HIPAA TPO Allowable Disclosures

There have been major growing pains as the healthcare industry has collectively struggled to rise to the occasion as HIPAA compliant businesses.

We often hear stories about clinics or hospitals refusing to disclose patient records to the patients themselves or other providers without dealing with extensive red tape and headaches.

Here at Gazelle, we believe that in many cases, the HIPAA laws are misapplied and providers miss critical opportunities to understand what they CAN do with regard to HIPAA TPO Allowable Disclosures.

What does TPO stand for in HIPAA?

TPO stands for Treatment, Payment, and Operations.

It is used to describe some of the circumstances in which covered entities are allowed to disclose patient information without the need to obtain authorization from patients.

From the HHS’s Guidance on the TPO disclosures:

  • “Treatment” generally means the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.
  • “Payment” encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.
  • “Health Care Operations” are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment.

Examples of Allowable TPO disclosures under HIPAA

  • A physician sending a prescription to a pharmacy of the patient’s choice
  • An insurance plan contacting a hospital for details relating to a patient’s claim
  • Quality assurance activities at hospitals or clinics that are needed to assess the effectiveness of treatment plans.

Other Allowable or Permitted Disclosures

Allowable disclosures are not limited to treatment, payment, and healthcare operations (TPO), although the other allowable disclosures are a lot less likely to occur.

For example, you may need to disclose information to the FBI or CIA without obtaining authorization from a patient (although you may decide to obtain authorization for the patient’s personal benefit).

You may be a mandatory reporter, the recipient of a valid subpoena, or providing information to the OCR’s auditors in response to a HIPAA audit.

Each of these atypical scenarios, and many more, are addressed by the HIPAA laws. A full list of allowable, permitted, and required disclosures can be viewed with our friend, VeryWell Health.

How to use HIPAA TPO Allowable Disclosures in your organization

It’s important for organizations that are implementing compliance programs to understand that they DO have options for disclosure.

The law is designed to provide healthcare providers with the flexibility to both protect the confidentiality, integrity, and availability of PHI, as well as facilitating treatment, payment and healthcare operations, which are fundamental to the delivery of healthcare.

HIPAA TPO Allowable Disclosures can be effectively implemented by:

  • Disclosing patient information when requested by a provider who is treating that patient;
  • Disclosing patent information to a payer who is providing coverage to that patient;
  • Limiting the amount of PHI uses and disclosures to the minimum amount necessary for staff to perform their jobs, even when HIPAA TPO allowable disclosures are in play
  • Obtaining patient authorization if your organization does need to disclose patient records for reasons outside of treatment, payment, healthcare operations, or another permitted disclosure. (For more information about how and when to obtain patient authorization, check out our article HIPAA Consent Form – How to Obtain Patient Authorization.)

Are you unsure whether a particular scenario is allowed or permitted by HIPAA?

Give Gazelle Consulting a call at (503) 389-5666 or email us at info@gazelleconsulting.org!

OR contact a healthcare attorney! (I’ll let you in on a little secret, I know which one is cheaper!)

Nav close