The privacy regulations give covered entities permission to use and disclose PHI for treatment, payment, and health care operations (TPO), without obtaining specific authorization.
- A covered entity may disclose PHI to other covered entities such as reference laboratories, and home care services, which are providing services to the primary covered entity. (Each entity must either have or have had a relationship with the individual who is the subject of the PHI being requested).
- The service that the other covered entity is providing must fall within treatment, payment, or health care operations (TPO).
- If the service being provided does not fall within TPO, an authorization is generally required.
- An authorization form must state the specific disclosures of PHI to be made, what the information will be used for, and must be signed and dated by the patient.
- A covered entity may disclose protected health information to another covered entity or a health care provider for the payment activities of the entity that receives the information.