Pulmonology Referrals: HIPAA Considerations Providers Need to Know
Permitted Uses and Disclosures
Under HIPAA, you may share Protected Health Information (PHI) for Treatment, Payment, and Healthcare Operations without patient authorization. For pulmonology referrals, “treatment” covers disclosing clinical details needed for diagnosis, consultation, and ongoing care with the receiving specialist.
Typical PHI appropriate for a pulmonology referral includes referral reason, problem list, medications, allergies, smoking and exposure history, spirometry and PFTs, imaging reports, relevant labs, prior procedures, and decision-support notes. Limit sharing to what the specialist truly needs to coordinate care.
Other permitted disclosures include those required by law, public health reporting, health oversight, and to avert a serious and imminent threat. Be mindful of Sensitive Health Information—such as substance use disorder records, certain mental health notes, HIV status, and genetic data—which may carry stricter federal or state protections.
Minimum Necessary Standard
Apply the Minimum Necessary Disclosure standard to non-treatment uses (payment, operations, many third-party requests). For treatment, HIPAA does not require minimum necessary, but you should still practice data minimization to reduce risk and respect patient expectations.
Operationalize minimum necessary by using role-based access, pre-approved referral templates, and data segmentation (e.g., share the radiology report rather than the full chart). Redact unrelated history, exclude raw device logs that add no clinical value, and de-identify when full identifiers are not essential.
Before transmitting, double-check that no extraneous attachments are included, and honor any patient-imposed restrictions—especially when a patient has paid out-of-pocket and requested that information not be shared with a health plan.
Patient Authorization Requirements
A written patient authorization is required when disclosure falls outside Treatment, Payment, and Healthcare Operations. Common examples include most marketing activities, the sale of PHI, many research uses without a waiver, and sharing psychotherapy notes. Certain Sensitive Health Information (e.g., substance use disorder treatment under specific federal rules) can require explicit consent even for coordination.
A valid authorization should specify what PHI will be disclosed, to whom, for what purpose, an expiration date or event, the right to revoke, and the potential for re-disclosure. Use clear, plain language; avoid conditioning treatment on signing unless allowed; and store the signed authorization with the referral record.
Secure Communication Methods
Choose channels that provide Encrypted Communication and robust PHI Transmission Security. Preferred options include EHR-to-EHR Direct messaging, secure referral portals, encrypted email with enforced TLS and message-level encryption when needed, and secure file transfer systems with access controls and audit trails.
If you must fax, use verified numbers, a clear cover sheet, and physical safeguards to prevent misdirection; for cloud fax, ensure encryption and a Business Associate Agreement. Avoid standard SMS, personal email, or consumer messaging apps; if mobile messaging is necessary, use a healthcare-grade secure messaging tool with authentication, remote wipe, and logging.
Strengthen PHI Transmission Security by enforcing strong authentication (preferably MFA), verifying recipient identity before sending, double-checking addresses, limiting PHI in message bodies, and confirming receipt. Encrypt ePHI in transit and at rest using current protocols, and retain only what policy requires.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Business Associate Agreements
A Business Associate Agreement (BAA) is required with vendors that create, receive, maintain, or transmit PHI on your behalf—such as referral management platforms, cloud fax providers, secure email gateways, e-signature tools, and cloud storage. You do not need a BAA to share PHI with another treating provider or a health plan for TPO purposes.
Effective BAAs define permitted uses and disclosures, require security safeguards, mandate breach notification timelines, bind subcontractors to the same duties, and outline termination, return, or destruction of PHI. Conduct due diligence on vendor security, review audit reports, and document risk decisions.
Compliance Best Practices
Embed privacy into your referral workflow: maintain clear policies, perform regular risk analyses, train staff on HIPAA basics and referral-specific dos and don’ts, and standardize referral content to promote Minimum Necessary Disclosure. Use least-privilege access and routinely review distribution lists.
Implement technical controls such as data loss prevention for outbound messages, encryption by default, automatic address validation, and audit logging. Keep an accounting of certain disclosures, monitor for failed transmissions, and have a documented breach response plan with quick containment and notification steps.
Periodically rehearse referral scenarios, including after-hours and emergency pathways. Update procedures when regulations, technology, or vendor contracts change, and coordinate with your privacy officer to resolve edge cases.
Coordination of Care Protocols
Pre-referral
- Define the clinical question and the pulmonology service needed.
- Assemble only the PHI the specialist needs; flag Sensitive Health Information that may require added consent.
- Check for patient restrictions or preferences and obtain authorization when required.
- Verify recipient identity, contact details, and preferred secure channel.
Transmission
- Use an encrypted, authenticated channel; protect attachments and avoid PHI in subject lines.
- Apply a standardized cover sheet or header specifying purpose and sender contacts.
- Confirm delivery and receipt; if uncertain, follow up via a verified number.
Post-referral
- Document what was sent, to whom, when, and by which method; store any authorization.
- Track consult reports, reconcile medications, and close the loop with the patient.
- Log exceptions, near-misses, or misdirected messages and remediate promptly.
Conclusion
For pulmonology referrals, share PHI for treatment, minimize what you send, obtain authorization when required, secure every transmission, bind your vendors with a solid Business Associate Agreement, and standardize workflows. These steps protect patients, reduce risk, and keep care moving smoothly.
FAQs
What information is allowed to be shared without patient authorization?
You may share PHI needed for Treatment, Payment, and Healthcare Operations. For a pulmonology referral, that typically includes the referral reason, pertinent history, diagnostics (e.g., PFTs, imaging), medications, allergies, and progress notes that inform the specialist’s evaluation and care.
How should providers secure PHI during pulmonology referrals?
Use Encrypted Communication with verified recipients, favoring EHR Direct messaging, secure portals, or encrypted email with enforced TLS and message-level encryption when necessary. Limit PHI in message bodies, protect attachments, confirm receipt, maintain audit logs, and ensure PHI Transmission Security at rest and in transit.
When is patient authorization required for PHI disclosure?
Authorization is required when the disclosure is not for Treatment, Payment, or Healthcare Operations—such as most marketing, sale of PHI, many research disclosures without a waiver, psychotherapy notes, and certain categories of Sensitive Health Information governed by stricter laws. Obtain and retain a valid, specific authorization before sharing.
What are Business Associate Agreements and why are they important?
A Business Associate Agreement is a contract with vendors that handle PHI for you. It establishes permitted uses, security obligations, breach notification, and subcontractor compliance. BAAs reduce legal and operational risk, set clear expectations, and are essential when using referral platforms, cloud fax, secure email services, or cloud storage.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.