
A Summary of the Proposed HIPAA Regulations Implementing HITECH
Treatment, Payment, and Health Care Operations (TPO)



In general, a CE may use and disclose protected health information, without authorization, for treatment, payment, and health care operations activities. Treatment includes the provision, coordination, or management of health care and related services among health care providers; consultation between providers regarding a patient; or patient referrals from one provider to another.19 A CE may disclose PHI for its own treatment activities and the treatment activities of any other health care provider.20 Payment includes all health plan activities associated with obtaining premiums, fulfilling coverage responsibilities, providing plan benefits, and obtaining reimbursement for furnished health care and provider activities related to payment and reimbursement.21 A CE may use PHI for its own payment activities and may disclose PHI to another covered entity or health care provider for the payment activities of the entity receiving the information.22


Health care operations include a CE’s administrative, financial, and quality improvement activities that are essential to maintaining the entity’s business and supporting treatment and payment transactions.23 The rule limits the definition to the following activities: 1) conducting quality assessment and improvement activities, including outcome evaluation and development of clinical guidelines, so long as generalized knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs; and case management and care coordination; 2) evaluating provider and health plan performance; reviewing the competence or qualifications of health care professionals; training students, providers, and non-health care professionals; and activities involving accreditation, certification, and licensing; 3) specified health insurance functions, such as underwriting, premium rating, and reinsuring risk; 4) conducting or arranging for medical reviews, legal services, and audits, including fraud and abuse detection and compliance programs; 5) business planning and development; 6) business management and general administrative activities of the entity (including de-identifying protected health information and creating an LDS);24 and 7) patient safety activities, including efforts to improve patient safety and the quality of health care delivery.25


A CE may disclose PHI for its own health care operations.26 It may also disclose PHI to another CE for health care operations if the following terms are met: 1) each entity has or had a relationship with the individual who is the subject of the requested PHI; 2) the PHI pertains to that relationship; and 3) the disclosure is for one of the following purposes: conducting quality assessment and improvement activities, as described in the “health care operations” definition; evaluating provider performance, as described in the “health care operations” definition; or health care fraud and abuse detection or compliance.27




  • 19. Id. at § 164.501.
  • 20. Id. at § 164.506(c)(1)-(2).
  • 21. Id. at § 164.501.
  • 22. Id. at § 164.506(c)(1)-(2).
  • 23. Id. at § 164.501; see also, Uses and Disclosures for Treatment, Payment, and Health Care Operations,
  • 24. 45 C.F.R. § 164.506(3).
  • 25. HHS proposed this modification in its Proposed Rule on July 14, 2010.  See Modifications to the HIPAA Privacy, Security, and Enforcement Rules, 75 Fed. Reg. at 40,914 (to be codified at 45 C.F.R. § 164.501). 
  • 26. 45 C.F.R. § 164.506(1).
  • 27. Id. at § 164.506(4).