The Health Insurance Portability and Accountability Act (HIPAA) is designed to balance privacy, efficiency, and quality. A covered entity generally does not need your permission to share your protected health information (PHI) with another covered entity for treatment, payment, or healthcare operations, commonly referred to as TPO. For example, a doctor will generally not ask your permission before:
- Sending your records to a second doctor for a second opinion (treatment);
- Consulting with another health care provider regarding your medical status (treatment);
- Asking TRICARE for reimbursement for the services you received (payment);
- Sharing medical services provided for coverage and justification of charges (payment);
- Reviewing your records to conduct MHS provider training programs, including certification and licensing (health care operations); and
- Reviewing your records to see if your doctor followed protocol (health care operations).
However, HIPAA does give you the right to:
- Learn how the Military Health System (MHS) will use and disclose your PHI;
- Request to limit who can access your PHI;
- Find out when a covered entity discloses your PHI to others;
- Request to view and receive a copy of your PHI; and
- Request to amend your PHI if incorrect or incomplete.
HIPAA also requires the MHS to:
- Make sure your PHI is stored securely if maintained electronically;
- Make sure your PHI is available when you need healthcare; and
- Notify you if your PHI is lost or stolen.
You also may be interested in...
Publication
Feb. 13, 2026
.PDF |
282.79 KB
The MHS Notice of Privacy Practices describes how medical information about you may be used and disclosed and how you can get access to this information. This is a print-ready, portrait version of the brochure, measuring 8.5” x 11” (vertical).
Policy
Jan. 6, 2022
.PDF |
239.48 KB
The HIPAA Compliant Business Associate Agreement complies with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, Breach and Enforcement Rules (HIPAA Rules).
- Identification #: N/A
- Type: Guideline
Form/Template
Nov. 3, 2014
.PDF |
363.14 KB
The Health Information Privacy HIPAA Complaint Form is used by DHA to proceed with a complaint. DHA uses the information provided to determine if DHA has jurisdiction and, if so, how to process your complaint.
Fact Sheet
May 14, 2014
.PDF |
703.77 KB
This document represents an updated mapping of the HIPAA Security Rule to select DOD policies and IA controls. It does not constitute the rendering of legal advice or an exhaustive list of all possible mappings of the Security Rule to DOD policies or IA controls. The document is intended to provide general information and to allow different ...
Policy
March 14, 2014
.PDF |
5.79 MB
This MOU establishes a framework governing inter-Departmental transfer of PIII/PHI of beneficiaries who receive health care and/or other benefits from either Department. This MOU revises the MOU on "Defining Data-Sharing Between the Departments," executed in May and June of 2005.
- Identification #: N/A
- Type: Memorandum of Understanding
Form/Template
Oct. 1, 2013
.PDF |
27.44 KB
The MHS Notice of Privacy Practices (NoPP) describes how medical information about you may be used and disclosed and how you can get access to this information. This form serves as an acknowledgement to patients and beneficiaries that they have received the MHS NoPP. The template is sized to scale and can be reproduced locally on Avery Label #5163, ...
Policy
July 26, 2012
.PDF |
3.32 MB
This Memorandum outlines how DOD health care entities may consider a properly completed and electronically signed Form SSA-827 a valid authorization which permits the release of that individual's PHI to the Social Security Administration (SSA).
- Identification #: N/A
- Type: Memorandum
Policy
Dec. 2, 2009
Establishes policy and assigns responsibilities for implementation of the standards for privacy of individually identifiable health information in accordance with parts 160 and 164 of title 45, Code of Federal Regulations.
- Identification #: DODI 6025.18
- Type: Instruction
Form/Template
Dec. 1, 2003
This form is to provide the patient with a means to request a restriction on the use and disclosure of
his/her protected health information.
Form/Template
Dec. 1, 2003
This form is to provide the Military Treatment Facility/Dental Treatment Facility/TRICARE Health Plan with a means to request the use and/or disclosure of an individual's protected health information.
Policy
June 18, 2002
.PDF |
115.55 KB
The purpose of this letter is to request that a Privacy Officer be appointed at each Military Treatment Facility and Dental Treatment Facility in the Military Health System.
- Identification #: N/A
- Type: Guideline
Policy
Aug. 21, 1996
The purpose of this document is to amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services ...
- Identification #: 110 STAT. 1936
- Type: Federal Regulation
You are leaving Health.mil
The appearance of hyperlinks does not constitute endorsement by the Department of Defense of non-U.S. Government sites or the information, products, or services contained therein. Although the Defense Health Agency may or may not use these sites as additional distribution channels for Department of Defense information, it does not exercise editorial control over all of the information that you may find at these locations. Such links are provided consistent with the stated purpose of this website.
You are leaving Health.mil
View the external links disclaimer.
Last Updated: July 11, 2023