TRICARE Provider News image

  Print
              
Safeguarding Patient Information  (Article 2)

Safeguarding protected health information (PHI) is an important part of providing quality care to TRICARE beneficiaries. Understanding the rules that govern the release of PHI is essential to maintaining the security and confidentiality of PHI and will reduce the risk of unauthorized disclosure. Providers are required to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which includes detailed instructions on the use and disclosure of PHI.
      

PHI is any individually identifiable health information (in any format) that relates to a patient’s past, present or future physical or mental health and related health care services. PHI also includes demographics, documentation of symptoms, examination and test results, diagnoses, treatments and payment information.
 

HIPAA permits the release of PHI without written authorization for purposes of treatment, claims payment and health care operations. However, the HIPAA Privacy Rule requires providers to limit the amount of information disclosed for claims payment and health care operations to the minimum necessary.
 

Release of Patient Information

Providers generally don’t need a patient’s written authorization to send a copy of the patient’s medical record to a specialist or other health care provider for treatment purposes. However, treatment information may not be disclosed in cases of substance abuse, behavioral health treatment or other specifically protected health conditions without the express written consent of the patient.
 
If an inquiry is made by a beneficiary (including a dependent child, regardless of age), the reply should be addressed to the beneficiary, not the beneficiary’s parent or guardian.
 
If a parent writes on behalf of a minor child (under age 18), or a guardian writes on behalf of a physically or mentally incompetent eneficiary, the reply should be addressed to the parent or guardian.
 
Depending on state laws, if a minor is not competent to make health care decisions, a provider may or may not release a minor’s information to parents or guardians without the minor’s consent.
 
If a patient is unconscious or incompetent, the provider may use his or her professional discretion regarding the release of information; or in the case of minors, the guardian or other person authorized to act on the patient’s behalf may give the consent.
 
Regarding responses to a parent of a minor or to the guardian of an incompetent beneficiary, the Privacy Act of 1974 precludes disclosure of sensitive information, which, if released, could have an adverse effect on the beneficiary. Providers must not release information to the parents or guardians of minors or incompetents, without express written consent from the patient, when the services have diagnostic codes related to the following: 
  • Abortion
  • AIDS
  • Alcoholism
  • Drug Abuse
  • Sexually transmitted diseases
For more information about PHI and HIPAA compliance, visit TMA Privacy.

  
Back to Top


Created: November 15, 2007