Provider Handbook - HIPAA Privacy Rule

Home » Provider » Tools & Resources » Handbook and Materials » Handbook Table of Contents » Provider Information » HIPAA Privacy Rule

Provider Information Policy Resources SSN Reduction Plan HIPAA Overview HIPAA Privacy HIPAA Rules Signature on File Requirements TRICARE Provider Types Certification & Credentialing Provider Responsibilities PCM Role Specialty Care Balance Billing Non-Covered Services Updating Provider Information Beneficiary Expectations

Adjust Text Size:

HIPAA Privacy Rule

The following is only a brief introduction to selected aspects of the HIPAA Privacy Rule. TRICARE health care providers should consult the more detailed guidance materials available on the TMA Privacy Office web site.

The HIPAA Privacy Rule generally requires individual health care providers, institutional providers such as MTFs, their workforce members, and their contractors to use and disclose protected health information (PHI) only as permitted or required by the HIPAA Privacy Rule. PHI is individually identifiable health information, which includes demographic and payment information created and obtained by providers who deliver health services to patients. Examples of PHI include medical-record data (documentation of symptoms, examination and test results, diagnoses, treatments, and plans for future care or treatment) and billing documents.

The HIPAA Privacy Rule permits providers to use and disclose PHI without a patient’s written authorization for purposes of treatment, payment, and health care operations. Health care operations include activities such as quality assessment, quality improvement, outcome evaluation, protocol and clinical guidelines development, training programs, credentialing, medical review, legal services, and insurance.

The HIPAA Privacy Rule also permits uses and disclosures of PHI without a patient’s authorization in various situations not involving treatment, payment, and health care operations. These situations include, for example, public health activities, health oversight activities, judicial and administrative proceedings, decedent situations, and research. In the MHS, one of the most important exceptions to the authorization requirement is the military command exception. This permits limited disclosures of PHI about active duty service members to their military commanders to determine fitness for duty or certain other purposes. Similarly, PHI of service members separating from the armed forces may be disclosed to the U.S. Department of Veterans Affairs.

PHI may be used or disclosed for other purposes only with written authorization of the patient or the patient’s personal representative. The authorization form must satisfy specific requirements under the HIPAA Privacy Rule.

Patients must be given the opportunity to agree or object to disclosure of their PHI in facility directories and disclosures to persons involved in their care. Written authorizations are not required in these cases.

Under the HIPAA Privacy Rule, beneficiaries have the right to:

Receive a copy of the Military Health System Notice of Privacy Practices
Request access to PHI
Request amendment of PHI
Request an accounting of PHI disclosures
Request restrictions on, or confidential communications of, PHI use and disclosure
File a complaint regarding any privacy infractions

Providers must also establish administrative, physical, and technical safeguards for PHI. Moreover, actual or possible unauthorized use or disclosure of PHI (a breach) may require notifying affected individuals and reporting to TMA and other government entities. For more information on responding to privacy breaches, visit the TMA Privacy Office's Breach Response web page.

Military Health System Notice of Privacy Practices and Other Information Sources

The Military Health System Notice of Privacy Practices informs beneficiaries about their rights regarding PHI and explains how PHI may be used or disclosed, who can access PHI, and how PHI is protected. The notice is published in 11 languages. Braille and audio versions are also available. Visit TMA Privacy Office's Notice of Privacy Practices web page to download copies of the Military Health System Notice of Privacy Practices for you and your staff.

Privacy officers are available for every MTF. They serve as beneficiary advocates for privacy issues and respond to beneficiary inquiries about PHI and privacy rights. More information about privacy practices and other HIPAA requirements is available at TMA's HIPAA General Information web page. Beneficiaries and providers may also e-mail inquiries to privacymail@tma.osd.mil.

Release of Medical records and Other PHI

PHI may be released to the individual who is the subject of the PHI and, unless contraindicated, to that individual’s personal representative. Personal representatives include parents of unemancipated minors, guardians, and other persons who have legal authority to act on behalf of the individual with respect to health care decisions. Contraindications may include circumstances involving unemancipated minors and applicable state laws, and abuse, neglect, or endangerment situations. Additionally, special care should be taken when PHI includes unusually sensitive medical conditions, such as abortion, pregnancy, AIDS, sexually transmitted diseases, alcoholism or other substance abuse, and mental health conditions.

Humana Military representatives must comply with the Privacy Act of 1974 and HIPAA Privacy Rules when TRICARE beneficiaries call regarding claims and other patient benefit information. If a person requests information on behalf of a TRICARE beneficiary, Humana Military may not disclose information until the proper legal paperwork is received. Humana Military will not disclose information to a person who:

Calls on behalf of a spouse or adult child (as defined under applicable state law) who has not submitted an Authorization for Release of Information form
Is caring for a child whose deployed active duty sponsor has not submitted power of attorney documentation to allow disclosure of the child’s medical information
Is the spouse of a deployed active duty service member (ADSM) who has not provided a valid power of attorney or other appropriate documentation to allow disclosure of the ADSM’s medical information
Is not shown to be the parent or other personal representative of a minor child whose PHI would be disclosed
Is the spouse or family member of a deceased sponsor, but legal representative appointment documentation for the estate has not been submitted to Humana Military (If there is no legal representative for the estate, the individual seeking the PHI should furnish a written statement of his or her relationship to the deceased and the provider should confer with legal counsel.)

Visit the TRICARE Forms page to download the Authorization for Release of Information form. If you have additional questions about the HIPAA Privacy Rule and TRICARE, visit the TMA Privacy Office web site or the HHS Health Information Privacy web portal.

Last Update: January 15, 2011