What are Treatment, Payment, and Healthcare Operations Activities Under HIPAA?

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice; instead, all information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.  

Individuals often expect that their protected health information will be used and disclosed as necessary to treat them, bill for treatment, and, to some extent, operate the covered entity’s healthcare business. To avoid interfering with an individual’s access to quality health care or the efficient payment for such health care, the Privacy Rule permits a covered entity to use and disclose protected health information, with certain limits and protections, for treatment, payment, and health care operations activities.  This article covers when and how the Privacy Rule permits a covered entity to use and disclose PHI for these activities. 

What are Treatment Activities?
“Treatment” generally means the provision, coordination, or management of healthcare and related services among healthcare providers or by a healthcare provider with a third party, consultation between healthcare providers regarding a patient, or the referral of a patient from one healthcare provider to another.

What are Payment Activities?
"Payment” encompasses the various activities of healthcare providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of healthcare.  In addition to the general definition, the Privacy Rule provides examples of common payment activities which include, but are not limited to:

• Determining eligibility or coverage under a plan and adjudicating claims; 
• Risk adjustments; 
• Billing and collection activities; 
• Reviewing health care services for medical necessity, coverage, justification of charges, and the like; 
• Utilization review activities; and 
• Disclosures to consumer reporting agencies (limited to specified identifying information about the individual, his or her payment history, and identifying information about the covered entity). 

What Are Healthcare Operations Activities?
“Health care operations” are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. These activities, which are limited to the activities listed in the definition of “health care operations” at 45 CFR 164.501, include:

• Conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing healthcare costs, and case management and care coordination; 
• Reviewing the competence or qualifications of health care professionals, evaluating provider and health plan performance, training health care and non-healthcare professionals, accreditation, certification, licensing, or credentialing activities; 
• Underwriting and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to health care claims
• Conducting or arranging for medical review, legal, and auditing services, including fraud and abuse detection and compliance programs; 
• Business planning and development, such as conducting cost-management and planning analyses related to managing and operating the entity; and 
• Business management and general administrative activities, including those related to implementing and complying with the Privacy Rule, customer service, resolution of internal grievances, sale or transfer of assets, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity. 

Is Patient Consent Required for Treatment, Payment, and Healthcare Operations Activities?
NO. 

A covered entity may voluntarily choose, but is not required, to obtain the individual’s consent for it to use and disclose information about him or her for treatment, payment, and health care operations. A covered entity that chooses to have a consent process (e.g., should the process consist of providing a patient with a written consent form? Can consent be provided verbally and then documented?) has complete discretion under the Privacy Rule to design a process that works best for its business and consumers. A “consent” document is not a valid permission to use or disclose protected health information for a purpose that requires an “authorization” under the Privacy Rule, or where other requirements or conditions exist under the Rule for the use or disclosure of protected health information.

Is Written Patient Authorization Required for Treatment, Payment, and Healthcare Operations Activities?
Generally, no - A covered entity may, without the individual’s authorization:

• Use or disclose protected health information for its own treatment, payment, and health care operations activities. For example:
  • A hospital may use protected health information about an individual to provide health care to the individual and may consult with other health care providers about the individual’s treatment. 
  • A healthcare provider may disclose protected health information about an individual as part of a claim for payment to a health plan. 
  • A health plan may use protected health information to provide customer service to its enrollees. 
• A covered entity may disclose protected health information for the treatment activities of any healthcare provider (including providers not covered by the Privacy Rule). For example:
  • A primary care provider may send a copy of an individual’s medical record to a specialist who needs the information to treat the individual. 
  • A hospital may send a patient’s health care instructions to a nursing home to which the patient is transferred. 
• A covered entity may disclose protected health information to another covered entity or a health care provider (including providers not covered by the Privacy Rule) for the payment activities of the entity that receives the information. For example:
  • A physician may send an individual’s health plan coverage information to a laboratory who needs the information to bill for services it provided to the physician with respect to the individual. 
  • A hospital emergency department may give a patient’s payment information to an ambulance service provider that transported the patient to the hospital in order for the ambulance provider to bill for its treatment 
• A covered entity may disclose protected health information to another covered entity for certain healthcare operation activities of the entity that receives the information if:
  • Each entity either has or had a relationship with the individual who is the subject of the information, and the protected health information pertains to the relationship; and 
  • The disclosure is for a quality-related health care operations activity (i.e., the activities listed in paragraphs (1) and (2) of the definition of “health care operations” at 45 CFR 164.501) or for the purpose of health care fraud and abuse detection or compliance. For example: < A health care provider may disclose protected health information to a health plan for the plan’s Health Plan Employer Data and Information Set (HEDIS) purposes, provided that the health plan has or had a relationship with the individual who is the subject of the information. 
• A covered entity that participates in an organized healthcare arrangement (OHCA) may disclose protected health information about an individual to another covered entity that participates in the OHCA for any joint healthcare operations of the OHCA. For example:
  • The physicians with staff privileges at a hospital may participate in the hospital’s training of medical students. 

Does The Minimum Necessary Rule Apply to Treatment, Payment, and Healthcare Operations?
A covered entity must develop policies and procedures that reasonably limit its disclosures of, and requests for, protected health information for payment and healthcare operations to the minimum necessary. A covered entity also is required to develop role-based access policies and procedures that limit which members of its workforce may have access to protected health information for treatment, payment, and healthcare operations, based on those who need access to the information to do their jobs. However, covered entities are not required to apply the minimum necessary standard to disclosures to or requests by a health care provider for treatment purposes.