What are TPO Requests?

Treatment, payment, and operations (TPO) medical records requests refer to requests to disclose or release patient health information (PHI) without the authorization of the patient. These particular types of requests are allowed under HIPAA Privacy Rules, but should be fulfilled with care by the records department or release of information (ROI) company – making sure that they meet the correct parameters for TPO. Such requests are usually made by organizations, companies, and individuals who need access to a patient’s PHI for specifically defined core health activities.

While PHI is a highly sensitive issue, there are times when organizations need access to it in order to conduct specific studies or investigations that will benefit the public at large. In such cases, TPO medical records requests can be utilized to get the needed information without compromising the privacy of patients.

TPO Defined

The express definitions of treatment, payment, and healthcare operations are defined in the Privacy Rule 45 CFR 164.501.


In most cases, treatment requests for records are in the best interests of efficient care for the patient. For example, a primary care provider might wish to send a copy of a patient’s record to a specialist who needs the information to provide treatment.

Treatment is defined as:

“The provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one provider to another.”

Some examples of allowable TPO disclosures under HIPAA would include:

  • A pulmonologist requesting surgical history records for a patient he/she is consulting on for treatment.
  • A long-term care facility requesting records from a recent hospitalization.
  • A nurse case manager requesting records from recent outpatient visits.


Payment has a lengthy definition under Privacy Rule 45, but generally includes requests by health plans for information needed to obtain premiums or to determine or fulfil its responsibility for coverage and provision of benefits under the health plan.

These payment-related requests may be used to:

  • Determine eligibility or coverage.
  • Determine risk adjustment amounts based on the insured’s health status and demographic information.
  • Information related to billing, claims management, collection activities, and related health care data processing.
  • Review of health care services for medical necessity, coverage under the health plan, appropriateness of care, or justification of charges submitted.
  • Utilization review activities, including precertification and preauthorization of services.
  • Disclosure of name and address, date of birth, social security number, payment history, account number, and name and address of the health care provider or health plan to credit reporting agencies related to collection of premiums or reimbursement.

Insurance companies are specifically prohibited from accessing the following information:

  • Genetic information for underwriting purposes. Insurers are not allowed to access this information as described under subsection 164.502(a)(5)(i).


This category covers a number of core functions that covered entities and providers could request information about, including:

  • Conducting quality assessment and improvement activities, such as development of clinical guidelines and programs to improve patient safety. This also includes population-based activities for improving health, reducing costs, and care coordination.
  • Reviewing the competence of qualifications of health care professionals, including their performance and training programs, licensure, accreditation, certification, and credentialing activities.
  • Conducting or arranging for medical review, legal services, or auditing functions as part of compliance programs and fraud and abuse detection.
  • Business planning and development purposes, such as analyses related to cost management, planning, managing, and operation of the covered entity.
  • Business management activities such as records management; resolution of internal grievances; preparation for the sale, transfer, or merger of parts of the covered entity and its due diligence processes; and the process of creating de-identified data sets for research purposes.

Handle with Care

Just because a request appears to fall under the TPO umbrella, this doesn’t mean to release those records carelessly. For most requests, the Minimum Necessary Rule still applies. This rule requires entities to make a reasonable effort to limit PHI disclosure to:

  • Only the necessary information for the request, and
  • Only to the necessary people who need the information to do their jobs.

A good example would be a treatment request for records from a large group of 12 obstetrical/gynecological (OB/GYN) medical providers. Only one of the providers is treating the patient, therefore per the HIPAA minimum necessary rule, only that medical provider should have access to the records. Also, only the records requested for OB/GYN treatment should be provided, not everything in the record.

When more than the minimum necessary information is disclosed, this is considered a HIPAA violation, which is reportable to HHS and can result in fines and even jail time!

It is important for ROI providers to maintain current knowledge and policies related to TPO requests, ensuring that PHI remains protected, while essential treatment and business functions move forward with efficiency.


The professionals at RecordQuest are knowledgeable and thorough about all types of records requests, fulfilling them quickly and efficiently, at the right level of protection and scrutiny. This knowledge base and attention to detail is what makes us the trusted ROI company for healthcare organizations across the country. For more information, contact us for a consultation and demo.

Start typing and press Enter to search

Minors' Access to Medical Records