2.0
Privacy
Act And related requirements
Under the Privacy
Act, contractors must assure that PII about beneficiaries collected
in TRICARE records is limited to that which is legally authorized
and necessary, and is maintained in a manner which assures its confidentiality. When
confidentiality is not assured, a privacy breach may have occurred,
which triggers requirements under the Privacy Act. When the PII
is in electronic form, additional requirements under the Federal
Information Security Modernization Act of 2014 (FISMA) apply. When
the PII includes PHI, requirements under the HIPAA Privacy, Breach,
and Security Rules apply. The procedures in
paragraphs 2.1 and
2.2 take
into account Privacy Act, FISMA, and HIPAA requirements. With respect
to electronic PII and security compliance, the contractor shall
follow applicable FISMA and DoD cybersecurity requirements, including
information security compliance under the National Institute of
Standards and Technology (NIST) program as stated in the TRICARE Systems
Manual (TSM),
Chapter 1, Section 1.1. These requirements
are concerned with not only confidentiality but also integrity and
availability of PII.
2.1
Breach Response
- Definition and General Requirements
2.1.1 A breach, as defined in DoDD 5400.11 (2014),
is a loss of control, compromise, unauthorized disclosure, unauthorized
acquisition, unauthorized access, or any similar term referring
to situations where persons other than authorized users and for
an other than authorized purpose have access or potential access
to PII/PHI, whether in paper or electronic form. Breaches are classified
as either possible or confirmed (see the following two definitions)
and as either cyber or non-cyber (i.e., involving either electronic
PII/PHI or paper/oral PII/PHI).
2.1.2 A possible breach is an incident where the
possibility of unauthorized access is suspected (or should be suspected)
and has not been ruled out. For example, if a laptop containing
PII/PHI is lost, and the contractor does not initially know whether
or not the PII/PHI was encrypted, then the incident shall initially
be classified as a possible breach, because it is impossible to
rule out the possibility of unauthorized access to the PII/PHI.
In contrast, the possibility may be ruled out immediately, and a possible
breach has not occurred, when misdirected postal mail is returned
unopened in its original packaging. However, if the intended recipient
informs the contractor that an expected package has not been received,
then a possible breach exists until and unless the unopened package
is returned to the contractor. In determining whether unauthorized
access should be suspected, the contractor shall consider at least
the following factors:
• How
the event was discovered;
• Did
the information stay within the covered entity’s control;
• Was
the information actually accessed/viewed; and
• Ability
to ensure containment (e.g., recovered, destroyed, or deleted).
2.1.3 A confirmed breach is an incident
in which it is known that unauthorized access could occur. For example,
if a laptop containing PII/PHI is lost and the contractor knows
that the PII/PHI is unencrypted, then the contractor shall classify
and report the incident as a confirmed breach, because unauthorized
access could occur due to the lack of encryption (the contractor
knows this even without knowing whether or not unauthorized access
to the PII/PHI has actually occurred). If the laptop is subsequently
recovered and forensic investigation reveals that files containing
PII/PHI were never accessed, then the possibility of unauthorized
access can be ruled out, and the contractor shall re-classify the
incident as a non-breach incident.
2.1.4 A HIPAA Breach is an incident that
satisfies the definition of a breach in 45 CFR 164.402 (HIPAA Breach
Rule).
2.1.5 A cybersecurity incident is
a violation or imminent threat of violation of computer security policies,
acceptable use policies, or standard security practices, with respect
to electronic PII/PHI. A cybersecurity incident may or may not involve
a breach of PII/PHI. For example, a malware infection would be a
possible breach if it could cause unauthorized access to PII/PHI.
However, if the malware only affects data integrity or availability
(not confidentiality), then a non-breach cybersecurity incident has
occurred.
2.1.6 The contractor shall follow
the procedures below upon discovery of a possible breach or cybersecurity
incident. These procedures focus on the first two steps (breach
identification and reporting) of a comprehensive breach response
program, but also require addressing the remaining steps: containment,
mitigation (which includes individual notification), eradication,
recovery, and follow-up. The contractor shall establish internal
processes for carrying out the procedures set forth below. These
processes shall assign responsibility for investigating, classifying,
reporting and otherwise responding to breaches and cybersecurity
incidents. The contractor should consult with the DHA Privacy Office
where guidance is needed, such as when the contractor is uncertain
whether a discovered breach is the contractor’s responsibility (e.g.,
if the contractor discovers a breach not caused by the contractor),
or how the contractor is to classify an incident (breach vs. non-breach,
confirmed vs. possible). Under no circumstances shall a contractor
delay reporting a confirmed or possible breach to the DHA Privacy
Office beyond the 24-hour deadline (see
paragraph 2.2.5) while waiting
for the DHA Privacy Office guidance or while investigating the incident.
2.1.7 In the event of a cybersecurity incident not
involving a PII/PHI breach, the contractor shall follow applicable
DoD cybersecurity and NIST requirements. If at any point a contractor
finds that a cybersecurity incident involves a confirmed or possible PII/PHI
breach, the contractor shall immediately initiate the reporting procedures
set forth below. The contractor shall also continue to follow any required
cybersecurity incident response procedures and other applicable
DoD cybersecurity requirements.
2.1.8 Contractors shall require subcontractors who
discover a possible breach or cybersecurity incident to initiate
the incident response requirements herein by reporting the incident
to the contractor immediately after discovery. The time of that
report to the contractor shall trigger the contractor’s DHA Privacy
Office reporting deadline (24 hours) under
paragraph 2.2.5. If a cybersecurity incident
is involved, the contractor’s deadline for US-CERT reporting (one
hour) runs from the time the incident is confirmed, under
paragraph 2.2.1.
The contractor shall require the subcontractor to cooperate as necessary
to meet these deadlines, maintain records, and otherwise enable
the contractor to complete the breach response requirements herein.
Alternatively, the contractor and subcontractor may agree that the
subcontractor shall report directly to US-CERT and the DHA Privacy
Office, and that the subcontractor shall be responsible for completing
the response process, provided that such agreement requires the
subcontractor to inform the contractor of the incident and the subsequent response
actions.
2.1.9 Contractors shall maintain
records of all breach and cybersecurity incident investigations, regardless
of the outcome. Investigations identifying unauthorized disclosures
must be logged for HIPAA and Privacy Act disclosure accounting purposes,
whether or not individual notification is required under the HIPAA
Breach Rule.
2.1.10 Contractors,
when acting as HIPAA-covered entities (rather than as business associates),
are not subject to the breach response requirements of this Manual. However,
such contractors are subject to both the HIPAA Breach Rule (applicable
to them in their capacity as covered entities) and DoD cybersecurity
requirements (applicable to them in their capacity as DoD contractors).
2.2
Breach
Response - Specific Reporting and Individual Notification Requirements
2.2.1 Immediately
upon discovery of a possible or confirmed breach or cybersecurity
incident, the contractor shall initiate an investigation. If the
incident involves electronic PII/PHI, and if the investigation finds
a confirmed breach or cybersecurity incident, the contractor shall report it
within one hour of confirmation, to the United States-Computer Emergency
Readiness Team (US-CERT) Incident Reporting System at
https://forms.us-cert.gov/report/, as
required by the Department of Homeland Security (DHS).
Note: DHS no longer
requires US-CERT reporting of non-cyber breaches or unconfirmed electronic
breaches. However, DHS permits US-CERT reporting of unconfirmed
cyber-related incidents on a voluntary basis. Thus, if a contractor
is uncertain whether a possible cyber-related incident should be
treated as confirmed and thus reportable, the contractor may voluntarily
report the incident.
2.2.2 Before submission to US-CERT, the contractor
shall save a copy of the on-line report. After submitting the report,
the contractor shall record the US-CERT incident reporting number,
which shall be included in the initial report to the DHA Privacy
Office as described in
paragraphs 2.2.5 through
2.2.7.
Information may not be known or complete, but available information
shall be reported within the one hour deadline for submission.
Note: Regardless of
whether or not an incident is confirmed, the contractor shall also
investigate whether or not the incident impacts data integrity or
availability of PII/PHI. If such impact is confirmed, then the incident
is reportable to US-CERT. For guidance on investigating the impact
on data integrity and availability, refer to DoD cybersecurity and
NIST guidance.
2.2.3 The contractor shall provide any updates to
the initial US-CERT report by e-mail to soc@us-cert.gov, with the
Reporting Number in the subject line. The contractor shall provide
a copy of the initial or updated US-CERT report to the DHA Privacy
Office if requested. Contractor questions about US-CERT reporting
shall be directed to the DHA Privacy Office, not the US-CERT office.
2.2.4 In conjunction with its initial investigation,
the contractor shall immediately take steps to minimize any impact from
the occurrence and proceed with further investigation of any relevant details such
as root causes, vulnerabilities exploited, or actions needed (such
as containment, mitigation, eradication, recovery and follow-up).
2.2.5 In
addition to US-CERT reporting, the contractor shall report to the
DHA Privacy Office by submitting the form specified below within
24 hours of discovery of a breach (possible or confirmed), unless
the breach falls within a category that the Privacy Office has determined
to be not reportable. This 24 hour period runs from the time of
discovery, unlike the one hour US-CERT reporting period, which runs
from the time a cybersecurity incident is confirmed. Thus, depending
on the time period needed to confirm, the report to the DHA Privacy
Office may be due either before or after the US-CERT report.
2.2.6 The breach report form required within the
24 hour deadline shall be sent by e-mail to: dha.ncr.pcl.mbx.dha-privacy-officer@mail.mil.
Encryption is not required, because reports and notices shall not
contain PII/PHI. If electronic mail is not available, telephone
notification is also acceptable, but all notifications and reports
delivered telephonically must be confirmed in writing as soon as technically
feasible.
2.2.7 The
contractors shall prepare the breach reports required within the
24 hour deadline by completing the Breach Reporting DD Form 2959
(Breach of PII Report), available at the Breach Response link on
the DHA Privacy Office web
site,
https://health.mil/Military-Health-Topics/Privacy-and-Civil-Liberties For
non-cyber
incidents without a US-CERT number, the contractor shall assign
an internal tracking number and include that number in Box 1.e of
the DD Form 2959. The contractor shall coordinate with the DHA Privacy
Office for subsequent action such as beneficiary notification, and mitigation.
The corresponding
DD Form 1423, Contract
Data Requirements List (CDRL)
, located in Section
J of the applicable contract provides guidance on
completing and updating the Breach Reporting DD Form 2959. The contractor shall promptly
update the DD Form 2959 as new information becomes available.
2.2.8 If the DHA Privacy Office determines that beneficiary
notification is required, the contractor shall provide written notification
to beneficiaries affected by the breach as soon as possible, but
no later than 10 working days after the breach is discovered and
the identities of the beneficiaries are ascertained. The 10 day
period begins when the contractor is able to determine the identities (including
addresses) of the beneficiaries whose records were impacted.
2.2.9 The contractor’s proposed notification to be
issued to the affected beneficiaries shall be submitted to the DHA Privacy
Office for approval. The notification to the beneficiaries, at a
minimum, shall include the following:
• Specific data elements.
• Basic facts and
circumstances.
• Recommended precautions
the beneficiary can take.
• Federal Trade Commission
(FTC) identity theft hotline information.
• Any mitigation
support services offered such as credit monitoring.
2.2.10 The contractor
shall ensure that envelopes containing written notifications to
affected beneficiaries are clearly labeled to alert the recipient
to the importance of its contents, e.g., “Data Breach Information
Enclosed,” and that the envelope is marked with the identity of
the contractor and/or subcontractor organization that suffered the
breach.
2.2.11 If notification
cannot be accomplished within 10 working days, the contractor shall
notify the DHA Privacy Office to determine needed follow-up actions.
2.2.12 If media notice is required, the contractor
will submit a proposed notice and suggested media outlets for the
DHA Privacy Office review (which will include coordination with
the DHA Communications Division) and approval.
2.2.13 The contractor shall, at no cost to the Government,
bear any costs associated with a breach of PII/PHI that the contractor
has caused or is otherwise responsible for addressing.
2.3 System of
Records (SOR) Maintained or Operated by Contractors
2.3.1 Contractor activity is typically
associated with the SOR described in System of Records Notice (SORN)
EDTMA 04 - Medical/Dental Claim History Files (note that physical
location of records in this SOR may be decentralized). However,
some contractor records may instead be associated with the following
SORs:
• EDTMA
01 - Health Benefits Authorization Files;
• EDTMA 02 - Medical/Dental
Care and Claims Inquiry Files;
• EDHA 06 - Designated
Provider Managed Care System Records, formerly known as USTF Managed
Care System;
• EDHA
07 - Military Health Information System; and
• EDHA 08 - Health Affairs
Survey and Study Data Base.
Except
for “routine use” disclosures and other authorized disclosures as
provided in DoD 5400.11-R, C4.1.1.3 and C4.2, no record contained
in a SOR operated and maintained by the contractor for the Government
shall be disclosed to any person or to any agency outside DoD without
prior written consent or request of the beneficiary to whom the
record pertains.
2.3.2 The Privacy Act permits use
of PII throughout the Military Health System (MHS) for legitimate
mission purposes, including when TRICARE contractors have a need
for the records in the performance of their duties. TRICARE contractors
should be aware that TRICARE Beneficiary Counseling and Assistance
Coordinators (BCACs), Debt Collection Assistance Officers (DCAOs),
and Uniformed Services Claims Officers (USCOs) are employees of
the DoD authorized to receive information from TRICARE records if
they have a need for the information in the performance of their
duties. A TRICARE BCAC, DCAO, USCO, or other authorized DHA/MHS
representative who is assisting a beneficiary may receive TRICARE
information pertaining to that beneficiary, provided that the identity
and authority of such representative is verified (e.g., through
the Customer Service Community Directory). The restriction on disclosure
of only that information directly releasable to the beneficiary
also applies to the BCAC, DCAO, USCO, or other representative.
2.3.3 Following
proper SORN publication and Government confirmation of contractor
authority to operate the applicable system(s), the contractor shall
coordinate through the DHA Privacy Office, regarding any needed
updates. The contractor shall promptly advise the DHA Privacy Office
of changes in SORs or their use that may require a change in the
applicable SORN, whether EDTMA 04 or otherwise.
2.4 Confidentiality
Of Medical/Dental Claim History Files
Certain
categories of PII/PHI (such as SSN or Date of Birth (DOB) data,
or PHI relating to mental health, sexually transmitted disease,
etc.) are sensitive. Except as otherwise permitted in this paragraph or
as permitted by law, the contractor shall not release such sensitive
PII/PHI to a third party unless the beneficiary who is the subject
of the PII/PHI has specifically consented to disclosure of such
sensitive information in accordance with applicable consent/authorization
requirements (under Privacy Act, HIPAA, or Substance Abuse and Mental
Health Services Administration (SAMHSA) rules). However, if the contractor
is uncertain about whether disclosure without consent is warranted
(for example, on the basis of a HIPAA Privacy Rule exception), the
contractor shall consult with DHA Privacy Office or DHA Office of
General Counsel (OGC). In determining what PHI is sensitive, the
contractor may take into account the Explanation of Benefits (EOB)
issuance exceptions in
Chapter 8, Section 8,
the contractor’s own internal guidelines, and/or the contractor’s
case-by-case determinations.
2.5 Collecting Information
2.5.1 The Privacy
Act requires personal information to be collected, to the greatest
extent practicable, directly from the subject beneficiary when the
information may result in adverse determinations about the beneficiary’s
rights, benefits, or privileges under federal programs. The collection
of information from third parties shall be minimized except where
there is a need to obtain the information directly from a third
party, such as a need to verify information provided by the subject beneficiary.
2.5.2 Whenever
PII is solicited and collected (by paper, electronic, or verbal
means) from a beneficiary for a SOR, a
Privacy Act Statement (PAS)
shall be provided. The PAS informs the beneficiary of the authority
for soliciting and collecting PII, the principal purposes for which
that PII will be used, where that PII may be disclosed outside of
DoD, whether furnishing that information is voluntary or mandatory,
and the effects on the beneficiary of choosing not to provide all
or part of that requested PII. The PAS must be conspicuously posted
before the point of collection. On paper forms this usually means
placing the PAS at the beginning of the form, immediately following
the title, before the first official heading/selection, or immediately
prior to the first collection field. On electronic forms, this means
placing the PAS so that the beneficiary sees it before providing
information. A PAS may not be displayed via a hyper-link or pop-up
that the beneficiary could bypass. When information is collected by
telephone, a brief oral explanation of the Privacy Act shall be
given to the beneficiary. The following text illustrates acceptable
language for an oral PAS, showing the mandatory portion of the PAS
with example language in
bold (this is only illustrative;
modify as needed):
This information
is being collected to: Process your request to change your provider.
Providing this information is: Voluntary.
However, failure to provide all requested information may result
in a delay or denial of your request to change your provider.
This information may be disclosed for
routine uses consistent with why it was collected.
This information is being collected under
the authority of: 10 USC Chapter 55; 32 CFR Part 199; and
E.O. 9397 (SSN), as amended.
To hear this again please tell
me / press 1 [If answer is “yes,” repeat script.]
If you do not want it repeated,
please tell me / press 2 [If answer is “yes,” continue with script.]
If you would like to hear a full
list of routine uses which may be made of your information, and
the complete legal authorities for collecting this information,
please tell me / press 9 now.
Note: The last few lines may change depending on whether
the PAS is being provided by a human or automated system and on
how that system would operate. The point is to actively ask whether
the beneficiary (1) would like the PAS to be repeated, and (2) would
like to hear the routine uses and authority titles.
2.5.3 Claims
received by the contractor which do not indicate that the claimant
received a PAS shall, nevertheless, be processed for payment. However,
if additional information concerning a claim is required, the request
to the beneficiary must include the appropriate PAS language.
2.6
Access
To Contractor Records Under The Privacy Act
2.6.1 The contractor must develop
and describe procedures by which a beneficiary is permitted access
to records pertaining to him or her under the Privacy Act. If the
request is under HIPAA, refer to
Chapter 19, Section 3 (if
the request specifies neither HIPAA nor the Privacy Act, the contractor
shall apply its judgment as to whether the Privacy Act or HIPAA
is more applicable). Upon request, a beneficiary must be informed
whether or not the Medical/Dental Claim History Files contain a
record pertaining to him or her. And, if the beneficiary so desires,
he or she shall be permitted to review such record and to be accompanied
for the purpose of reviewing the record by a person of his or her
choice. Further, a beneficiary is permitted to obtain a copy of
such record in a form which is comprehensible to him or her.
2.6.2 The contractor
shall not require the beneficiary to provide a reason or justification
before granting beneficiary access to a record containing his/her
PII. However, the requester shall be required to provide such information
as is necessary to determine where and how to look for the records.
The beneficiary shall also be required to provide reasonable identity
verification, in accordance with 45 CFR 164.514(h), before access
is granted. Since most records in the Medical/Dental Claim History
Files relate to medical information, a beneficiary may be required
to submit a written request for access to the file. This allows
the contractor time to review the medical information in accordance
with the following procedures to determine if direct access by the
beneficiary to the medical information would have an adverse effect
on the beneficiary.
2.6.3 Neither the Privacy Act nor
the HIPAA Privacy Rule distinguish between custodial and non-custodial
parents in cases involving separation or divorce. A minor’s PII/PHI
may be released to either parent, unless the contractor is informed
of divorce or legal separation or a court order or other documentation
potentially affecting parental authority with respect to the minor’s
health care. In that situation, the contractor shall review the
documentation to verify which parent has authority with respect
to the minor’s health care and whether disclosure of the minor’s
PHI to either parent is restricted.
2.6.4 Disclosure shall be made only
to the minor if the minor consents to care and parental consent
is not required under law, or the minor and parent have agreed that
the minor may have a confidential relationship with the provider
of the care about which disclosure is requested. If the minor obtains
care at the direction of a court or guardian or other court appointee,
then disclosures shall be made to the court or appointee. In addition,
a minor’s PII/PHI need not be disclosed to a parent if the contractor
reasonably believes, in the exercise of professional judgment, that
disclosure would not be in the minor’s best interest, for example,
due to risk of abuse or neglect by the parent or other risk of endangerment
to the minor, or where the minor has signed a claim related to sensitive
matters such as abortion, substance abuse or sexually transmitted
disease. If the records relate to alcohol or drug abuse treatment,
then see the SAMHSA Regulations provisions below. Questions regarding
custodial parent issues shall be addressed to the DHA OGC.
2.6.5 Requests
for information or records must be acknowledged (if not responded
to) within 10 working days from the date of receipt. A beneficiary’s
request for access to records pertaining to him or her shall receive
concurrent consideration both under the Privacy Act and the Freedom
of Information Act (FOIA), if appropriate. The contractor may consult
the DHA FOIA Service Center if needed. The requested information
must be furnished within 20 working days unless good cause exists
to delay furnishing the record, in which case the beneficiary shall,
within the 20 working days, be informed in writing of the reason
for delay and when it is anticipated that the information will be
furnished. If the contractor does not agree to access as requested,
the contractor shall forward the request to DHA, ATTENTION OGC,
within 10 working days of receipt of the request.
2.7 Corrections
To Records
2.7.1 Beneficiaries’ requests for corrections of
records should be in writing and contain, at a minimum, sufficient
identifying information to enable location of the record, a description
of the items to be amended and the reason amendment is being requested.
Requests for amendments must be acknowledged within 10 working days
from the date of receipt, as provided in DoD 5400.11-R, C3.1.10 and
C3.3.7.1. If it is determined that the patient’s request is under
HIPAA, refer to
Chapter 19, Section 3.
2.7.2 TRICARE
contractors shall implement procedures for reviewing records at
the request of individuals concerned and develop and implement procedures
for making corrections, if appropriate. Whenever practicable, contractors
shall complete the review and advise the beneficiary of the decision to
amend the record within 10 working days of receipt of the request.
Otherwise, a written acknowledgment of receipt of a request for
amendment must be provided within 10 working days after receipt,
with notification of a decision to amend the record furnished within
30 working days of receipt of the request. The final amendment and
notification must in any event be accomplished within 30 days after
the request.
2.7.3 If a contractor agrees with allowing any portion
of the beneficiary’s request to amend a record, it shall amend the
record accordingly. The contractor must make reasonable efforts
to inform previous recipients of the uncorrected record identified
by the beneficiary or by a disclosure accounting as required below.
Informing previous recipients must include providing them the amended
text.
2.7.4 If the TRICARE contractor does not agree to
amend the record as requested, the beneficiary shall not be advised
of the decision. Rather the beneficiary’s request for amending the
record, together with a copy of the record and the contractor’s
written explanation of the reason(s) for not amending the record,
shall be sent to DHA, ATTENTION: OGC, within 10 working days of
receipt of the request. Written acknowledgment of receipt of the
request for amendment shall be provided to the beneficiary.
2.8 Accounting
For Disclosures
2.8.1 The Privacy Act requires an accurate accounting
for disclosures of PII to third parties outside the DoD that are
not disclosures under the FOIA or disclosures to DoD personnel for
use in official duties. Such accounting requires tracking:
• The
name and address of the person and, if appropriate, the agency to
whom the disclosure is made.
• The date, nature,
and purpose of each disclosure.
• For disclosures requiring
consent, the consent of the beneficiary to whom the record pertains.
2.8.2 The contractor
must keep a record of each disclosure or be able to reconstruct
from its system the required accounting information when needed.
Accounting records must be retained for at least five years after
the last disclosure, to assure compliance with HIPAA as well as
the Privacy Act. If the PII to which the accounting request applies
includes PHI, then the contractor must apply the disclosure accounting
requirements of the HIPAA Privacy Rule and DoD 6025.18-R, C13 in
such a manner that both the Privacy Act and the HIPAA Privacy Rule
are satisfied. See the provisions on HIPAA accounting in
Chapter 19, Section 3 and TSM,
Chapter 1, Section 1.1.
2.9 Safeguards
Contractors must implement administrative and
physical safeguards to protect Medical/Dental Claim History Files
from unauthorized or unintentional access, disclosure, modification,
or destruction. All persons whose official duties require access
to or processing and maintenance of personal information shall be
advised of the proper safeguarding and use of such information.
In addition, all employees should be aware of their responsibilities
under the Privacy Act.
2.10 General Correspondence
In responding to general correspondence, the
reply should be sent to the beneficiary regardless of who made the
inquiry. If a spouse or other family member makes an inquiry concerning
a beneficiary’s claim, etc., the inquiry shall not be returned to
the spouse or family member unanswered. Rather, a reply should be
addressed to the beneficiary with an explanation that under the
Privacy Act the reply could not be made to the spouse or family
member who made the inquiry. Also, if an inquiry is made by the
beneficiary, including an eligible family member regardless of age,
the reply shall be addressed to the beneficiary, not the beneficiary’s
spouse (Service member) or parent. The only exceptions are when
a parent writes on behalf of a minor child (under 18 years of age)
or when a guardian writes on behalf of a physically or mentally
incompetent beneficiary. However, in responding to a parent of a
minor or guardian of an incompetent, the procedures outlined under
Access to Contractor Records (
paragraph 2.6) shall be followed in responding
to a request by a parent of a minor or guardian of an incompetent
for disclosure of sensitive information (e.g., abortion, alcohol
and substance abuse, venereal disease, etc.) or information which,
if released, would have an adverse effect on the beneficiary. When
a reply is made to the beneficiary, the reply must be fully responsive
to the inquiry whether or not the query was originally made by the
beneficiary. Copies of the response shall NOT be sent to any family
member, spouse or other person who may have made the inquiry.
2.11 Release Of
Information To Members Of Congress
2.11.1 In accordance
with the DoD policy of making maximum information concerning its operations
and activities available to both Government officials and to the
public in general, DHA and TRICARE contractors will answer constituent’s
letters to members of Congress as fully as possible.
2.11.2 Information
requested by members of the Congress for the constituents shall
be handled in the same manner as if the beneficiary had written
directly to DHA or the TRICARE contractor. If it develops that the
information cannot be released, the Member of the Congress requesting
the information shall be advised promptly of that fact and of the
reasons for the determination.
2.11.3 An established
as a routine use of the Medical/Dental Claim History Files is providing information
from a beneficiary’s records to a Congressional office in response
to the beneficiary’s request to the Congressional office. However,
special rules apply in certain situations, as summarized below.
Consult the DHA Privacy Office if necessary.
2.11.3.1 If the
PII to be disclosed includes PHI, the HIPAA Privacy Rule applies,
which requires that the beneficiary authorize disclosure by signing
a HIPAA-compliant authorization form such as DD Form 2870. Pending
receipt of a signed authorization form, any response disclosing
PHI shall be issued directly to the beneficiary and not to the Congressional
office (which shall be notified that the response has been sent
to the beneficiary). Refer to
Chapter 19, Section 3.
2.11.3.2 In those
cases in which PHI is not requested and the Congressional inquiry
indicates that the request is being made on behalf of a person other
than the beneficiary whose record is to be disclosed (e.g., a spouse
or family member), the contractor shall advise the Congressional
office that written consent of the beneficiary is required, unless
the person has legal authority to act for the beneficiary (e.g.,
authority as a parent of a minor or as a guardian). Absent written
consent, the response shall generally be sent directly to the beneficiary
(the Congressional office must be notified of this action).
2.11.3.3 A record
of a beneficiary which would not be releasable directly to the beneficiary
(e.g., a medical record which would have an adverse effect on the
beneficiary) cannot be released directly to the Congressional office
making the inquiry on behalf of the beneficiary. Instead, the Congressional office
shall be advised of the procedure for release of such record. Of
course, in those cases where a contractor can respond to a Congressional
request for assistance on behalf of a beneficiary, without disclosing
PII/PHI which would fall under the Privacy Act, the contractor shall
comply.
2.11.4 Replies
to all Congressional inquiries and requests shall be completely
responsive and handled as expeditiously as possible. Should it become
evident that a response to a request cannot be made within 15 working
days, an interim reply will be sent. The interim reply will indicate
the anticipated date of completion and the steps being taken to
obtain the information requested.
2.12 Appeals
Guidance
for handling general correspondence also applies to appeal cases,
except that a designated “representative” (as defined in
32 CFR 199.10(a)(2)(ii)), may be communicated
with on the same basis as the beneficiary. However, unless the representative
is the parent of a minor or the legally appointed representative
of an incompetent beneficiary, a written statement from the beneficiary appointing
the representative is required. (See
Chapter 12, Section 2,
for requirements.)
4.0 Federal
Regulations On The Confidentiality Of Alcohol And Drug Abuse Patient
Records
The HHS SAMHSA has issued special
rules on substance abuse information. For information regarding
identity, diagnosis, prognosis or treatment of any beneficiary in
connection with a substance abuse or alcoholism program, consent
must generally be obtained before information can be released. See
SAMHSA Regulations at 42 CFR Part 2, including the model consent
form. Disclosure without beneficiary consent, however, may be made
in certain circumstances (such as emergencies and approved research
or other health care operational activities) described in 42 CFR
Part 2 Subpart D. Before releasing health information based on a
SAMHSA consent, HIPAA authorization requirements, where needed,
must also be satisfied.
• The consent requirement
and other SAMHSA rules apply in any civil, criminal, administrative
or legislative proceeding. For information from SAMHSA regarding treatment
programs, contact:
• The contractor shall
establish and maintain procedures and controls to assure compliance with
SAMHSA requirements, including the following provisions.
4.1 Consent for
Minor, Incompetent or Deceased Beneficiaries
4.1.1 The SAMHSA rule applicable
to minors, 42 CFR 2.14, relies on State laws to define minors and
requirements for informed consent by minors and parents. If no age
of majority is specified in the applicable State law, the age of
18 years shall be considered the age of majority. A beneficiary
who has been legally declared an emancipated minor shall be considered
as an adult. A beneficiary who is under 18 years of age and is or
was a spouse of an Active Duty Service Member (ADSM) or retiree
shall also be considered an emancipated minor. In cases involving
unemancipated minor beneficiaries and separated or divorced parents,
it may be necessary to review any applicable court order, applicable state
law and 42 CFR 2.14 to determine the privacy rights of a minor receiving
alcohol and substance abuse prevention and treatment services.
4.1.2 For beneficiaries,
other than minors, judged to be incompetent, the consent to collection of
information may be given by the guardian or other person authorized
under state law to act on the patient’s behalf.
4.1.3 When consent
is required for collection or disclosure of records of a deceased
beneficiary, consent may be obtained from an executor, administrator,
or other personal representative of the deceased beneficiary’s estate.
If such a representative has not been appointed, the spouse, or
if none, other family member involved with the deceased beneficiary’s
care or payment for care may give consent.
4.2 Disclosure
to Beneficiary or Family Members or Others
Disclosure
of alcohol and substance abuse information to the beneficiary shall
be determined in accordance with the procedures set forth in “Access
to Contractor Records Under the Privacy Act” (
paragraph 2.6). When consent
is given, disclosure may be made to family members or any person
with whom the beneficiary has a close personal relationship and
who is involved in the beneficiary’s care unless, in the judgment
of the person responsible for the beneficiary’s treatment, the disclosure
would be harmful to the beneficiary.
4.3
Prohibition
On Redisclosure
Whenever a written disclosure
is made, with proper written consent, the disclosure shall be accompanied
by a written statement as follows:
“Prohibition on redisclosure: This information
has been disclosed to you from records protected by Federal Law.
Federal Regulations (42 CFR Part 2) prohibit you from making any
further disclosure of this information except with the specific
written consent of the person to whom it pertains. A general authorization
for the release of medical or other information, if held by another
party, is not sufficient for this purpose. Federal regulations state
that any person who violates any provision of this law shall be
fined not more than $500 in the case of a first offense and not
more than $5,000 in the case of each subsequent offense.”
Note: This statement shall either appear on correspondence
transmitting the documents or be stamped on the first page of the
documents disclosed.
4.4
Other
Disclosures
Requests for disclosures in situations
not specified above shall be made only with the written approval
of OGC or the DHA Privacy Office.
7.0 Federal Non-discrimination
Laws
7.1 Title VI of the Civil Rights
Act of 1964 provides that no person shall, on the grounds of race, color
or national origin, be excluded from participation under any program
or activity receiving federal financial assistance. In addition,
Section 1557 of the Patient Protection and Affordable Care Act (ACA) prohibits
discrimination on the ground of race, color, national origin, sex,
age, or disability under any health program or activity administered
by an Executive agency. These federal laws apply to TRICARE and
DHA, including the managed care support and ancillary services provided
under TRICARE/DHA contracts. Hospitals, skilled nursing facilities,
residential treatment centers and special treatment facilities determined
to be authorized providers under TRICARE are subject to the provisions
of Title VI and Section 1557.
7.2 Investigating complaints of noncompliance is
a function of DHA. Any discrimination complaints involving Title
VI or ACA Section 1557 that are received by contractors shall be
sent to DHA OGC, 16401 East Centretech Parkway, Aurora, Colorado
80011-9066.
7.3 The
contractors shall comply with Section 504 of the Rehabilitation
Act of 1973 as amended, regarding qualified handicapped individuals.
Any discrimination complaints involving Section 504 that are received
by contractors shall be forwarded to DHA OGC within two working
days of receipt.