HIPAA: The Treatment, Payment, and Healthcare Operations (TPO) Exception

HIPAA: The Treatment, Payment, and Healthcare Operations (TPO) Exception

A lot of people get the Treatment, Payment, and Healthcare Operations (TPO) Exception wrong. So in this episode of Talking with the Toothcop, Andrea and I dissect what it is. We also talk about what to do if you need patient authorization and the importance of informed consent for treatment. Don’t miss it! 

Outline of This Episode

  • [0:21] Coffee + Rom-Coms
  • [4:07] Learn more about ProEdge Dental!
  • [5:24] The treatment exception
  • [10:00] The payment exception 
  • [11:01] The operations exception 
  • [12:14] If you NEED authorization
  • [13:25] Informed consent for treatment
  • [17:49] Learn more about protectit dental!

The treatment exception

You can communicate with other healthcare providers (i.e. dentists/specialists) to care for a patient (consults, discussions, coordination of care, etc.). Under HIPPA you don’t need authorization from your patient to communicate with healthcare providers regarding treatment. Some state laws are more restrictive. For example, in Minnesota, this does not apply and you are required to get authorization. Federal HIPPA laws allow communication if your state does not have more restrictive requirements. 

The payment exception 

If Grandma stops by to pay a patient’s bill, you may have to follow the minimum necessary principle (that a legal guardian is the only one allowed access to patient information). So you may not be able to close the date of service or the procedure but you sure can take payment. If it’s necessary to state a balance to get paid, it’s perfectly fine. 

The operations exception 

The operations exception allows dental offices to access and use/disclose their patient‘s information. You don’t need authorization from the patient or legal guardian. How does that look in practice? Duane is allowed to access a patient’s records without them being notified because it’s for compliance purposes. 

If you NEED authorization 

If you need authorization from a patient to disclose PHI to a third party, there is a form you need them to complete with specific elements that need to be on it. Most information release forms don’t have the necessary information. So what’s needed?

  • It must clearly identify your entity and who you’re allowed to release information to
  • What part of the patient’s record you’re authorized to use or disclose
  • The explicit purpose for the disclosure
  • A notice that informs the patient they have the right to revoke the authorization at any time (this is what most dental offices are missing)
  • A signature on the form by the patient or legal guardian 

NOTE: Get familiar with your state's recommendations to make sure they don’t have specific requirements for authorizations. If you’re from MN hit me up at toothcop(at)dentalcompliance.com for a template for the form you need!

Informed consent for treatment

This seems like an ongoing issue I encounter regularly. Different states have different requirements for informed consent. Common sense dictates—to protect yourself and your practice—you should obtain informed consent from your patients. They should know the potential risks of a procedure and alternative treatments that could be appropriate (including no treatment). They should also be informed of the potential consequences if they choose not to have a procedure done. 

If you practice in multiple states, follow the most stringent standard in all of your locations. Then you’ll never run the risk of being out of compliance. In Texas, you need consent for everything that comes with a risk. In Texas, Medicare requires consent for every procedure on the date of service it’s being completed. If you don’t get consent, the insurance companies can recoup what they paid for the services. 

Have any good coffee bean recommendations? Send me an email with your suggestions! 

Resources & People Mentioned

Connect With Duane

Previous Article Next Article