TRICARE Data Security & Privacy Guide (2026)

Learn how TRICARE secures your medical data through HIPAA compliance, MHS GENESIS encryption, and the roles of Humana Military and TriWest.


## Quick answer

TRICARE protects your healthcare data through strict adherence to HIPAA and federal cybersecurity standards, managed by the Defense Health Agency (DHA). Your sensitive information—including medical records, SSNs, and claims data—is secured by contractors like Humana Military (East), TriWest (West), and Express Scripts (Pharmacy). You can control who sees your data by managing authorizations through the MHS GENESIS Patient Portal or MilConnect.

*TRICARE.com is an independent reference site and is not affiliated with the official TRICARE program or the Department of Defense. For official policy, visit TRICARE.mil.*

## In detail

TRICARE data security is a multi-layered system involving the Department of Defense (DoD), regional contractors, and third-party pharmacy managers. Because TRICARE is a federal program, it must comply with both the Health Insurance Portability and Accountability Act (HIPAA) and the Privacy Act of 1974.

### The T-5 Contract and Security Roles

As of the T-5 contract transition on January 1, 2025, data security responsibilities are split between several key entities:

* **Defense Health Agency (DHA):** Sets the overarching cybersecurity policies and manages the MHS GENESIS electronic health record system.
* **Humana Military (East Region):** Responsible for securing the data of beneficiaries in the Eastern U.S.
* **TriWest Healthcare Alliance (West Region):** Newly responsible (as of 2025) for data integrity and privacy across the Western U.S.
* **Express Scripts:** Manages pharmacy records and prescription history security.

### How Your Data is Shielded

TRICARE employs several specific technical and legal safeguards to protect your Personal Health Information (PHI) and Personally Identifiable Information (PII):

1. **MHS GENESIS Security:** The centralized electronic health record uses "need-to-know" access controls. Only providers directly involved in your care are permitted to view your records.
2. **Encryption:** Data is encrypted both "at rest" (stored on servers) and "in transit" (sent between your doctor and the insurance contractor).
3. **DS Logon:** Access to TRICARE portals requires a Defense Self-Service (DS) Logon, which uses multi-factor authentication (MFA) to prevent unauthorized account takeovers.
4. **DEERS Integrity:** The Defense Enrollment Eligibility Reporting System (DEERS) acts as the "source of truth." Keeping this updated is the beneficiary’s primary responsibility to ensure mail and digital notifications are not sent to an old address.

### Privacy Rights and Disclosures

Under the HIPAA Privacy Rule, TRICARE beneficiaries have the right to:

* Inspect and copy their medical records.
* Request an "accounting of disclosures" to see who has accessed their health data outside of routine treatment, payment, or healthcare operations.
* Place a "Security Freeze" or restriction on how certain information is shared with family members (relevant for adult children or spouses).

## Who this applies to

* **Active Duty Service Members (ADSMs):** Highest level of data sharing; commanders may have access to specific health information that affects "fitness for duty."
* **Active Duty Family Members (ADFMs):** Protected by HIPAA; once a child turns 18, parents generally cannot see their medical records without a signed DD Form 2870.
* **Retirees and Families:** Data is managed primarily through regional contractors (Humana or TriWest) for claims processing and secondary insurance coordination.
* **Providers:** Must meet DHA cybersecurity standards to link their local Electronic Medical Records (EMR) with the TRICARE system.

## Common scenarios

### The 18th Birthday Privacy Shift

Sarah is a dependent under her father’s TRICARE Prime plan. On her 18th birthday, she becomes a legal adult under HIPAA. Even though her father pays for the plan and the enrollment fees (which are $0 for active duty, but vary for retirees), he can no longer see the details of her doctor visits in the MHS GENESIS portal unless Sarah signs a **DD Form 2870** (Authorization for Disclosure of Medical or Dental Information).

### Cybersecurity Breach Notification

If a contractor like TriWest or Humana Military experiences a data breach, they are legally required to notify affected beneficiaries. For example, if a laptop containing unencrypted claims data for 1,000 beneficiaries is stolen, the contractor must mail notification letters within 60 days and often provides one year of free credit monitoring services.

### Switching Regions (East to West)

When a Petty Officer moves from Norfolk, VA (East) to San Diego, CA (West) in 2026, their data must securely migrate from Humana Military to TriWest. This is handled via the DEERS system. The member’s medical history remains in MHS GENESIS, while their billing and referral history is transferred to the new regional contractor using encrypted federal data tunnels.

## Related terms

* **HIPAA:** The Health Insurance Portability and Accountability Act; the primary federal law protecting health privacy.
* **PII (Personally Identifiable Information):** Data that can be used to identify you, such as your SSN, DOB, or home address.
* **PHI (Protected Health Information):** Any information about health status, provision of health care, or payment for health care.
* **MHS GENESIS:** The unified electronic health record system used by the Military Health System.
* **DEERS:** The database that tracks military members and their dependents for TRICARE eligibility.
* **DD Form 2870:** The official document used to authorize TRICARE to release your medical information to a third party.

## Sources

* **TRICARE.mil Privacy Office:** https://www.tricare.mil/Privacy
* **Defense Health Agency (DHA) Cybersecurity:** https://health.mil/Military-Health-Topics/Technology/Cybersecurity
* **MHS GENESIS Patient Portal:** https://patientportal.mhsgenesis.health.mil
* **Health.mil HIPAA Notice of Privacy Practices:** https://www.health.mil/Military-Health-Topics/Privacy-and-Civil-Liberties/HIPAA-Compliance-in-the-MHS/Notice-of-Privacy-Practices