Editor's Note: This is the second in a five-part series on modifications to HIPAA recently unveiled by HHS on January 17, 2013.
During the course of practicing medicine, physicians may encounter opportunities to affiliate with the military. Such instances include: being enrolled in the Reserves or National Guard as a physician, contracting with a government agency such as the Department of Defense (DoD), or coordinating care with a treating physician at the Veterans Administration (VA). Therefore, it is important to recognize that, in addition to complying with HIPAA, the HITECH Act, and related rules and regulations (e.g., the Privacy Rule, Security Rule and Breach Notification Rule), physicians affiliated with the military are subject to additional military regulations.
Before delving into the specific regulations, it is important to provide some legislative history related to the privacy of an individual’s information, and to note the difference between personally identifiable information (PII) and protected health information (PHI). The notion of protecting an individual’s personal information was initiated well before HIPAA passed in August 1996. In 1974, Congress passed the Privacy Act (codified at 5 U.S.C. 552(a)) to safeguard an individual’s records when they are maintained by a government agency such as the DoD. Importantly, the Privacy Act should not be confused with the HIPAA-related Privacy Rule. Civil and criminal penalties may be assessed under either the Privacy Act or HIPAA/the HITECH Act. Therefore, compliance is important.
The legislative purpose behind the Privacy Act is balancing an individual’s privacy rights with the government’s need to collect, maintain, and utilize that information. Specific DoD and Military Health System implementation occurs through DoD 5400.11 (May 8, 2007, incorporating Change 1 on Sept. 1, 2011) and DoD 5400.11-R (May 14, 2007). In short, PII was defined as “information that can be used to distinguish or trace an individual’s identity.” Examples of PII include: name, social security number, age, date and place of birth, military rank or civilian status, and other personal information, including PHI, which can be linked to a specific individual. PII is related to HIPAA/the HITECH Act when determining what factors could identify an individual and link treatment or specific medical conditions to that particular person.
The DoD Health Information Privacy Regulation (DoD 6025.18-R (Jan. 24, 2003)) is equally important. It sets forth the permitted uses and disclosures of PHI, is based on the HIPAA requirements (P.L. 104-191), and became effective April 14, 2003. Compliance with this regulation is mandatory. Moreover, like HIPAA, it requires that covered entities and business associates enter into business associate agreements (BAAs), which outline the parties’ obligations to protect PHI.
There is also language related to a business associate’s subcontractors, similar to that in 45 C.F.R. §164.314, whereby covered entities, business associates, and their subcontractors are required to impose the standards and implement the requisite safeguards. As a DoD presentation explained, “a covered entity is a health plan, a healthcare clearinghouse or a healthcare provider who transmits health information in electronic form in connection with a transaction for which the Department of Health and Human Services has adopted a standard.” Military treatment facilities (MTF) and TRICARE Management Activity (TMA) — a health plan covering military retirees, active duty troops, and their dependents — are both considered covered entities. (U.S. Department of Defense – Health Affairs, TMA Privacy Office 2010 Data Protection Seminar – HIPAA Privacy and Security Overview). (For the related Health Information Security Regulation, see DoD 8580.02-R.)
In September 2011, TRICARE was required to publicly disclose a data breach affecting at least 4.9 million patients. Backup computer tapes containing the PHI of beneficiaries in 10 Southern states who were treated between 1992 and September 7, 2011 were lost. Notably, the required disclosure arose under the Breach Notification Rule (45 C.F.R. §406).
In relation to the military, the key take-aways for physicians are:
• Comply with HIPAA/the HITECH Act, related regulations and the Privacy Act;
• Review related DoD provisions; and
• Recognize that civil and criminal penalties exist for violations involving both PII and PHI.
Taking precautionary, proactive measures to ensure compliance can mitigate significant exposure, as well as potential financial and reputational harm.