The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule
The HIPAA Privacy Rule (Privacy Rule) sets forth standards for safeguarding the protected health information (PHI) of individuals who receive health care or
health care coverage from entities subject to the Rule (covered entities). Significant changes to the HIPAA Privacy Rule were enacted under provisions of the
American Recovery and Reinvestment Act (ARRA) of 2009. These provisions are known as the Health Information Technology for Economic and
Clinical Health (HITECH) Act.
The primary covered entities are health plans and those health care providers that conduct certain health care transactions electronically. The HIPAA Privacy Rule defines health plans to include the health care program for active military personnel under Title 10 of the U.S. Code. Military treatment facilities (MTFs) and the healthcare providers assigned to those MTFs are also covered entities within the Military Health System (MHS).
As a result of the HITECH Act, many aspects of the Privacy Rule apply not only to covered entities but also to business associates that use or disclose PHI under contractual arrangements with covered entities. Managed care support contractors (MCSCs) are business associates of the TRICARE health plan. Individual health care providers who are part of MCSC provider networks are HIPAA covered entities, but they are not part of the MHS.
The Privacy Rule defines when use and disclosure of PHI is permitted without a HIPAA-compliant patient authorization. Thus, the Privacy Rule protects PHI while simultaneously permitting the flow of information for purposes of medical care, insurance coverage, research and a variety of other activities.
For the MHS, one of the most important of these activities is determining the fitness of active duty service members for their military duties. Their PHI may be disclosable to military commanders for this purpose under the "Military Command Exception," which is addressed in DoD guidance.
The Privacy Rule also establishes a number of individual rights, including:
- the right to access and amend PHI;
- the right to receive an accounting of disclosures of PHI; and,
- the right to receive notification upon the occurrence of certain privacy breaches.
Further, the Privacy Rule requires that individuals be notified of their rights through a formal disclosure called a "Notice of Privacy Practices (NoPP)." Within the MHS, the NoPP describes how information may be used or disclosed, with whom it may be shared, and the safeguards in place to protect it. The NoPP also informs the individual of the right to approve or refuse the release of specific information outside of the MHS, except when the release is required or authorized by law or regulation.
The relationship between HIPAA and the Privacy Rule is sometimes misunderstood. HIPAA is a broad federal statute enacted in 1996 as a Public Law (Pub. L. 104-191). The Privacy Rule itself is a specific federal regulation authorized by HIPAA, promulgated by the U.S. Department of Health and Human Services (HHS), and codified at 45 CFR Parts 160 and 164. The Privacy Rule is implemented within the MHS by DoD 6025.18-R.