Part 3: Uses and Disclosures (FAQ 57 of 65)
57. Are Disclosures for Treatment, Payment and Health Care Operations Okay?
At one level, yes. Health care is a complex business that represents a large chunk of America's economy. If you think about it, you may realize that major health care treatment and payment institutions are big businesses that engage in a wide variety of activities just like other businesses. Management and internal controls require access to some records. If we spent the time to list the comparable data-intensive activities engaged in by banks or governments, we would also find a long list of uses and disclosures of personal information that are, for better or worse, a routine part of those functions.
At one level, then, treatment, payment and health care operations (TPO) disclosures are routine. Just about all of the functions supported by TPO uses and disclosures went on before HIPAA, although few health professionals paid attention to them. Before HIPAA, if your consent was sought for the sharing of your records for these purposes -- and it frequently was not sought -- you weren't told any of the specifics. Doctors, hospitals, and insurers asked patients to consent to "any and all disclosures" without telling patients what that meant.
HIPAA eliminated the need for consent for TPO. A covered entity may still seek your consent, but this seems to happen rarely. It is easier to rely on the authority provided by the rule to justify use and disclosure. Some privacy advocates see the lack of consent as a great gap in privacy protection that removes any pretense of patient control over records.