HIPAA and Privacy

In This Section:

HIPAA and Privacy

Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) of 1996 to

Combat waste, fraud and abuse
Improve portability of health insurance coverage
Simplify health care administration

Who must comply with HIPAA?
All military and civilian health care plans, health care clearinghouses and health care providers who electronically conduct certain financial and administrative transactions must comply with HIPAA. TRICARE, military treatment facilities, providers, regional contractors, subcontractors and other business associate relationships fall within these categories.

HIPAA's Privacy Rule and Security Rule relate specifically to the privacy and security of your protected health information (PHI).

How the Privacy Rule Protects You
The HIPAA Privacy Rule lets medical staff use and disclose your protected health information for treatment, payment and health care operations without written authorization. Your permission is required for most other uses and disclosures.

Under the Privacy Rule, you have the right to:

Receive a copy of the Military Health System Notice of Privacy Practices
Request access to PHI
Request amendment of PHI
Request an accounting of PHI disclosures
Request restriction on PHI use and disclosure
File a complaint regarding privacy infractions

HIPAA Security Rule
The HIPAA Security Rule lists a set of business processes and technical requirements that providers, health plans and health care clearinghouses must follow to ensure the security of private health care information. The Security Rule addresses three areas:

Administrative Safeguards manage security measures and the conduct of personnel that access, view, process and distribute electronic protected health information.
Physical Safeguards protect physical equipment and related buildings from natural and environmental hazards, as well as from physical intrusions.
Technical Safeguards protect, control and monitor access to information.