
HIPAA Highlights: Additional Compliance with Military Contracts

  • Rachel V. Rose, JD, MBA
Feb 21, 2013
  • Contracts, HIPAA, Law & Malpractice
  • Physicians Practice

Editor's Note: This is the second in a five-part series on modifications to HIPAA recently unveiled by HHS on January 17, 2013.

During the course of practicing medicine, physicians may encounter opportunities to affiliate with the military. Such instances include: being enrolled in the Reserves or National Guard as a physician, contracting with a government agency, such as the Department of Defense (DoD), or coordinating care with a treating physician at the Veterans Administration (VA). Therefore, it is important to recognize that in addition to complying with HIPAA, the HITECH Act, and related rules and regulations (e.g., Privacy Rule, Security Rule and Breach Notification Rule), the military also has additional relevant regulations.

Before delving into specific related regulations, it is important to provide some legislative history related to the privacy of an individual’s information, and note the difference between personally identifiable information (PII) and protected health information (PHI). The notion of protecting an individual’s personal information was initiated well before HIPAA passed in August 1996. In 1974, Congress passed the Privacy Act (codified at 5 U.S.C. 552(a)), to safeguard an individual’s records when they are maintained by a government agency such as the DoD. Importantly, the Privacy Act should not be confused with the HIPAA-related Privacy Rule. Civil and criminal penalties in relation to either the Privacy Act or HIPAA/the HITECH Act may be assessed. Therefore, compliance is important.

The legislative purpose behind the Privacy Act is balancing an individual’s privacy rights with the government’s need to collect, maintain, and utilize that information. Specific DoD and Military Health System implementation occurs through DoD 5400.11 (May 8, 2007, incorporating Change 1 on Sept. 1, 2011) and DoD 5400.11-R (May 14, 2007). In short, PII was defined as “information that can be used to distinguish or trace an individual’s identity.” Examples of PII include: name, social security number, age, date and place of birth, military rank or civilian status, and other personal information, including PHI, which can be linked to a specific individual. PII is related to HIPAA/the HITECH Act when determining what factors could identify an individual and link treatment or specific medical conditions to that particular person.

DoD Health Information Privacy Regulation (6025.18-R (Jan. 24, 2003)) is equally important. It sets forth the uses and disclosures of PHI, is based on the HIPAA requirements (P.L. 104-191), and became effective April 14, 2003. This provision is mandated. Moreover, like HIPAA, it requires that covered entities and business associates enter into business associate agreements (BAAs), which outline the parties’ obligations to protect PHI.

There is also language related to a business associate’s subcontractors, which is similar to that expressed in 45 C.F.R. §164.314, whereby covered entities, business associates, and their subcontractors are required to impose the standards and implement the requisite safeguards. As a DoD presentation explained, “a covered entity is a health plan, a healthcare clearing house or a healthcare provider who transmits health information in electronic form in connection with a transaction for which the Department of Health and Human Services has adopted a standard.” Military treatment facilities (MTF) and TRICARE Management Activity (TMA) — a health plan covering military retirees, active duty troops, and their dependants — are both considered covered entities. (U.S. Department of Defense – Health Affairs, TMA Privacy Office 2010 Data Protection Seminar – HIPAA Privacy and Security Overview). (For the related Health Information Security Regulation, see DoD 8580.02-R).

In September 2011, TRICARE was required to post the discovery of a data breach affecting at least 4.9 million patients. Here, backup computer tapes containing PHI of beneficiaries located in 10 Southern states treated between 1992 and September 7, 2011 were lost. Notably, this action related to the Breach Notification Rule (45 C.F.R. §406).

In relation to the military, the key take-aways for physicians are:

• Comply with HIPAA/the HITECH Act, related regulations and the Privacy Act;

• Review related DoD provisions; and

• Recognize that civil and criminal penalties exist for violations involving both PII and PHI.

Taking precautionary, proactive measures to ensure compliance can mitigate significant exposure, as well as potential financial and reputational harm.
