What Does TPO Stand for in HIPAA?
In HIPAA, TPO stands for Treatment, Payment, and Healthcare Operations – activities in which HIPAA covered entities and business associates are generally permitted to use and disclose Protected Health Information without an individual’s consent or authorization. However, there are exceptions, and conditions are attached to certain types of uses and disclosures.
One of the purposes of the HIPAA Privacy Rule is to distinguish between which uses and disclosures of Protected Health Information (PHI) are required, which are permitted, and which require the consent or authorization of the subject of the PHI or their personal representative. Generally, required uses and disclosures of PHI are limited to:
- Disclosures to an individual exercising their HIPAA Rights.
- Disclosures to HHS agencies (i.e., Office for Civil Rights).
- Disclosures required by law (i.e., reporting child abuse).
Permitted uses and disclosures of PHI include disclosures by whistleblowers, disclosures for public health activities, and disclosures to law enforcement agencies. Covered healthcare providers can also disclose PHI to a patient’s employer if the employer needs information about the patient’s medical condition to comply with §1904.39 of the Occupational Safety and Health Act.
Treatment, Payment, and Healthcare Operations
Treatment
In the context of what TPO stands for in HIPAA, the definitions of Treatment, Payment, and Healthcare Operations in §164.501 of the Privacy Rule are broader than some people realize. For example, the definition of Treatment covers not only the provision of health care but also:
“[The] coordination or management of health care and related services by one or more healthcare providers, including the coordination or management of health care by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for health care from one healthcare provider to another.”
Payment
Similarly, the definition of Payment is not limited to payments for healthcare by an individual or health plan. The definition includes disclosures of PHI for determining a patient’s eligibility for treatment, for reviewing healthcare services to justify the medical necessity and cost of treatment, and for arranging stop-loss insurance (for employers’ self-funded insurance plans).
In addition, covered entities are permitted to disclose limited PHI to consumer reporting agencies in relation to the collection of premiums and/or healthcare payments from individuals. These agencies include not only companies such as Equifax, TransUnion, and Experian; they can also include employment screening, tenant screening, and bank account screening agencies.
Healthcare Operations
The definition of Healthcare Operations is relatively brief considering the number of activities this category can include. The most common activities in which disclosures of PHI are permitted include business planning and development, cost management, quality assessments, HIPAA training, performance reviews, and the resolution of internal grievances.
While many of the above activities are likely to be conducted “in-house”, some healthcare operations are more likely to be subcontracted out. These include legal and auditing services, and external healthcare compliance programs. When healthcare operations are subcontracted out, it is necessary for disclosures of PHI to be covered by a Business Associate Agreement.
What Does TPO Stand for in HIPAA? Other Considerations
As mentioned in the introduction to this article, there are exceptions to the definitions of Treatment, Payment, and Healthcare Operations, and conditions attached to certain types of uses and disclosures. For example, it is not permissible to disclose psychotherapy notes for treatment purposes without a valid HIPAA authorization from the subject of the psychotherapy notes.
It is also necessary for there to be a Business Associate Agreement in place when PHI is disclosed for treatment purposes if there is not an existing direct treatment relationship between the parties. In all circumstances, individuals have the right to request restrictions on what PHI is used and disclosed in Treatment, Payment, and Healthcare Operations (§164.522).
With regard to Payment, the definition of Payment does not mention payment processors. This is because financial institutions are exempt from HIPAA under §1179 of the Act. However, disclosures of PHI to financial institutions must be limited to those required for payment processing. If a financial institution provides other services for a covered entity (e.g., invoicing or accounts receivable), disclosures of PHI must be covered by a Business Associate Agreement.
Finally, uses and disclosures of PHI for Payment and Healthcare Operations (but not Treatment) must be limited to the minimum necessary to achieve the purpose of the use or disclosure. Covered entities and business associates who need advice about HIPAA compliance in Treatment, Payment, and Healthcare Operations, or who require further information about what TPO stands for in HIPAA, are advised to speak with an independent compliance professional.


