TRICARE and HIPAA: Your Privacy Rights Guide

Guide to HIPAA for TRICARE: How the law protects military health records, the Military Command Exception, and your rights to medical privacy in 2026.

*Disclaimer: TRICARE.com is an independent reference site and is not the official TRICARE program or affiliated with the Department of Defense. For official policy, visit TRICARE.mil.*

## Quick answer

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of your military health records and ensures you can keep health insurance coverage when changing jobs. For TRICARE beneficiaries, it means the Defense Health Agency (DHA), TriWest (West Region), and Humana Military (East Region) cannot share your medical information without your permission, except for specific reasons like treatment, payment, or healthcare operations.

## In detail

HIPAA consists of several "Rules" that dictate how your TRICARE data, referred to as Protected Health Information (PHI), is handled. These regulations apply across all TRICARE plans, including Prime, Select, and For Life.

### The HIPAA Privacy Rule

This rule gives you rights over your health information. Within the TRICARE system, you have the right to:

* **Request Records:** You can ask to see or get a copy of your medical records from a Military Treatment Facility (MTF) or a civilian provider.
* **Request Corrections:** If you find an error in your TRICARE records, you can request an amendment.
* **Restrict Sharing:** You can ask TRICARE or your provider not to share certain information with specific people or entities.
* **Notice of Privacy Practices:** All TRICARE contractors (Humana Military, TriWest, and Express Scripts) must provide you with a notice explaining how they use your data.

### The HIPAA Security Rule

While the Privacy Rule covers all PHI, the Security Rule specifically protects *electronic* PHI (ePHI). As of 2026, TRICARE utilizes advanced encryption and multi-factor authentication for the MHS GENESIS Patient Portal to remain compliant. Contractors like TriWest Healthcare Alliance must maintain rigorous technical safeguards to prevent data breaches of beneficiary records in the West Region.

### HIPAA and Military Command Exceptions

A unique aspect of HIPAA within the military is the **Military Command Exception**. Under 45 CFR 164.512(k), healthcare providers may disclose PHI of Armed Forces personnel to command authorities for specific purposes, such as:

1. Determining fitness for duty.
2. Fitness to perform a particular assignment.
3. Carrying out a military mission.
4. Reporting on casualties.

### Administrative Protections and Portability

The "Portability" part of HIPAA ensures that if you transition from TRICARE to a civilian employer-sponsored plan (or vice-versa), you cannot be denied coverage or face new "pre-existing condition" exclusions, provided you have "Creditable Coverage." TRICARE counts as creditable coverage.

| Feature | TRICARE East (Humana) | TRICARE West (TriWest) |
| :--- | :--- | :--- |
| **Privacy Oversight** | Humana Military Privacy Office | TriWest Privacy Office |
| **Digital Access** | MHS GENESIS / Humana Portal | MHS GENESIS / TriWest Portal |
| **PBM Privacy** | Express Scripts | Express Scripts |
| **Compliance Standard** | 2026 HIPAA Regulatory Standards | 2026 HIPAA Regulatory Standards |

## Who this applies to

* **Active Duty Service Members (ADSMs):** Protected by HIPAA, but subject to the Military Command Exception for readiness and fitness for duty.
* **Retirees and Families:** Full HIPAA protections apply; providers generally cannot speak to a spouse about an adult beneficiary's health without a signed authorization (DD Form 2870).
* **Young Adult Dependents:** Once a child turns 18 (or the age of majority in their state), parents no longer have automatic access to their TRICARE medical records or claims data without written consent.
* **Transitional Beneficiaries:** Those moving from TRICARE to civilian insurance use HIPAA portability rules to prove prior coverage and waive waiting periods.

## Common scenarios

### 1. The Protected Spouse

A spouse of a retired Chief Petty Officer calls Humana Military to check on a claim for her husband’s $500 specialist visit (2026 Select copay). Because of HIPAA, the representative cannot discuss the specific diagnosis or treatment with her unless the husband has a **DD Form 2870 (Authorization to Disclose Health Information)** on file.

### 2. The Command Inquiry

An Army Captain undergoes a mental health evaluation at an MTF. Under the HIPAA Military Command Exception, the provider may notify the Commanding Officer if the Captain’s condition affects the safety of the unit or the mission, even without the Captain's specific written authorization.

### 3. Transitioning to a Civilian Job

A Major separates from the Air Force and takes a corporate job. The new employer’s insurance has a 12-month exclusion for pre-existing conditions. Under HIPAA Portability, the Major uses their TRICARE "Certificate of Creditable Coverage" to prove they had prior insurance, forcing the new plan to waive the exclusion period immediately.

## Related terms

* **PHI (Protected Health Information):** Any individually identifiable health information held or transmitted by a covered entity.
* **DD Form 2870:** The official DOD form used to authorize TRICARE to release your medical records to a third party.
* **MHS GENESIS:** The unified electronic health record system used by the Department of Defense.
* **Creditable Coverage:** Health insurance coverage held prior to a new policy that counts toward exhausting a pre-existing condition exclusion period.
* **Covered Entity:** Healthcare providers, health plans (like TRICARE), and healthcare clearinghouses that must comply with HIPAA.

## Sources

* **TRICARE.mil Privacy Office:** https://www.tricare.mil/Privacy
* **HHS.gov HIPAA Basics:** https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html
* **Defense Health Agency (DHA) Privacy and Civil Liberties:** https://health.mil/Military-Health-Topics/Privacy-and-Civil-Liberties
* **TriWest Healthcare Alliance Privacy:** https://www.triwest.com/en/privacy-information/