The Privacy Rule permits covered entities to use and disclose PHI for treatment, payment, and health care operations (TPO) without obtaining specific authorization.
- A covered entity may disclose PHI to other covered entities that provide services to the primary covered entity.
- Each entity must have or have had a relationship with the patient who is the subject of the PHI being requested.
- E.g., a reference laboratory that performs tests for a clinical laboratory.
- The service that the other covered entity provides must fall within treatment, payment, or health care operations (TPO).
- A covered entity may disclose PHI to another covered entity for the payment activities of the entity that receives the information.
If the service provided does not fall within TPO, authorization is generally required. An authorization form must state the specific disclosures of PHI to be made and the purpose for which the information will be used. It must be signed and dated by the patient.