HIPAA Guidelines for Care Coordinators: What You Need to Know to Stay Compliant
HIPAA Privacy Rule Overview
As a care coordinator, you routinely access and share Protected Health Information (PHI). The HIPAA Privacy Rule governs how PHI may be used and disclosed, and it grants patients rights over their information. Covered entities (healthcare providers, health plans, and clearinghouses) and business associates must implement policies that keep covered entities compliant across day-to-day workflows.
PHI is any individually identifiable health information—paper, verbal, or electronic—that relates to a person’s health status, care, or payment. HIPAA permits uses and disclosures without Patient Authorization for treatment, payment, and healthcare operations (TPO). Care coordination typically falls under treatment and, in some circumstances, health care operations, provided you follow the Minimum Necessary Standard when it applies.
Your responsibilities span creating role-based access rules, training staff, documenting decisions, and maintaining auditable records. The HIPAA Security Rule complements the Privacy Rule by requiring safeguards for electronic PHI, so privacy and security must operate together in every coordination pathway.
Electronic PHI Safeguards that work in practice
- Access controls: unique user IDs, multi-factor authentication, and tight role-based permissions aligned to job duties.
- Encryption in transit and at rest, secure messaging, and verified recipient identity before sharing.
- Audit logs and monitoring to track who accessed what, when, and why; investigate anomalies promptly.
- Device and workstation protections, mobile device management, and rapid termination of access on role changes.
- Contingency planning: backups, downtime procedures, and tested incident response for swift recovery.
Sharing PHI for Care Coordination
Start with a quick decision path before you disclose PHI. If the disclosure is to another provider for the patient’s treatment, it is generally permitted without Patient Authorization. If it is for payment or your organization’s healthcare operations, it can be permitted but you must apply the Minimum Necessary Standard. If neither applies, obtain a valid authorization or rely on a specific HIPAA permission (for example, disclosures to family involved in care under professional judgment).
Common coordination scenarios
- Provider-to-provider handoffs and referrals: disclose what the receiving provider needs for treatment; “minimum necessary” does not apply to treatment, but share prudently.
- Health plan case management or utilization review: permitted for payment/operations; disclose the minimum necessary and document your rationale.
- Community or social services: if the organization performs services on your behalf and accesses PHI, treat it as a business associate and execute Business Associate Agreements; otherwise, use Patient Authorization before sharing.
- Family, friends, or caregivers: if the patient agrees or you infer permission in their presence, share information relevant to involvement in care; if the patient is incapacitated, use professional judgment in the patient’s best interest.
- Health information exchanges (HIEs) and coordination platforms: permitted for TPO with appropriate agreements and access controls; honor any applicable state consent requirements.
Applying the Minimum Necessary Standard
The Minimum Necessary Standard requires you to limit uses, disclosures, and requests to the least amount of PHI needed to accomplish the purpose. It typically applies to payment and operations, routine administrative exchanges, and most internal accesses that are not for treatment.
When the standard does and does not apply
- Applies: payment activities, healthcare operations (including many case management tasks), and routine non-treatment disclosures.
- Does not apply: disclosures to or requests by a provider for treatment; disclosures to the individual; uses/disclosures made pursuant to Patient Authorization; disclosures required by law; and disclosures to regulators for HIPAA compliance enforcement.
Operationalizing “minimum necessary”
- Define role- and task-based access so coordinators see only what is needed for each workflow.
- Use standardized request forms or data views that auto-limit data elements to the purpose.
- Prefer de-identified data or a Limited Data Set with a data use agreement when full identifiers are unnecessary.
- Automate redaction and implement approval steps for atypical or bulk disclosures.
- Train staff with realistic scenarios and audit regularly to verify consistent application.
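The decision path in "Sharing PHI for Care Coordination" and the task-based data views above can be enforced in software rather than left to memory. The following is an added example, not code from the article or from Accountable: a small disclosure gate that picks the HIPAA basis for a request, applies a purpose-specific minimum-necessary field view to payment and operations requests, holds back psychotherapy notes and 42 CFR Part 2 records unless an authorization is on file, and writes an audit entry (who, what, when, why) for every decision. The purposes, role names, field names and the sample record are constructed for illustration.

```python
"""Purpose-based PHI disclosure gate with minimum-necessary filtering and an audit trail.

Added example; field names, roles, purposes and the sample record are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Purpose(Enum):
    TREATMENT = "treatment"
    PAYMENT = "payment"
    OPERATIONS = "operations"
    OTHER = "other"


# Constructed data views: the record fields each non-treatment purpose may see.
# Treatment has no view here because the Minimum Necessary Standard does not apply to it.
MINIMUM_NECESSARY_VIEWS = {
    Purpose.PAYMENT: {"patient_id", "name", "dob", "diagnosis_codes", "service_dates", "insurer_id"},
    Purpose.OPERATIONS: {"patient_id", "diagnosis_codes", "service_dates", "care_plan"},
}

# Fields that need a specific patient authorization regardless of purpose.
AUTHORIZATION_ONLY_FIELDS = {"psychotherapy_notes"}

# Constructed sample record (eight fields).
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Sample Patient",
    "dob": "1980-01-01",
    "diagnosis_codes": ["F33.1"],
    "service_dates": ["2024-03-02"],
    "insurer_id": "INS-EXAMPLE",
    "care_plan": "weekly follow-up call",
    "psychotherapy_notes": "(kept separate from the medical record)",
}

AUDIT_LOG: list = []


@dataclass
class DisclosureRequest:
    requester_id: str
    requester_role: str          # constructed roles: "treating_provider", "case_manager", "community_org"
    purpose: Purpose
    has_authorization: bool = False   # a valid HIPAA authorization covering this disclosure is on file
    part2_record: bool = False        # the record originates from a 42 CFR Part 2 program


@dataclass
class Decision:
    permitted: bool
    basis: str
    fields_released: set = field(default_factory=set)


def decide_disclosure(req: DisclosureRequest, record: dict) -> Decision:
    """Return the HIPAA basis for the request and the set of fields it may receive."""
    present = set(record)
    if req.part2_record and not req.has_authorization:
        return Decision(False, "42 CFR Part 2 record: specific authorization or qualifying exception required")
    if req.has_authorization:
        # Assumption: the authorization on file covers the whole record; real systems check its scope.
        return Decision(True, "patient authorization", present)
    if req.purpose is Purpose.TREATMENT and req.requester_role == "treating_provider":
        # Minimum necessary does not apply to treatment, but psychotherapy notes still need authorization.
        return Decision(True, "treatment (minimum necessary does not apply)", present - AUTHORIZATION_ONLY_FIELDS)
    view = MINIMUM_NECESSARY_VIEWS.get(req.purpose)
    if view is not None:
        return Decision(True, f"{req.purpose.value}: minimum necessary applied", (present & view) - AUTHORIZATION_ONLY_FIELDS)
    # No TPO permission fits (for example a community organisation without a BAA): stop and get authorization.
    return Decision(False, "no HIPAA permission for this purpose: obtain patient authorization")


def release(req: DisclosureRequest, record: dict):
    """Apply the decision, build the filtered record and record an audit entry for every attempt."""
    decision = decide_disclosure(req, record)
    released = {k: record[k] for k in sorted(decision.fields_released)}
    AUDIT_LOG.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "who": req.requester_id,
        "role": req.requester_role,
        "purpose": req.purpose.value,
        "patient_id": record.get("patient_id"),
        "permitted": decision.permitted,
        "basis": decision.basis,
        "fields": sorted(decision.fields_released),
    })
    return decision, released


if __name__ == "__main__":
    for req in (
        DisclosureRequest("dr-1", "treating_provider", Purpose.TREATMENT),
        DisclosureRequest("cm-1", "case_manager", Purpose.PAYMENT),
        DisclosureRequest("org-1", "community_org", Purpose.OTHER),
    ):
        decision, released = release(req, SAMPLE_RECORD)
        print(req.requester_id, decision.permitted, decision.basis, sorted(released))
```

The denial branches are deliberate: a request that fits no treatment, payment or operations permission is refused with a reason that names the next step, and the audit entry is written whether or not the disclosure went ahead, which is what makes later anomaly review possible.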
Managing Mental Health Information
Most mental health information is PHI and follows the general HIPAA rules. You may share for treatment without authorization and for payment/operations subject to the Minimum Necessary Standard and any stricter state laws. Be deliberate about care team need-to-know, especially when coordinating across disciplines.
Psychotherapy Notes
Psychotherapy Notes are the personal notes of a mental health professional documenting or analyzing counseling conversations, kept separate from the medical record. They are given heightened protection and generally require Patient Authorization for disclosure.
- Narrow exceptions include use by the originator for treatment, training programs for students/trainees, defense in a legal action initiated by the patient, certain health oversight activities, disclosures to coroners/medical examiners, to avert a serious and imminent threat, or where otherwise required by law.
Caregiver involvement and safety
With the patient’s agreement—or when you can reasonably infer it—you may share relevant information with family or others involved in care. If the patient is incapacitated, use professional judgment to act in the patient’s best interest and limit disclosures to what is necessary for the situation.
Substance use disorder records
Programs subject to 42 CFR Part 2 impose additional restrictions beyond HIPAA. When coordinating with such programs, confirm whether Part 2 applies and obtain specific Patient Authorization or meet a qualifying exception before any disclosure or re-disclosure.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Establishing Business Associate Agreements
A business associate is any non-workforce person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Many care coordination platforms, analytics vendors, and outsourced case management services are business associates and require executed Business Associate Agreements before sharing PHI.
What your Business Associate Agreements must include
- Clear permitted uses/disclosures tied to coordination purposes and the Minimum Necessary Standard.
- Security requirements aligned with Electronic PHI Safeguards: encryption, access controls, audit logging, risk management, and incident response.
- Prompt reporting of security incidents and breaches, cooperation in investigations, and support for notifications.
- Downstream obligations so subcontractors that handle PHI sign equivalent agreements.
- Return or secure destruction of PHI at contract end and robust termination rights for material breaches.
Due diligence and ongoing oversight
- Maintain a current vendor inventory with risk ratings and the related Business Associate Agreements.
- Review security attestations (for example, third-party audits), assess data flows, and verify least-privilege access.
- Test incident escalation paths and document periodic reviews to demonstrate your compliance as a covered entity.
Navigating State Privacy Regulations
HIPAA sets a federal floor; states may enact more stringent privacy protections that you must follow. Sensitive categories—such as mental health records, HIV/STD information, genetic data, reproductive health, and minors’ records—often carry tighter consent or redisclosure rules.
Practical steps to stay aligned
- Maintain a living “state law matrix” covering consent, redisclosure limits, special authorizations, and breach deadlines.
- Design consent and Patient Authorization templates that capture required state elements and redisclosure warnings.
- Adopt default data minimization and configure systems to respect state-specific restrictions across locations.
- Deliver role-based training focused on the states where you operate and refresh it as laws evolve.
Handling Emergency Disclosures
HIPAA permits disclosures to prevent or lessen a serious and imminent threat to health or safety. In good faith and using professional judgment, you may share pertinent PHI with persons reasonably able to reduce the threat—such as first responders, law enforcement, or at-risk individuals.
If a patient is incapacitated during an emergency or disaster, you may disclose limited information to family, friends, or disaster relief organizations involved in locating or caring for the patient. Share only what is necessary and document the basis for your decision.
- Verify the recipient’s role and need-to-know, then disclose the minimum necessary for the situation.
- Record what you shared, with whom, and why; notify your privacy officer promptly after the event.
- After the emergency, review the exchange, refine protocols, and reinforce training as needed.
Key takeaways
- Anchor every coordination disclosure in a HIPAA permission: treatment, payment/operations with Minimum Necessary, specific exceptions, or Patient Authorization.
- Strengthen Electronic PHI Safeguards and document decisions to demonstrate your compliance as a covered entity.
- Apply heightened protections for Psychotherapy Notes and follow stricter state rules where they exist.
FAQs
What PHI can care coordinators share without patient authorization?
You may share PHI without Patient Authorization for treatment (for example, provider-to-provider coordination), payment, and healthcare operations. For payment/operations, disclose only the minimum necessary. You may also share limited information with family or others involved in care when the patient agrees or when you use professional judgment in the patient’s best interest.
How do business associate agreements affect care coordinators?
When a vendor or partner handles PHI on your behalf, you must execute Business Associate Agreements before sharing. BAAs define permitted uses, require Electronic PHI Safeguards, mandate incident reporting, and flow down obligations to subcontractors—helping you demonstrate compliance as a covered entity across your coordination ecosystem.
What are the exceptions for disclosing psychotherapy notes?
Psychotherapy Notes generally require Patient Authorization. Limited exceptions allow use or disclosure without authorization—for example, use by the originator for treatment, training programs, defense in a legal action initiated by the patient, certain health oversight activities, disclosures to coroners/medical examiners, to avert a serious and imminent threat, or when required by law.
When can PHI be disclosed in emergency situations?
HIPAA permits disclosures in good faith to prevent or lessen a serious and imminent threat to health or safety. You may share with first responders, law enforcement, at-risk individuals, or disaster relief organizations, and you may inform family or caregivers when the patient is incapacitated—always limiting disclosures to what is necessary and documenting your judgment.