HIPAA
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes national standards to protect individuals' medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. HIPAA also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
Congress enacted the Health Insurance Portability and Accountability Act to:
- Combat waste, fraud and abuse
- Improve portability of health insurance coverage
- Simplify health care administration
Who must comply with HIPAA?
All military and civilian health care plans, health care clearinghouses and health care providers who electronically conduct financial and administrative transactions must comply with HIPAA. TRICARE, military hospitals and clinics, providers, regional contractors, subcontractors and other business associate relationships fall within these categories. HIPAA's Privacy Rule and Security Rule relate specifically to the privacy and security of your protected health information (PHI).
How the Privacy Rule Protects You
The HIPAA Privacy Rule lets medical staff use and disclose your PHI for treatment, payment and health care operations without written authorization. Your permission is required for most other uses and disclosures.
Under the Privacy Rule, you have the right to:
- Receive a copy of the Military Health System Notice of Privacy Practices
- Request access to PHI
- Request amendment of PHI
- Request an accounting of PHI disclosures
- Request restriction on PHI use and disclosure
- File a complaint regarding privacy infractions.
Privacy Officers
Each military hospital and clinic has a privacy officer who ensures health care information remains private, but available to you and your provider. The privacy officer can answer any questions you may have about HIPAA rules. The Defense Health Agency (DHA) also has a privacy office you can contact for information or assistance. In addition, your regional contractor has valuable information about privacy on its website.
What if my privacy is violated?
If you think your privacy rights have been violated, you may submit a written complaint to your military hospital or clinic or DHA Privacy Officer. You may call the general information number at your local military hospital or clinic or visit its website.
Notice of Privacy Practices
When you receive treatment at a military hospital or clinic, you will be given a copy of the Notice of Privacy Practices. This document details how your medical information may be used and with whom it may be shared. If you see civilian TRICARE-authorized providers, they may have their own privacy practices guidelines that they will share with you at the time of your appointment. It's important that you carefully read any information about privacy practices.
Health Information Forms:
- DHA Form 107, “Request for Amendment of Health Information”. This form is used to provide a formal, written mechanism for patients to exercise their HIPAA-granted right to request corrections or updates to their protected health information (PHI) within the Defense Health Agency's (DHA) designated record set. This form allows individuals to request changes to medical records they believe are inaccurate, incomplete, or outdated. If a request is granted, the DHA will amend the record and inform the individual. If denied, the form helps initiate the process for including a statement of disagreement in the medical record.
- HIPAA Complaint Form. All HIPAA complaints must be received in writing. Filing a complaint with the Defense Health Agency (DHA) is voluntary; however, without the information requested, we may be unable to proceed with your complaint. We will use the information you provide to determine if we have jurisdiction and, if so, how we will process your complaint. Information submitted on this form is treated confidentially and is protected under the provisions of the Privacy Act of 1974. Names or other identifying information about individuals are disclosed when it is necessary for investigation of information outside the Military Health System/TRICARE for purposes associated with health information privacy compliance and as permitted by law. It is illegal for a covered entity to intimidate, threaten, coerce, discriminate, or retaliate against you for filing this complaint or for taking any other action to enforce your rights under the HIPAA Privacy Rule. Complete, sign, and date this form and submit to the Keller ACH HIPAA Privacy Officer.
- DHA Form 448, “Notice of Privacy Practices (NoPP) Acknowledgment”. This form is used by the Military Health System (MHS) to document that patients have received information regarding how their protected health information (PHI) is used, shared, and accessed under HIPAA and DOD regulations. It serves as patient acknowledgment of MHS privacy policies. You will be asked to sign this form upon registering for care at Keller ACH for the first time, acknowledging that you received a copy of the MHS Notice of Privacy Practices. If you choose not to sign this acknowledgement, Keller ACH will still provide your health care, and your rights described in this notice will not be affected.
- DD Form 2005, “Privacy Act Statement – Health Care Records”. Information may be collected from you to provide and document your medical care; determine your eligibility for benefits and entitlements; adjudicate claims; determine whether a third party is responsible for the cost of Military Health System (MHS) provided healthcare and recover that cost; evaluate your fitness for duty and medical concerns which may have resulted from an occupational or environmental hazard; evaluate the MHS and its programs; and perform administrative tasks related to MHS operations and personnel readiness.
- DD Form 2569, "Third Party Collection Program/Medical Services Account/Other Health Insurance". This form is used by the DoD to collect other health insurance (OHI) information from beneficiaries (excluding active duty) to bill private insurance for care received at Military Treatment Facilities. Non-active duty DoD beneficiaries, including retirees and family members, must complete it to document their OHI. Even if you do not have other insurance, you must still submit the form. This form is required annually or whenever your insurance information (e.g., policy names, numbers, and coverage types) changes.
- DD Form 2870, "Authorization for Disclosure of Medical or Dental Information". This form is used by Military Treatment Facilities and TRICARE to authorize the release of a beneficiary's protected health information (PHI) to a third party, such as insurance companies, schools, or personal representatives. It ensures compliance with the Privacy Act of 1974. The form is voluntary, but failure to sign it will prevent the release of information.
- “Authorization to Release Medical Records”. When a patient completes a DD Form 2870 for the purpose of a personal request for their medical treatment records, only the patient may receive copies of their PHI. This authorization is only intended to facilitate delivery of medical record information in the event that the patient who completed the DD Form 2870 is unable to do it themselves or in the event of an emergency only.