The HIPAA Privacy Rule permits Optica Vision Care, Inc. to use and disclose protected health information, with certain limits and protections, for treatment, payment, and health care operations.



• “Treatment” generally means the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.​

• “Payment” encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care. In addition to the general definition, common payment activities include, but are not limited to:​​
   

•   Determining eligibility or coverage under a plan and adjudicating claims;

•   Risk adjustments;

•   Billing and collection activities;

•   Reviewing health care services for medical necessity, coverage, justification of charges, and the like;

•   Utilization review activities; and

•   Disclosures to consumer reporting agencies (limited to specified identifying information about

• the individual, his or her payment history, and identifying information about the covered entity).​​
   

• “Health care operations” are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. These activities include:

•   Conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, and case management and care coordination;

•   Reviewing the competence or qualifications of health care professionals, evaluating provider and health plan performance, training health care and non-health care professionals, accreditation, certification, licensing, or credentialing activities;

•   Underwriting and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to health care claims

•   Conducting or arranging for medical review, legal, and auditing services, including fraud and abuse detection and compliance programs;

•   Business planning and development, such as conducting cost-management and planning analyses related to managing and operating the entity; and

•   Business management and general administrative activities, including those related to implementing and complying with the Privacy Rule and other Administrative Simplification

• Rules, customer service, resolution of internal grievances, sale or transfer of assets, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.​​
   

• A covered entity may, without the individual’s authorization:

• Use or disclose protected health information for its own treatment, payment, and health care operations activities. For example:

•   A hospital may use protected health information about an individual to provide health care to the individual and may consult with other health care providers about the individual’s treatment.

•   A health care provider may disclose protected health information about an individual as part of a claim for payment to a health plan.

•   A health plan may use protected health information to provide customer service to its enrollees.​​
   

• A covered entity may disclose protected health information for the treatment activities of any health care provider. For example:

•   A primary care provider may send a copy of an individual’s medical record to a specialist who needs the information to treat the individual.

•   A hospital may send a patient’s health care instructions to a nursing home to which the patient is transferred.

•   A covered entity may disclose protected health information to another covered entity or a health care provider for the payment activities of the entity that receives the information. For example:

•   A physician may send an individual’s health plan coverage information to a laboratory that needs the information to bill for services it provided to the physician with respect to the individual.

•   A hospital emergency department may give a patient’s payment information to an ambulance service provider that transported the patient to the hospital in order for the ambulance provider to bill for its treatment.​​
   

• A covered entity may disclose protected health information to another covered entity for certain health care operation activities of the entity that receives the information if:

•   Each entity either has or had a relationship with the individual who is the subject of the information, and the protected health information pertains to the relationship; and

•   The disclosure is for a quality-related health care operations activity. For example, a health care provider may disclose protected health information to a health plan for the plan’s Health Plan Employer Data and Information Set (HEDIS) purposes, provided that the health plan has or had a relationship with the individual who is the subject of the information.​​
   

• A covered entity that participates in an organized health care arrangement (OHCA) may disclose protected health information about an individual to another covered entity that participates in the OHCA for any joint health care operations of the OHCA. For example:

•   The physicians with staff privileges at a hospital may participate in the hospital’s training of medical students. Uses and Disclosures of Psychotherapy Notes. Except when psychotherapy notes are used by the originator to carry out treatment, or by the covered entity for certain other limited health care operations, uses and disclosures of psychotherapy notes for treatment, payment, and health care operations require the individual’s authorization.