Military Health System
TRICARE Operations Manual 6010.62-M, April 2021
Chapter 1
Section 5
Compliance With Federal Statutes
1.1  The contractor shall comply with all federal privacy laws which apply to the administration of TRICARE health plans. In situations where federal law is in conflict with the law in the state(s) in which the contractor is based or operating, federal law as applicable to the Department of Defense (DoD) generally has precedence over state law, except as to the health privacy rights of minors.
1.2  This Manual incorporates by reference the federal regulations and DoD issuances referred to in this Section.
1.3  A key federal statute relating to information privacy applicable to the Defense Health Agency (DHA) contractors is the Privacy Act of 1974 (“Privacy Act”), 5 United States Code (USC) 552a. The DoD has implemented the Privacy Act with DoD Instruction (DoDI) 5400.11 (2019) and DoD 5400.11-R (2007), referenced in this Manual collectively as “DoD Privacy Act Issuances.”
1.4  The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a key federal statute governing health information privacy; its implementing regulations are at 45 Code of Federal Regulations (CFR) Parts 160 and 164. The Department of Health and Human Services (HHS) has issued the HIPAA Privacy, Security, Breach, and Enforcement Rules (collectively, the HIPAA Rules). The DoD has implemented the HIPAA Privacy and Security Rules with the following issuances:
•  DoDI 6025.18, “Privacy of Individually Identifiable Health Information in DoD Programs,” March 13, 2019.
•  DoDM 6025.18, “Implementation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in DoD Health Care Programs,” March 13, 2019; and
•  DoDI 8580.02, “Security of Individually Identifiable Health Information in DoD Health Care Programs,” August 12, 2015.
2.1  The contractor shall ensure that beneficiary Personally Identifiable Information (PII) collected in TRICARE records is limited to that which is legally authorized and necessary.
2.2  The contractor shall ensure PII is maintained in a manner which assures its confidentiality. When confidentiality is not assured, a privacy breach may have occurred, which triggers requirements under the Privacy Act. When the PII is in electronic form, additional requirements under the Federal Information Security Modernization Act of 2014 (FISMA) apply. When the PII includes Protected Health Information (PHI), requirements under the HIPAA Privacy, Breach, and Security Rules apply.
2.3  Electronic PII and Security Compliance
The contractor shall follow applicable FISMA and DoD cybersecurity requirements, including information security compliance under the National Institute of Standards and Technology (NIST) program as stated in the TRICARE Systems Manual (TSM), Chapter 1, Section 1.1. These requirements are concerned with not only confidentiality, but also integrity and availability of PII.
2.4  Breach Response - General Requirements
2.4.1  The contractor shall establish internal procedures to address the following areas of breach response: containment, mitigation (which includes individual notification), eradication, recovery, and follow-up.
2.4.2  The contractor shall assign an investigator to report and respond to breaches and cybersecurity incidents. The investigator will conduct an investigation immediately upon discovery of a possible or confirmed breach or cybersecurity incident. The contractor shall provide notification of any potential or actual breach involving PII or PHI that the contractor has created, received, maintained, or transmitted. A breach is defined as an actual or possible loss of control of, unauthorized disclosure of, or unauthorized access to, personal information, where persons other than authorized users gain access or potential access to such information for other than authorized purposes. The contractor shall notify the DHA Privacy Office within 24 hours. If the breach is a cybersecurity incident, the discovering party shall also report it to the National Cybersecurity and Communications Integration Center (NCCIC) (formerly known as the United States Computer Emergency Readiness Team (US-CERT)) within one hour of the potential cybersecurity incident, and shall complete the breach response actions required by DHA guidance.
2.4.3  The contractor shall consult with the DHA Privacy Office where guidance is needed, such as when the contractor is uncertain whether a discovered breach is the contractor’s responsibility (e.g., if the contractor discovers a breach not caused by the contractor), or how the contractor is to classify an incident (breach vs. non-breach, confirmed vs. possible).
2.4.4  The contractor shall consider relevant factors in determining whether an unauthorized access should be treated as a suspected breach, including, but not limited to:
•  How the event was discovered.
•  Whether the information stayed within the covered entity’s control.
•  Whether the information was actually accessed or viewed.
•  The ability to ensure containment (e.g., whether the information was recovered, destroyed, or deleted).
2.4.5  For reporting requirements, see DD Form 1423, Contract Data Requirements List (CDRL), located in Section J of the applicable contract.
2.4.6  Incidents Involving Electronic PII/PHI
The contractor shall report incidents (confirmed or potential) within one hour of confirmation to the NCCIC Incident Reporting System, as required by the Department of Homeland Security (DHS). The contractor shall record the NCCIC incident reporting number, which shall be included in the initial report to the DHA Privacy Office. Information may not be known or complete, but available information shall be reported within the one-hour deadline for submission to NCCIC. The contractor shall provide any updates to the initial NCCIC report by email, with the “Reporting Number” in the subject line. The contractor shall provide a copy of the initial or updated NCCIC report to the DHA Privacy Office. Any questions about NCCIC reporting shall be directed to the DHA Privacy Office, not to NCCIC. The contractor shall immediately take steps to minimize any adverse repercussions from the occurrence and proceed with further investigation of relevant details such as root causes, vulnerabilities exploited, and actions needed (e.g., containment, mitigation, eradication, recovery, and follow-up).
2.5  The contractor shall require subcontractors who discover a potential or confirmed breach or cybersecurity incident to initiate the incident response requirements herein by reporting the incident to the contractor immediately after discovery.
2.5.1  The contractor shall report to DHA Privacy Office within 24 hours of receiving the subcontractor’s report of a potential or confirmed breach. If a cybersecurity incident is involved, the contractor’s deadline for NCCIC reporting (one-hour) runs from the time the incident is confirmed.
2.5.2  The contractor shall require the subcontractor to meet deadlines, maintain records, and otherwise enable the contractor to complete the breach response requirements herein.
2.5.3  The contractor and subcontractor may agree that the subcontractor shall report incidents directly to NCCIC and the DHA Privacy Office, and that the subcontractor shall be responsible for completing the response process, provided that such agreement requires the subcontractor to inform the contractor of the incident and the subsequent response actions.
2.5.4  The contractor shall maintain records of all breach and cybersecurity incident investigations, regardless of the outcome. Investigations identifying unauthorized disclosures must be logged in accordance with HIPAA and Privacy Act requirements.
2.5.5  The contractor, when acting as a HIPAA covered entity (rather than as a business associate), is not subject to the breach response requirements of this Manual. However, the contractor remains subject to both the HIPAA Breach Rule (applicable to the contractor in its capacity as a covered entity) and DoD cybersecurity requirements (applicable to the contractor in its capacity as a DoD contractor).
2.5.6  The contractor shall send the breach report form (required within 24 hours) to the DHA Privacy Office. Encryption is not required, since reports and notices shall not contain PII/PHI. If electronic mail is not available, telephone notification is also acceptable, but all notifications and reports delivered telephonically must be confirmed in writing as soon as technically feasible.
2.5.7  The contractor shall prepare the breach reports required within the 24 hour deadline by completing the Breach Reporting DD Form 2959 (Breach of PII Report), available at the Breach Response link on the DHA Privacy Office website.
2.5.8  The contractor shall assign an internal tracking number and include that number in Box 1.e of the DD Form 2959 for non-cyber incidents without an NCCIC number.
2.5.9  The contractor shall coordinate with the DHA Privacy Office for subsequent action such as beneficiary notification and mitigation. For reporting requirements, see the DD Form 1423, CDRL, located in Section J of the applicable contract, which provides guidance on completing and updating the Breach Reporting DD Form 2959.
2.5.10  The contractor shall update the DD Form 2959 as new information becomes available.
2.5.11  The contractor shall draft a notification letter for DHA Privacy Office review and endorsement prior to sending it to the affected beneficiaries, should the DHA Privacy Office determine that beneficiary notification is required. The contractor shall send the draft notification letter to the DHA Privacy Office within 10 business days from discovery of the breach and ascertainment of the affected beneficiary(ies). The 10 business day period begins when the contractor is able to determine the identities (including addresses) of the beneficiaries whose records were affected; however, in no case will notification take place later than 60 calendar days following the discovery of a breach. The beneficiary notification letter shall include, but is not limited to, the following:
•  Specific data elements.
•  Basic facts and circumstances.
•  Recommended precautions the beneficiary can take.
•  Federal Trade Commission (FTC) identity theft hotline information.
•  Any mitigation support services offered such as credit monitoring.
The contractor shall ensure that envelopes containing written notifications to affected beneficiaries are clearly labeled to alert the recipient to the importance of the contents, i.e., “Data Breach Information Enclosed,” and that the envelope is marked with the identity of the contractor and/or subcontractor organization that suffered the breach.
2.5.12  The contractor shall notify the DHA Privacy Office to determine needed follow-up actions if notification cannot be accomplished within 10 business days.
2.6  The contractor shall, following the discovery of a breach involving 500 or more residents of a State or jurisdiction and after approval by the DHA Privacy Office, notify prominent media outlets serving the State or jurisdiction.
2.7  The contractor shall, should media notice be required, submit a proposed notice and recommended media outlets for DHA Privacy Office review (which will include coordination with the DHA Communications Division) and approval within five business days, and in no case later than 60 calendar days following the discovery of a breach.
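The breach-response paragraphs above start several clocks with different units and start points: 24 hours to the DHA Privacy Office from discovery, one hour to NCCIC from confirmation of a cybersecurity incident, 10 business days for the draft letter from ascertainment of the affected beneficiaries, five business days for the media proposal, and a 60 calendar day cap from discovery that overrides the business-day clocks. The following calculator is an added example, not part of the TRICARE manual; it assumes weekends are the only non-business days (federal holidays are not modelled) and that the five-business-day media window runs from discovery, which the manual does not state.

```python
"""Breach-response deadline calculator for the timelines in this section.

Added example; not part of the TRICARE Operations Manual. Assumptions:
- Business days are Monday to Friday; federal holidays are NOT modelled
  (assumption), so real-world business-day deadlines may fall later.
- Datetimes are timezone-naive, in the contractor's local time.
- The five-business-day media proposal window (para 2.7) is measured from
  discovery (assumption; the manual does not state its start point).
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

HOURS_TO_DHA = 24            # para 2.4.2 / 2.5.1: DHA Privacy Office notification
HOURS_TO_NCCIC = 1           # para 2.4.6 / 2.5.1: cyber incidents, from confirmation
BDAYS_TO_DRAFT_LETTER = 10   # para 2.5.11: from ascertainment of affected beneficiaries
CAL_DAYS_HARD_CAP = 60       # para 2.5.11 / 2.7: never later than 60 calendar days
BDAYS_TO_MEDIA_PROPOSAL = 5  # para 2.7
MEDIA_THRESHOLD = 500        # para 2.6: residents of one State or jurisdiction


def add_business_days(start: date, n: int) -> date:
    """Date that is n Monday-to-Friday days after start (holidays ignored, by assumption)."""
    d, remaining = start, n
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # weekday() 0-4 are Monday-Friday
            remaining -= 1
    return d


@dataclass(frozen=True)
class BreachDeadlines:
    dha_privacy_report: datetime        # 24 h after discovery
    nccic_report: Optional[datetime]    # 1 h after confirmation; None if not a cyber incident
    hard_cap: date                      # discovery + 60 calendar days
    draft_letter_due: Optional[date]    # min(ascertainment + 10 business days, hard_cap)
    media_proposal_due: Optional[date]  # only when >= 500 residents of one jurisdiction


def compute_deadlines(discovered: datetime,
                      ascertained: Optional[datetime] = None,
                      cyber_confirmed: Optional[datetime] = None,
                      max_residents_one_jurisdiction: int = 0) -> BreachDeadlines:
    """Derive every clock the section starts, applying the 60-day cap to the business-day clocks."""
    hard_cap = discovered.date() + timedelta(days=CAL_DAYS_HARD_CAP)

    draft_due = None
    if ascertained is not None:
        # The 10-business-day clock starts at ascertainment, but the 60-calendar-day
        # cap runs from discovery, so a late ascertainment is cut short by the cap.
        draft_due = min(add_business_days(ascertained.date(), BDAYS_TO_DRAFT_LETTER), hard_cap)

    media_due = None
    if max_residents_one_jurisdiction >= MEDIA_THRESHOLD:
        media_due = min(add_business_days(discovered.date(), BDAYS_TO_MEDIA_PROPOSAL), hard_cap)

    return BreachDeadlines(
        dha_privacy_report=discovered + timedelta(hours=HOURS_TO_DHA),
        nccic_report=(cyber_confirmed + timedelta(hours=HOURS_TO_NCCIC)
                      if cyber_confirmed is not None else None),
        hard_cap=hard_cap,
        draft_letter_due=draft_due,
        media_proposal_due=media_due,
    )


def draft_letter_overdue(deadlines: BreachDeadlines, today: date) -> bool:
    """Para 2.5.12: once the draft-letter window has passed, the DHA Privacy Office must be consulted."""
    return deadlines.draft_letter_due is not None and today > deadlines.draft_letter_due


if __name__ == "__main__":
    # Constructed scenario: discovery Thursday 2021-04-01 09:00, cyber incident confirmed
    # 14:30 the same day, affected beneficiaries identified Friday 2021-04-02 12:00,
    # 600 residents of a single State affected.
    d = compute_deadlines(datetime(2021, 4, 1, 9, 0),
                          ascertained=datetime(2021, 4, 2, 12, 0),
                          cyber_confirmed=datetime(2021, 4, 1, 14, 30),
                          max_residents_one_jurisdiction=600)
    for name, value in d.__dict__.items():
        print(f"{name:20} {value}")
```

The point worth checking in any real implementation is the interaction between the two clocks in paragraph 2.5.11: a late ascertainment does not extend the 60 calendar day cap, so the draft-letter due date must be the earlier of the two, which is what `min(...)` enforces above.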
2.8  System of Records (SOR) Maintained or Operated by Contractors
2.8.1  Contractor activity is typically associated with the SOR described in System of Records Notice (SORN) EDTMA 04 - Medical/Dental Claim History Files (note that physical location of records in this SOR may be decentralized). However, some contractor records may instead be associated with the following SORs:
•  EDTMA 01 - Health Benefits Authorization Files
•  EDTMA 02 - Medical/Dental Care and Claims Inquiry Files
•  EDHA 06 - Designated Provider Managed Care System Records, formerly known as Uniformed Service Treatment Facility (USTF) Managed Care System;
•  EDHA 07 - Military Health Information System, and
•  EDHA 08 - Health Affairs Survey and Study Database
2.8.2  The contractor shall not disclose any record contained in an SOR to any person or agency outside DoD without prior written consent or request of the beneficiary to whom the record pertains except for “routine use” disclosures and other authorized disclosures as provided in DoD 5400.11-R, C4.1.1.3 and C4.2.
2.8.3  The Privacy Act permits use of PII throughout the Military Health System (MHS) for legitimate mission purposes, including when a TRICARE contractor has a need for the records in the performance of its duties.  TRICARE contractors should be aware that TRICARE Beneficiary Counseling and Assistance Coordinators (BCACs), Debt Collection Assistance Officers (DCAOs), and Uniformed Services Claims Officers (USCOs) are employees of the DoD authorized to receive information from TRICARE records if they have a need for the information in the performance of their duties.  A TRICARE BCAC, DCAO, USCO, or other authorized DHA/MHS representative who is assisting a beneficiary may receive TRICARE information pertaining to that beneficiary, provided that the identity and authority of such representative is verified (e.g., through the Customer Service Community Directory). The restriction on disclosure of only that information directly releasable to the beneficiary also applies to the BCAC, DCAO, USCO, or other representative.
2.8.4  The contractor shall coordinate through the DHA Privacy Office, regarding any needed updates following proper SORN publication and Government confirmation of contractor authority to operate the applicable system(s).
2.8.5  The contractor shall advise the DHA Privacy Office within 30 calendar days of changes in SORs or their use that may require a change in the applicable SORN, whether EDTMA 04 or otherwise.
2.9  Collecting Information
2.9.1  The Privacy Act requires personal information to be collected, to the greatest extent practicable, directly from the subject beneficiary when the information may result in adverse determinations about the beneficiary’s rights, benefits, or privileges under federal programs. The collection of information from third parties shall be minimized except where there is a need to obtain the information directly from a third party, such as a need to verify information provided by the subject beneficiary.
2.9.2  The contractor shall provide a Privacy Act Statement (PAS) whenever PII is solicited and collected (by paper, electronic, or verbal means) from a beneficiary for an SOR. The PAS informs the beneficiary of the authority for soliciting and collecting PII, the principal purposes for which that PII will be used, where that PII may be disclosed outside of DoD, whether furnishing that information is voluntary or mandatory, and the effects on the beneficiary of choosing not to provide all or part of the requested PII. The PAS must be conspicuously posted before the point of collection. On paper forms this usually means placing the PAS at the beginning of the form, immediately following the title, before the first official heading or selection, or immediately prior to the first collection field. On electronic forms, this means placing the PAS so that the beneficiary sees it before providing information. A PAS may not be displayed via a hyperlink or pop-up that the beneficiary could bypass. When information is collected by telephone, a brief oral explanation of the Privacy Act shall be given to the beneficiary.
2.9.3  The contractor shall use the following language for an oral PAS, showing the mandatory portion of the PAS:
•  This information is being collected to: Process your request to change your provider.
•  Providing this information is: Voluntary. However, failure to provide all requested information may result in a delay or denial of your request to change your provider.
•  This information may be disclosed for routine uses consistent with why it was collected.
•  This information is being collected under the authority of: 10 USC Chapter 55; 32 CFR 199; and E.O. 9397 (SSN), as amended.
•  To hear this again please tell me / press 1 [If answer is “yes,” repeat script.].
•  If you do not want it repeated, please tell me / press 2 [If answer is “yes,” continue with script.].
•  If you would like to hear a full list of routine uses which may be made of your information, and the complete legal authorities for collecting this information, please tell me / press 9 now.
Note:  The last few lines may change depending on whether the PAS is being provided by a human or automated system and on how that system would operate. The point is to actively ask whether the beneficiary (1) would like the PAS to be repeated, and (2) would like to hear the routine uses and authority titles.
2.9.4  The contractor shall process claims for payment even if the claim does not indicate that the claimant received a PAS.
2.9.5  The contractor shall, if requiring additional claim information from the beneficiary, include the appropriate PAS language.
2.10  Access To Contractor Records Under The Privacy Act
2.10.1  The contractor shall develop policies and procedures by which a beneficiary is permitted access to records pertaining to him or her under the Privacy Act.
2.10.2  The contractor shall treat any record request as a HIPAA request if the record contains any individually identifiable health information, that is, information (including identifiable demographic information) transmitted or maintained in any form or medium that relates to:
•  The past, present, or future physical or mental health condition of an individual;
•  The provision of health care to an individual; or
•  The payment for health care provided to an individual.
2.10.3  Upon request, a beneficiary must be informed whether or not the Medical and Dental Claim History Files contain a record pertaining to him or her. If the beneficiary so desires, he or she shall be permitted to review such record. Furthermore, a beneficiary is permitted to obtain a copy of such record in a form which is comprehensible to him or her.
2.10.4  The contractor shall act on a request for access no later than 30 calendar days after receipt of the request.
2.10.5  The contractor shall not require the beneficiary or personal representative to provide a reason or justification before granting the beneficiary or personal representative access to a record containing his or her PII. However, the beneficiary or personal representative shall be required to provide such information as is necessary to determine where and how to look for the records. The beneficiary or personal representative shall also be required to provide reasonable identity verification, in accordance with 45 CFR 164.514(h), before access is granted. Since most records in the Medical and Dental Claim History Files relate to medical information, a beneficiary or personal representative may be required to submit a written request for access to the file. This allows the contractor time to review the medical information in accordance with the following procedures to determine if direct access by the beneficiary or personal representative to the medical information would have an adverse effect on the beneficiary.
2.10.6  Neither the Privacy Act nor the HIPAA Privacy Rule distinguishes between custodial and non-custodial parents in cases involving separation or divorce. A minor’s PII/PHI may be released to either parent, unless the contractor is informed of a divorce or legal separation, or of a court order or other documentation potentially affecting parental authority with respect to the minor’s health care. The contractor shall review the documentation to verify which parent has authority with respect to the minor’s health care and whether disclosure of the minor’s PHI to either parent is restricted.
The contractor shall make disclosure to minors in accordance with State law in the jurisdiction in which the minor resides. The contractor shall disclose to the minor only if the minor consents to care and parental consent is not required under State law, or the minor and parent have agreed that the minor may have a confidential relationship with the provider of the care about which the disclosure is requested, or the minor has been granted a legal emancipation. The contractor shall provide the appropriate disclosures to the court or appointee if the minor obtains care at the direction of a court or guardian or other court appointee. The contractor shall not disclose a minor’s PII/PHI to the minor’s parent if the contractor reasonably believes, in the exercise of professional judgment, that disclosure would not be in the minor’s best interest (e.g., due to risk of abuse or neglect by the parent or other risk of endangerment to the minor, or where the minor has signed a claim related to sensitive matters such as abortion, substance abuse, or sexually transmitted disease). Questions regarding custodial parent issues shall be addressed to the DHA Privacy Office. The contractor shall acknowledge a request for information within 10 business days from the date of receipt.
A beneficiary’s request for access to records pertaining to him or her shall receive concurrent consideration under the Privacy Act, HIPAA, and the Freedom of Information Act (FOIA), as appropriate. The contractor may consult the DHA FOIA Service Center if needed. The requested FOIA information shall be furnished within 20 business days, or the requester shall be informed in writing of the reason for the delay and when it is anticipated that the information will be furnished. The contractor shall forward the request to DHA, Attention: Office of General Counsel (OGC), within 10 business days of receipt of the request if the contractor does not agree to access as requested. Per the Department of Justice (DOJ), all third party requests shall be processed solely under FOIA.
2.11  Corrections To Records
2.11.1  The contractor shall act on the individual’s request for an amendment no later than 60 calendar days after receipt of such request.
2.11.2  The contractor may extend the time for such action by no more than 30 calendar days if the contractor is unable to act on the amendment within the time required, provided that:
•  The contractor provides the individual with a written statement of the reasons for the delay and the date by which it will complete its action on the request; and
•  The contractor may only have one such extension of time for action on a request for an amendment.
2.11.3  The contractor shall amend the record if it agrees with any portion of the beneficiary’s request. The contractor shall make reasonable efforts to inform previous recipients of the uncorrected record, as identified by the beneficiary or by the accounting of disclosures required below. The contractor shall inform previous recipients of any amended text. The contractor shall provide the individual with a written denial if the requested amendment is denied in whole or in part. The contractor’s denial letter must use plain writing and contain:
•  The basis for the denial;
•  The individual’s right to submit a written statement disagreeing with the denial and how the individual may file such a statement;
•  A statement that, if the individual does not submit a statement of disagreement, the individual may request that the contractor provide the individual’s request for amendment and the denial with any future disclosures of the protected health information that is the subject of the amendment; and
•  A description of how the individual may submit a complaint to the contractor. The description must include the name, or title, and telephone number of the contact person or office.
Statement of Disagreement
The contractor shall permit the individual to submit to the covered entity a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such disagreement. The covered entity may reasonably limit the length of a statement of disagreement.
Rebuttal Statement
The covered entity may prepare a written rebuttal to the individual’s statement of disagreement. Whenever such a rebuttal is prepared, the covered entity must provide a copy to the individual who submitted the statement of disagreement.
2.12  Accounting For Disclosures
2.12.1  The Privacy Act requires an accurate accounting for disclosures of PII to third parties outside the DoD that are not disclosures under the FOIA or disclosures to DoD personnel for use in official duties. Such accounting requires tracking:
•  The name and address of the person and, if appropriate, the agency to whom the disclosure is made.
•  The date, nature, and purpose of each disclosure.
•  For disclosures requiring consent, the consent of the beneficiary to whom the record pertains.
2.12.2  The contractor shall keep a record of each disclosure or be able to reconstruct from its system the required accounting information when needed.
2.12.3  Accounting records must be retained for at least six years after the last disclosure, to assure compliance with HIPAA as well as the Privacy Act. If the PII to which the accounting request applies includes PHI, then the contractor shall apply the disclosure accounting requirements of the HIPAA Privacy Rule and DoDM 6025.18, in such a manner that both the Privacy Act and the HIPAA Privacy Rule are satisfied.
2.13  Safeguards
2.13.1  The contractor shall implement administrative and physical safeguards to protect Medical and Dental Claim History Files from unauthorized or unintentional access, disclosure, modification, or destruction.
2.13.2  The contractor shall educate all persons whose official duties require access to or processing and maintenance of personal information of the proper safeguarding and use of such information.
2.13.3  The contractor shall advise all employees of their responsibilities under the Privacy Act.
2.14  General Correspondence
2.14.1  The contractor shall send general correspondence replies to the beneficiary regardless of who made the inquiry.
2.14.2  The contractor shall not return the inquiry to the spouse or family member unanswered if a spouse or other family member makes an inquiry concerning a beneficiary.
2.14.3  The contractor shall send the response to the beneficiary with an explanation that under the Privacy Act the reply could not be made to the spouse or family member who made the inquiry.
2.14.4  The contractor shall reply to the beneficiary, not the beneficiary’s spouse (Service member) or parent, including an eligible family member regardless of age. The only exceptions are when:
•  A parent writes on behalf of a minor child (under 18 years of age), unless State law allows a minor to seek medical care without parental consent; or
•  A guardian writes on behalf of a physically or mentally incompetent beneficiary.
2.14.5  The contractor shall follow the procedures outlined under Access to Contractor Records Under the Privacy Act (paragraph 2.10) in responding to a parent of a minor or guardian of an incompetent beneficiary for disclosure of sensitive information (e.g., abortion, alcohol and substance abuse, venereal disease) or information which, if released, would have an adverse effect on the beneficiary.
2.14.6  The contractor shall not send copies of the response to any family member, spouse or other person who may have made the inquiry.
2.15  Release of Information to Members of Congress
2.15.1  The contractor shall not release any PHI to Congressional offices without a valid and signed HIPAA authorization (DD Form 2870) from the individual.
2.15.2  The contractor shall not release any PHI to a Congressional office at the request of a third party unless the subject of the PHI authorizes the disclosure using a valid HIPAA authorization form or the third party has legal authority to act for the individual such as a parent of a minor.
2.15.3  The contractor shall not release beneficiary records to a Congressional office that would not be releasable directly to the beneficiary (i.e., psychotherapy notes).
2.15.4  Replies to members of Congress must be made expeditiously and must be documented. For responses that include PHI, the contractor shall keep PHI to the minimum amount necessary to fulfill the request. The contractor shall verify the completed DD Form 2870 and any limits placed by the individual on the release of PHI. The contractor may opt to disclose the requested PHI directly to the individual and subsequently notify the Congressional office that the contractor has replied directly to the individual, without providing the PHI to the Congressional Member.
Policy of DoD:
3.1  The contractor shall forward all requests for information under FOIA to the Contracting Officer (CO) within two business days.
3.2  The contractor shall provide all records to the CO in response to the FOIA request within five business days.
3.3  The contractor shall provide records electronically.
3.4  The contractor shall not respond directly to the requestor including interim replies.
3.5  The contractor shall comply with the provisions of 45 CFR Part 160 and 164 if the requestor specifically seeks information covered under HIPAA.
4.1  The HHS Substance Abuse and Mental Health Services Administration (SAMHSA) has issued special rules on substance abuse information. For information regarding identity, diagnosis, prognosis or treatment of any beneficiary in connection with a substance abuse or alcoholism program, consent must generally be obtained before information can be released. See SAMHSA Regulations at 42 CFR Part 2, including the model consent form. Disclosure without beneficiary consent, however, may be made in certain circumstances (such as emergencies and approved research or other health care operational activities) described in 42 CFR Part 2 Subpart D. Before releasing health information based on a SAMHSA consent, HIPAA authorization requirements, where needed, must also be satisfied.
Note:  The consent requirement and other SAMHSA rules apply in any civil, criminal, administrative or legislative proceeding. For information from SAMHSA regarding treatment programs, contact: Telephone: (877) 726-4727.
4.2  The contractor shall establish and maintain procedures and controls to assure compliance with SAMHSA requirements, including the following provisions.
4.2.1  Consent for Minor, Incompetent or Deceased Beneficiaries
The SAMHSA rule applicable to minors, 42 CFR 2.14, relies on State laws to define minors and the requirements for informed consent by minors and parents. If no age of majority is specified in the applicable State law, the age of 18 years shall be considered the age of majority. A beneficiary who has been legally declared an emancipated minor shall be considered an adult. A beneficiary who is under 18 years of age and is or was a spouse of an Active Duty Service Member (ADSM) or retiree shall also be considered an emancipated minor. In cases involving unemancipated minor beneficiaries and separated or divorced parents, it may be necessary to review any applicable court order, applicable State law, and 42 CFR 2.14 to determine the privacy rights of a minor receiving alcohol and substance abuse prevention and treatment services.
For beneficiaries, other than minors, judged to be incompetent, the consent to collection of information may be given by the guardian or other person authorized under State law to act on the patient’s behalf.
When consent is required for collection or disclosure of records of a deceased beneficiary, consent may be obtained from an executor, administrator, or other personal representative of the deceased beneficiary’s estate. If such a representative has not been appointed, the spouse, or if none, another family member involved with the deceased beneficiary’s care or payment for care may give consent.
4.2.2  Disclosure to Beneficiary or Family Members or Others
Disclosure of alcohol and substance abuse information to the beneficiary shall be determined in accordance with the procedures set forth in “Access to Contractor Records Under the Privacy Act” (paragraph 2.10). When consent is given, disclosure may be made to family members or any person with whom the beneficiary has a close personal relationship and who is involved in the beneficiary’s care unless, in the judgment of the person responsible for the beneficiary’s treatment, the disclosure would be harmful to the beneficiary.
4.2.3  Prohibition On Redisclosure
The contractor shall include the following statement whenever a written disclosure is made:
“Prohibition on redisclosure: This information has been disclosed to you from records protected by Federal Law. Federal Regulations (42 CFR Part 2) prohibit you from making any further disclosure of this information except with the specific written consent of the person to whom it pertains. A general authorization for the release of medical or other information, if held by another party, is not sufficient for this purpose. Federal regulations state that any person who violates any provision of this law shall be fined not more than $500 in the case of a first offense and not more than $5,000 in the case of each subsequent offense.”
This statement shall either appear on correspondence transmitting the documents or be stamped on the first page of the documents disclosed.
4.3  Other Disclosures
Requests for disclosures in situations not specified above shall be made only with the written approval of OGC or the DHA Privacy Office.
The contractor shall satisfy DoD’s NIST-based cybersecurity requirements as described in the TSM, Chapter 1, Section 1.1.
6.0  HIPAA
7.1  Title VI of the Civil Rights Act of 1964 provides that no person shall, on the grounds of race, color or national origin, be excluded from participation under any program or activity receiving federal financial assistance.
7.2  In addition, Section 1557 of the Patient Protection and Affordable Care Act (PPACA) (hereafter referred to as the Affordable Care Act or ACA) prohibits discrimination on the ground of race, color, national origin, sex, age, or disability under any health program or activity administered by an Executive agency.
7.3  These federal laws apply to TRICARE and DHA, including the managed care support and ancillary services provided under TRICARE and DHA contracts.
7.4  Hospitals, skilled nursing facilities, residential treatment centers and special treatment facilities determined to be authorized providers under TRICARE are subject to the provisions of Title VI and Section 1557.
7.5  The contractor shall send any discrimination complaints involving Title VI or ACA Section 1557 to DHA, Attention: OGC, 16401 East Centretech Parkway, Aurora, Colorado 80011-9066 within two business days of receipt.
7.6  The contractor shall comply with Section 504 of the Rehabilitation Act of 1973 as amended, regarding qualified handicapped individuals.
7.7  The contractor shall forward any discrimination complaints involving Section 504 to DHA OGC within two business days of receipt.
8.1  The contractor shall educate and train its staff on the following programs: Privacy Act (including DoD breach response); HIPAA Privacy, Security, Breach, and Enforcement Rules; and FOIA.
8.2  The contractor shall ensure that it includes a training requirement on the Privacy Act (including DoD breach response); HIPAA Privacy, Security, Breach, and Enforcement Rules; and FOIA in each of its subcontracts. The training shall include the requirements below if the subcontractor has access to or maintains PII/PHI.
8.3  The contractor’s training and communication(s) related to privacy, security, breach and FOIA shall be specific and commensurate with a workforce member’s responsibilities. Training is required for system testing as well as ordinary system access if testing would involve PII/PHI access.
8.4  The contractor shall develop HIPAA Privacy, Security, Breach, and Enforcement Rules and FOIA training modules.
8.5  The contractor shall educate and train newly hired staff within 30 business days of onboarding and before having access to PHI.
8.6  The contractor’s training modules shall include, but are not limited to, the following:
8.6.1  Role-Based Training
Role-based training to enhance general orientation where a job category requires access to PII/PHI.
8.6.2  Management Training
Management training provides managers and decision-makers information that shall be taken into account when making management decisions affecting compliance with Privacy Act and HIPAA requirements. Personnel responsible for these management decisions should receive management training on privacy compliance when they first enter management positions.
8.6.3  Records Managers
The Government will include training on PII/PHI breach response requirements in the DHA Annual Records Management (RM) Training for contractor RM personnel. The Government will provide the contractor with electronic and hard copies of the RM breach training slide deck for use in developing the contractor’s own training modules for non-RM personnel. The contractor shall provide records managers Privacy Act and FOIA training in conjunction with their RM training.
8.6.4  Refresher Training and Retraining
Refresher training demonstrates the importance of privacy requirements and ensures that the workforce continues to understand current requirements. The contractor shall provide retraining to inform workforce members whose functions are affected by changes in applicable rules, policies and procedures. Refresher training and retraining must be completed within 30 business days as needed.
8.7  Documentation
8.7.1  The contractor shall document and maintain records of completed training of each staff member, including subcontractor staff.
8.7.2  The contractor’s documented training shall include a signature or electronic signature or other satisfactory evidence for each trainee, verifying completion and date of the training and understanding of its pertinence to his or her position.
8.7.3  The contractor shall provide records of training completion to the DHA Privacy Office if requested.
8.7.4  These records are subject to review by Government officials during audits, reviews and inspections.
- END -