Physicians may disclose protected health information (PHI) under the HIPAA Privacy Rules without obtaining patient authorization if the disclosure is made for purposes of treatment, payment or healthcare operations (TPO). Under the Rules, treatment generally means the provision and management of care (including consultation among health care providers), while the term payment encompasses the various activities of health care providers to obtain payment or reimbursement for their services. Healthcare operations are certain administrative, financial, legal and quality improvement activities necessary to run a medical practice and to support the core functions of treatment and payment. According to the U.S. Department of Health & Human Services, healthcare operations include arranging for legal services, reporting claims and disclosing PHI to medical professional liability insurers for defense purposes.
In practice, the TPO exception means physicians may consult with one another on a patient's care and bill health insurers for medical services rendered without specific patient authorization. It also means that physicians may defend themselves from medical professional liability claims by disclosing PHI to their professional liability insurers and their defense attorneys without patient authorization. Physicians should carefully evaluate the impact of applicable state laws and HIPAA Privacy Rules on any disclosure of PHI, but it is merely a myth that patient authorization is required for any and all disclosures of PHI under the HIPAA Privacy Rules.