
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

The HIPAA Privacy Rule (Privacy Rule) sets forth standards for safeguarding the protected health information (PHI) of individuals who receive health care or health care coverage from entities subject to the Rule (covered entities). Significant changes to the HIPAA Privacy Rule were enacted under provisions of the American Recovery and Reinvestment Act (ARRA) of 2009. These provisions are known as the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The primary covered entities are health plans and those health care providers that conduct certain health care transactions electronically. The HIPAA Privacy Rule defines health plans to include the health care program for active military personnel under Title 10 of the U.S. Code. Military treatment facilities (MTFs) and the health care providers assigned to those MTFs are also covered entities within the Military Health System (MHS).

As a result of the HITECH Act, many aspects of the Privacy Rule apply not only to covered entities but also to business associates that use or disclose PHI under contractual arrangements with covered entities. Managed care support contractors (MCSCs) are business associates of the TRICARE health plan. Individual health care providers who are part of MCSC provider networks are HIPAA covered entities, but they are not part of the MHS.

The Privacy Rule defines when use and disclosure of PHI are permitted without a HIPAA-compliant patient authorization. Thus, the Privacy Rule protects PHI while simultaneously permitting the flow of information for purposes of medical care, insurance coverage, research and a variety of other activities.

For the MHS, one of the most important of these activities is determining the fitness of active duty service members for their military duties. Their PHI may be disclosable to military commanders for this purpose under the "Military Command Exception." See the link on the right side of this page for relevant DoD guidance.

The Privacy Rule also establishes a number of individual rights, including:

  • the right to access and amend PHI;
  • the right to receive an accounting of disclosures of PHI; and,
  • the right to receive notification upon the occurrence of certain privacy breaches.

Further, the Privacy Rule requires that individuals be notified of their rights with a formal disclosure called a "Notice of Privacy Practices (NoPP)." Within the MHS, the NoPP describes how specific information may be used or disclosed, with whom it may be shared, and the safeguards in place to protect it. The NoPP also informs the individual of the right to approve or refuse the release of specific information outside of the MHS except when the release is required or authorized by law or regulation.

The relationship between HIPAA and the Privacy Rule is sometimes misunderstood. HIPAA is a broad federal statute enacted in 1996 as Public Law (Pub. L.) 104-191. The Privacy Rule itself is a specific federal regulation authorized by HIPAA, promulgated by the U.S. Department of Health and Human Services (HHS), and codified at 45 CFR Parts 160 and 164. The Privacy Rule is implemented within the MHS by DoD 6025.18-R.

Have a question regarding the HIPAA Privacy Rule?

"On October 1, 2013, the Department of Defense established the Defense Health Agency (DHA) to manage the activities of the Military Health System. These activities include those previously managed by TRICARE Management Activity (TMA), which was disestablished on the same date. During the next several months, all TMA websites will change to reflect the new DHA. We appreciate your patience during this transition."
7700 Arlington Boulevard, Suite 5101, Falls Church, VA 22042-5101