Treatment, payment, and operations (TPO) medical records requests refer to requests to disclose or release patient health information (PHI) without the authorization of the patient. These particular types of requests are allowed under HIPAA Privacy Rules, but should be fulfilled with care by the records department or release of information (ROI) company – making sure that they meet the correct parameters for TPO. Such requests are usually made by organizations, companies, and individuals who need access to a patient’s PHI for specifically defined core health activities.
While PHI is a highly sensitive issue, there are times when organizations need access to it in order to conduct specific studies or investigations that will benefit the public at large. In such cases, TPO medical records requests can be utilized to get the needed information without compromising the privacy of patients.
The express definitions of treatment, payment, and healthcare operations are defined in the Privacy Rule 45 CFR 164.501.
In most cases, treatment requests for records are in the best interests of efficient care for the patient. For example, a primary care provider might wish to send a copy of a patient’s record to a specialist who needs the information to provide treatment.
Treatment is defined as:
“The provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one provider to another.”
Some examples of allowable TPO disclosures under HIPAA would include:
Payment has a lengthy definition under Privacy Rule 45, but generally includes requests by health plans for information needed to obtain premiums or to determine or fulfil its responsibility for coverage and provision of benefits under the health plan.
These payment-related requests may be used to:
Insurance companies are specifically prohibited from accessing the following information:
This category covers a number of core functions that covered entities and providers could request information about, including:
Just because a request appears to fall under the TPO umbrella, this doesn’t mean to release those records carelessly. For most requests, the Minimum Necessary Rule still applies. This rule requires entities to make a reasonable effort to limit PHI disclosure to:
A good example would be a treatment request for records from a large group of 12 obstetrical/gynecological (OB/GYN) medical providers. Only one of the providers is treating the patient, therefore per the HIPAA minimum necessary rule, only that medical provider should have access to the records. Also, only the records requested for OB/GYN treatment should be provided, not everything in the record.
When more than the minimum necessary information is disclosed, this is considered a HIPAA violation, which is reportable to HHS and can result in fines and even jail time!
It is important for ROI providers to maintain current knowledge and policies related to TPO requests, ensuring that PHI remains protected, while essential treatment and business functions move forward with efficiency.
The professionals at RecordQuest are knowledgeable and thorough about all types of records requests, fulfilling them quickly and efficiently, at the right level of protection and scrutiny. This knowledge base and attention to detail is what makes us the trusted ROI company for healthcare organizations across the country. For more information, contact us for a consultation and demo.