A Guide to Disclosing PHI to Another Provider for Their Treatment or Payment Activities (45 CFR § 164.506(c))

Executive Summary

HIPAA allows healthcare providers to disclose Protected Health Information (PHI) without patient authorization under specific circumstances. One of the most critical allowances is found in § 164.506(c), which permits disclosure of PHI to another provider for their treatment or payment activities. While this provision supports coordination of care and billing, small practices must understand its limits, document appropriately, and ensure disclosures are consistent with the “minimum necessary” standard when applicable. This guide outlines exactly when and how you can share PHI with other providers and includes a real-life case study, a practical checklist, and common pitfalls to avoid.

Introduction

Small healthcare providers routinely interact with specialists, imaging centers, labs, and billing entities. These interactions often involve the exchange of PHI, but under HIPAA, not all disclosures require patient consent. Section 164.506(c) of the Privacy Rule provides a powerful yet commonly misunderstood provision: providers may disclose PHI to another provider for that provider’s own treatment or payment purposes without prior authorization from the patient.

This article explains how to apply this rule compliantly while maintaining patient trust and avoiding unnecessary liability.

Understanding § 164.506(c): Key Provisions

HIPAA allows a covered entity to use or disclose PHI for:

  1. Its own treatment, payment, or healthcare operations, and

  2. The treatment or payment activities of another covered entity

So long as:

  • The disclosure is permitted under HIPAA, and

  • The recipient is a covered entity or business associate

Treatment Disclosures

Examples include:

  • Referring a patient to a specialist and sharing relevant lab results

  • Sending patient information to a hospitalist before inpatient admission

  • Discussing a patient's condition with another provider involved in that patient's care

No patient authorization is required, although best practice includes informing patients via the Notice of Privacy Practices (NPP).

Payment Disclosures

Permitted disclosures include:

  • Sharing medical codes and visit summaries with a billing company working on behalf of another provider

  • Sending medical records to another provider so they can bill the patient’s insurer

  • Responding to a payer’s request for documentation for pre-authorization of services

These are permitted so long as the recipient is involved in payment activities for the same patient.

Case Study: A Risky Delay Due to Misunderstood HIPAA

In a recent incident, a family practice referred a patient to a cardiologist but withheld critical lab results and EKG findings, incorrectly assuming that HIPAA prohibited sharing protected health information (PHI) without explicit patient authorization. This misunderstanding led the cardiologist to order redundant tests, and more importantly, to miss a key diagnosis that had been documented weeks earlier. Tragically, the patient suffered a cardiac event shortly thereafter.

An investigation revealed some compliance and procedural failures:

  • The referring provider was unaware of Section 164.506(c) of the HIPAA Privacy Rule, which allows disclosures of PHI without patient authorization for treatment purposes, including inter-provider coordination.

  • The practice lacked formal policies and staff training on permissible sharing of PHI between providers to ensure seamless care.

  • The patient had not been informed about their right to expect coordinated care and how their information might be shared to support that care.

Outcome:

The patient’s adverse event resulted in a malpractice claim against the family practice. Additionally, the Office for Civil Rights (OCR) issued technical assistance to the practice, emphasizing the importance of accurate understanding and implementation of HIPAA’s provisions on treatment-related disclosures.

Lesson:

Misinterpreting HIPAA as a barrier to necessary information sharing among healthcare providers can compromise patient safety and lead to legal consequences. Small practices must ensure that all providers understand when and how PHI can be shared to support coordinated, effective treatment.

Conditions for Permitted Disclosures

1. The Purpose Must Be for Treatment or Payment

Disclosures must be directly related to:

  • The care of the patient (diagnosis, treatment, referrals, labs, medication)

  • The payment for healthcare services (billing, claims management, pre-authorization)

2. The Recipient Must Be a Covered Entity or Business Associate

You may only share PHI under this rule with:

  • Licensed healthcare providers

  • Health plans or insurers

  • Business associates performing billing or administrative services

3. Inform Patients via the Notice of Privacy Practices

Although authorization is not required, your NPP must inform patients that their PHI may be used or disclosed for treatment and payment purposes.

Failure to provide an NPP or update it accordingly may constitute a violation.

4. Apply the Minimum Necessary Standard (For Payment Only)

While treatment disclosures are exempt from the "minimum necessary" rule, payment disclosures are not. Only the minimum amount of PHI needed to perform the payment function should be shared.

Common Pitfalls and How to Avoid Them

| Pitfall | Consequence | How to Avoid |
| --- | --- | --- |
| Assuming all disclosures require patient authorization | Delays in care; underutilization of legal allowances | Train staff on 164.506(c) exceptions |
| Sharing PHI with non-covered third parties | Unauthorized disclosure | Verify recipient status as covered entity or BA |
| Applying “minimum necessary” standard to treatment | Incomplete data sharing | Understand that minimum necessary does not apply to treatment |
| Not updating the NPP to reflect disclosure practices | Noncompliance | Review NPP language annually |
| Over-disclosing PHI for payment purposes | Privacy breach | Limit payment disclosures to what’s necessary to process claims |

Checklist: Disclosing PHI to Another Provider Under 164.506(c)

| Task | Responsible | Frequency |
| --- | --- | --- |
| Ensure recipient is a covered entity or business associate | Provider or Compliance Officer | Per disclosure |
| Confirm purpose is treatment or payment | Provider or Billing | Per disclosure |
| Inform patients in NPP | Privacy Officer | Annually |
| For payment disclosures, apply minimum necessary standard | Billing | Ongoing |
| Train staff on disclosure types and exceptions | Compliance Officer | Annually |
| Document disclosures internally when required | HIPAA Contact Person | As needed |

Frequently Asked Questions

Do I need patient consent to send records to a referred specialist?

No. As long as the disclosure is for treatment, and the recipient is a covered entity, HIPAA allows it under § 164.506(c).

Can I share information with a provider not involved in the patient’s care?

No. The recipient must be involved in the treatment or payment of the patient’s care.

Do I need a Business Associate Agreement for this disclosure?

Only if the recipient is a business associate, not if it’s another provider or health plan.

Can I share records for quality reviews or audits?

Only if it qualifies as a healthcare operation. These activities fall under a separate provision (§ 164.506(a)) and may require additional documentation.

Final Takeaways

Section 164.506(c) of the HIPAA Privacy Rule grants healthcare providers important flexibility by allowing them to disclose protected health information (PHI) without obtaining patient authorization when the disclosure is for treatment or payment purposes involving other providers. This provision recognizes the practical needs of healthcare delivery, where timely information sharing between providers and payers can improve clinical outcomes, streamline billing processes, and create a more integrated healthcare experience for patients.

To comply effectively with this provision, your practice should ensure the following:

  • Understand when disclosures are permitted. Know clearly the scope of permitted uses and disclosures for treatment and payment, distinguishing them from purposes that require patient authorization or consent.

  • Share PHI only with authorized recipients. Disclosures must be made exclusively to covered entities, such as other healthcare providers, health plans, or healthcare clearinghouses, or to their authorized business associates. Sharing PHI outside these entities without authorization risks violating HIPAA.

  • Inform patients through your Notice of Privacy Practices (NPP). The NPP must clearly explain how your practice uses and discloses PHI for treatment, payment, and healthcare operations, including the rights patients have regarding their information.

  • Apply the “minimum necessary” standard for payment disclosures. Even when disclosures are allowed, your practice should limit the information shared to what is necessary to accomplish the intended payment purpose. This reduces unnecessary exposure of sensitive data.

By maintaining a well-informed team and documented procedures, your practice can avoid common pitfalls such as unauthorized disclosures or delayed payments. Clear policies also help reduce liability exposure and foster patient trust by demonstrating your commitment to safeguarding health information while supporting care coordination.
