Maintaining the security of protected health information (PHI) is a critical aspect in providing quality health care to TRICARE beneficiaries. It is essential that you and your staff understand the rules governing the release of PHI so that you can maintain its security and confi dentiality, and reduce the risk of unauthorized disclosure.
 
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) permits the release of PHI without patient authorization for purposes of treatment, payment and health care operations. However, the HIPAA Privacy Rule requires that providers make reasonable effort to disclose only the minimum amount of PHI that is necessary for these purposes.
 
PHI is any individually identifiable health information relating to a patient’s past, present or future physical or mental health and related health care services. PHI may include demographics, documentation of symptoms, examination and test results, diagnoses and treatments.
 
Written authorization is not needed to send copies of a patient’s medical records to a specialist or other health care provider who is treating him or her. Providers are allowed to disclose PHI to primary care managers and other health care providers for treatment purposes. PHI also may be disclosed without the patient’s authorization in a medical emergency to provide the necessary treatment.
 
Release of a minor’s PHI is dependent on state or other applicable laws. These laws may allow you to release PHI to a parent or guardian without the patient’s consent. When state law does not address this issue, you may use your professional discretion in the release of PHI. There are, however, some exceptions, such as releasing sensitive diagnoses and psychotherapy notes.
 
For more information about PHI and HIPAA, visit TRICARE's Web site.