Notice of Privacy Practices
Military Health System
Effective Oct. 1, 2013
This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
This Notice of Privacy Practices is required by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. If you have any questions about this notice, please contact the HIPAA Privacy Officer at your military treatment facility (MTF) or, if necessary, the Defense Health Agency (DHA) Privacy and Civil Liberties Office (DHA Privacy Office). See “Contact Information” at the end of this notice.
MHS Practices Regarding Protected Health Information (PHI)
This notice describes MHS practices regarding your PHI. The terms “we” and “our” in this notice refer to the MHS. The MHS includes the following:
Our Duties to You Regarding Your PHI
The HIPAA Privacy Rule requires the MHS to:
Our Right to Revise This Notice. We may change this notice and our privacy practices at any time. Any revised notice will apply to the PHI we already have about you at the time of the change and any PHI we create or receive after the change takes effect. We will advise you of important changes and post the revision on our website.
How to Obtain a Copy of This Notice. This notice is available in paper copy at your MTF and is also available on our website. You can ask for a paper copy at your next appointment, or call and request that we mail a copy to you, even if you have previously agreed to receive this notice electronically.
How We May Use or Disclose Your PHI Without Your Authorization
Treatment. To provide, coordinate, or manage your health care. For example, we may disclose your PHI to another MTF, physician, or health care provider, such as a specialist, pharmacist, or laboratory, who, at the request of your provider, becomes involved with your health care.
Payment. To obtain payment for your health care services. This may include certain activities needed to approve or pay for your health care services, such as using or disclosing your PHI to obtain approval for a hospital stay.
Health Care Operations. To support the daily activities related to health care. These activities include, but are not limited to, quality assessment activities, patient safety, investigations, oversight of staff performance, practitioner training, licensing, communications about a product or service, and conducting or arranging for other health care related activities. We do not use or disclose any genetic information for underwriting purposes.
Business Associates. To certain companies (“business associates”) that provide various services to the MHS (for example, billing, transcription, software maintenance, legal services, and managed care support). The law requires that business associates protect your PHI and comply with the same HIPAA Privacy standards that we do.
Armed Forces PHI for Military Activity and National Security. To certain officials and for special government functions including:
Public Health. To public health authorities and parties regulated by them, as permitted by law. Examples of why they may need your PHI include prevention or control of disease, injury, or disability.
Reporting Victims of Abuse, Neglect, or Domestic Violence. To government authorities that have authority to receive such information, including a social service or protective service agency.
Communicable Diseases. To a person who might be at risk of contracting or spreading a communicable disease or condition.
Workers’ Compensation. To workers’ compensation programs.
Health Oversight. To a health oversight agency legally authorized for audits, investigations, and inspections. Such activities may include the health care system, government benefit programs, civil rights laws, and other government regulatory programs.
Required by Law. To government and other entities as required by federal or state law (including DoD and Military Department regulations). For example, we may be required to disclose your PHI to the Department of Health and Human Services (HHS) investigating HIPAA violations or to a DoD Inspector General conducting other investigations.
Legal Proceedings. To parties and entities in proceedings of courts and administrative agencies, including in response to a court order or subpoena.
Inmates. To a correctional facility with respect to inmates.
Coroners, Funeral Directors, and Organ Donations. To coroners, medical examiners, or funeral directors, and to determine the cause of death or for the performance of other duties. PHI also may be used and disclosed for cadaver organs, eyes, or tissue donations.
Law Enforcement. To law enforcement authorities. For example, to investigate a crime involving the MHS or its patients.
Research. To researchers. The MHS reviews research proposals and protocols to ensure the privacy of your PHI requested for such research activities.
Avert Threats. To prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
Disclosures by the Health Plan. To parties that need your PHI for health plan purposes such as enrollment, eligibility verification, coordination of coverage, or other benefit programs.
Minors and Other Represented Beneficiaries. To parents, guardians, and other personal representatives, generally consistent with the law of the state where treatment is provided.
How We May Use or Disclose Your PHI Unless You Object
MTF Directories. To individuals who ask for you by name at an MTF (disclosures are limited to your name, where you are receiving care, and your general condition). We may also tell members of the clergy your religious affiliation.
Individuals Involved in Your Health Care. To the following persons or entities:
Uses and Disclosures Requiring Your Authorization
Any use or disclosure of your PHI not described in this notice requires your written authorization. Some uses and disclosures, even if included in this notice, would not be permitted without your written authorization. These include the following three activities in which the MHS does not engage:
If you authorize us to share your PHI, you can revoke your authorization at any time by contacting your MTF HIPAA Privacy Officer, but your revocation will only apply to information not already disclosed.
Your Rights Regarding Your Health Information
You may exercise the following rights through a written request to your MTF Privacy Officer. If your request does not relate to an MTF, please go to the “Contact Us” page of the TRICARE website, which will provide additional information on submitting your written request. Depending on your request, you may also have rights under the Privacy Act of 1974.
Right to Inspect and Copy. As allowed by law, you may inspect and request a copy of your medical or billing records (including an electronic copy, if we maintain the records electronically). You have the right to have the information sent directly to a party you designate, such as your physician. In limited situations, we may deny your request or part of it, but if we do, we will tell you why in writing and explain your right to review, if any.
Right to Request Restrictions. You may ask us not to share any part of your PHI for treatment, payment, or health care operations. You may also request that we limit the information we share about you to someone who is involved in your care or the payment of your care. In your request, you must tell us what information you want restricted, and to whom you want the restriction to apply. Neither the MTF nor DHA is required to agree to your request. We will not deny a request to restrict disclosure of your PHI to a health plan (including a TRICARE health plan), where the PHI relates to the care which you paid for in full out of pocket. We will not use or disclose your PHI in violation of a restriction to which we agreed, unless your PHI is needed for emergency treatment. We permit you, the MTF, or DHA to end a previously agreed-upon restriction at any time by providing written notice.
Right to Request Confidential Communications. You may request that we communicate with you in a certain way or at a certain location (e.g., only at home or only by mail). We will accommodate reasonable requests.
Right to Request Amendment. You may request an amendment to your PHI if you believe there is an error. You must tell us what you would like corrected or added to your information and why. If we approve your request, we will make the correction or addition to your PHI. If we deny your request, we will tell you why and explain your right to file a written statement of disagreement.
Right to an Accounting of Disclosures. You may request that we provide you with an accounting of when your PHI was disclosed outside the MHS, but an accounting will not include certain disclosures (e.g., for treatment purposes). You are entitled to one disclosure accounting in a 12-month period at no charge. We may charge a fee for additional requested accountings. Your request must state the time period for which you want to receive the accounting, which may be up to six years before the date of your request.
If you believe that an MTF or other MHS component has violated the HIPAA Privacy Rule, you may file a written complaint with your MTF HIPAA Privacy Officer, the DHA Privacy and Civil Liberties Office, or HHS. We will not take any action against you for filing a complaint.
You may contact your MTF HIPAA Privacy Officer at the address and phone number provided in the online MTF Locator or the DHA Privacy and Civil Liberties Office for further information about the complaint process, or for further explanation of this notice. The DHA Privacy and Civil Liberties Office may be contacted via telephone at (703) 681-7500 or:
DHA Privacy and Civil Liberties Office
7700 Arlington Boulevard, Suite 5101
Falls Church, VA 22042