Health Insurance Portability and Accountability Act of 1996

HIPAA Privacy Rule

The following is only a brief introduction to selected aspects of the HIPAA Privacy Rule. TRICARE health care providers should consult the more detailed guidance materials available on the Privacy Practices.

The HIPAA Privacy Rule generally requires individual health care providers, institutional providers such as Military Treatment Facilities (MTFs), their workforce members, and their contractors to use and disclose Protected Health Information (PHI) only as permitted or required by the HIPAA Privacy Rule. PHI is individually identifiable health information, which includes demographic and payment information created and obtained by providers who deliver health services to patients. Examples of PHI include medical-record data (documentation of symptoms, examination and test results, diagnoses, treatments, and plans for future care or treatment) and billing documents.

The HIPAA Privacy Rule permits providers to use and disclose PHI without a patient’s written authorization for purposes of treatment, payment, and health care operations. Health care operations include activities such as quality assessment, quality improvement, outcome evaluation, protocol and clinical guidelines development, training programs, credentialing, medical review, legal services, and insurance.

The HIPAA Privacy Rule also permits uses and disclosures of PHI without a patient’s authorization in various situations not involving treatment, payment, and health care operations. These situations include, for example, public health activities, health oversight activities, judicial and administrative proceedings, decedent situations, and research. In the Military Health System (MHS), one of the most important exceptions to the authorization requirement is the military command exception. This permits limited disclosures of PHI about Active Duty Service Members (ADSMs) to their military commanders to determine fitness for duty or certain other purposes. Similarly, PHI of service members separating from the armed forces may be disclosed to the U.S. Department of Veterans Affairs.

PHI may be used or disclosed for other purposes only with written authorization of the patient or the patient’s personal representative. The authorization form must satisfy specific requirements under the HIPAA Privacy Rule.

Patients must be given the opportunity to agree or object to disclosure of their PHI in facility directories and disclosures to persons involved in their care. Written authorizations are not required in these cases. Under the HIPAA Privacy Rule, beneficiaries have the right to:
  • Receive a copy of the Military Health System Notice of Privacy Practices.
  • Request access to PHI.
  • Request amendment of PHI.
  • Request an accounting of PHI disclosures.
  • Request restrictions on, or confidential communications of, PHI use and disclosure.
  • File a complaint regarding any privacy infractions.
Providers must also establish administrative, physical, and technical safeguards for PHI. Moreover, actual or possible unauthorized use or disclosure of PHI (a breach) may require notifying affected individuals and reporting to TMA and other government entities. For more information on responding to privacy breaches, visit the TMA web site.

Military Health System Notice of Privacy Practices and Other Information Sources

The Military Health System Notice of Privacy Practices informs beneficiaries about their rights regarding PHI and explains how PHI may be used or disclosed, who can access PHI, and how PHI is protected. The notice is published in 11 languages. Braille and audio versions are also available.

Visit the TRICARE web site to download copies of the Military Health System Notice of Privacy Practices.

Privacy officers are available for every MTF. They serve as beneficiary advocates for privacy issues and respond to beneficiary inquiries about PHI and privacy rights. For more information about privacy practices and other HIPAA requirements, visit the TRICARE web site. Beneficiaries and providers may also email inquiries to

Release of Medical Records and Other PHI

PHI may be released to the individual who is the subject of the PHI and, unless contraindicated, to that individual’s personal representative. Personal representatives include parents of unemancipated minors, guardians, and other persons who have legal authority to act on behalf of the individual with respect to health care decisions. Contraindications may include circumstances involving unemancipated minors and applicable state laws, and abuse, neglect, or endangerment situations. Additionally, special care should be taken when PHI includes unusually sensitive medical conditions, such as abortion, pregnancy, AIDS, sexually transmitted diseases, alcoholism or other substance abuse, and behavioral health conditions.

Humana Military representatives must comply with the Privacy Act of 1974 and HIPAA Privacy Rules when TRICARE beneficiaries call regarding claims and other patient benefit information. If a person requests information on behalf of a TRICARE beneficiary, Humana Military may not disclose information until the proper legal paperwork is received. Humana Military will not disclose information to a person who:
  • Calls on behalf of a spouse or adult child (as defined under applicable state law) who has not submitted an Authorization for Release of Information form
  • Is caring for a child whose deployed active duty sponsor has not submitted power of attorney documentation to allow disclosure of the child’s medical information
  • Is the spouse of a ADSM who has not provided a valid power of attorney or other appropriate documentation to allow disclosure of the ADSM’s medical information
  • Is not shown to be the parent or other personal representative of a minor child whose PHI would be disclosed
  • Is the spouse or family member of a deceased sponsor, but legal representative appointment documentation for the estate has not been submitted to Humana Military
    (If there is no legal representative for the estate, the individual seeking the PHI should furnish a written statement of his or her relationship to the deceased, and the provider should confer with legal counsel.)
To download the Authorization for Release of Information, go to the Beneficiary Forms page. For additional questions about the HIPAA Privacy Rule and TRICARE, visit the TMA Privacy Office information or the U.S. Department of Health and Human Services web site.

Back to Top

Created: February 22, 2012