Frequently Asked Questions

What is the Health Information Technology for Economic and Clinical Health (HITECH) Act?
The American Recovery and Reinvestment Act of 2009 (ARRA), also known as the "Stimulus Bill," was enacted on February 17, 2009. ARRA contains extensive provisions seeking to improve the current U.S. health care information technology infrastructure, promote electronic data exchange and encourage greater use of electronic health records (EHRs). Collectively referred to as the "Health Information Technology for Economic and Clinical Health Act" or the "HITECH Act," these provisions also include important changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The Department of Health and Human Services (HHS) is in the process of issuing regulations and other guidance, which will continue for several years. The TRICARE Management Activity (TMA) Privacy and Civil Liberties Office (Privacy Office) is monitoring the HHS regulations and guidance and related Department of Defense (DoD) policy. As necessary, the Privacy Office will update existing policies and communicate with the Military Health System (MHS) to ensure compliance with applicable HITECH and DoD requirements. See the Privacy Office Information Paper on the American Recovery and Reinvestment Act for additional background information.

[Top]

[Top]

When did the Health Information Technology for Economic and Clinical Health (HITECH) Act provisions go into effect?
The general effective date for these changes was February 17, 2010. However, different effective date rules apply for some changes. For example, the breach notification changes took effect September 23, 2009, based on the Department of Health and Human Services (HHS) Breach Rule released under HITECH in August 2009. Please refer to the TRICARE Management Activity (TMA) Privacy and Civil Liberties Office Information Paper on the American Recovery and Reinvestment Act for a timeline of effective dates and regulatory guidance.

[Top]

Who should I contact if an event occurs that may involve improper use or disclosure of protected health information (PHI)?
You should immediately contact the Privacy Officer for your Department of Defense (DoD) Component. The DoD Component Privacy Officer should follow existing DoD breach response procedures, which include reporting the breach to the TRICARE Management Activity (TMA) Privacy and Civil Liberties Office (Privacy Office) within 24 hours of discovery. The Privacy Office will determine whether the Department of Health and Human Services (HHS) Breach Rule applies; if it does, the Privacy Office will submit required reporting to HHS and advise the DoD component on complying with individual notification requirements.

[Top]

Who can answer further questions about the Health Information Technology for Economic and Clinical Health (HITECH) Act and its impact on the Military Health System (MHS)?
All inquiries regarding the HITECH Act and its impact on privacy requirements within the MHS should be directed to the TRICARE Management Activity (TMA) Privacy and Civil Liberties Office via e-mail at PrivacyOfficerMail@tma.osd.mil.

[Top]

Regardless of whether HITECH requirements apply to an incident involving improper use or disclosure of personally identifiable information (PII), including but not limited to PHI, Department of Defense (DoD) components should continue to follow existing DoD breach notification requirements as outlined in DoD 5400.11-R, "Department of Defense Privacy Program" and June 5, 2009 OSD Memorandum, "Safeguarding Against and Responding to the Breach of Personally Identifiable Information."
Actual or possible breaches of PII that occur within the Military Health System (MHS) must continue to be reported to the TRICARE Management Activity (TMA) Privacy and Civil Liberties Office (Privacy Office) within 24 hours of discovery in accordance with the DoD 5400.11-R and the September 24, 2007, Assistant Secretary of Defense (Health Affairs) Memorandum, "Breach Notification Reporting for the Military Health System." It is important that this initial report be made within the 24 hour period after discovery, in order that subsequent notification and reporting may be completed in a timely manner. The Privacy Office will determine if the incident qualifies as a breach under the new HITECH provisions. If so, the Privacy Office will advise the DoD Component on notifying affected individuals in accordance with the new HITECH requirements. In addition, the Privacy Office will report the incident directly to the Department of Health and Human Services (HHS).

[Top]

The HITECH Act amends the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to establish new requirements for notification of affected individuals and reporting to HHS when a "breach" of "unsecured protected health information (PHI)" occurs as defined by HHS (a "HIPAA breach").
HHS provided guidance on these new requirements in August 2009, when it issued an Interim Final Rule on Breach Notification for Unsecured Protected Health Information ("HHS Breach Rule"). Limited changes to this Rule may occur when the Interim Final Rule is made final. At that time, further information will be provided at http://www.tricare.mil/tma/privacy/breach.aspx. In addition, the TRICARE Management Activity (TMA) Privacy and Civil Liberties Office (Privacy Office) will issue an information paper on the HHS Breach Rule to provide general background information. Future amendments to DoD 6025.18-R, the DoD Health Information Privacy Rule, will take into account the HHS Breach Rule.

In all cases of a breach of personally identifiable information (PII), including PHI, existing DoD breach notification rules continue to apply, and the Privacy Office shall continue to receive reports of all such incidents.

[Top]

HITECH requires that Health Insurance Portability and Accountability Act (HIPAA)-covered entities notify individuals "without unreasonable delay" after a possible breach of unsecured PHI has been discovered. A breach is treated as discovered on the first day the breach is known or should have been known to any person who is a workforce member or agent of the covered entity (other than the person committing the breach). In contrast, DoD currently requires notification to occur within 10 days. The 10 day period begins after the DoD Component is able to identify the individuals affected by the breach. When there is insufficient contact information for individual written notice, special rules for substitute notice apply. In all cases, individual notification or substitute notice must be issued no later than 60 calendar days from the time a breach is discovered. The 60-day period is an outer limit; in most cases, the "without unreasonable delay" standard will require notifying affected individuals shortly after the breach is discovered.

Notice to the media is required when a breach affects more than 500 residents of a state or jurisdiction. The TRICARE Management Activity (TMA) Privacy and Civil Liberties Office (Privacy Office) will work with the DoD Component to provide the required notices in compliance with both DoD guidance and the HHS Breach Rule (if it applies). If a law enforcement official requests delay of notification, the Privacy Office should be informed immediately.

[Top]

What notification requirements apply to contractors/business associates?
The Department of Health and Human Services (HHS) Breach Rule applies not only to Health Insurance Portability and Accountability Act (HIPAA) covered entities but also to their contractors/business associates. Under the HHS Breach Rule, a business associate must notify the covered entity with which it has a contractual relationship if any employee or agent becomes aware of a breach. Business associates shall continue to follow existing contract reporting requirements and shall ensure that both the Department of Defense (DoD) Component and TRICARE Management Activity (TMA) Privacy and Civil Liberties Office are promptly informed of the occurrence of a breach.

[Top]

Who can answer further questions about current breach notification requirements?
All questions regarding breach notification and response requirements should be sent to the TRICARE Management Activity (TMA) Privacy and Civil Liberties Office via e-mail at PrivacyOfficerMail@tma.osd.mil.

[Top]

Breach Response

What exactly is a "data breach?"
DoD 5400.11-R, Department of Defense Privacy Program, May 14, 2007, defines "lost, stolen or compromised information," otherwise termed a breach, as "actual or possible loss of control, unauthorized disclosure, or unauthorized access of personal information where persons other than authorized users gain access or potential access to such information for an other than authorized purposes where one or more individuals will be adversely affected." Special rules apply if a breach involves "Unsecured Protected Health Information." For more information, see the HITECH FAQs section.

[Top]

How do I report a data breach?
Please report the breach of personally identifiable and/or protected health information (PII/PHI) belonging to the Military Health System (MHS) to PrivacyOfficerMail@tma.osd.mil.

In addition to the TRICARE Management Activity (TMA) Privacy and Civil Liberties Office, additional reporting is required. For detailed information on which government agencies require notification, what/how to report, critical timetables, etc., please reference the Guidelines for Reporting Breaches, which outlines Department of Defense (DoD) reporting and notification requirements for breaches.

[Top]

Am I required to notify individuals affected by a breach within a certain time period?
Yes, all affected individuals must be notified within ten working days from the time the identities of the affected individuals have been determined. If only some affected individuals are identified initially, notifications should be given to those individuals, with follow-up notifications given to those subsequently identified.

[Top]

What if I am unable to definitively confirm the identities of the affected individuals?
According to the DoD 5400.11-R (C1.5.1.2.3.), "the Component shall provide a generalized notice to the potentially affected population by whatever means the Component believes is most likely to reach the affected individuals."

[Top]

Do I have to provide notification to individuals even if there is little or no risk involved?
Though all incidents must be reported to the appropriate government entities, the Office of Management and Budget (OMB) states that "agencies should bear in mind that notification of a breach when there is little or no risk of harm might create unnecessary concern and confusion." The decision to notify should be made once the level of risk involved has been assessed. As stated by OMB, "In general, the risk of harm to the individual is higher the greater the sensitivity of the data involved. For example, a name associated with a Social Security number poses a higher risk and potential harm to the individual than a name associated with a subscription list."

Additional details to assist in this decision are provided by the June 5, 2009 Office of the Secretary of Defense Memorandum, Safeguarding Against and Responding to the Breach of Personally Identifiable Information.

[Top]

When preparing the notification to the affected individuals, what information should I provide?
According to the DoD 5400.11-R (C1.5.1.5), the following information shall be included in the notification:

The data elements that have been potentially compromised.
The facts and circumstances surrounding the breach.
A description of the protective actions being taken, or steps the individual can take, to mitigate potential future harm.

[Top]

Is it ever appropriate to delay notification of the affected individuals?
This decision should be made by the Agency Head or a designated individual in a senior-level position. According to the OMB, a delay may be required "if it would seriously impede the investigation of the breach or the affected individuals." However, any delay should not exacerbate risk or harm to any affected individual(s).

[Top]

By what means should the affected individuals be notified?
This is dependent upon the number of affected individuals and what contact information is available for those individuals. According to the OMB, some types of notices which may be considered are:

Telephone
First Class Mail
E-Mail
Existing Government Wide Services (i.e., 1-800-FedInfo and www.USA.gov)
Newspapers or other Public Media Outlets

[Top]

What if only limited information regarding the breach is available?
OMB states that "Although only limited information about the breach may be available, US CERT must be advised so it can assist in coordinating communications with other agencies. Updates should be provided as further information is obtained."

[Top]

Regardless of whether HITECH requirements apply to an incident involving improper use or disclosure of personally identifiable information (PII), including but not limited to PHI, Department of Defense (DoD) components should continue to follow existing DoD breach notification requirements as outlined in DoD 5400.11-R, "Department of Defense Privacy Program" and June 5, 2009 OSD Memorandum, "Safeguarding Against and Responding to the Breach of Personally Identifiable Information."
Actual or possible breaches of PII that occur within the Military Health System (MHS) must continue to be reported to the TRICARE Management Activity (TMA) Privacy and Civil Liberties Office (Privacy Office) within 24 hours of discovery in accordance with the DoD 5400.11-R and the September 24, 2007, Assistant Secretary of Defense (Health Affairs) Memorandum, "Breach Notification Reporting for the Military Health System." It is important that this initial report be made within the 24 hour period after discovery, in order that subsequent notification and reporting may be completed in a timely manner. The Privacy Office will determine if the incident qualifies as a breach under the new HITECH provisions. If so, the Privacy Office will advise the DoD Component on notifying affected individuals in accordance with the new HITECH requirements. In addition, the Privacy Office will report the incident directly to the Department of Health and Human Services (HHS).

[Top]

The HITECH Act amends the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to establish new requirements for notification of affected individuals and reporting to HHS when a "breach" of "unsecured protected health information (PHI)" occurs as defined by HHS (a "HIPAA breach").
HHS provided guidance on these new requirements in August 2009, when it issued an Interim Final Rule on Breach Notification for Unsecured Protected Health Information ("HHS Breach Rule"). Limited changes to this Rule may occur when the Interim Final Rule is made final. At that time, further information will be provided at http://www.tricare.mil/tma/privacy/breach.aspx. In addition, the TRICARE Management Activity (TMA) Privacy and Civil Liberties Office will issue an information paper on the HHS Breach Rule to provide general background information. Future amendments to DoD 6025.18-R, the DoD Health Information Privacy Rule, will take into account the HHS Breach Rule.

In all cases of a breach of personally identifiable information (PII), including PHI, existing DoD breach notification rules continue to apply, and the TMA Privacy Office shall continue to receive reports of all such incidents.

[Top]

What breach reporting and notification requirements are imposed by the Health Information Technology for Economic and Clinical Health (HITECH) Act?
In the case of a "breach" of "unsecured protected health information (PHI)" as defined by the Department of Health and Human Services (HHS) Breach Rule, the following requirements apply together with current Department of Defense (DoD) requirements under DoD 5400.11-R, C1.5.

HITECH requires that Health Insurance Portability and Accountability Act (HIPAA)-covered entities notify individuals "without unreasonable delay" after a possible breach of unsecured PHI has been discovered. A breach is treated as discovered on the first day the breach is known or should have been known to any person who is a workforce member or agent of the covered entity (other than the person committing the breach). In contrast, DoD currently requires notification to occur within 10 days. The 10 day period begins after the DoD Component is able to identify the individuals affected by the breach. When there is insufficient contact information for individual written notice, special rules for substitute notice apply. In all cases, individual notification or substitute notice must be issued no later than 60 calendar days from the time a breach is discovered. The 60-day period is an outer limit; in most cases, the "without unreasonable delay" standard will require notifying affected individuals shortly after the breach is discovered.

Notice to the media is required when a breach affects more than 500 residents of a state or jurisdiction. The TRICARE Management Activity (TMA) Privacy Office will work with the DoD Component to provide the required notices in compliance with both DoD guidance and the HHS Breach Rule (if it applies). If a law enforcement official requests delay of notification, the TMA Privacy Office should be informed immediately.

[Top]

What notification requirements apply to contractors/business associates?
The Department of Health and Human Services (HHS) Breach Rule applies not only to Health Insurance Portability and Accountability Act (HIPAA) covered entities but also to their contractors/business associates. Under the HHS Breach Rule, a business associate must notify the covered entity with which it has a contractual relationship if any employee or agent becomes aware of a breach. Business associates shall continue to follow existing contract reporting requirements and shall ensure that both the Department of Defense (DoD) Component and TRICARE Management Activity (TMA) Privacy Office are promptly informed of the occurrence of a breach.

[Top]

Who can answer further questions about current breach notification requirements?
All questions regarding breach notification and response requirements should be sent to the TRICARE Management Activity (TMA) Privacy Office via e-mail at PrivacyOfficerMail@tma.osd.mil.

[Top]

Civil Liberties

How does Civil Liberties differ from Civil Rights?
Civil liberties offer protection to individuals from improper government action and arbitrary governmental interference. They are the freedoms guaranteed by the Bill of Rights, the first 10 Amendments to the United States Constitution-such as freedom of speech, press, or religion and due process of law. The 9/11 Commission Report, formally named the Final Report of the National Commission on Terrorist Attacks Upon the United States, referred to civil liberties as “precious liberties that are vital to our way of life.” The 9/11 Commission, and subsequent legislation identified the protection of civil liberties as a key federal priority.

[Top]

What are the Federal Requirements?
Implementing Recommendations of the 9/11 Commission Act of 2007 (“9/11 Commission Act”), Public Law 110-53 implemented many of the recommendations of the 9/11 Commission, including the reconstitution of the Privacy and Civil Liberties Oversight Board, as well as instructing certain federal agencies to create civil liberties programs.

Federal Agency Data Mining Reporting Act of 2007 - Section 804 of the 9/11 Commission Act requires all federal agencies to submit reports to Congress regarding their programs, both operational and in development, that involve data mining as defined by the Act.

Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA), Congress established the need to protect privacy and civil liberties as a core tenet of the Information Sharing Environment (ISE).

ISE Privacy and Civil Liberties Guidelines, The President approved for issuance and implementation of the ISE Privacy and Civil Liberties Guidelines (in accordance with IRTPA §1016 (d), and in furtherance of Executive Order 13388).

[Top]

HIPAA Privacy

I am a member of the Armed Forces. How can my protected health information (PHI) be used and disclosed?
Generally, information pertaining to the use and disclosure of PHI of individuals who are Armed Forces personnel from a covered entity to an appropriate military command authority can be found in the DoD Health Information Privacy Regulation, DoD 6025.18-R (C7.11).

An appropriate military command authority includes all commanders who exercise authority over an individual who is a member of the Armed Forces, or other person designated by such a commander to receive PHI in order to carry out an activity under the authority of the Commander (C7.11.1.2.1.). The purposes for which PHI of an individual who is a member of the Armed Forces may be used or disclosed are also explained (C7.11.1.3). Included in these purposes are: determining the member's fitness for duty, determining the member's fitness to perform any particular mission, assignment, order, or duty, and to carry out any other activity necessary to the proper execution of the mission of the Armed Forces.

[Top]

When may an individual's medical records be disclosed in whole or part?
In general, a provider may disclose an individual's entire medical record to another provider when needed by the other provider for care, treatment or other military treatment facility (MTF) operational purposes. Under DoD 6025.18-R (C6.2) a provider may disclose information from the individual's medical record to a family member, close personal friend or other person designated by the individual, but they should only receive information directly relevant to their direct involvement with the subject individual's care (or payment for care). While it may be permissible to disclose PHI under certain circumstances and specific exceptions, an individual's entire medical record may not be released to a family member without a specific HIPAA-compliant authorization.

For example, where a sponsor and spouse are divorcing, the sponsor may not obtain the spouse's medical records for use in the legal proceedings without the spouse's written authorization or a HIPAA-compliant subpoena.

[Top]

Can I determine who has had access to my medical records?
The Department of Defense (DoD) Health Information Privacy Regulation DoD 6025.18-R (C13.1.1) provides that an individual has a right to receive an accounting of disclosures of protected health information (PHI) made by a covered entity in the six years prior to the date that the accounting is requested. There are exceptions to this rule (referred to at C13.1.1.1 - C13.1.1.9) and include those disclosures made to carry out treatment, payment and health care operations (C4), to individuals of PHI about them, for the facility's directory or to persons involved in the individual's care or other notification purposes (C6), and to correctional institutions or law enforcement officials (C7.11.6).

[Top]

What is the difference between acknowledging the Notice of Privacy Practices (NoPP) and authorizing the use or release of Protected Health Information (PHI)?
Under DoD 6025.18-R (C9) by providing a signed acknowledgement of receipt of the NoPP, beneficiaries verify only that a copy of the NoPP has been received, whereas signing a HIPAA-compliant authorization gives the TRICARE provider permission to use and/or disclose a beneficiary's PHI as described in the authorization.

[Top]

What is the difference between a "use" of Protected Health Information (PHI) and a "disclosure" of PHI?
Under DoD 6025.18-R (DL1.1.38), "use" means the sharing, utilization, analysis, etc., of information within the entity maintaining the PHI. Conversely, under DoD 6025.18-R, (DL1.1.8), "disclosure" means the release, transfer, access to or other divulging of PHI outside the entity maintaining the PHI.

[Top]

Does the authorization requirement limit health care providers from talking to other health care providers about a beneficiary's condition?
No. Under DoD 6025.18-R (C4), military treatment facilities (MTFs) may use and disclose Protected Health Information (PHI) for treatment, payment and health care operation purposes without beneficiary authorization. Consultation and referrals among health care providers fall within the definition of "treatment." Therefore, the providers with whom the beneficiary has consulted may discuss the care of that beneficiary.

[Top]

May an individual request a military treatment facility (MTF) or TRICARE Management Activity (TMA) to not disclose protected health information (PHI) where the HIPAA Privacy Rule would permit disclosure? If so, once a request for non-disclosure is made to the covered entity, is it effective immediately?
Under DoD 6025.18-R (C10.1) an individual may request restrictions on certain disclosures, but neither the MTF nor TMA is required to agree. A signed agreement between a patient and an MTF, or a patient and TMA, must include an effective date that TRICARE can reasonably accommodate. This date may or may not be immediate.

[Top]

When a Military Health System (MHS) Primary Care Manager refers beneficiaries to network providers or specialists, which Notice of Privacy Practices will cover the beneficiaries' wishes to gain access to, get a copy of, and amend/correct their medical records?
When a patient is seen in a military treatment facility (MTF), the MHS Notice of Privacy Practices covers the information created during the visit. However, when a network provider sees a patient, the patient will be presented with that network provider's Notice of Privacy Practices. A patient's request to gain access to, get a copy of, and amend/correct a record must be directed to the creator of the information. Therefore, if the network provider or specialist creates the information, any request to modify the information must comply with that network provider's Notice of Privacy Practices.

[Top]

MHS Learn/PHIMT

What is MHS Learn and how can I get help with it?
MHS Learn is a centralized, Web-based platform that provides the military medical workforce and the beneficiary population with a single source for managing, delivering and tracking learning. MHS Learn is an enterprise solution utilized by the Military Health System to offer various training courses, including mandatory HIPAA and Privacy Act training. All requests for assistance with MHS Learn should be directed to the MHS Help Desk:

PHONE: (800) 600-9332
E-MAIL: mhssc@timpo.osd.mil

[Top]

As a PHIMT user, may I revoke an Authorization?
Yes. You may revoke an Authorization by requesting it in writing.

[Top]

As a first time PHIMT user, what must my password contain?
The password must contain at least two: English uppercase and lowercase letter, Arabic numeral (0,1,2,…..9), non-alphanumeric special characters (!,@,#,&) and should be 9 to 15 characters long. [Top]

I am a PHIMT user and I forgot my user ID and password.
Contact the User Admin for your organization.

[Top]

I am the PHIMT User Admin and I forgot my password, who should I contact?
Since the User Admin is the one responsible for resetting the passwords at their facilities, if they forget their password, they must contact the PHIMT helpdesk: Dhss-eids@mhs-helpdesk.com

[Top]

I am a PHIMT admin user. What should be done if an individual separates from the service?
A separation from a Service would indicate that the individual should no longer need access to PHIMT. Select the Admin tab. Select the User Search Hyperlink. Type the name of the user you are searching for and select Search. Select the small circle radio button for the user you are searching for and choose the Select button. Place a check in the User Disabled box and select Update.

[Top]

I'm a PHIMT User Admin. How do I add users? How do I assign roles?
To add users, you must log into the PHIMT as a User Admin. Your User Admin account will be established in advance by the Tool Admin and you will be provided with your login information. Once you have logged in, verify that your name and organization display in the Current User field. Click on the Admin tab. Select the Add User hyperlink located on the left side of the screen. The User Profile screen will display. Enter data in the Name, Phone Number, User ID, E-mail address, New Password, and Confirm New Password fields as necessary. Please note that the Name, User ID, New Password, and Confirm New Password fields are required. Scroll down to the bottom of the screen. Select an Organization from the Organization dropdown menu and then assign the User Role by selecting the appropriate checkbox. Select the Save button. To determine the appropriate User Role and Organization access, please consult with the Facilities Privacy Officers. Once the account has been created and the Organization and User Role has been assigned, the User needs to be contacted with their login information (User ID and Password). Follow your Facilities procedures for disseminating the account information.

[Top]

I'm a PHIMT User Admin. What steps are needed to create a User-to-User Relationship?
Once a user has been added and their organization and user role is established, the User Admin can establish the workflow for their disclosures. This is done by creating User-to-User Relationships as directed by the Privacy Officers. Scroll to the bottom of the User Profile screen and select the New button in the User-to-User Relationships section. Enter the name of the user that you want to establish a relationship with and press the Search button. Select the small circle radio button for the user and choose the Select button. If the search returns no matches then there are three possible reasons: The User does not exist. You must then add the user and create their profile before you can establish them as part of a workflow. Recheck your search criteria. The User may not exist within the Organization. Ensure that the User has a profile that exists within the Organization. Select a Relationship Start Date and enter a Relationship End Date if one is known. Otherwise leave the Relationship End Date blank. Select the Save button. The User Profile screen with the updated user-to-user data will display.

[Top]

I'm a PHIMT User Admin. How do I edit a User Profile?
The User Admin has the ability to edit User Profiles for individuals within their Organization. Changes can be made to any of the fields in the User Profile screen with the exception of the System ID. The System ID is a computer-generated number, which cannot be changed. If the individual's name were to change then please contact the PHIMT help desk (dhss-eids@mhs-helpdesk.com). Select the User Search hyperlink located on the left side of the screen. Type the last name of the user you are searching for and select the Search button. Select the small circle radio button under the search results for the user you are searching for and choose the Select button. Changes can be made to any of the fields in the User Profile screen, except the System ID. The System ID is a computer-generated number, which cannot be changed. You can change or create a new Organization and User Role by selecting an Organization from the dropdown menu in the User Roles section. A User can have multiple roles in multiple organizations. Select the Organization and select the appropriate User Role checkbox. If the new role and organization should be the primary then choose the small circle radio button. Once the chosen options are displayed, remove the role for the old Organization and select the Update button. The updated User Profile screen with the old organizations no longer visible will display.

[Top]

I'm a PHIMT User Admin. How do I Add an Organization?
From the Admin tab the User Admin can add a new organization, including their address, phone number, contact persons, and child organizations. Select the Admin tab. Select the Organization Management hyperlink. Select the Requester/Recipient Organizations hyperlink and select the New button. Enter a Name and Type for the new organization. Selections will default to Active and Recipient. Select Primary or Origin by placing a check in the corresponding box if needed and select the Save button. Enter the Organization Address and select Save. Scroll down to the bottom of the screen. Enter the Phone Numbers, Contact People, or Child Organizations and select Update. A child organization is a subset of a larger entity (i.e., a local FBI office or an MTF under the Army). Select the All Users List hyperlink. Select the Display all in Hierarchy checkbox and select the Display button. The listed users from the Service and associated child records will display.

[Top]

I'm a PHIMT User Admin. How do I unlock User Accounts?
Individuals will get locked out the system if they incorrectly enter their User ID or Password after three attempts. The User Admin is responsible for unlocking user accounts within their assigned Facilities. Select the Admin tab. Select the User Search hyperlink. Type the name of the user you are searching for and select Search. Select the small circle radio button for the user you are searching for and choose the Select button. Remove the check from the Password Locked box and select Update. Establish a New Password and Confirm New Password and select Update. Make a note of the User ID and New Password to be distributes according to your Facilities procedures.

[Top]

I am a PHIMT user and have questions about the application. Who can I contact?
The PHIMT help desk will be able to assist you with your questions/issues: Ddhss-eids@mhs-helpdesk.com.

[Top]

PIAs

What is a PIA?
A PIA is an analysis of how personally identifiable information (PII) is handled to:

Ensure data handling conforms to applicable legal, regulatory, and policy requirements regarding privacy;
Determine the need, privacy risks and effects of collecting, maintaining, using and disseminating PII in electronic form; and
Examine and evaluate protections and alternative processes to mitigate potential privacy risks.

[Top]

E-Government (E-Gov) Act of 2002, Section 208
OMB Memorandum 03-22, OMB Guidance for Implementing the Privacy Provisions in the E-Government Act of 2002, September 26, 2003
DoDI 5400.16, DoD Privacy Impact Assessment (PIA) Guidance, February 12, 2009
DoD 5400.11-R, Department of Defense Privacy Program, May 14, 2007
DoD 6025.18-R, DoD Health Information Privacy Regulation, January 2003
DoD 8580.02-R, DoD Health Information Security Regulation, July 12, 2007
DoDI 8510.01, DoD Information Assurance Certification and Accreditation Process (DIACAP), November 28, 2007
Privacy Act of 1974, 5 U.S.C. 552(a)

[Top]

When is a PIA required?
As stated in DoDI 5400.16, a PIA is required for information systems and electronic collections in the following situations:

"For existing DoD information systems and electronic collections for which a PIA has not previously been completed, including systems that collect personally identifiable information (PII) about federal personnel and contractors.
In accordance with Reference (d), for new information systems or electronic collections:
1. Prior to developing or purchasing new information systems or electronic collections;
2. When converting paper-based records to electronic systems; or,
3. When functions applied to an existing information collection change anonymous information into PII.
For DoD information systems or electronic collections with a completed PIA, when change creates new privacy risks including the examples stated in subparagraphs 1.b.(3)(a) through 1.b.(3)(f)."

[Top]

Who completes a PIA?
The System Program Manager has ultimate responsibility for the completion of a PIA however system team members must assist to address how the data are used and who will use it.

[Top]

What is personally identifiable information (PII)?
Information about an individual that identifies, links, relates or is unique to, or describes him or her (e.g., a Social Security number; age; marital status; race; salary; home telephone number; other demographic, biometric, personnel, medical, and financial information). Also, information that can be used to distinguish or trace an individual's identity, such as his or her name; Social Security number; date and place of birth; mother's maiden name; and biometric records, including any other personal information that is linked or linkable to a specified individual.

[Top]

How does TMA define Information Technology (IT)?
Information Technology (IT), as defined in the Clinger-Cohen Act, is any equipment, software or interconnected system or subsystem that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.

[Top]

What are major information systems?
Major information systems include "large" and "sensitive" information systems. A major information system, as defined in OMB Circular A-130 (Section 6.u) and annually in OMB Circular A-11 (section 300-4 (2003)), is a system or project that requires special management attention because of its: (i) importance to the agency mission, (ii) high development, operating and maintenance costs, (iii) high risk, (iv) high return, or (v) significant role in the administration of an agency's programs, finances, property or other resources.

[Top]

What is a National Security System?
A National Security System, as defined in the Clinger-Cohen Act, is an information system operated by the federal government, the function, operation or use of which involves: (a) intelligence activities, (b) cryptologic activities related to national security, (c) command and control of military forces, (d) equipment that is an integral part of a weapon or weapons systems, or (e) systems critical to the direct fulfillment of military or intelligence missions, but does not include systems used for routine administrative and business applications, such as payroll, finance, logistics and personnel management

[Top]

How may I reach the TMA Privacy and Civil Liberties Office with questions about PIAs?
Please send an e-mail to piamail@tma.osd.mil.

[Top]

Records Management

When are e-mail messages records?
Treat e-mail messages the same way you treat paper correspondence. A message is a record if it documents the TMA mission, provides evidence of a business transaction, and if you or anyone else would need to retrieve the message of official actions.

[Top]

Do I have to manage incoming and outgoing e mails as records?
Yes. Apply the standard described above to both incoming and outgoing e-mail. Both sender and recipient of e-mail messages have the responsibility to document their activities and those of their organizations. Both the sender and the recipient have to determine whether a particular e-mail message is a necessary part of that documentation.

[Top]

Are e-mail systems reliable enough for transmitting official messages?
Yes. E-mail systems are highly reliable for transmitting messages. However, you should use e-mail for business only when you are reasonably sure that the message will not be altered after transmission. Consider the nature and sensitivity of the message, the technology involved, and the persons with whom you communicate when you decide to use e-mail for business.

[Top]

How can e-mail be an official record if it is not signed?
A signature does not make something a record. Many types of records, such as manuals, photographs, and maps, do not contain signatures, but they can still be records.

[Top]

If an e-mail record is sent to several recipients, which copy is the official record?
It depends. Different copies of the same message may be records. If you take any official action related to a message, and the message is needed for adequate and complete documentation of the action, the message would be a record in your office, regardless of whether copies are retained elsewhere. If you receive a message only for information and do not take action related to it, your copy would not be a record.

[Top]

If I'm working on draft material, is it sufficient for me to save just my last draft?
In some cases the last draft may be sufficient, and in other cases not. Follow your office's policy concerning what drafts you must keep.

[Top]

Do these guidelines apply to TMA contractors?
Yes. These guidelines apply to TMA contractors and other agents, as well as TMA employees. Contract terms should ensure that contractor systems satisfy legal requirements for creating and maintaining adequate and complete records of TMA transactions when those transactions are carried out by contractors.

[Top]

Are there special requirements for retaining e mail messages as records?
The basic requirements that apply to all records apply to e-mail records as well. However, there are some specific requirements for records made or received through e-mail. You should make sure that:

The e-mail record includes transmission data that identifies the sender and the recipient(s) and the date and time the message was sent and/or received;
When the e-mail is sent to a distribution list, information identifying all parties on the list is retained for as long as the message is retained; and
If the e-mail system uses codes, or aliases, to identify senders or recipients, a record of their real names is kept as long as any record containing only the codes or aliases.

[Top]

Why is it necessary to keep the transmission data about the sender, receiver, date and time of the e-mail?
You would not delete the names of the sender and addressee, the date, or a time stamp from a letter on paper. The data identifying the sender and recipient(s), the time and data the message was sent, and, on the recipient(s) copy, the time and date it was received are equally essential elements that constitute a complete e-mail record.

[Top]

Do I have to keep attachments to an e-mail message?
Yes. If a message qualifies as part of the documentation of your activities, you must maintain all related items that provide context for the message, including attachments. You would keep them under the same conditions that you would if they were paper attachments to a paper memo or incoming letter.

[Top]

If my outgoing message is a record, should I ask for a return receipt?
It is not necessary to ask for a return receipt or read receipt in e-mail any more than it is necessary in hard copy. We do not send all letters certified mail. If it is important to document the time a message was opened, then that receipt must be retained along with the message for as long as the message is retained. You also need to have some means of linking the receipt to the message so it is clear what outgoing message the receipt documents.

[Top]

Do I need to retain both the original message and the reply?
The requirement is to create and maintain an understandable record documenting activity. Some replies to e-mail messages contain enough information from the original message that they can stand on their own, but most do not. The simplest way to ensure understandability of e-mail messages that will become part of the record is to incorporate the original message and any reply and maintain them as a unit. If e-mail is sent back and forth and the most recent message has the entire sequence of messages, you need to keep only the final message (including the previous messages and replies), as long as it also contains attachments and other data such as the sender, receiver, date, and time that are necessary for a complete record.

[Top]

How long do I need to keep e-mail records?
Retain e-mail records in accordance with your office's file plan and the Administrative Instruction 15 (AI-15) records schedule. The exact length of time will vary depending upon the activity that the message documents.

[Top]

What if the message does not qualify as a record?
Delete e-mail that is not a record as soon as possible.

[Top]

Where do I keep e-mail messages?
E-mail records must be saved to an appropriate records keeping system. Currently TMA does not have an electronic records management system. Therefore, e-mail records must be printed off and filed like paper records IAW the AI-15.

[Top]

Does this mean that I need to print out all my e-mail messages?
No. First of all, not all e-mail messages will qualify as records. Only those e-mail messages that meet the criteria as a record should be printed out and filed in your office files IAW AI-15.

[Top]

Can I keep e-mail records in the e-mail system?
Once you determine that the e-mail message is an official record, you must follow one of two rules IAW the AI-15:

Disposal date of 90 days or less you can keep it on the system.
Disposal date of more than 90 days you must print it off and file it like any other paper record.

[Top]

Can e-mail records be kept on backup tapes or disks?
No. Backup tapes/disks are created to facilitate restoration of a system or file in case of an accidental or unintentional loss. Backup tapes/disks do not meet the requirements of a records management system.

[Top]

Do I need to retain both an electronic and hard copy for the same e-mail message?
No. If the message is a record, it is printed off and filed IAW AI-15. If it is a non-record, then it can be deleted.

[Top]

Does Freedom of Information Act (FOIA) apply to e-mail messages?
Yes, e-mail is subject to the FOIA, and its release is subject to the same FOIA exemptions that apply to other agency records.

[Top]

What do I do about e-mail messages that contain sensitive information, such as classified, proprietary or Privacy Act information?
If you receive e-mail containing sensitive information, apply the same standards and precautions to that e-mail containing sensitive information as you would to the same information in any other medium. When determining if an e-mail is a record, ask yourself these questions:

Did I originate the message and does it have to do with the business of my office?
Is the content of the message something that I will need in future years to do my work?
Does the message support decisions that were made in my program area?
If I am the recipient, is the message "information only"?
Does the message require me to take action?
Is the message needed for operational, legal, fiscal, historical or research purposes?

[Top]

TMA Privacy Office Mail

Where can I find information regarding the HIPAA Privacy Rule outside of the Military Health System?
For information regarding the HIPAA Privacy Rule as it pertains to covered entities and individuals outside of the Military Health System (MHS), please refer to the Department of Health and Human Service's Web site at: http://www.hhs.gov/ocr/privacy/

[Top]

How do I request an accounting of disclosures?
An individual has the right to receive an accounting of disclosures of protected health information (PHI) made by a covered entity in the 6 years prior to the date that the accounting is requested. Exceptions pertaining to this rule include, but are not limited to, disclosures made to carry out treatment, payment and healthcare operations, for the facility's directory or to persons involved in the individual's care, or to correctional institutions or law enforcement officials. To request an accounting of disclosures, you should contact your local MTF HIPAA Privacy Office. Please note that the TRICARE Management Activity Privacy and Civil Liberties is unable to provide an accounting of disclosures.

[Top]

How do I file a HIPAA Privacy complaint?
If you feel that a covered entity within the Military Health System may have violated your health privacy rights, or the health privacy rights of another individual, there is a formal complaint process available to you. Instructions and forms for formally filing a HIPAA Privacy complaint can be found on the TRICARE Management Activity (TMA) Privacy and Civil Liberties Office HIPAA Privacy Web site at: http://www.tricare.mil/tma/privacy/hipaa-forms.aspx.

[Top]

When is a HIPAA Authorization Form required?
Except for purposes of treatment, payment, and healthcare operations, protected health information (PHI) cannot be used or disclosed without a proper HIPAA-compliant authorization signed by the patient. Specific provisions pertaining to this general rule are addressed in Chapter 5 of the Department of Defense Health Information Privacy Regulation: http://www.dtic.mil/whs/directives/corres/pdf/602518r.pdf

For additional information regarding valid HIPAA-compliant authorization forms (DD Form 2870), please contact your local MTF HIPAA Privacy Office or the appropriate TRICARE Regional Office (http://www.tricare.mil/contacts/).

[Top]

How can I obtain HIPAA and/or Privacy related materials, including Notice of Privacy Practices (NoPP) brochures, posters, and labels?
HIPAA Privacy related materials are available on the TRICARE Smart Site and may be ordered directly at: http://www.tricare.mil/tma/privacy/TRICARESmartSite.aspx. Please note that these materials can only be distributed to authorized Points of Contact (PoCs). If you are not currently registered to receive these materials for your office, please register online or, if you are registered but are having difficulty obtaining the materials you seek, please contact the TRICARE Smart Administration team at: TRICARESmartAdmin@tma.osd.mil.

Additional information on NoPP materials, including a template for NoPP labels, can be found at: http://www.tricare.mil/tma/privacy/hipaa-nopp.aspx.

[Top]

Where can I find assistance regarding TRICARE eligibility, benefits, and/or claims?
For assistance with TRICARE eligibility, benefits, and claims, you are encouraged to contact the appropriate TRICARE Regional Health Plan. Please see: http://www.tricare.mil/contacts/. You may also submit a benefits question to a TRICARE representative at: http://www.tricare.mil/mybenefit/jsp/questions/feedback.jsp

For additional assistance, you may contact a Beneficiary Counseling and Assistance Coordinator (BCAC) at: http://www.tricare.mil/bcacdcao/.

[Top]

Who do I contact for any questions I have regarding the HIPAA/Privacy training available via MHS Learn?
For information about training, please contact the Privacy Training team at: PrivacyTraining@tma.osd.mil. For technical assistance pertaining to MHS Learn, you should contact the MHS Learn Service Desk at 1-800-600-9332, mhssc@timpo.osd.mil, or refer to http://www.tricare.mil/tma/privacy/MilitaryHealthSystemLearningPortal.aspx.

[Top]

How can I subscribe to the TMA Privacy and Civil Liberties Office's (Privacy Office) E-News Mailing list?
To subscribe to the Privacy Office's electronic mailings, please refer to: http://www.tricare.mil/tma/privacy/mailinglist.aspx.

[Top]

What access does my Commanding Officer have to my protected health information?
Your healthcare provider can disclosure your PHI to your Commanding Officer to assure the proper execution of the military mission, including determining a member's fitness for duty. Appropriate Military Command authorities include, but are not limited to, all Commanders who exercise authority over an Armed Forces member, or other person designated by such a commander to receive PHI in order to carry out an activity under the authority of the Commander. Any issues pertaining to these matters are best addressed by your Service HIPAA Privacy Officer. A detailed explanation of the "Military Command Exception" can be found at Chapter 7, paragraph 11, of the DoD Health Information Privacy Regulation (DoD 6025.15-R) . You may also find the TMA Privacy and Civil Liberties Office Information Paper on Military Command Exception, beneficial.

[Top]

What PHI can be disclosed under a Data Sharing Agreement?
Provided that the requirements under paragraph C8.3 of the Department of Defense Health Information Privacy Regulation are met, a covered entity may use or disclose a limited data set if the covered entity enters into a data sharing agreement (DSA) with the limited data set recipient. For questions regarding DSAs, Data Use Agreements (DUAs), Memoranda of Agreement (MOA), Memoranda of Understanding (MOU), and Computer Matching Agreements (CMAs), please contact the DSA Team at DSAMail@tma.osd.mil or refer to: http://www.tricare.mil/tma/privacy/duas.aspx.

[Top]