
Assist Visit Program Supplement to the TMA Assist Visit Guide

By Todd Thomas, 2014-06-22 18:55

    TRICARE MANAGEMENT ACTIVITY PRIVACY OFFICE

    SUPPLEMENT TO THE TMA ASSIST VISIT GUIDE

    Each numbered item below gives the Standard checked during an assist visit, the References it rests on, and the Comments and/or Opportunities for Improvement Identified.

    PRIVACY ACT

    INDIVIDUAL RIGHTS/SYSTEM OF RECORDS

    Standard 1: Personnel are aware that the Military Healthcare System (MHS) shall not have any unauthorized system of records.
        References: Privacy Act of 1974 (5 U.S.C. §552a)
        Comments: MHS is not allowed to maintain a system of records without first publishing its purpose, routine use, and other requirements in the Federal Register.

    Standard 2: Individuals have a legal right to see and amend their information maintained in a system of records.
        References: DoD 5400.11-R, Department of Defense Privacy Program, C3.3.2.1
        Comments: Normally, amendments under this Regulation are limited to correcting factual matters and not matters of official judgment, such as performance ratings, promotion potential, and job performance appraisals.

    Standard 3: The government is required to safeguard their information maintained in a system of records to ensure its security and accuracy.
        References: DoD 5400.11-R C1.4.1; Privacy Act of 1974 (5 U.S.C. §552a)
        Comments: The Privacy Act states that administrative, physical, and technical security safeguards should be implemented to protect Personally Identifiable Information (PII).

    Standard 4: A system notice is published in the Federal Register at least 30 days before a system goes live.
        References: DoD 5400.11-R C6.1.6
        Comments: A Privacy Act SORN is required for systems from which information is retrieved using an individual's name or some other identifier. A system of records under development or one that is undergoing significant modification must complete a Privacy Act System of Record Notice. Please check the online listings to see if your system is already listed. If your system is not listed or you require a new SOR notice, please read the steps for "Establishing a New (or Altering/Amending an Existing) System of Records" (http://www.tricare.mil/tma/privacy/SystemsofRecords.aspx). See also http://www.tricare.mil/tma/privacy/RoleoftheTMAPrivacyOffice.aspx

    TMA Privacy Office Assist Visit Program Supplement 1

    February 2010


    USES AND DISCLOSURES

    Standard 5: A System of Records Notice (SORN) must be submitted for publication in the Federal Register if paper and/or electronic records are retrieved by name or other personal identifier.
        References: DoD 5400.11-R, Department of Defense Privacy Program, C1.1.2.2
        Comments: A Privacy Act "system of records" is defined as a group of any records under the control of any agency from which information is retrieved (or accessed) by the name of the individual, number, symbol, or other identifier particularly assigned to the individual. The Privacy Act requires each agency to publish notice of its systems of records in the Federal Register. This notice is generally referred to as a system of records notice (SORN). Examples: Professional Credential Records System; and Leave and Earning Records System.

    Standard 6: The Privacy Act limits the collection of personal information.
        References: DoD 5400.11-R C2.1; Privacy Act of 1974 (5 U.S.C. §552a)
        Comments: Per the Privacy Act, records are to be maintained with only the minimum required information about an individual that is relevant and necessary to accomplish the required purpose.

    Standard 7: Disclosures of PII are made without the consent of the person in accordance with legal activities.
        References: DoD 5400.11-R C4.2.7; C4.2.11.1; 5 USC 552a(b)(11)
        Comments: When a record is disclosed under this provision, reasonable efforts to notify the individual to whom the record pertains should be made.

    BREACH

    Standard 8: Actual or possible breaches are identified, responded to and reported.
        References: DoD 5400.11-R C1.5, C10.6; TRICARE Management Activity Incident Response Team and Breach Notification Policy Memorandum, October 12, 2007; TMA Breach Notification Standard Operating Procedures (SOP) 5.1
        Comments: TMA Components Breach Reporting: Leadership, immediately; TMA Privacy Office, within 1 hour (privacyofficermail@tma.osd.mil); US CERT, within 1 hour (done by TMA PO); Defense Privacy Office, within 48 hours (done by TMA PO). http://www.tricare.mil/tma/privacy/breach.aspx



    Standard 9: Immediate notification of a supervisor is required in the event of an actual or possible breach.
        References: DoD 5400.11-R C1.5, C10.6; TRICARE Management Activity Incident Response Team and Breach Notification Policy Memorandum, October 12, 2007; TMA Breach Notification SOP 5.1.2
        Comments: TMA Components Breach Reporting: Leadership, immediately.

    Standard 10: The TMA Privacy Office and Chief Information Officer must be contacted within one hour of discovery of an actual or possible breach.
        References: DoD 5400.11-R C1.5, C10.6; TRICARE Management Activity Incident Response Team and Breach Notification Policy Memorandum, October 12, 2007; TMA Breach Notification SOP 5.4.1.3; DoD Policy Memorandum: Safeguarding Against and Responding to the Breach of Personally Identifiable Information, Part IV, September 25, 2008
        Comments: TMA Components Breach Reporting: TMA Privacy Office, within 1 hour (PrivacyOfficerMail@tma.osd.mil).

    Standard 11: The affected system must be secured or taken off-line as soon as possible when an actual or possible breach occurs.
        References: TMA Breach Notification SOP 5.6
        Comments: When an actual or possible breach is discovered, the information or affected system is taken off-line to mitigate the consequences and minimize the risks.



    PENALTIES

    Standard 12: Any individual who believes his or her rights under the Privacy Act have been violated can bring a civil action against the DoD.
        References: DoD 5400.11-R C10.2, C10.3, C10.4; 5 USC 552a(g)
        Comments: Individuals may initiate a civil lawsuit against DoD if they believe their rights have been denied, including but not limited to inadequate access to their personal records, refusal to amend their records, or inadequate accounting of disclosures.

    Standard 13: Government contractors are subject to the same penalties under the Privacy Act as all DoD employees when working with PII.
        References: DoD 5400.11-R C1.3.1.1, C10.4; 5 USC 552a; Federal Acquisition Regulation (FAR) Part 24.000
        Comments: Government contractors are held to the same standards as government and military employees in complying with Federal privacy policy and procedures. The following are the penalties for violation of the Privacy Act: any person who knowingly and willfully requests or obtains access to any record concerning another individual under false pretenses may be found guilty of a misdemeanor and fined up to $5,000.



    HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)

    INDIVIDUAL RIGHTS

    Standard 14: Access to PHI is based on an individual's job position and responsibilities.
        References: DoD 6025.18-R C8.2.3; 45 CFR 164.514(d), 164.502(b)
        Comments: To minimize risk and protect PHI, access should be limited to those persons who need the access to carry out their duties.

    Standard 15: Individuals have the right to review and/or obtain a copy of their Protected Health Information (PHI).
        References: DoD 6025.18-R, DoD Health Information Privacy Regulation, C11.1.1
        Comments: Access should be accommodated within 30 working days of the request. If this is not possible, the individual must be notified; the HIPAA rule applies to PHI. The individual must provide reasonable proof of his or her identity.

    Standard 16: Individuals have the right to correct or amend their PHI.
        References: DoD 6025.18-R C12.1.1; 45 C.F.R. §164.526(a)
        Comments: A request may be denied if the record was created by a different organization. A request may be denied if the record proved to be accurate and complete.

    Standard 17: Individuals have the right to file a complaint if they believe their HIPAA privacy rights have been violated.
        References: DoD 6025.18-R C14.4.1
        Comments: Privacy related complaints at TMA should be directed to the TMA Privacy Office (privacymail@tma.osd.mil; http://www.tricare.mil/tma/privacy/hipaa-forms.aspx). Privacy complaints may also be filed directly with the Office for Civil Rights (OCR), U.S. Department of Health & Human Services (http://www.hhs.gov/ocr/privacy/hipaa/complaints/).

    Standard 18: All HIPAA complaints are documented in writing.
        References: DoD 6025.18-R C14.4.2, C14.10
        Comments: The TMA complaint form is available online (http://www.tricare.mil/tma/privacy/downloads/201033/Complaint-Form-10_04.pdf). It is forbidden to intimidate, threaten, coerce, discriminate or retaliate against anyone for filing a complaint.

    USES AND DISCLOSURES

    Standard 19: Individuals have a right to an accounting of disclosures of their PHI.
        References: DoD 6025.18-R C13.1.1
        Comments: This applies when PHI is disclosed for purposes other than Treatment, Payment, or Healthcare Operations (TPO); for example, state tumor registry board reviews.



    Standard 20: Disclosures of PHI must be limited to the amount reasonably necessary to achieve the purpose.
        References: DoD 6025.18-R C8.2; 45 CFR 164.514(d)(3)(i)
        Comments: "When using or disclosing PHI in any form or when requesting PHI from another covered entity (for example: another hospital), a covered entity shall make reasonable efforts to limit the use, disclosure, or request of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request." Ask the question: how much is necessary to accomplish the mission? Think twice when giving information.

    Standard 21: Individuals have a right to request reasonable restrictions on the use and disclosure of their PHI.
        References: DoD 6025.18-R C10.1
        Comments: For example, an individual could ask that a particular surgery they had not be disclosed. A request for restriction can be denied. A restriction applies only to the management authority level that agreed to the restriction; for example, if the restriction is at MTF level, it does not apply to the entire MHS or to TMA. The request to restrict medical or dental information (DD Form 2871) is available online: http://www.dtic.mil/whs/directives/infomgt/forms/eforms/dd2871.pdf

    Standard 22: Use or disclosure of the minimum necessary PHI is permitted for the purposes of Treatment, Payment or Healthcare Operations (TPO).
        References: DoD 6025.18-R C4
        Comments: TPO covers the essential everyday activities of health plans and healthcare providers required to complete healthcare business.

    Standard 23: Disclosures of PHI outside of TPO are documented.
        References: DoD 6025.18-R C7; 45 CFR 164.528(b)(3)
        Comments: An individual may request an accounting of disclosures of their PHI for the past six (6) years.

    Standard 24: PHI can be disclosed in connection with law enforcement provided there is an appropriate request.
        References: DoD 6025.18-R C7.6.1
        Comments: For example, a member of the police force may request information to investigate reports of child abuse/neglect or domestic violence; the request must be in writing, specific, and limited only to the scope of the purpose of the investigation.



    Standard 25: The Protected Health Information Management Tool (PHIMT) is used for documenting disclosures of PHI.
        References: DoD 6025.18-R C13.1; TMA Overarching Policy for HIPAA Privacy and Security Programs, August 6, 2007
        Comments: PHIMT is a database used by the Military Health System (MHS) to store information about disclosures of PHI. An individual has a right to receive an accounting of disclosures of PHI (including disclosures during the 6 yrs prior to the date when the accounting is requested). http://www.tricare.mil/tma/privacy/ProtectedHealthInformationManagementTool.aspx

    Standard 26: Individuals approved for access to specific DoD systems must maintain a log for all queries or query results that contain PHI.
        References: Account Authorization Request Form (AARF), Acknowledgment Section, Item 6
        Comments: A few specific systems require an Account Authorization Request Form (AARF) for access to specific data. When PHI is involved, a query log is required to provide an accounting of access to or use of PHI. The DUA and AARF Overview are available online: http://www.tricare.mil/tma/privacy/duas.aspx

    AUTHORIZATIONS

    Standard 27: Uses or disclosures of PHI outside of TPO require an authorization.
        References: DoD 6025.18-R C5
        Comments: A valid authorization must be obtained from the individual or his/her representative if PHI is shared or used beyond treatment, payment or healthcare operations. For example, Third Party Access: if an individual wants PHI released to a spouse, an authorization needs to be on file.

    Standard 28: A valid authorization contains: a specific and meaningful description of the disclosed information, the name of the requestor, the purpose of the requested use, the individual's dated signature and the expiration date or event.
        References: DoD 6025.18-R C5.3.1
        Comments: The authorization form used by the MHS is available online. Patient authorization request: authorization for disclosure of medical or dental information (DD Form 2870), for example, obtaining x-rays from another hospital: http://www.dtic.mil/whs/directives/infomgt/forms/eforms/dd2870.pdf TMA authorization to access information for program development (example): http://www.tricare.mil/tma/privacy/downloads/TMA%20Data%20Use%20Agreement%20Template.doc



    Standard 29: An individual may revoke an authorization at any time.
        References: DoD 6025.18-R C5.2.5
        Comments: An existing authorization can be revoked prior to the established expiration date.

    DATA USE AGREEMENTS

    Standard 30: Data Use Agreements (DUAs) are required for the release of patient related sensitive information to internal and external requestors.
        References: DoD 6025.18-R C8.3.4
        Comments: DUAs are used to control and monitor the release of patient-related sensitive information to internal and external requestors. The TMA Privacy Office uses DUAs to approve and monitor access to corporate information systems containing patient information. Additional information and guidance on this matter is available online: http://www.tricare.mil/tma/privacy/DataUseAgreements.aspx

    Standard 31: Copies of DUA approval letters are maintained at the user's worksite.
        Comments: The approval letter provides easy access to your DUA approval number and expiration date. The DUA number is needed should a modification to the DUA be required.

    Standard 32: When a DUA is terminated all data containing PHI is destroyed or returned and a Certificate of Data Destruction (CDD) must be submitted.
        References: DoD 6025.18-R C3.4.2.2.9
        Comments: The CDD must be submitted 30 days after the completion of a project or expiration of a DUA if the DUA will not be renewed. This is to ensure that all PHI is accounted for or destroyed. http://www.tricare.mil/tma/privacy/downloads/20100204/Certification%20of%20Data%20Destruction.doc

    BUSINESS ASSOCIATE AGREEMENTS

    Standard 33: All contracts with entities or individuals that perform covered functions contain Business Associate Agreement language.
        References: DoD 6025.18-R C3.4; Federal Acquisition Regulation (FAR) Part 24.104
        Comments: http://www.tricare.mil/tma/privacy/hipaa-baa.aspx



    Standard 34: Your office has a Business Associate Agreement (BAA) with outside entities.
        References: DoD 6025.18-R, DoD Health Information Privacy Regulation, C3.4
        Comments: This BA standard contract clause is mandatory under HIPAA whenever a contract is awarded to a person or entity that is not within the Department of Defense (DoD) or a DoD component for the purpose of providing functions, activities, or services involving the use and/or disclosure of PHI. The BA standard contract clause must be incorporated in section 6.4.4 of the appropriate Task Order Template.

    Standard 35: All Business Associates are required to protect PHI at the same level of due diligence as the covered entity.
        References: American Recovery and Reinvestment Act (ARRA) of 2009, SEC 13041b
        Comments: http://www.tricare.mil/tma/privacy/hipaa-baa.aspx

    Standard 36: Business Associate Agreements contain a requirement for reporting any wrongful use or disclosures to the covered entity.
        References: DoD 6025.18-R C3.4.2.2.3
        Comments: A standard contract clause is mandatory whenever a contract is awarded to a person or entity that is not within the DoD or a DoD component for the purpose of providing functions, activities, or services involving the use and/or disclosure of PHI. The Standard Contract Clause for Business Associates is available online: http://www.tricare.mil/tma/privacy/downloads/Business%20Associate%20Agreement.doc

    Standard 37: All Business Associate Agreements contain language in which the Business Associate agrees to mitigate, to the extent practicable, any harmful effects due to any wrongful use or disclosure that is known to the Business Associate.
        References: DoD 6025.18-R C3.4, C14.6
        Comments: http://www.tricare.mil/tma/privacy/hipaa-baa.aspx; http://www.tricare.mil/tma/privacy/contractlanguage.aspx; http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

    Standard 38: All data which pertains to PHI is returned or destroyed upon termination of the Business Associate's functions or contract.
        References: DoD 6025.18-R C3.4.2.2.9



    PENALTIES

    Standard 39: Intentional or unintentional violations of HIPAA result in serious consequences such as civil or criminal money penalties and/or imprisonment.
        References: DoD 6025.18-R C1.1.3, C2.5.5; 5 USC 552a(g)(1); TMA Memorandum, Sanction Policy for Privacy and Security Violations, April 9, 2008; American Recovery and Reinvestment Act (ARRA) of 2009, SEC 13410(3)(A)
        Comments: The following are the four tiers of civil penalties for each violation under HIPAA:
            - $100 for each such violation, not to exceed $25,000 for all identical violations under the same requirements during the calendar year;
            - $1,000 for each such violation, not to exceed $100,000 for all identical violations under the same requirements during the calendar year;
            - $10,000 for each such violation, not to exceed $250,000 for all identical violations under the same requirements during the calendar year; and
            - $50,000 for each such violation, not to exceed $1,500,000 for all identical violations under the same requirements during the calendar year.

    Standard 40: Intimidation, threatening, coercion, discrimination, or other retaliatory action cannot be taken against any individual for filing a complaint, testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing, or opposing any act or practice made unlawful involving PHI.
        References: DoD 6025.18-R C14.7; 45 C.F.R. 164.530(g)
        Comments: There should be no retaliatory actions taken against an individual who is filing a complaint or participating in a complaint investigation.

