Gazelle Consulting

HIPAA TPO Allowable Disclosures

HIPAA TPO Allowable Disclosures

There have been major growing pains as the healthcare industry has collectively struggled to rise to the occasion as HIPAA compliant businesses.

We often hear stories about clinics or hospitals refusing to disclose patient records to the patients themselves or other providers without dealing with extensive red tape and headaches.

Here at Gazelle, we believe that in many cases, the HIPAA laws are misapplied and providers miss critical opportunities to understand what they CAN do with regard to HIPAA TPO Allowable Disclosures.

What does TPO stand for in HIPAA?

TPO stands for Treatment, Payment, and Operations.

It is used to describe some of the circumstances in which covered entities are allowed to disclose patient information without the need to obtain authorization from patients.

From the HHS’s Guidance on the TPO disclosures:

  • “Treatment” generally means the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.
  • “Payment” encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.
  • “Health Care Operations” are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment.

Examples of Allowable TPO disclosures under HIPAA

  • A physician sending a prescription a pharmacy of the patient’s choice
  • An insurance plan contacting a hospital for details relating to a patient’s claim
  • Quality assurance activities at hospitals or clinics that are needed to assess the effectiveness of treatment plans.

Other Allowable or Permitted Disclosures

Allowable disclosures are not limited to treatment, payment, and healthcare operations (TPO), although the other allowable disclosures are a lot less likely to occur.

For example, you may need to disclose information to the FBI or CIA without obtaining authorization from a patient (although you may decide to obtain authorization for the patient’s personal benefit).

You may be a mandatory reporter, the recipient of a valid subpoena, or providing information to the OCR’s auditors in response to a HIPAA audit.

Each of these atypical scenarios and many more are addressed by the HIPAA laws. A full list of allowable, permitted, and required disclosures can be viewed at our friends VeryWell Health.

How to use HIPAA TPO Allowable Disclosures in your organization

It’s important for organizations that are implementing compliance programs to understand that they DO have options for disclosure.

The law is designed to provide healthcare providers with the flexibility to both protect the confidentiality, integrity, and availability of PHI, as well as facilitating treatment, payment and healthcare operations, which are fundamental to the delivery of healthcare.

HIPAA TPO Allowable Disclosures can be effectively implemented by:

  • Disclosing patient information when requested by a provider who is treating that patient;
  • Disclosing patent information to a payer who is providing coverage to that patient;
  • Limiting the amount of PHI uses and disclosures to the minimum amount necessary for staff to perform their jobs, even when HIPAA TPO allowable disclosures are in play
  • Obtaining patient authorization if your organization does need to disclose patient records for reasons outside of treatment, payment, healthcare operations, or another permitted disclosure. (For more information about how and when to obtain patient authorization, check out our article HIPAA Consent Form – How to Obtain Patient Authorization.)

If you are unsure whether a particular scenario is allowed or permitted by HIPAA give Gazelle Consulting a call at (503) 389-599 or contact a healthcare attorney. (I’ll let you in on a little secret, I know which one is cheaper!)

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest

Popular Posts

  • How to Handle the Loss or Destruction of Medical Records

    Whether it be an delete happy IT admin, a theft, or a glitch in your system, lost health records can have an impact on your patients...

  • 2018’s Most Interesting HIPAA Violation Cases

    2018’s Most Interesting HIPAA Violation Cases

    Since the 2003, the Enforcement Act, an addendum to HIPAA that gave the OCR the right to enforce HIPAA on behalf of the HHS, we’ve seen an ever increasing number of fines and breaches.

  • The Specter of HIPAA Enforcement

    Who Enforces HIPAA?

    HIPAA, which stands for the Health Insurance Portability and Accountability Act, is enforced by the Office for Civil Rights (OCR), which is an arm of the Department of Health and Human Services (HHS).

  • Stronger HIPAA enforcement

    HIPAA Consent Form – How to Obtain HIPAA Authorization

    Earlier this month, the Office for Civil Rights (OCR) announced a new plan to strengthen HIPAA enforcement in response to criticism from the Office of Inspector General (OIG). The OCR will be beefing up their compliance investigations and expanding their audit program in 2016.

  • What is the Purpose of HIPAA?

    What is the Purpose of HIPAA?

    HIPAA compliance can be confusing. Is it HIPAA or HIPPA? Do I need to be HIPAA compliant? Who enforces HIPAA? Gazelle Consulting is here to answer your questions and help you to achieve compliance quickly and painlessly!