HIPAA Privacy Rule Checklist for Provider-to-Provider Communication and Disclosures
HIPAA Privacy Rule Overview
Scope and intent
The HIPAA Privacy Rule sets national standards for protecting Protected Health Information (PHI) while allowing necessary provider-to-provider exchanges for treatment, payment, and health care operations. For treatment disclosure between providers, HIPAA generally permits sharing without patient authorization when the purpose is to diagnose, treat, or coordinate care.
Core principles you must apply
- Minimum Necessary Standard: Limit PHI to what’s reasonably needed for the task, except in specific situations outlined below.
- Reasonable Safeguards: Use practical measures—identity verification, secure channels, and access controls—to protect PHI during every exchange.
- Patient Authorization: Obtain written authorization when a disclosure is not otherwise permitted (for example, most uses of psychotherapy notes).
This checklist is educational guidance and not legal advice; consult counsel for organization-specific requirements.
Provider-to-Provider Communication Practices
Permitted treatment disclosures
You may share PHI with another treating provider without patient authorization for consultations, referrals, coverage arrangements, and care coordination. Disclose only information the receiving provider needs to treat the patient effectively.
Apply reasonable safeguards
- Verify recipient identity and role before disclosing PHI (e.g., callback to a known number, directory lookup, secure messaging roster).
- Prefer encrypted channels (EHR-to-EHR exchange, secure messaging) and avoid open text or personal email where possible.
- Use role-based access and include only relevant attachments or record segments.
- Be mindful of incidental disclosures in shared spaces; lower voices, position screens, and use privacy filters.
Channel-specific tips
- Phone/Voicemail: Confirm identity; avoid detailed PHI on voicemail unless necessary and intended; request a secure callback.
- Email/Fax/Text: Use secure, encrypted solutions; double-check recipient details; include a minimal, purpose-specific summary.
- EHR Exchange: Send the specific encounter, summary, or results needed rather than the full chart.
Documentation and accountability
- Record the purpose of disclosure and what was shared when your policy requires it.
- Educate staff on treatment disclosure boundaries and how to handle requests that require patient authorization.
Minimum Necessary Standard Exceptions
When the standard does not apply
- Disclosures to or requests by another health care provider for treatment.
- Uses or disclosures made to the individual patient.
- Uses or disclosures made pursuant to a valid patient authorization.
- Disclosures to the U.S. Department of Health and Human Services for compliance investigations.
- Uses or disclosures required by law (and limited to the law’s mandate).
When the standard does apply
Apply the Minimum Necessary Standard to payment and health care operations, most public interest disclosures, and research with a waiver or data use agreement. Use policies, role-based access, and targeted datasets to ensure you share only what is needed.
Practical approach
- Define typical “need-to-know” elements for common workflows (e.g., referral summaries, imaging results).
- Default to sharing the smallest useful unit (a note, result, or summary instead of the full chart).
Handling Psychotherapy Notes
What they are—and are not
Psychotherapy notes are a mental health professional’s separate, personal notes analyzing counseling conversations. They do not include medication records, session times, modalities, test results, or summaries of diagnosis and treatment, which belong in the medical record.
Patient authorization is the default
Sharing psychotherapy notes generally requires explicit patient authorization that specifically references “psychotherapy notes.” Authorization is separate from general consent and must meet HIPAA content requirements.
Narrow exceptions
- Use by the originator for treatment.
- Training programs for students/trainees under supervision.
- To defend the originator in a legal action or proceeding.
- When required by law or for appropriate oversight.
- To prevent or lessen a serious and imminent threat to health or safety.
Operational safeguards
- Store psychotherapy notes separately from the designated record set.
- Label and restrict access; prevent automatic inclusion in routine disclosures.
- Use tailored workflows to capture and verify patient authorization before disclosure.
Business Associate Agreement Requirements
When a Business Associate Agreement is required
A Business Associate Agreement (BAA) is required when a third party creates, receives, maintains, or transmits PHI on your behalf (for example, cloud EHR, secure messaging platforms, e-fax services, transcription or AI scribe tools, data aggregation, or analytics vendors).
What to include in a BAA
- Permitted and required uses/disclosures of PHI.
- Administrative, physical, and technical safeguards, including breach reporting timelines.
- Downstream obligations for subcontractors handling PHI.
- Return or destruction of PHI at termination and rights to audit or receive assurances.
When a BAA is not required
- Provider-to-provider disclosures for treatment (both are covered entities).
- Limited “conduit” services that merely transmit PHI without persistent storage (a narrow exception—confirm your vendor’s role).
Patient Rights and Restrictions
Access and amendments
Patients have the right to access and obtain copies of their PHI and to request amendments to inaccurate or incomplete information. Respond within required timelines and document approvals or denials with rationale.
Requesting restrictions
Patients may request restrictions on uses or disclosures. While you are not required to agree in most cases, you must honor a restriction when the patient pays in full out of pocket for a specific service and asks you not to disclose related PHI to a health plan for payment or operations.
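As an added illustration (not from the original checklist), the three decision points above can be turned into a single disclosure gate: psychotherapy notes are withheld unless a written authorization names them, the paid-in-full restriction is honored for payment/operations disclosures to a health plan, and the Minimum Necessary filter is skipped only for the exempt cases the checklist lists. The record kinds, purpose strings and the `evaluate_disclosure` function are assumptions for this example; the narrow psychotherapy-note exceptions (originator's own treatment use, training, legal defense) are deliberately not modelled.

```python
from dataclasses import dataclass

# Purposes for which the checklist lists the Minimum Necessary Standard as not applying.
# Treatment disclosures to a provider are handled separately because they depend on the recipient.
MIN_NECESSARY_EXEMPT_PURPOSES = {"patient_access", "authorization", "hhs_compliance", "required_by_law"}


@dataclass(frozen=True)
class Record:
    kind: str                          # assumed kinds: "medication", "lab_result", "psychotherapy_note"
    self_pay_restricted: bool = False  # patient paid in full and asked that this not go to a health plan


@dataclass(frozen=True)
class DisclosureRequest:
    purpose: str                                   # "treatment", "payment", "operations" or an exempt purpose
    recipient_type: str                            # "provider", "health_plan", "patient", "attorney", ...
    authorization_scope: frozenset = frozenset()   # what a written authorization specifically names
    kinds_needed: frozenset = frozenset()          # record kinds the requesting workflow actually requires


def evaluate_disclosure(request, records):
    """Split records into (released, denied); denied is a list of (record, reason)."""
    released, denied = [], []
    treatment_to_provider = request.purpose == "treatment" and request.recipient_type == "provider"
    min_necessary_applies = (not treatment_to_provider
                             and request.purpose not in MIN_NECESSARY_EXEMPT_PURPOSES)
    for rec in records:
        # Psychotherapy notes: released only under an authorization that names them explicitly.
        if rec.kind == "psychotherapy_note" and "psychotherapy notes" not in request.authorization_scope:
            denied.append((rec, "psychotherapy notes need a specific authorization"))
            continue
        # Paid-in-full restriction: must be honored for payment/operations disclosures to a health plan.
        if (rec.self_pay_restricted and request.recipient_type == "health_plan"
                and request.purpose in {"payment", "operations"}):
            denied.append((rec, "patient paid out of pocket and restricted this service"))
            continue
        # Minimum necessary: keep only the kinds the workflow needs, unless the request is exempt.
        if min_necessary_applies and rec.kind not in request.kinds_needed:
            denied.append((rec, "outside minimum necessary for this purpose"))
            continue
        released.append(rec)
    return released, denied
```

Run the gate at the point where an EHR export or referral package is assembled, and log the denied list with its reasons so reviewers can see why a record was held back.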
Confidential communications
Patients can request confidential communications—such as using an alternative address, phone number, or secure portal message. Provide reasonable accommodations that do not impede care or safety.
Accounting of disclosures
Maintain an accounting of certain non-routine disclosures. Ensure your systems and policies capture what must be tracked and exclude disclosures that are not subject to accounting (e.g., most treatment, payment, and operations).
State Law Considerations
HIPAA sets the floor, not the ceiling
HIPAA preempts less-stringent state laws, but more protective state rules control. Always apply the standard that offers greater privacy protection to the patient.
Topics commonly governed by stricter laws
- Minor consent and sensitive services, including reproductive health.
- HIV/AIDS, genetic testing, mental health, and behavioral health records.
- Substance use disorder information (in addition to specialized federal rules).
Operational takeaways
- Map state-specific consent and authorization rules into your disclosure workflows.
- Train teams on jurisdictional differences for cross-state referrals and telehealth.
- Periodically review and update policies as state requirements evolve.
Conclusion
For provider-to-provider exchanges, anchor your workflow in treatment disclosure allowances, apply reasonable safeguards, and default to the Minimum Necessary Standard when it applies. Secure vendors with a solid Business Associate Agreement, respect patient rights—including confidential communications and valid restrictions—and elevate protections where state law is more stringent.
FAQs
What types of provider-to-provider communications are permitted under HIPAA?
HIPAA permits disclosures between providers for treatment without patient authorization. This includes consultations, referrals, care coordination, and coverage arrangements, provided you share only the PHI the receiving provider needs and use reasonable safeguards.
How does the minimum necessary standard apply to treatment disclosures?
The Minimum Necessary Standard generally does not apply to disclosures for treatment. Even so, you should limit what you share to clinically relevant information and avoid including extraneous records that are not needed for the current purpose.
When is patient authorization required for sharing psychotherapy notes?
Psychotherapy notes usually require explicit patient authorization that specifically references psychotherapy notes. Limited exceptions apply, such as the originator’s use for treatment, training, legal defense, required-by-law disclosures, oversight, serious and imminent threat situations, and certain compliance activities.
Are business associate agreements necessary for all third-party disclosures?
No. A Business Associate Agreement is required when a third party creates, receives, maintains, or transmits PHI on your behalf. Disclosures directly to another treating provider do not require a BAA, and narrow “conduit” services may be exempt, but most service vendors that store or process PHI will need a BAA.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.