What Is TPO in HIPAA? Treatment, Payment, and Operations Explained (2026)

What TPO Means Under HIPAA
TPO is a shorthand term used in healthcare privacy compliance. It stands for Treatment, Payment, and Healthcare Operations. These three categories represent the core activities that keep the healthcare system functioning, from delivering patient care to processing insurance claims to running the administrative side of a medical practice.
The HIPAA Privacy Rule, codified at 45 CFR Part 164, Subpart E, recognizes that healthcare providers, health plans, and clearinghouses need to share protected health information (PHI) to carry out everyday functions. Without a workable framework for routine information sharing, the healthcare system would grind to a halt. TPO provides that framework.
Under 45 CFR 164.506, covered entities may use and disclose PHI for treatment, payment, and healthcare operations without obtaining written authorization from the patient. This is one of the most significant provisions in the Privacy Rule because it allows the routine flow of health information that medical care depends on, while still maintaining privacy protections.
The formal definitions of all three TPO categories appear in 45 CFR 164.501. Understanding exactly what falls within each category is essential for compliance, because disclosures that go beyond TPO typically require patient authorization or another specific legal exception.
Treatment: The First Element of TPO
Definition Under Federal Law
The Privacy Rule defines "treatment" as the provision, coordination, or management of health care and related services by one or more health care providers. This includes coordination or management of health care by a provider with a third party, consultation between providers relating to a patient, and the referral of a patient from one provider to another (45 CFR 164.501).
Treatment is the broadest and most frequently invoked element of TPO in day-to-day clinical practice. Every time a physician reviews a patient's chart, orders a lab test, or discusses a case with a specialist, that activity falls under the treatment prong.
Examples of Treatment Disclosures
A primary care physician refers a patient to a cardiologist and sends the patient's medical records to the specialist's office. This disclosure of PHI for treatment purposes requires no patient authorization.
A hospital emergency department contacts a patient's primary care physician to obtain the patient's medication history during an emergency visit. The primary care physician can share this information without needing the patient's written permission.
A laboratory receives a blood sample along with relevant clinical information from the ordering physician. The lab processes the sample and sends results back. Both the sending and receiving of PHI in this scenario qualify as treatment disclosures.
Pharmacists consulting with prescribing physicians about potential drug interactions, nurses coordinating post-discharge home health care, and mental health providers discussing treatment plans with a patient's case manager all represent treatment activities under the Privacy Rule.
Treatment and the Minimum Necessary Standard
One of the most important distinctions in the Privacy Rule involves how the minimum necessary standard applies to treatment. Under 45 CFR 164.502(b)(2)(i), the minimum necessary requirement does not apply to disclosures to, or requests by, a health care provider for treatment.
This means a provider can share the full medical record with another treating provider when clinically appropriate. The rationale is straightforward: providers need access to complete information to deliver safe, effective care. Restricting what a treating provider can see could result in misdiagnosis, harmful drug interactions, or other patient safety issues. The exemption is specific to treatment disclosures and requests, however. A covered entity's internal uses of PHI, including its own workforce's access to records, remain subject to the role-based access policies the minimum necessary standard requires under 45 CFR 164.514(d)(2).
Payment: The Second Element of TPO
Definition Under Federal Law
"Payment" under 45 CFR 164.501 encompasses activities undertaken by a health plan to obtain premiums, determine or fulfill its coverage responsibilities, and provide benefits. It also covers activities by health care providers or health plans to obtain or provide reimbursement for the provision of health care.
The payment definition is deliberately broad because the billing and reimbursement process involves multiple steps and multiple parties. From the moment a provider documents a service to the final adjudication of a claim, numerous payment-related disclosures of PHI occur.
Specific Payment Activities
The Privacy Rule lists specific activities that fall under the payment category. These include determinations of eligibility or coverage, coordination of benefits, and adjudication or subrogation of health benefit claims. Risk adjustments based on enrollee health status and demographic characteristics also qualify.
Billing, claims management, and collection activities fall under payment. So does obtaining payment under a contract for reinsurance, including stop-loss insurance and excess of loss insurance. Related health care data processing activities are also included.
Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges constitutes a payment activity. Utilization review, including precertification and preauthorization of services, as well as concurrent and retrospective review of services, all fall within this category.
How Payment Disclosures Work in Practice
A hospital submits a claim to a patient's health insurance company that includes diagnosis codes, procedure codes, and dates of service. This PHI disclosure is a payment activity that requires no patient authorization.
A health plan requests medical records from a provider to determine whether a procedure was medically necessary before approving reimbursement. The provider can send those records under the payment exception.
A physician's billing department sends a patient's account to a collection agency after the patient fails to pay an outstanding balance. The information shared with the collection agency for collection purposes qualifies as a payment disclosure, though the collection agency would typically need a business associate agreement in place.
The Minimum Necessary Standard and Payment
Unlike treatment disclosures, the minimum necessary standard does apply to payment-related uses and disclosures. A covered entity must limit the PHI disclosed for payment purposes to the minimum amount reasonably necessary to accomplish the intended purpose.
For example, when a health plan requests records to verify a claim, the provider should send only the records relevant to the specific service being reviewed, not the patient's entire medical history. Covered entities are required to develop and implement policies and procedures that identify the minimum necessary information for routine and recurring payment disclosures.
Healthcare Operations: The Third Element of TPO
Definition Under Federal Law
Healthcare operations represent the administrative, financial, legal, and quality improvement activities that a covered entity needs to run its business and support the core functions of treatment and payment. The definition at 45 CFR 164.501 provides an exhaustive list of six categories of activities that qualify.
Unlike treatment and payment, healthcare operations is a closed list. Only the activities specifically enumerated in the regulation qualify. If an activity does not appear on the list, it cannot be justified as a healthcare operation under TPO.
The Six Categories of Healthcare Operations
Quality assessment and improvement. This includes outcomes evaluation, development of clinical guidelines, patient safety activities as defined in 42 CFR 3.20, population-based activities relating to improving health or reducing costs, protocol development, case management, care coordination, and contacting providers and patients with information about treatment alternatives. The key limitation: if the primary purpose of a study is to produce generalizable knowledge, it crosses into research territory and no longer qualifies as healthcare operations.
Professional competency review. Covered entities may use PHI for reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, evaluating health plan performance, conducting training programs for students and practitioners, training non-health care professionals, and supporting accreditation, certification, licensing, or credentialing activities.
Underwriting and insurance activities. Health plans may use PHI for underwriting, enrollment, premium rating, and other activities related to creating, renewing, or replacing contracts for health insurance or health benefits. This also includes ceding, securing, or placing contracts for reinsurance of risk relating to health care claims.
Medical review, legal, and auditing functions. Conducting or arranging for medical review, legal services, and auditing functions falls under healthcare operations. This category specifically includes fraud and abuse detection and compliance programs.
Business planning and development. Cost-management analyses, planning activities related to managing and operating the entity, formulary development and administration, and development or improvement of payment methods or coverage policies all qualify.
Business management and general administration. This broad final category covers activities related to implementing and complying with the Privacy Rule and other Administrative Simplification Rules, customer service, resolution of internal grievances, the sale or transfer of assets, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.
Healthcare Operations and the Minimum Necessary Standard
Like payment, the minimum necessary standard applies to healthcare operations. A covered entity must develop role-based access policies that limit which workforce members can access PHI for healthcare operations, and must limit disclosures to only the information reasonably necessary for the specific operational purpose.
What Does Not Fall Under TPO
Understanding the boundaries of TPO is just as important as understanding what it covers. Several categories of PHI use and disclosure fall outside TPO and require separate patient authorization under 45 CFR 164.508.
Marketing
The HIPAA Privacy Rule requires written patient authorization for virtually all uses and disclosures of PHI for marketing purposes. Marketing means a communication about a product or service that encourages the recipient to purchase or use the product or service. The definition in 45 CFR 164.501 carves out certain treatment, case management, care coordination, and refill-reminder communications for which the covered entity receives no financial remuneration from a third party (refill reminders may recover the cost of the communication). Beyond that, only two exceptions to the authorization requirement exist: face-to-face communications between the covered entity and the individual, and promotional gifts of nominal value. If a covered entity receives financial remuneration from a third party for making a marketing communication, the authorization must state that fact.
Research
Using PHI for research is not a TPO activity, even when the research takes place within a healthcare organization. Research with identifiable PHI requires either patient authorization or a waiver of authorization granted by an Institutional Review Board (IRB) or Privacy Board; narrower paths exist for de-identified data and for a limited data set released under a data use agreement. The distinction between quality improvement (which can qualify as healthcare operations) and research (which cannot) hinges on whether the primary purpose is to produce generalizable knowledge.
Psychotherapy Notes
Psychotherapy notes receive special protection under HIPAA. These are notes recorded by a mental health professional that document or analyze the contents of a counseling session, and they must be maintained separately from the rest of the medical record to qualify. Using or disclosing psychotherapy notes requires patient authorization even when the use or disclosure would otherwise fall under TPO. The exceptions in 45 CFR 164.508(a)(2) are narrow: the originating provider's own treatment use, the covered entity's own mental health training programs, defending a legal action brought by the individual, and a few 164.512 situations such as disclosures required by law, HHS compliance oversight, and averting a serious and imminent threat.
Sale of PHI
The sale of protected health information requires patient authorization under HIPAA. A covered entity cannot sell PHI without first obtaining a valid authorization that states the disclosure will result in remuneration to the entity. Limited exceptions exist for treatment and payment purposes, public health activities, and certain research activities, but the general rule prohibits the commercial sale of patient information without authorization.
Notice of Privacy Practices and TPO
Every covered entity must provide patients with a Notice of Privacy Practices (NPP) that explains how the entity may use and disclose PHI. The NPP must specifically describe the entity's TPO-related uses and disclosures, along with at least one example of each category.
Distribution Requirements
Health care providers with a direct treatment relationship must provide the NPP to patients no later than the date of the first service delivery (in an emergency, as soon as reasonably practicable afterward), must make a good faith effort to obtain a written acknowledgment from the patient that they received the notice, and must post the notice at the service site and on any website the provider maintains. Health plans must provide the NPP to new enrollees at the time of enrollment, must provide the revised notice (or information about the change and how to obtain the new notice) within 60 days of a material revision, and at least once every three years must notify covered individuals that the notice is available and how to obtain it.
What the NPP Must Include
The NPP must contain a description of the types of uses and disclosures the covered entity is permitted to make for treatment, payment, and healthcare operations. It must describe the individual's rights under the Privacy Rule, including the right to request restrictions on certain uses and disclosures. The notice must also identify a contact person or office responsible for receiving complaints and providing further information.
Patients have the right to request that a covered entity restrict how it uses or discloses their PHI for TPO purposes. A covered entity is generally not required to agree to such a request, with one exception: under 45 CFR 164.522(a)(1)(vi), a covered entity must comply with a request to restrict disclosure to a health plan for payment or healthcare operations purposes if the patient (or someone other than the plan on the patient's behalf) paid for the item or service in full out of pocket, unless the disclosure is otherwise required by law.
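The authorization, psychotherapy-note, self-pay restriction, business associate and minimum necessary rules above reduce to a small decision procedure, and writing them down as one is a useful check on how an application or integration engine gates PHI releases. The following is an added example written for this page, not HHS guidance or any vendor's product. The recipient labels, record field names and per-purpose minimum-necessary field sets are assumptions, and it deliberately omits the 164.512 public-interest disclosures and the marketing carve-outs:

```python
"""Purpose-based PHI disclosure check encoding the TPO rules on this page.

Added example, not HHS or vendor code. Recipient labels, record field names
and the per-purpose minimum-necessary sets are assumptions; a real deployment
derives them from the entity's own 45 CFR 164.514(d) policies.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Purpose(Enum):
    TREATMENT = "treatment"
    PAYMENT = "payment"
    OPERATIONS = "health care operations"
    MARKETING = "marketing"
    RESEARCH = "research"
    SALE = "sale of PHI"


TPO = {Purpose.TREATMENT, Purpose.PAYMENT, Purpose.OPERATIONS}

# Assumed minimum-necessary field sets for routine payment / operations
# disclosures. Treatment deliberately has no entry: the standard does not
# apply to disclosures to a provider for treatment (164.502(b)(2)(i)).
MIN_NECESSARY = {
    Purpose.PAYMENT: {"patient_id", "dates_of_service", "diagnosis_codes",
                      "procedure_codes", "charges"},
    Purpose.OPERATIONS: {"patient_id", "dates_of_service", "diagnosis_codes",
                         "outcome"},
}


@dataclass
class Request:
    purpose: Purpose
    recipient: str  # assumed: provider | health_plan | business_associate | third_party
    fields: set[str]  # PHI fields the requester asked for
    psychotherapy_notes: bool = False
    originating_provider: bool = False  # requester wrote the notes
    has_authorization: bool = False     # valid 164.508 authorization on file
    has_baa: bool = False               # BAA in place with the recipient
    paid_out_of_pocket: bool = False    # item paid in full by the patient
    restriction_requested: bool = False  # patient asked to withhold from plan
    required_by_law: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str
    fields: frozenset[str] = frozenset()  # what may actually be released


def evaluate(req: Request) -> Decision:
    # 1. Anything outside TPO needs a valid written authorization (164.508).
    if req.purpose not in TPO:
        if req.has_authorization:
            return Decision(True, f"{req.purpose.value}: authorization on file",
                            frozenset(req.fields))
        return Decision(False, f"{req.purpose.value}: authorization required")

    # 2. Psychotherapy notes need authorization even inside TPO, except the
    #    originating provider's own treatment use (164.508(a)(2)).
    own_use = req.purpose is Purpose.TREATMENT and req.originating_provider
    if req.psychotherapy_notes and not own_use and not req.has_authorization:
        return Decision(False, "psychotherapy notes: authorization required")

    # 3. Self-pay restriction the entity must honour (164.522(a)(1)(vi)).
    if (req.recipient == "health_plan"
            and req.purpose in (Purpose.PAYMENT, Purpose.OPERATIONS)
            and req.paid_out_of_pocket and req.restriction_requested
            and not req.required_by_law):
        return Decision(False, "self-pay restriction in effect (164.522)")

    # 4. A business associate may only receive PHI under a BAA (164.504(e)).
    if req.recipient == "business_associate" and not req.has_baa:
        return Decision(False, "business associate: BAA required first")

    # 5. Treatment: release what was requested, no field trimming.
    if req.purpose is Purpose.TREATMENT:
        return Decision(True, "treatment: minimum necessary does not apply",
                        frozenset(req.fields))

    # 6. Payment / operations: trim the request to the minimum necessary set.
    permitted = req.fields & MIN_NECESSARY[req.purpose]
    withheld = sorted(req.fields - permitted)
    return Decision(True, f"{req.purpose.value}: withheld {withheld}",
                    frozenset(permitted))


if __name__ == "__main__":
    # Constructed sample requests, not real patient data.
    samples = [
        Request(Purpose.TREATMENT, "provider",
                {"patient_id", "full_history", "medications"}),
        Request(Purpose.PAYMENT, "health_plan",
                {"patient_id", "diagnosis_codes", "full_history"}),
        Request(Purpose.PAYMENT, "health_plan", {"patient_id", "charges"},
                paid_out_of_pocket=True, restriction_requested=True),
        Request(Purpose.MARKETING, "third_party", {"patient_id"}),
    ]
    for r in samples:
        d = evaluate(r)
        verdict = "ALLOW" if d.allowed else "DENY"
        print(f"{r.purpose.value:22} {verdict:5} {d.reason} "
              f"fields={sorted(d.fields)}")
```

Two design points matter. The purpose is an explicit enum rather than free text, so a caller cannot smuggle a marketing use through as "operations", and the treatment branch returns the requested fields untouched while payment and operations are filtered to a fixed allow-list, which mirrors the asymmetry in 164.502(b)(2). Every denial carries the rule it tripped, so the decision can be logged and produced during an OCR investigation.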
TPO and Business Associates
When a covered entity engages a third party to perform TPO functions on its behalf, that third party typically qualifies as a business associate. The covered entity must enter into a business associate agreement (BAA) before disclosing PHI to that third party for TPO purposes. Note the one common case that is not a business associate relationship: a health care provider that receives PHI for the treatment of the patient is acting as a provider, not on the covered entity's behalf, so provider-to-provider treatment disclosures need no BAA (45 CFR 164.502(e)(1)(ii)(A)).
Common business associates involved in TPO activities include billing companies that process claims (payment), transcription services that prepare medical records (treatment), and accounting firms that audit financial records containing PHI (healthcare operations). The BAA establishes what the business associate can and cannot do with the PHI, requires appropriate safeguards, and mandates breach reporting in the event of unauthorized access or disclosure.
A covered entity may disclose PHI to a business associate and may allow the business associate to create, receive, maintain, or transmit PHI on its behalf, provided the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information. These assurances must be documented in a written agreement that meets the requirements of 45 CFR 164.504(e).
Enforcement and Penalties for Misusing TPO
Covered entities that disclose PHI outside the bounds of TPO without proper authorization face enforcement action from the HHS Office for Civil Rights (OCR). As of 2025, OCR has investigated over 31,000 cases and imposed civil money penalties or settlements totaling more than $144 million.
Civil money penalties for Privacy Rule violations follow a four-tier structure keyed to the entity's culpability, and HHS adjusts the dollar figures for inflation each year. Using the 2023 adjustments: a violation the entity did not know about and could not reasonably have known about carries $137 to $68,928 per violation; a violation due to reasonable cause rather than willful neglect carries $1,379 to $68,928; willful neglect corrected within 30 days carries $13,785 to $68,928; and willful neglect not timely corrected carries a minimum of $68,928 per violation. Every tier is capped at an annual maximum of $2,067,813 for identical violations of the same provision. Check the current Federal Register inflation notice before quoting a figure, as later adjustments are higher.
Criminal penalties under 42 U.S.C. 1320d-6 apply to knowing violations and are prosecuted by the Department of Justice. They are tiered as well: up to $50,000 and one year of imprisonment for a knowing violation; up to $100,000 and five years if the offense is committed under false pretenses; and up to $250,000 and ten years if it is committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.
Organizations that improperly classify a disclosure as falling under TPO when it actually requires authorization expose themselves to these enforcement actions. Maintaining clear policies about what constitutes treatment, payment, and healthcare operations, and training staff accordingly, is a core compliance obligation for every covered entity.
For more information about HIPAA privacy requirements, visit the HIPAA overview page or consult an attorney for advice specific to your situation.
Sources and References
- 45 CFR 164.501, Definitions (Treatment, Payment, Health Care Operations) (ecfr.gov)
- 45 CFR 164.506, Uses and Disclosures to Carry Out TPO (ecfr.gov)
- HHS Guidance: Uses and Disclosures for Treatment, Payment, and Health Care Operations (hhs.gov)
- HHS Guidance: Minimum Necessary Requirement (hhs.gov)
- HHS Guidance: Notice of Privacy Practices for Protected Health Information (hhs.gov)
- HHS Guidance: Marketing Under HIPAA (hhs.gov)
- HHS HIPAA Enforcement Highlights (hhs.gov)
- Summary of the HIPAA Privacy Rule (hhs.gov)