HIPAA Compliance Plan
« Previous PageHIPAA Regulations Table of ContentsNext Page »

Download a FREE copy of the HIPAA Survival Guide 4th Edition.


Contact us: Mature Compliance Programs Made Easier!

HIPAA Survival Guide Note: TPO Exception.

References: § 164.506. This section contains the general rule for sharing PHI pursuant to the Treatment, Payment, and Operations ("TPO") exception between covered entities, business associates, and care coordinators (the latter under the proposed 2021 Privacy Rule) as dictated by applicable law.

Description: This Item addresses requirements covered entities and business associates have when sharing information for TPO purposes. There is no Authorization (§ 164.508) required on the part of the patient to allow the sharing of PHI under this exception. However, in most cases the "minimum necessary" principle continues to apply (excepts as it pertains to care coordinators).

§164.506 Uses and disclosures to carry out treatment, payment, or health care operations.

(a) Standard: Permitted uses and disclosures. Except with respect to uses or disclosures that require an authorization under §164.508(a)(2) through (4) or that are prohibited under §164.502(a)(5)(i), a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section, provided that such use or disclosure is consistent with other applicable requirements of this subpart.

(b) Standard: Consent for uses and disclosures permitted.

(1) A covered entity may obtain consent of the individual to use or disclose protected health information to carry out treatment, payment, or health care operations.

(2) Consent, under paragraph (b) of this section, shall not be effective to permit a use or disclosure of protected health information when an authorization, under §164.508, is required or when another condition must be met for such use or disclosure to be permissible under this subpart.

Treatment, Payment & Operations: What is this?You need not have a BAA to share PHI with other covered entities for treatment, payment, and operation business reasons.

(c) Implementation specifications: Treatment, payment, or health care operations.

(1) A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations.

(2) A covered entity may disclose protected health information for treatment activities of a health care provider.

(3) A covered entity may disclose protected health information to another covered entity or a health care provider for the payment activities of the entity that receives the information.

(4) A covered entity may disclose protected health information to another covered entity for health care operations activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the protected health information being requested, the protected health information pertains to such relationship, and the disclosure is:

(i) For a purpose listed in paragraph (1) or (2) of the definition of health care operations; or

(ii) For the purpose of health care fraud and abuse detection or compliance.

(5) A covered entity that participates in an organized health care arrangement may disclose protected health information about an individual to other participants in the organized health care arrangement for any health care operations activities of the organized health care arrangement.

[67 FR 53268, Aug. 14, 2002]

Download our Free HIPAA Project Plan.

« Previous PageHIPAA Regulations Table of ContentsNext Page »