Under HIPAA, you do not need patient permission to use or disclose patient information for the everyday activities of Treatment, Payment, and health care Operations (TPO). Here are some common examples of TPO:
- Treatment use example: A UW Health nurse discusses a patient's lab result with a UW Health physician.
- Treatment disclosure example: A UW Health medical records employee faxes a patient's medical records to a non-UW Health physician, for purposes of referral.
- Payment use example: A UW Health billing employee uses patient information to create a bill.
- Payment disclosure example: A UW Health nurse discusses a patient's medical procedure with an insurance company over the phone.
Health Care Operations
- Operations use example: A UW Health administrative employee reviews a patient's medical record to evaluate the performance of UW Health clinical workers who treated the patient.
- Operations disclosure example: A UW Health medical records employee faxes patient information to a non-UW Health physician, so the physician can evaluate the performance of her own staff.
In case you are still wondering whether some of your work activities fall under TPO, here are more detailed HIPAA definitions of treatment, payment, and health care operations.
Treatment: Treatment is defined as the provision, coordination, or management of health care and related services by one or more health care providers, and includes:
- Coordination or management of health care by a provider with a third party
- Consultation between providers
- Referral of a patient from one provider to another
Payment: Payment means those activities undertaken by a provider to obtain reimbursement for the provision of health care; and those activities undertaken by a health plan to obtain premiums or to fulfill its responsibilities for coverage and the provision of benefits under the plan. Examples of payment activities include:
- Eligibility determinations
- Adjudication of claims
- Billing, claims management and collection
- Related health care data processing
- Review of services relative to medical necessity
- Utilization review activities
- Risk adjusting amounts due based on enrollee health status
Health Care Operations: Health Care Operations includes almost all other activities necessary to the operation of a covered entity (e.g., health care provider, health plan or clearinghouse). These activities include:
- Quality assessment and improvement
- Development of clinical guidelines
- Case management and care coordination
- Credentialing and peer review activities
- Conducting training programs for students, trainees, practitioners in health care
- Accreditation, certification and licensing activities
- Underwriting, premium rating
- Conducting or arranging for medical review
- Legal services
- Auditing functions
- Fraud and abuse detection programs
- Compliance programs
- Business management and general administrative activities
- Customer service
- Resolution of internal grievances
- Due diligence in connection with sale or transfer of interests of a covered entity
Under HIPAA, you don't have to get patient permission if you are doing any activity that falls under these broad TPO definitions. However, some of you are currently getting permission for certain TPO activities, because state laws or UW Health provider policies require it.
And this brings up an important point about HIPAA. HIPAA sets a minimum standard for patient privacy. If state law or UW Health providers' own policies require us to do more for patients, then we must do more. So if you are already getting written permission for an activity, keep it up: HIPAA does not remove any of our current patient permission and signature rules. Workers involved with TPO will receive additional HIPAA training.