Health Information Management

HIPAA Q&A: TPO disclosures to a business associate

HIM-HIPAA Insider, May 21, 2012

A. The disclosure of PHI to a business associate does not need to be included in the disclosure accounting log as long as the disclosure is related to treatment, payment, and healthcare operations (TPO).

Disclosures of PHI to a business associate are not necessarily classified as disclosures only for healthcare operations. As an example, if a health plan discloses PHI to a third-party administrator, the disclosure would likely be for payment purposes. A covered entity must execute a valid business associate contract or other written arrangement (government entities) before disclosing any PHI to the business associate, though.
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question. He has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum. 

Most Popular