Maintaining Patient Privacy of TRICARE Beneficiaries

Maintaining privacy of Protected Health Information (PHI) is an important part of providing quality health care to TRICARE beneficiaries. Understanding the rules that govern the release of PHI is essential in maintaining the security and confidentiality of PHI and will reduce the risk of unauthorized disclosure.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) permits the release of PHI without an authorization for purposes of treatment, payment, and health care operations. However, the HIPAA Privacy Rule requires providers to reasonably limit the amount of information disclosed for payment and health care operations to the minimum necessary.

PHI is any individually identifiable health information that relates to a patient’s past, present, or future physical or mental health and related health care services. PHI may include demographics, documentation of symptoms, examination and test results, diagnoses and treatments.

Here are some frequently asked provider-related questions regarding PHI from the U.S. Department of Health and Human Services:

• Do I need a patient’s written authorization to send a copy of the patient’s medical record to a specialist or other health care provider who will treat the patient? No. Providers may disclose PHI to another health care provider for treatment purposes.
• If a patient is a minor or is not competent to make health care decisions, may I release information to the parent or guardian? Depending upon state laws, providers may or may not release minor’s information to parents or guardians without a minor’s consent. If the patient is unconscious or incompetent, whether a minor or not, the provider may use their professional discretion; or in the case of minors, the guardian or other person authorized to act on the patient’s behalf may give the consent.
• Does the HIPAA Privacy Rule permit doctors, nurses, and other health care providers to share patient health information for treatment purposes without the patient’s authorization? Yes. The Privacy Rule allows those doctors, nurses, hospitals, laboratory technicians, and other health care providers that are covered entities to use or disclose protected health information, such as X-rays, laboratory and pathology reports, diagnoses, and other medical information for treatment purposes without the patient’s authorization. This includes sharing the information to consult with other providers, including providers who are not covered entities, to treat a different patient, or to refer the patient. See 45 CFR 164.506.
• Can health care providers, such as a specialist or hospital, to whom a patient is referred for the first time, use protected health information to set up appointments or schedule surgery or other procedures without the patient's written consent? Yes. The HIPAA Privacy Rule does not require covered entities to obtain an individual’s consent prior to using or disclosing protected health information about him or her for treatment, payment, or health care operations.
• Is a hospital permitted to contact another hospital or health care facility, such as a nursing home, to which a patient will be transferred for continued care, without the patient's authorization? Yes. The HIPAA Privacy Rule permits a health care provider to disclose protected health information about an individual, without the individual’s authorization, to another health care provider for that provider’s treatment or payment purposes, as well as to another covered entity for certain health care operations of that entity. See 45 CFR 164.506 and the definitions of "treatment," "payment," and "health care operations" at 45 CFR 164.501.

Refer to the HIPAA Web site at http://www.hhs.gov/hipaafaq/providers/treatment/index.html for a complete list of FAQs. For more information about TRICARE PHI and other HIPAA issues, visit the online TRICARE Privacy Office at www.tricare.mil/tmaprivacy.

In addition, detailed disclosure and confidentiality information regarding the Alcohol, Drug Abuse and Mental Health Administration (ADAMHA) Reorganization Act can be found in the TRICARE Operations Manual, 6010.51-M, August 1, 2002, at www.tricare.mil.