Provider-to-Provider Communication Under the HIPAA Privacy Rule: What’s Permitted, Explained

Kevin Henry

HIPAA

February 05, 2025

6 minutes read

When you coordinate care with other clinicians, the HIPAA Privacy Rule allows important exchanges of Protected Health Information (PHI) while maintaining patient trust. This guide explains what you may disclose, when Written Authorization is required, and how to apply safeguards—especially in value-based care arrangements and team-based models.

Permitted Disclosures for Treatment

Covered Health Care Providers may use and disclose PHI to another provider for treatment without patient authorization. This includes consultations, referrals, care coordination, discharge planning, and cross-coverage communications aimed at diagnosing or treating the individual.

These disclosures support modern, interdisciplinary teams and Value-Based Care Arrangements. You can share relevant labs, imaging, medication histories, allergies, problem lists, and care plans with treating providers so the patient receives timely, coordinated services.

Examples of permitted provider-to-provider sharing

  • A primary care clinician sends recent labs and a medication list to a cardiologist for an e-consult.
  • An emergency physician phones a patient’s oncologist to confirm chemotherapy cycles before urgent imaging.
  • Hospitalists coordinate with community specialists on discharge summaries and follow-up plans.

When authorization is still needed

While treatment disclosures generally do not require authorization, some information—such as psychotherapy notes—has heightened restrictions. Uses not tied to treatment (for example, certain marketing communications) fall outside these Privacy Rule exceptions and typically require Written Authorization.

Definition of Treatment

Treatment means the provision, coordination, or management of health care and related services by one or more providers. It includes consultations between providers and referrals from one provider to another, whether synchronous (phone/video) or asynchronous (EHR-based messaging).

In practice, individual-focused care coordination and case management often qualify as “treatment.” Population-level analytics or activities primarily aimed at business operations usually fall under health care operations, not treatment, and may trigger the Minimum Necessary Requirement.

Treatment vs. operations at a glance

  • Treatment: sharing PHI about a specific patient to diagnose, treat, or coordinate that patient’s care.
  • Operations: quality improvement, utilization review, or population-level reporting; these are not treatment and invoke different rules.

Psychotherapy Notes Restrictions

Psychotherapy notes receive special protection under the Privacy Rule. They are the personal notes of a mental health professional analyzing the details of counseling sessions and kept separate from the medical record.

Using or disclosing psychotherapy notes generally requires the patient’s Written Authorization. Limited exceptions exist (for example, use by the originator for treatment, certain training activities, or to defend a legal action), but they are narrow and should be applied cautiously.

What is not a psychotherapy note

  • Medication prescriptions and monitoring
  • Session start/stop times and modalities
  • Results of clinical tests and diagnostics
  • Summaries of diagnosis, functional status, treatment plan, symptoms, prognosis, or progress

Those items are part of the medical record and, when relevant, may be shared with other treating providers consistent with the treatment provisions of the Privacy Rule.

Reasonable Safeguards for Communication

The Privacy Rule allows incidental disclosures that occur despite reasonable safeguards. You should implement practical measures that reduce the risk of unintended exposure during provider-to-provider conversations.

Practical safeguards

  • Verify recipient identity before sharing PHI by phone or in person.
  • Use private areas or lower your voice when discussing cases on rounds or at nursing stations.
  • Limit visible PHI on whiteboards and sign-in sheets to what is necessary for workflow.
  • Confirm fax numbers and use cover sheets; retrieve printouts promptly.
  • Document only the PHI needed for the communication, and store notes securely.

Electronic Communications Security

When exchanging PHI electronically with other providers, apply HIPAA Security Rule safeguards. Encryption is an addressable specification—meaning you should adopt it when reasonable and appropriate—and it is a best practice for email, direct messaging, and file exchange.

Channel-specific guidance

  • Email: Use encrypted transport; double-check addresses; include only necessary PHI.
  • Texting: Prefer secure clinical messaging platforms over standard SMS; enable device lock and remote wipe.
  • EHR/HIE: Use built-in secure messaging or Direct protocols; maintain audit logs for access and disclosures.
  • Fax and scanning: Confirm numbers, use cover sheets, and secure multifunction devices.
  • Telehealth/teleconsults: Use platforms with encryption, access controls, and session timeouts.

If a third-party service enables your communications, ensure a Business Associate Agreement is in place and that the vendor aligns with your risk analysis, access controls, and audit requirements. Always honor any patient’s request for confidential communication (for example, alternative address or channel) that is reasonable.

Minimum Necessary Standard

The Minimum Necessary Requirement applies to uses and disclosures for payment and operations, and to most requests from others. It does not apply to disclosures for treatment between providers, though you should still share only the information reasonably relevant to the consultation.

Applying the standard effectively

  • Use role-based access so team members see only what they need.
  • For operations or analytics (including some value-based reporting), limit data to the narrowest scope—consider de-identified data, limited data sets, or aggregation where feasible.
  • Document protocols that define what elements are typically necessary for common exchanges (e.g., medication list and last A1C for diabetes consults).

State Laws and HIPAA Compliance

HIPAA generally preempts contrary state laws, but if a state law is more protective of privacy, that law controls. Many states impose stricter rules for sensitive information such as mental health, HIV/STI results, genetic testing, reproductive health, or minors’ consented services.

You should also be mindful of other privacy frameworks that may apply alongside HIPAA (for example, stricter federal rules for substance use disorder records). Build workflows that respect the most stringent applicable rule across jurisdictions where you practice.

Operational tips for multistate or networked care

  • Maintain a state-law matrix highlighting stricter consent or redisclosure limits.
  • Tag sensitive data elements in the EHR to support granular access controls.
  • Train clinicians and staff on when Written Authorization is required despite treatment-related sharing.
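As an added illustration that is not part of the original article or any product, the routine below applies the rules this page describes as an element-level screening step for an EHR: treatment disclosures pass, psychotherapy notes need Written Authorization unless the originator uses them for treatment, elements tagged with a stricter state or federal category need the consent that rule demands, and non-treatment requests are limited to a role's minimum-necessary scope. The tags, roles, sample record and consent flags are constructed assumptions, and the model is a simplification, not a statement of what any jurisdiction requires.

```python
from dataclasses import dataclass

# Tags a hypothetical EHR attaches to data elements (constructed; the categories are the page's).
PSYCHOTHERAPY = "psychotherapy_notes"
STATE_SENSITIVE = {"mental_health", "hiv_sti", "genetic", "reproductive", "minor_consented", "sud"}

# Minimum-necessary scope per non-treatment role (constructed role-based access table).
ROLE_SCOPE = {"quality_analyst": {"diagnosis_summary", "last_a1c"}}

@dataclass(frozen=True)
class Request:
    purpose: str                  # "treatment", "operations" or "payment"
    role: str                     # recipient's role, used to scope non-treatment requests
    is_originator: bool = False   # recipient authored the psychotherapy notes
    authorization: bool = False   # patient's Written Authorization on file
    state_consent: bool = False   # consent required by a stricter state/federal rule on file

def screen_element(name: str, tags: set, req: Request) -> tuple:
    """Return (permitted, reason) for releasing one data element to the requester."""
    if PSYCHOTHERAPY in tags:
        if req.authorization:
            return True, "psychotherapy notes: Written Authorization on file"
        if req.purpose == "treatment" and req.is_originator:
            return True, "psychotherapy notes: use by originator for treatment"
        return False, "psychotherapy notes: Written Authorization required"
    sensitive = sorted(tags & STATE_SENSITIVE)
    if sensitive and not req.state_consent:
        return False, f"stricter rule applies to {sensitive}: consent required"
    if req.purpose == "treatment":
        return True, "treatment disclosure: no authorization required"
    if name in ROLE_SCOPE.get(req.role, set()):
        return True, f"{req.purpose}: within minimum-necessary scope for {req.role}"
    return False, f"{req.purpose}: outside minimum-necessary scope for {req.role}"

def screen_record(record: dict, req: Request) -> dict:
    """Screen every element of a record; record maps element name -> set of tags."""
    return {name: screen_element(name, tags, req) for name, tags in record.items()}

# Constructed sample record for one patient.
SAMPLE_RECORD = {
    "medication_list": set(),
    "last_a1c": set(),
    "hiv_test_result": {"hiv_sti"},
    "therapy_process_notes": {PSYCHOTHERAPY, "mental_health"},
    "diagnosis_summary": set(),
}

if __name__ == "__main__":
    for who, req in [("cardiologist", Request("treatment", "treating_provider")),
                     ("quality team", Request("operations", "quality_analyst"))]:
        print(who, {k: v[0] for k, v in screen_record(SAMPLE_RECORD, req).items()})
```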

Conclusion

Provider-to-provider sharing under the HIPAA Privacy Rule is designed to enable safe, coordinated care. Share PHI freely for treatment, protect psychotherapy notes with heightened care, apply reasonable safeguards, secure electronic channels, and follow the Minimum Necessary Requirement for non-treatment uses—always checking for stricter state rules. These practices align privacy with high-quality, value-based care.

FAQs

What information can providers share without patient authorization?

You may share PHI needed for an individual’s treatment—such as problem lists, medications, allergies, labs, imaging, consult notes, and discharge summaries—with other treating providers without Written Authorization. Share only what is relevant to the consultation, and document the disclosure when your policy requires it.

How should providers safeguard oral communications?

Use reasonable safeguards: verify the recipient, speak quietly in semi-public areas, move sensitive conversations to private spaces, avoid discussing identifiable details in hallways or elevators, and minimize PHI on whiteboards. Incidental disclosures are permitted when you have taken these precautions.

Are psychotherapy notes protected differently?

Yes. Psychotherapy notes—kept separate from the medical record—generally require Written Authorization for use or disclosure. Narrow exceptions exist (such as use by the originator for treatment or certain training/defense purposes), but routine sharing with other providers is not permitted without authorization.

How do state laws affect HIPAA communications?

HIPAA sets a national baseline, but more stringent state laws govern when they offer greater privacy protection. If state rules require consent for certain disclosures (for example, HIV, genetic, reproductive, or minors’ services), you must follow those state requirements in addition to HIPAA.
