HIPAA and Health Information Privacy
Background
On 21 August 1996, the Health Insurance Portability and Accountability Act, (HIPAA), was signed into law as Public Law 104-191. The Act included provisions for health insurance portability and renewability, preventing fraud and abuse, medical liability reform, tax-related health provisions, group health plan requirements, revenue offset provisions and administrative simplification requirements. Title II, Subtitle F on Administrative Simplification required the Secretary of Health & Human Services to publish standards for electronic exchange, privacy and security of health information.
The promulgated regulations, known as the Privacy Rule are found at 45 Code of Federal Regulations (CFR) Part 160 and Part 164, Subparts A and E. The Security Standard is found at 45 CFR Part 164, Subpart C. These regulations became effective as of April 21, 2003, and must be complied with as of April 21, 2006. These regulations are available at the following web site: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/
Resources
HIPAA Training - All Coast Guard personnel working with PHI are required to complete designated training within thirty (30) working days of reporting on duty to the Coast Guard or being assigned to a specific Coast Guard unit. Coast Guard personnel working with PHI, as prescribed in COMDTINST M6000.1 (series), are required to complete annual HIPAA refresher training. Individuals who are greater than ninety (90) days overdue for their annual refresher training will be reported to their direct supervisor.
HIPAA Military Command Exception - Providers and health plans who disclose protected health information to military commanders must make reasonable efforts to limit the disclosure to the "minimum necessary" for assuring proper execution of the military mission. Military commanders who receive protected health information, particularly when it involves mental health or substance abuse education, have special responsibilities to safeguard the information received and limit any further disclosure in accordance with the Privacy Act.
Inquiries or complaints - Beneficiaries may utilize any of the following three methods to file complaints regarding perceived misuse or disclosure of their PHI. This information includes demographics such as age, address, or email address and others, and relates to past, present or future health information and related health care services.
- Local Privacy and Security Official resources IAW COMDTINST M6000.1 (series).
- The DHA Privacy Office electronically or by mail.
- The HHS Office for Civil Rights (OCR) website gives instructions to individuals who wish to make a HIPAA complaint about a covered entity when they perceive that their protected health information has been used or disclosed in a manner not compliant with the covered entity’s privacy policies.
The Coast Guard Health Care Program, the covered entity, should try to resolve patient and individual complaints before they become complaints to OCR. Privacy incidents do happen, and may be inadvertent disclosures (technical/practical errors that are not generally deliberate, planned, or malicious disclosures).
The DHA TRICARE HIPAA website provides guidance specifically regarding the Military Health System (MHS). The MHS must comply with the requirements of HIPAA, both as a provider of health care - through Military Treatment Facilities - and as the TRICARE health plan - through contracted network health care services.
The HHS Office of Civil Rights offers a very informative site concerning HIPAA questions and official guidance on the Privacy Rule.
Notice of Privacy Practices (NoPP) - The HIPAA Privacy Rule gives individuals a right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their individual rights with respect to their protected health information (PHI). Health plans and covered health care providers are required to develop and distribute a notice that provides a clear explanation of these rights and practices. The notice is intended to make individuals aware of privacy issues and concerns, and to prompt them to have discussions with their health plans and health care providers and exercise their rights. Click on the above link to review or print a current NoPP.
For questions regarding any HIPAA or privacy concern, contact the Coast Guard Privacy and Security Official, CDR Paul Michaud at Paul.T.Michaud@uscg.mil or 202-475-5171.