This seems to be a common question asked by staff members. In fact, what often happens is that staff become “paralyzed” by HIPAA and refuse to use or disclose protected health information (PHI) even when the rule itself allows or permits it. This paralytic condition frequently causes disruption to workflow and aggravation to staff and patients alike. A better approach is to educate your workforce so that “no” is not the default option. So, let’s look at three basic situations where you can answer “yes” and use or disclose PHI without an authorization from the patient.

Treatment, Payment, and Healthcare Operations (TPO). These are the basic activities your covered entity (CE) goes through on a daily basis. Uses and disclosures of PHI for TPO do not require an authorization from the patient, and staff may use and disclose PHI when engaged in these activities.

  1. Treatment disclosures are all those activities that involve the provision, coordination, or management of health care. Simply put, these are the activities you engage in when providing care to your patients.  Any activity that is reasonably related to providing health care services to a patient is permitted under treatment.
    • Sharing PHI with the X-ray department
    • Discussing dosage with an external pharmacy
    • Conferring over a treatment plan with a specialist
    • Ordering a test with the lab
    • All discussions among staff to provide care
    • Referrals and consultations with third parties
  2. Payment disclosures are all those activities that a healthcare provider (covered entity) engages in to obtain or provide reimbursement for the provision of healthcare.
    • Determinations of eligibility or coverage
    • Billing
    • Claims management
    • Collection activities
    • Review of health care services with respect to medical necessity
    • Utilization review activities
  3. Healthcare Operations involve uses and disclosures of PHI related to improving operations and quality of care to patients.
    • Conducting quality assessment and improvement activities
    • Patient safety activities
    • Protocol development
    • Case management
    • Reviewing the competence or qualifications of healthcare professionals
    • Training programs
    • Accreditation, certification, licensing, or credentialing activities
    • Fraud and abuse detection and compliance programs
    • Conducting or arranging for medical review
    • Business planning and development

While this listing is not exhaustive of all the activities that fall under the TPO umbrella, it does shed light on the many day-to-day activities of a covered entity that involve the use or disclosure of PHI and do not require the authorization of the patient. You can refer to 45 CFR for more on TPO disclosures. Training staff about these common uses and disclosures of PHI will change the default answer from “no” to “yes, I can disclose PHI for TPO”. An educated staff will help you stay HIPAA compliant.

Keep this in mind: HIPAA compliance is a journey, not a destination. Happy Trekking!