HIPAA and Privacy

  • By Colonel Melinda Sutton, 102nd Medical Group Commander
  • 102nd Intelligence Wing

HIPAA is often misspelled as HIPPA. It is not the Health Insurance Privacy Protection Act. It is actually the Health Information Portability and Accountability Act. Established in 1996, HIPAA is a federal law with guidelines to protect patients' confidential medical information. More specifically, the HIPAA rules contain privacy, security, and breach notification requirements that apply to individually identifiable health information that is created, received, maintained, or transmitted by health care providers who engage in certain electronic transactions, health transactions, health plans, health care clearinghouses, and their business associates.

In other words, health care entities are supposed to protect your personal health information. If there is a breach, there is a time frame in which they must make a notification. This serves to protect patients from unnecessary and potentially damaging release of information without their permission. It is also intended to protect a patient from the possibility of fraud or identity theft.

While HIPAA covers both security and privacy of protected health information (PHI), the two concepts differ. Privacy refers to the right of the individual to control the use or disclosure of his or her personal information. Security involves IT protocols and physical barriers to safeguard health data.

The Privacy Act of 1974 was amended on 14 January 2019 (5 U.S.C. 552a). The Privacy Act protects records that can be retrieved by personal identifiers such as name and social security number. You have a right to access an accounting of disclosures of these types of records maintained about you. With certain exemptions, such as a subpoena for a legal matter, the Privacy Act prohibits disclosure of records that can be retrieved by such identifiers without your prior consent. The Privacy Act is binding on federal agencies and applies to records under federal control.

Regarding health information privacy, there are special provisions for an individual's personal representative, such as when a person may be incapacitated or deceased. Minors present a special case in that usually a parent is the personal representative. A licensed health care professional can exercise professional judgment to deny parental access. This is usually in the instance of abuse or neglect.

A violation of the Privacy Act can also be considered an invasion of privacy. It happens when there is intentional physical or perhaps electronic intrusion into someone's personal matters or concerns.

Depending on the nature and extent of the violation, it can be punishable by law.

By now you may be wondering how this affects you as a military member. Your commander can direct an evaluation or make an inquiry about your health. This can occur if there has been unusual behavior, a decline in performance, or an increase in administrative or disciplinary actions. A commander can issue a directive for a medical or psychological evaluation. There is also the Military Command Exception. HIPAA permits PHI of military members to be disclosed to command authorities for authorized activities, which include fitness for duty determination, fitness for a specific assignment, or activities for the mission in general. With regard to mental health and/or substance abuse, when a member voluntarily seeks help, the providers are not required to notify their commanders. Also, it is feasible that command authorities may require notification of medical appointments, as well as missed appointments, for members under their command. Additional information can be found at https://health.mil/Military-Health-Topics/Privacy-and-Civil-Liberties/HIPAA-Compliance-within-the-MHS/Military-Command-Exception

The 102nd Medical Group members take pride in their duty and do not want to do anything that violates your privacy or the privacy of your health information. Please be advised that the 102nd MDG is not a military treatment facility; therefore, it is not subject to HIPAA. The Privacy Act does apply. No information is to be released without following the established Privacy Act. Please inform us if you believe your information or that of another has been compromised so that the matter can be promptly addressed.