6.1 Medical Records, HIPAA/HITRUST, Charting & Physician Referral

Key Takeaways

  • HIPAA's Privacy Rule governs use and disclosure of PHI in any form; the Security Rule specifically governs administrative, physical, and technical safeguards for electronic PHI (ePHI).
  • HITRUST CSF is a certifiable control framework, not a law itself, that maps HIPAA requirements into an auditable set of controls for healthcare organizations and vendors.
  • A complete chart review before the first encounter covers the referral reason, past medical/surgical history, medications and allergies, recent labs/diagnostics, and prior exercise-test or rehab records.
  • A valid physician referral specifies diagnosis, functional limitations, relevant medications, and specific orders; ambiguous orders must be clarified with the referring provider, not assumed.
  • SOAP-format documentation (Subjective, Objective, Assessment, Plan) creates a timely, specific, legally defensible record used by the entire care team.
Last updated: July 2026

Medical Records, HIPAA/HITRUST, Charting & Physician Referral

Quick Answer: Before a Clinical Exercise Physiologist (CEP) puts a patient on a treadmill or teaches a single exercise, the medical record must be reviewed, the physician referral must be understood, and every step must be documented in a way that satisfies HIPAA. The Privacy Rule controls who may see and share protected health information (PHI); the Security Rule controls how electronic PHI (ePHI) is technically safeguarded; HITRUST CSF is a certifiable control framework many healthcare organizations use to operationalize HIPAA compliance across systems and vendors.

Why Chart Review Comes Before the Patient Encounter

A CEP practices inside a medical setting, which means every assessment, test, and exercise session happens within a legal and clinical record system, not a standalone fitness log. Reviewing the chart first accomplishes three things: it confirms the patient has a valid referral for the service being delivered, it surfaces conditions or medications that change how testing and exercise should be conducted, and it protects the patient (and the CEP) by grounding decisions in documented history rather than self-report alone, which is frequently incomplete or inaccurate.

HIPAA: The Rules a CEP Must Know Cold

HIPAA is not one rule — for exam purposes, know the difference between the rules most relevant to daily CEP practice:

RuleWhat It GovernsCEP-Relevant Example
Privacy RuleUse and disclosure of PHI in any form — paper, verbal, electronicDiscussing a patient's cardiac history only with staff who need it for that patient's care
Security RuleAdministrative, physical, and technical safeguards for ePHI specificallyPassword-protected EMR login, encrypted messaging, audit logs, automatic screen lock
Breach Notification RuleReporting obligations when PHI is exposedReporting a lost, unencrypted device containing patient records within required timelines

A useful shorthand: the Privacy Rule answers "who is allowed to see or share this information," while the Security Rule answers "how do we technically keep electronic records safe." Both apply whether the CEP is working from an EMR, a paper referral, or a shared telemetry monitoring station.

HITRUST CSF: Operationalizing HIPAA

HITRUST CSF (Health Information Trust Alliance Common Security Framework) is not itself a law — it is a certifiable control framework that maps HIPAA (and other regulatory) requirements into a concrete, auditable set of controls that hospitals, clinics, and health-tech vendors can be certified against. A CEP does not need to personally manage HITRUST certification, but should understand that an employer's HITRUST-certified systems (EMR platforms, telemetry vendors, scheduling software) exist specifically to keep day-to-day documentation practices compliant by design.

The Physician Referral (Exercise Order)

A valid referral is the legal basis for the CEP's scope of action with that patient. A complete referral should specify:

  • Diagnosis / reason for referral (e.g., post-MI, COPD, type 2 diabetes)
  • Functional limitations or precautions (e.g., sternal precautions, non-weight-bearing status, angina threshold)
  • Relevant medications that affect the exercise response (e.g., beta-blockers blunting heart rate)
  • Specific test or program orders (e.g., "symptom-limited GXT with 12-lead ECG" or "cardiac rehab, telemetry")
  • Provider signature and date

If an order is ambiguous or incomplete — for example, a restriction with no stated end date — the CEP's responsibility is to contact the referring provider for clarification before proceeding, not to guess or default to a generic protocol. Practicing outside a referral's stated scope is both a clinical-safety issue and a scope-of-practice violation, expanded further in Chapter 11.

Conducting a Thorough Chart Review

Before the first encounter, a complete chart review should cover:

  1. Reason for referral / primary diagnosis
  2. Past medical and surgical history
  3. Current medication list and documented allergies
  4. Recent labs and diagnostic tests — echocardiogram, cardiac catheterization report, pulmonary function tests, A1C, lipid panel
  5. Prior exercise test results or cardiac/pulmonary rehabilitation records
  6. Relevant social history — tobacco use, occupation, living situation, prior activity level

Documentation Standard: The SOAP Note

Most clinical exercise settings document encounters using the SOAP format:

  • S — Subjective: What the patient reports (symptoms, perceived exertion, adherence)
  • O — Objective: Measured data (vital signs, ECG findings, workload, distance)
  • A — Assessment: The CEP's interpretation of the session relative to the plan of care
  • P — Plan: Next steps, modifications, or provider notifications

Documentation must be timely, legible (or properly entered if electronic), and specific — it becomes part of the permanent medical record, is used by the entire care team, is legally discoverable, and supports medical necessity for reimbursement. Vague notes ("patient did fine") create both clinical and legal risk; objective, specific notes ("Completed 20 min at stage 3, HR 118/145 age-predicted max, RPE 13, no symptoms") do not.

Test Your Knowledge

Which HIPAA rule specifically requires administrative, physical, and technical safeguards for electronic protected health information (ePHI), such as access controls and encryption?

A
B
C
D
Test Your Knowledge

A physician referral for a post-CABG patient reads: 'Cleared for progressive aerobic activity; hold upper-body resistance training until sternal precautions are lifted at 8 weeks.' The surgery date is not documented anywhere in the available chart. What should the CEP do before the first session?

A
B
C
D