Tricare and You – All about HIPAA

Written by Cmdr. Aaron Middlekauff, U.S. Public Health Service

What is the Health Insurance Portability and Accountability Act of 1996 (HIPAA)? Why should you be concerned with it and does it matter?

HIPAA protects and ensures accountability of your Protected Health Information (PHI). The basic provisions regarding the HIPAA Privacy Rule are that only those who have a need-to-know access PHI for the treatment, payment and health care operation activities, protects and limits PHI access, that only the minimum necessary be disclosed and that the disclosure is appropriately documented.

Who must comply with HIPAA?

All military and civilian health care plans, health care clearinghouses and health care providers who electronically conduct financial and administrative transactions must comply with HIPAA. TRICARE, military hospitals and clinics, providers, regional contractors, subcontractors and other business associate relationships fall within these categories.

The military has a unique exception regarding PHI access and handling which is extended to military command or their designated representative to determine the active duty member’s fitness for duty or to ensure proper execution of the mission.

There have been cases where an active duty member disclosed PHI to their supervisor regarding a family member and the information gets disseminated to the crew by the supervisor, in good faith, to ask to keep their family in positive thoughts and prayers. Unfortunately, this information can become widely disseminated in the community through word of mouth which can cause great concern, sensitivity and additional grief.

We all have a duty to protect and educate fellow service members regarding the proper handling of PHI, especially by those to whom a great deal of faith and trust are afforded when put into positions of leadership and authority.

HIPAA Military Command Exception

Providers and health plans who disclose protected health information to military commanders must make reasonable efforts to limit the disclosure to the “minimum necessary” for assuring proper execution of the military mission. Military commanders who receive protected health information, particularly when it involves mental health or substance abuse education, have special responsibilities to safeguard the information received and limit any further disclosure in accordance with the Privacy Act.


All Coast Guard personnel working with PHI are required to complete designated training within 30 working days of reporting on duty to the Coast Guard or being assigned to a specific Coast Guard unit. Coast Guard personnel working with PHI, as prescribed in COMDTINST M6000.1 (series), are required to complete annual HIPAA refresher training. Individuals who are greater than 90 days overdue for their annual refresher training will be reported to their direct supervisor. This training MUST be completed annually. Stay tuned as this training will soon be migrating from Joint Knowledge Online to the Coast Guard Learning Management System to facilitate administrative tracking compliance capabilities.

Inquiries or complaints

Beneficiaries may utilize any of the following three methods to file complaints regarding perceived misuse or disclosure of their PHI. This information includes demographics such as age, address, or email address and others, and relates to past, present or future health information and related health care services.

  1. Local Privacy and Security Official resources IAW COMDTINST M6000.1 (series).
  2. The DHA Privacy Office electronically or by mail.
  3. The HHS Office for Civil Rights (OCR) website gives instructions to individuals who wish to make a HIPAA complaint about a covered entity when they perceive that their protected health information has been used or disclosed in a manner not compliant with the covered entity’s privacy policies.

The Coast Guard Health Care Program, the covered entity, should try to resolve patient and individual complaints before they become complaints to OCR. Privacy incidents do happen, and may be inadvertent disclosures (technical/practical errors that are not generally deliberate, planned, or malicious disclosures).

The DHA TRICARE HIPAA website provides guidance specifically regarding the Military Health System (MHS). The MHS must comply with the requirements of HIPAA, both as a provider of health care – through Military Treatment Facilities – and as the TRICARE health plan – through contracted network health care services.

The HHS Office of Civil Rights offers a very informative site concerning HIPAA questions and official guidance on the Privacy Rule.

Notice of Privacy Practices (NoPP) – The HIPAA Privacy Rule gives individuals a right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their individual rights with respect to their protected health information (PHI). Health plans and covered health care providers are required to develop and distribute a notice that provides a clear explanation of these rights and practices. The notice is intended to make individuals aware of privacy issues and concerns, and to prompt them to have discussions with their health plans and health care providers and exercise their rights. Click on the above link to review or print a current NoPP.

For questions regarding any HIPAA or privacy concern, contact the Coast Guard Privacy and Security Officials, CDR Aaron Middlekauff at or 202-475-5181 or Ms. Debra Fitzgerald at or (757) 628-4363.

Tags: ,