accomplish the purpose. The standard does not apply to disclosures to, or requests by, a health care provider for treatment, but many organizations apply a minimum-necessary discipline to treatment disclosures as well to reduce risk.
Apply role-based and purpose-based limits
- Share data that directly supports transplant suitability, listing, and perioperative planning.
- Use role-based access so team members see only what they need to do their jobs.
- Prefer data views or abstracts over full records when appropriate.
Typical data elements for transplant referrals
- Demographics and key identifiers for matching and coordination.
- Primary diagnosis, organ failure severity (e.g., relevant scoring), allergies, medications, and comorbidities.
- Compatibility data: blood type, HLA typing, crossmatch results, infectious disease screening, and vaccination status.
- Imaging, procedures, and consult notes essential to candidacy decisions.
- Functional, nutritional, and psychosocial assessments when pertinent.
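The following Python sketch is an added illustration, not code from this article or from Accountable, of how the purpose-based and role-based limits above can be enforced mechanically, together with the authorization gate from the Referral Authorization section and a disclosure log entry for the Referral Documentation. The field names, field groups, purposes, roles, the Authorization object, and the sample patient record are all constructed assumptions; the special-category rule is deliberately simplified to "withhold unless a valid written authorization is on file".

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample referral record for a fictional patient (assumption).
SAMPLE_REFERRAL = {
    "mrn": "MRN-000123",
    "name": "Jane Example",
    "dob": "1970-01-01",
    "primary_dx": "ESRD, diabetic nephropathy",
    "severity_score": "dialysis-dependent",
    "allergies": ["penicillin"],
    "medications": ["insulin glargine"],
    "blood_type": "O+",
    "hla_typing": "A2,A24;B7,B44;DR4,DR15",
    "crossmatch": "pending",
    "infectious_screen": "CMV IgG positive",
    "hiv_result": "negative",
    "genetic_results": "none on file",
    "sud_treatment_notes": "no current use; program completed 2019",
    "psychosocial_assessment": "adequate support; adherent",
}

# Assumed taxonomy mirroring the data elements listed above.
FIELD_GROUPS = {
    "identifiers": {"mrn", "name", "dob"},
    "clinical": {"primary_dx", "severity_score", "allergies", "medications"},
    "compatibility": {"blood_type", "hla_typing", "crossmatch", "infectious_screen"},
    "assessments": {"psychosocial_assessment"},
    # Categories the article flags as needing written authorization where
    # stricter federal or state law applies (substance use, HIV, genetic data).
    "special": {"hiv_result", "genetic_results", "sud_treatment_notes"},
}

# Purpose-based limits: the most a given purpose may ever receive.
PURPOSE_GROUPS = {
    "treatment": {"identifiers", "clinical", "compatibility", "assessments", "special"},
    # Preliminary suitability check is de-identified: no identifiers at all.
    "preliminary_review": {"clinical", "compatibility"},
    "quality_review": {"clinical", "compatibility", "assessments"},
}

# Role-based limits: what a recipient role needs to do its job.
ROLE_GROUPS = {
    "transplant_team": {"identifiers", "clinical", "compatibility", "assessments", "special"},
    "hla_lab": {"identifiers", "compatibility"},
    "scheduler": {"identifiers"},
    "reviewer": {"clinical", "compatibility", "assessments"},
}

TPO_PURPOSES = {"treatment", "payment", "operations"}


@dataclass
class Authorization:
    """Written patient authorization covering the 'special' categories (assumed shape)."""
    covers_special: bool
    expires: date

    def valid_on(self, day: date) -> bool:
        return self.covers_special and day <= self.expires


@dataclass
class Disclosure:
    sent: dict       # field -> value actually released
    withheld: dict   # field -> reason it was held back
    log: dict        # entry for Referral Documentation / accounting of disclosures


def prepare_disclosure(record, purpose, role, day, authorization=None):
    """Project a referral record down to the minimum necessary for (purpose, role)."""
    if purpose not in PURPOSE_GROUPS or role not in ROLE_GROUPS:
        raise ValueError("unknown purpose or role")
    # A field is released only if BOTH the purpose and the role permit its group.
    allowed_groups = PURPOSE_GROUPS[purpose] & ROLE_GROUPS[role]
    sent, withheld = {}, {}
    for group, fields in FIELD_GROUPS.items():
        for f in sorted(fields):
            if f not in record:
                continue
            if group not in allowed_groups:
                withheld[f] = f"outside minimum necessary for {role}/{purpose}"
            elif group == "special" and not (authorization and authorization.valid_on(day)):
                withheld[f] = "written authorization required; none valid on file"
            else:
                sent[f] = record[f]
    log = {
        "date": day.isoformat(),
        "purpose": purpose,
        "recipient_role": role,
        "fields_sent": sorted(sent),
        "fields_withheld": sorted(withheld),
        # Non-TPO disclosures must be tracked for the patient's accounting request.
        "accounting_required": purpose not in TPO_PURPOSES,
    }
    return Disclosure(sent, withheld, log)


if __name__ == "__main__":
    today = date(2024, 6, 1)
    auth = Authorization(covers_special=True, expires=date(2024, 12, 31))
    for purpose, role, a in [("treatment", "transplant_team", None),
                             ("treatment", "transplant_team", auth),
                             ("treatment", "hla_lab", None),
                             ("preliminary_review", "reviewer", None)]:
        d = prepare_disclosure(SAMPLE_REFERRAL, purpose, role, today, a)
        print(purpose, role, "sent:", d.log["fields_sent"], "withheld:", d.log["fields_withheld"])
```

The two tables intersect rather than union, so a treatment request from the HLA lab still never receives diagnosis or psychosocial notes, and a de-identified preliminary review never receives identifiers regardless of who asks. The log entry is what you would file with the referral so that "what was sent, to whom, and why" is answerable later.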
Covered Entities in Transplant Referrals
Covered entities include health care providers that transmit health information in standard electronic transactions, health plans, and health care clearinghouses. In a transplant referral, the referring clinic or hospital, the transplant center, dialysis facilities, and diagnostic laboratories typically qualify as covered entities.
Organ Procurement Organizations often function as health care providers and may be covered entities when they conduct HIPAA standard transactions. Whether or not an individual OPO is a covered entity, you may disclose PHI to it to facilitate donation and transplantation as permitted by HIPAA.
Health information exchanges and other intermediaries may be involved in routing data. Their status depends on function; many act as business associates and must meet HIPAA requirements through a Business Associate Agreement.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Business Associate Responsibilities
Vendors that create, receive, maintain, or transmit PHI on your behalf—such as EHR hosting providers, cloud storage services, patient engagement tools, Secure Messaging platforms, or health information exchanges—are business associates. You must have a Business Associate Agreement (BAA) in place before they handle PHI for transplant referrals.
What a strong BAA should cover
- Permitted and required uses/disclosures of PHI tied to referral workflows.
- Administrative, physical, and technical safeguards, including encryption at rest and in transit.
- Reporting timelines for incidents and confirmed breaches, plus cooperation on investigations.
- Subcontractor compliance, minimum necessary controls, and role-based access.
- Return or destruction of PHI at contract end and rights to audit or receive attestations.
Review BAAs when you add new features that touch PHI (e.g., integrating transplant-specific modules in the Electronic Health Record). Ensure each vendor’s obligations align with your policies and the referral use case.
Secure Communication Methods
Choose the most secure, efficient path that all parties can use reliably. Build communication playbooks so staff know which channel to use for each step of the referral.
Recommended options
- EHR-to-EHR exchange using standardized interfaces for orders, results, and clinical summaries.
- Direct Secure Messaging or comparable encrypted messaging for sending referral packets and updates.
- Secure portals for document upload and status tracking with audit logs.
- Encrypted file transfer for large imaging or data sets, with the decryption password sent over a different channel from the file itself.
- Telephone calls for urgent coordination; minimize PHI on voicemail and verify recipient identity.
- Fax only when necessary; confirm numbers, use cover sheets, and promptly file or destroy received pages.
Practical safeguards
- Verify recipient addresses, routing IDs, and organization names before sending.
- Use multi-factor authentication and strong access controls on all systems.
- Label datasets to reflect sensitivity and intended use (e.g., “Transplant Referral—Minimum Necessary”).
- Maintain audit trails for send/receive events and document reconciliation in the EHR.
Documentation and Compliance Requirements
HIPAA expects you to demonstrate how your program protects PHI throughout the referral lifecycle. Build documentation into daily workflows so compliance is automatic, not an afterthought.
Referral Documentation checklist
- Referral order, reason for referral, and the data elements shared.
- Any patient authorizations obtained, including scope and expiration.
- Disclosures outside treatment, payment, or operations, recorded for accounting when required.
- Verification steps (identity checks, secure channel confirmation, receipt acknowledgments).
- Care team assignments, access logs, and notes on Minimum Necessary Standard decisions.
Program-level compliance artifacts
- Policies and procedures for transplant referral privacy and security.
- Completed risk analyses and mitigation plans for systems handling referral PHI.
- Training records for staff who initiate, process, or receive referrals.
- Executed Business Associate Agreements for all relevant vendors and intermediaries.
- Breach response plan, including notification workflows and timelines.
- Record retention processes—retain required HIPAA documents for at least six years from creation or last effective date.
Summary
Transplant referrals qualify as treatment, allowing necessary PHI sharing with the transplant center, labs, and the Organ Procurement Organization. Apply the Minimum Necessary Standard thoughtfully, secure every transmission path, and keep clear Referral Documentation. With strong BAAs and routine audits, you can protect patient privacy while moving urgently toward life-saving surgery.
FAQs
What PHI can be shared without patient authorization for transplant referrals?
You may share PHI needed for treatment without authorization, including with the transplant center, participating specialists, diagnostic labs, and the Organ Procurement Organization to facilitate donation and transplantation. Limit disclosures to what is reasonably necessary for evaluation, listing, and perioperative planning, and document what you sent and why.
How should providers secure PHI in transplant referral communications?
Use encrypted EHR-to-EHR exchange or Direct Secure Messaging for referral packets and updates. Verify recipient identity, restrict access using roles, and store all artifacts in the Electronic Health Record. For large files, use encrypted transfer with separate password delivery. Avoid consumer email or texting; if fax is unavoidable, confirm the number and use a cover sheet.
Are Organ Procurement Organizations covered entities under HIPAA?
Many Organ Procurement Organizations function as health care providers and can be covered entities when they conduct standard electronic transactions. Regardless of an individual OPO’s status, HIPAA permits covered entities to disclose PHI to OPOs to facilitate organ, eye, or tissue donation and transplantation without patient authorization, subject to reasonable safeguards.
What documentation is required for HIPAA compliance in transplant referrals?
Maintain Referral Documentation that shows what PHI you shared, with whom, and for what purpose; store any patient authorizations obtained; and keep access logs and routing confirmations. At the program level, retain policies, risk analyses, training records, Business Associate Agreements, breach response materials, and required records for at least six years or longer if your state law or accreditor requires it.