(a) Standard: Permitted uses and disclosures. Except with respect to uses or disclosures that require an authorization under § 164.508(a)(2) through (4) or that are prohibited under § 164.502(a)(5)(i), a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section, provided that such use or disclosure is consistent with other applicable requirements of this subpart.
(b) Standard: Consent for uses and disclosures permitted.
(1) A covered entity may obtain consent of the individual to use or disclose protected health information to carry out treatment, payment, or health care operations.
(2) Consent, under paragraph (b) of this section, shall not be effective to permit a use or disclosure of protected health information when an authorization, under § 164.508, is required or when another condition must be met for such use or disclosure to be permissible under this subpart.
(c) Implementation specifications: Treatment, payment, or health care operations.
(1) A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations.
(2) A covered entity may disclose protected health information for treatment activities of a health care provider.
(3) A covered entity may disclose protected health information to another covered entity or a health care provider for the payment activities of the entity that receives the information.
(4) A covered entity may disclose protected health information to another covered entity for health care operations activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the protected health information being requested, the protected health information pertains to such relationship, and the disclosure is:
(i) For a purpose listed in paragraph (1) or (2) of the definition of health care operations; or
(ii) For the purpose of health care fraud and abuse detection or compliance.
(5) A covered entity that participates in an organized health care arrangement may disclose protected health information about an individual to other participants in the organized health care arrangement for any health care operations activities of the organized health care arrangement.
There are serious consequences to impermissibly disclosing patients’ protected health information (PHI). This is a paralyzing prospect for many healthcare employees. Consequently, some staff members refuse to use or disclose PHI to the point that their workflow is disrupted. However, HIPAA allows you to disclose PHI for treatment, payment, and healthcare operations (TPO) purposes. These are the basic activities a healthcare organization carries out every day, and they don’t require patient authorization. Therefore, it’s important that your staff know about TPO disclosures so that they can carry out their work with confidence while protecting patient privacy.
TPO Disclosures: Treatment
You may disclose PHI to help improve patient treatment, which involves any activities related to providing health care services to patients. Treatment disclosures include:
- Sharing PHI with other departments or an external provider (e.g., a pharmacy)
- Consulting specialists or gaining referrals from third parties
- Ordering tests (e.g., labs)
- Communicating with other staff members as needed
TPO Disclosures: Payment
Additionally, you may disclose PHI to provide or obtain reimbursement for healthcare services. Payment disclosures include:
- Billing
- Managing claims
- Determining eligibility for coverage
- Conducting collection or utilization review activities
TPO Disclosures: Healthcare Operations
Lastly, you may disclose PHI to improve operations and quality of patient care. Healthcare operations disclosures include:
- Ensuring patient safety
- Developing protocol
- Completing training or compliance programs
- Conducting quality assessments and improvement activities
- Detecting fraud and abuse
- Planning business activities and development
There are many other activities that fall under the TPO umbrella. The purpose of these guidelines is to allow healthcare staff to do their daily activities smoothly while still protecting PHI from impermissible use or disclosure. Therefore, you must make sure your staff can distinguish between TPO disclosures and impermissible ones. Contact us to learn how the HIPAAtrek platform can help you manage staff training and your HIPAA compliance program.