HIPAA Rules for Care Coordinators: What You Can Share, With Whom, and When
HIPAA Privacy Rule Overview
As a care coordinator, you handle Protected Health Information (PHI)—any information that identifies a patient and relates to their health, care, or payment. HIPAA governs how covered entities and their business associates use and disclose PHI to protect privacy while enabling safe, efficient care coordination.
Under the Privacy Rule, you may use or disclose PHI without patient authorization for three core purposes: treatment, payment, and healthcare operations. You may also disclose PHI when required by law and for specific public interest purposes. When working with vendors or other non-workforce partners, ensure a Business Associate Agreement is in place before they receive PHI.
HIPAA sets a federal baseline. If State Privacy Regulations are more protective, you must follow the stricter rule. Your role is to balance information sharing that supports patient care with safeguards that limit who sees what, and when.
Treatment, Payment, and Healthcare Operations Sharing
Treatment
You may share PHI with any treating provider—inside or outside your organization—to coordinate, manage, or refer care. This includes exchanging medication lists, recent labs, discharge summaries, and care plans necessary to ensure continuity and safety across teams.
The Minimum Necessary Standard does not apply to disclosures for treatment. Still, good practice is to send only what the recipient needs to provide or coordinate care effectively.
Payment
You may disclose PHI to health plans and billing services to verify coverage, obtain prior authorizations, submit claims, and resolve denials. Share only the minimum necessary details, such as dates of service, diagnosis and procedure codes, and supporting documentation required by the payer.
Healthcare Operations
For healthcare operations—quality improvement, case management, utilization review, credentialing, and population health—you may use or disclose PHI to support system performance. Apply the Minimum Necessary Standard and prefer de-identified or limited data sets when full identifiers are not essential.
Business Associates
If an external partner performs payment or healthcare operations on your behalf (for example, a care management platform or analytics vendor), execute a Business Associate Agreement before sharing PHI. The BAA defines permitted uses, safeguards, and breach duties.
Minimum Necessary Rule Compliance
The Minimum Necessary Standard requires you to limit PHI uses, disclosures, and requests to the least amount needed to accomplish the task. It applies to payment, healthcare operations, most administrative uses, and many public interest disclosures.
Exceptions include disclosures for treatment, to the individual, pursuant to a valid authorization, and when required by law or for HHS compliance reviews. Even where the rule does not formally apply, using the smallest effective data set reduces risk.
How to operationalize “minimum necessary”
- Adopt role-based access so staff can view only the PHI needed for their duties.
- Standardize request templates that specify required data elements—not entire charts.
- Prefer de-identified data or a limited data set with a Data Use Agreement when full identifiers are unnecessary.
- Document your rationale when unusual or broader disclosures are warranted.
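The checklist above (role-based access, request templates that name data elements, documented rationale) can be expressed as a small disclosure-policy check. The example below is added here and is not from the original article or from Accountable; the field lists per purpose, the sample record, and the recipient labels are constructed assumptions. It applies the treatment exception, the Business Associate Agreement requirement, and the separate authorization rule for Psychotherapy Notes that the article describes in later sections.

```python
from dataclasses import dataclass

# Constructed sample PHI record for illustration; every value is a placeholder.
SAMPLE_RECORD = {
    "name": "Sample Patient", "dob": "1970-01-01", "mrn": "MRN-PLACEHOLDER",
    "medications": ["metformin 500 mg"], "labs": ["A1c 7.1"],
    "discharge_summary": "placeholder", "care_plan": "placeholder",
    "dates_of_service": ["2024-03-01"], "diagnosis_codes": ["E11.9"],
    "procedure_codes": ["99214"], "psychotherapy_notes": "placeholder",
}

# Minimum-necessary request templates per purpose (assumed data elements, not a
# HIPAA-defined list): the fields a payment or operations request may receive.
PURPOSE_FIELDS = {
    "payment": {"name", "dob", "dates_of_service", "diagnosis_codes", "procedure_codes"},
    "healthcare_operations": {"mrn", "dates_of_service", "diagnosis_codes"},
}


@dataclass
class Disclosure:
    purpose: str
    recipient: str
    fields: dict
    rationale: str  # recorded so the decision is documented in the chart or log


def disclosable_fields(record, purpose, recipient, has_baa=False, authorization=False):
    """Return the subset of `record` this disclosure may contain, or raise."""
    # A business associate may receive no PHI until a BAA is executed.
    if recipient == "business_associate" and not has_baa:
        raise PermissionError("execute a Business Associate Agreement before sharing PHI")
    # Psychotherapy notes need the patient's specific authorization, even for treatment.
    data = {k: v for k, v in record.items()
            if k != "psychotherapy_notes" or authorization}
    if purpose == "treatment":
        return data  # minimum necessary does not apply to treatment disclosures
    if purpose in PURPOSE_FIELDS:
        return {k: v for k, v in data.items() if k in PURPOSE_FIELDS[purpose]}
    if authorization:
        return data  # outside TPO, a valid patient authorization permits the disclosure
    raise PermissionError(f"no HIPAA permission for purpose {purpose!r}")


def disclose(record, purpose, recipient, rationale, **kwargs):
    """Build a logged disclosure; the Disclosure object is the audit record."""
    fields = disclosable_fields(record, purpose, recipient, **kwargs)
    return Disclosure(purpose, recipient, fields, rationale)
```

Unknown purposes and missing agreements fail closed rather than defaulting to a broad release, which is the behavior you want a request template to enforce.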
Sharing PHI with Family and Friends
With the patient present, you may share PHI with family, friends, or caregivers involved in the patient’s care if the patient agrees or does not object when given a clear opportunity. Limit the discussion to information directly relevant to that person’s involvement.
If the patient is not present, is incapacitated, or an emergency prevents obtaining agreement, you may use professional judgment to disclose PHI in the patient’s best interests. Share only what is necessary for the person to assist with current care or payment.
Verify identity before discussing PHI, be cautious with voicemail or shared devices, and document material decisions. Some State Privacy Regulations restrict disclosures for sensitive services or for certain minors; follow the stricter rule.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Disclosures to Personal Representatives
A Personal Representative is someone legally authorized to act on the patient’s behalf (for example, a parent of a non-emancipated minor, legal guardian, or an adult named in a health care proxy). Treat a verified Personal Representative as the individual for PHI access, unless doing so could endanger the patient.
Request and review appropriate documentation (proxy, guardianship, or court order) and record the authority in the chart. Note exceptions: minors who can consent to specific services under state law may control related PHI, and you may limit access if there is a reasonable belief of abuse, neglect, or harm.
Handling Mental Health Information
Mental health information is PHI and generally follows the same HIPAA rules as other clinical data. You may share for treatment, payment, and healthcare operations, applying the Minimum Necessary Standard where required and professional judgment for care coordination.
Psychotherapy Notes—a clinician’s separate, personal notes from counseling sessions—receive heightened protection and usually require a patient’s specific authorization before use or disclosure. They are distinct from mental health information in the medical record (diagnoses, medications, treatment plans), which may be shared for TPO (treatment, payment, and healthcare operations) as permitted by HIPAA.
Additional federal rules may apply to certain substance use disorder records, and State Privacy Regulations can impose stricter limits for behavioral health, reproductive health, or HIV-related information. Confirm the most protective rule before disclosing.
Emergency Situations and PHI Sharing
During emergencies, you may disclose PHI to clinicians, first responders, and others as needed to treat the patient or to prevent or lessen a serious and imminent threat to health or safety. Base disclosures on professional judgment and share only what is necessary in the moment.
You may also coordinate with disaster relief organizations to help locate or notify family and caregivers, unless the patient objects where feasible. When the emergency resolves, return to standard HIPAA decision pathways and document the basis for urgent disclosures.
Conclusion
Effective care coordination under HIPAA means sharing the right information with the right people at the right time. Use TPO to enable care, apply the Minimum Necessary Standard to limit exposure, validate Personal Representatives, treat Psychotherapy Notes with special care, and heed stricter State Privacy Regulations. When in doubt, narrow the scope, document your judgment, and keep the patient’s interests at the center.
FAQs
What PHI can care coordinators share under HIPAA?
You may share PHI for treatment, payment, and healthcare operations. For treatment, coordinate freely with treating providers; for payment and operations, limit disclosures to the Minimum Necessary Standard. If using third-party vendors, execute a Business Associate Agreement before sharing. Outside TPO, obtain patient authorization unless another HIPAA permission or legal requirement applies.
When can PHI be shared with family members?
Share with family or friends involved in care when the patient agrees or does not object in the moment. If the patient is unavailable or incapacitated, disclose what is directly relevant using professional judgment and only in the patient’s best interests. Personal Representatives have broader access, but state laws and safety concerns can limit disclosures, especially for sensitive services or certain minors.
How does the minimum necessary rule affect care coordinators?
It requires you to use, disclose, and request only the smallest amount of PHI needed for payment, operations, and many administrative tasks. Implement role-based access, standardized data requests, and prefer limited or de-identified data when possible. The rule does not apply to treatment disclosures, but keeping information targeted remains best practice.
When is patient authorization not required for PHI disclosures?
Authorization is not required for treatment, payment, and healthcare operations; when disclosing to the individual; for certain public health and safety activities; when required by law; for health oversight; for specific law enforcement and judicial processes; for decedents to coroners or funeral directors; for organ and tissue donation; for workers’ compensation; and to HHS for compliance. Always apply the Minimum Necessary Standard where applicable and document your rationale.