1. HCO Disclosures
As discussed in Part II, the Privacy Rule requires covered entities to
comply with one of three rules before using or disclosing PHI. 74 The first rule
allows covered entities and BAs to use and disclose PHI for their own
treatment, payment, and health care operations (TPO) activities without any
form of prior permission from the individual who is the subject of the PHI. 75
The regulation that allows these uses and disclosures 76 is frequently referred
to as the TPO rule.
Although the Privacy Rule allows covered entities to freely use and
disclose PHI to carry out their own TPO under 45 C.F.R. § 164.506(c)(1), 77
the Privacy Rule strictly regulates covered entities’ disclosures of PHI to
other individuals and institutions for the recipients’ health care operations
(HCO) activities under 45 C.F.R. § 164.506(c)(4). 78 Under this regulation, a
covered entity may disclose PHI for another individual’s or entity’s HCO
without the prior authorization of the individual who is the subject of the PHI,
but only if five requirements have been satisfied: (1) the recipient individual
or entity also is a covered entity; (2) both the sending and receiving covered
entities have had in the past or have now a relationship with the individual
who is the subject of the PHI to be disclosed; (3) the PHI to be disclosed
pertains to that relationship; (4) the purpose of the disclosure is listed in the
first or second paragraph of the definition of HCO 79 or is a health care fraud
and abuse detection or compliance activity; and (5) the PHI disclosed is
limited to the PHI that is minimally necessary to accomplish the intended
purpose of the disclosure. 80 Most covered entities have a complex policy and
procedure, usually drafted by outside counsel, identifying when the covered
entity may disclose PHI to another entity for that entity’s HCO under the
Privacy Rule. 81
74. See text accompanying notes 45–68.
75. 45 C.F.R. § 164.506(c)(1) (2016).
76. See id.
77. See id.
78. See id. § 164.506(c)(4).
79. The definition of health care operations contains six long paragraphs, some of which
have numerous clauses and/or sub-parts. See id. § 164.501 (defining health care operations).
The first and second paragraphs of the definition include activities relating to quality
assessment and improvement, reviewing the competence or qualifications of health care
professionals, licensing, certification, accreditation, training of health care professionals, and
training of non-health care professionals. See id. The third through sixth paragraphs of the
definition include activities such as underwriting, legal services, business planning and
development, fundraising, and creating de-identified health information. See id.
80. See id. § 164.506(c)(4).
81. See, e.g., Privacy Policies & Procedures: Section 3—Uses and Disclosures to Carry
out Treatment, Payment, or Health Care Operations, OKLA. ST. UNIV. CTR. FOR HEALTH SCI.
(rev. July 1, 2013), https://centernet.okstate.edu/hipaa/privacyprocedures3.php#0301