PHI Uses and Disclosures for Treatment, Payment, or Healthcare Operations
Under the HIPAA Privacy Rule, covered entities and business associates (BA) may disclose patients’ protected health information (PHI) without a signed authorization for treatment, payment, or healthcare operations (TPO) reasons. Examples include:
- Doctors and/or hospitals (that are covered entities) may share information with one another for treatment reasons.
- Patients’ information may also be released to insurance companies to receive payment for services provided.
- Healthcare operations can include a variety of business activities including quality assessment, employee review, licensing, etc.
The Privacy Rule’s definition of “healthcare operations” includes activities that enable you to conduct a viable business, and to perform “covered functions” that make you a BA or healthcare provider. Examples of healthcare operations include:
- Scheduling appointments, surgeries, and pre-admission activities
- Population-based analyses or records reviewed for treatment protocol development or modification
- Supervised healthcare training
- Activities related to the improvement of payment and coverage methods
Payment encompasses the various activities of BAs and healthcare providers to obtain reimbursement for their services. In addition to the general definition, the Privacy Rule provides examples of common payment activities that include:
- Determining eligibility or coverage under a plan and adjudicating claims
- Risk adjustments
- Billing and collection activities
- Reviewing healthcare services for medical necessity, coverage, justification of charges, etc.
- Utilization review activities
- Disclosures to consumer reporting agencies (limited to specified identifying information about the individual, his or her payment history, and identifying information about the covered entity)
An authorization is required for use and disclosure of PHI not otherwise allowed by the Privacy Rule. An authorization is a customized document that gives covered entities permission to use specified PHI for specified purposes, which are generally other than TPO, or to disclose PHI to a third party specified by the individual. BAs and covered entities may not condition treatment or coverage on the individual providing an authorization. An authorization is detailed. It covers only the uses and disclosures and only the PHI stipulated in the authorization, it has an expiration date, and it also states the purpose for which information may be used or disclosed.
All BAs and covered entities, not just direct treatment providers, must obtain an authorization to use or disclose PHI for these purposes. For example, a covered entity would need authorization from individuals to sell a patient mailing list, to disclose information to an employer for employment decisions, or to disclose for eligibility for life insurance.
The authorization for HIPAA Privacy uses and disclosures should not be confused with the consent to treat form. The consent to treat form gives the healthcare provider permission to treat the patient and is governed by state law. It is not governed at all by HIPAA.