| health care operations (HIPAA)
HIPAA bundles a large number of functions into the term "health care operations." This expansive list is important for many reasons, most notably because HIPAA requires no permission from patients for uses and disclosures of protected health information (PHI) for "treatment, payment or health care operations (TPO)."
Covered entities may obtain a consent for TPO-related uses and disclosures, but the practice is optional under HIPAA. (It may nonetheless be required by state law.)
Health care operations include:
- conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines or protocols, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies (i.e., research);
- population-based activities relating to improving public health or reducing health care costs;
- case management and care coordination;
- contacting of health care providers or patients with information about treatment alternatives;
- reviewing the competence or qualifications of health care professionals;
- evaluating practitioner and provider performance;
- evaluating health plan performance;
- conducting training programs for students, trainees, or practitioners (health or non-health);
- accreditation, certification, licensing, or credentialing activities;
- underwriting, premium rating, and other activities relating to health insurance contracting;
- conducting or arranging for medical review, legal services, auditing functions or other compliance programs;
- business planning and development, cost-management and planning-related analyses;
- development or improvement of methods of payment or coverage policies;
- business management and general administrative activities of the entity;
- business activities relating to compliance with HIPAA;
- customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers (provided that protected health information is not disclosed);
- resolution of internal grievances;
- the sale, transfer, merger, or consolidation of all or part of the covered entity to or with another covered entity, or an entity that will become a covered entity as a result of the transaction, as well as the due diligence activities in connection with such transaction; and
Information uses and disclosures not falling under the TPO umbrella, and not otherwise exempted by other parts of the regulations, require a supplemental authorization.
|