Security of Individually Identifiable Health Information in DoD Health Care Programs
Publication Date: 12 August 2015
PURPOSE. This instruction:
a. Reissues DoD 8580.02-R (Reference (a)) as a DoD instruction (DoDI) in accordance with the authority in DoD Directive (DoDD) 5124.02 (Reference (b)).
b. Establishes policy and assigns responsibilities for security of individually identifiable health information created, received, maintained, or transmitted in electronic form (referred to in this instruction as "electronic protected health information (ePHI)").
c. Implements policy regarding information security as established in sections 300gg and 1320d et seq. of Title 42 United States Code (U.S.C.) (Reference (c)); section 1181 et seq. of Title 29 U.S.C. (Reference (d)); and parts 160, 162, and 164 of Title 45, Code of Federal Regulations (Reference (e)). References (c), (d), and (e) are collectively known and referred to in this instruction as the "Health Insurance Portability and Accountability Act (HIPAA)."
a. This instruction applies to:
(1) OSD, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the DoD, the Defense Agencies, the DoD Field Activities, and all other organizational entities within the DoD, which are covered entities as defined in DoD 6025.18-R (Reference (f)) (referred to collectively in this instruction as the "DoD Components").
(2) Business associates, where the contract or other written arrangement makes this instruction applicable.
b. This instruction does not apply to:
(1) DoD drug-testing programs carried out pursuant to DoDI 1010.01 (Reference (g)) or DoDI 1010.09 (Reference (h)).
(2) The provision of health care to foreign national beneficiaries of the Military Health System (MHS) when such care is provided in a country other than the United States.
(3) The Armed Forces Repository of Specimen Samples for the Identification of Remains established and operated pursuant to DoDI 5154.30 (Reference (i)).
(4) The provision of health care to enemy prisoners of war, retained personnel, civilian internees, and other detainees pursuant to DoDD 2310.01E (Reference (j)).
(5) Education records maintained by domestic or overseas DoD-operated schools.
(6) Records maintained by DoD-operated day care centers.
(7) Military Entrance Processing Stations.
(8) Reserve Component medical personnel who are outside the authority of the military treatment facilities (MTFs) and who do not engage in standard electronic transactions covered by this instruction. See Glossary for a list of covered transactions.
(9) Health care providers that participate in Defense Health Agency (DHA)-managed care support contractor provider networks, unless otherwise required by the TRICARE program manuals or other agreements.
c. As required pursuant to the Inspector General Act of 1978, as amended, Title 5, U.S.C., Appendix (Reference (k)), nothing in this instruction will be construed to diminish the authority of any statutory Inspector General, including such authority as provided for in Reference (k).
d. This instruction is based on the requirements of HIPAA, and has common characteristics with sections 3541 through 3544 of Title 44, U.S.C., also known as and referred to in this instruction as the "Federal Information Security Management Act (FISMA) of 2002" (Reference (l)). However, this instruction does not lessen the need for DoD to comply with FISMA, nor does this instruction supersede FISMA.