This Regulation, “DoD Health Information Privacy Regulation,” is issued under the authority of DoD Directive 6025.18, “Privacy of Individually Identifiable Health Information in DoD Health Care Programs,” December 19, 2002 (reference (a)). It prescribes the uses and disclosures of protected health information. This Regulation is based on the requirements of the Health Insurance Portability and Accountability Act, Public Law 104-191 (reference (b)). Although it covers much of the same ground as the Privacy Act of 1974 (reference (c)), this Regulation in no way impacts the need for the Department of Defense to comply with reference (c) which has been implemented within DoD by DoD 5400.11-R (reference (d)). This Regulation applies to the Office of the Secretary of Defense, the Military Departments, the Chairman of the Joint Chiefs of Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense, the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense.

This Regulation is issued under the authority of DoD Directive 5136.1 (Reference (a)). It assigns the Assistant Secretary of Defense for Health Affairs (ASD(HA)) the authority, direction, and control to establish policies, procedures, and standards that shall govern DoD medical programs. Although this Regulation is based on the requirements of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, Public Law 104-191 (1996) (Reference (b)), and title 45 Code of Federal Regulations parts 160, 162, and 164 (Reference (c)), it covers much of the same ground as the Federal Information Security Management Act (FISMA) (Reference (d)). This Regulation in no way impacts the need for the Department of Defense to comply with the FISMA. This law has not been superseded and has been taken into consideration in developing this Regulation. This Regulation applies to the Office of the Secretary of Defense, the Military Departments, the Chairman of the Joint Chiefs of Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense, the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (hereafter referred to collectively as the "DoD Components").

This Regulation is issued under the authority of DoD Directive 5136.1 (Reference (a)). It assigns the Assistant Secretary of Defense for Health Affairs (ASD(HA)) the authority, direction, and control to establish policies, procedures, and standards that shall govern DoD medical programs. Although this Regulation is based on the requirements of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, Public Law 104-191 (1996) (Reference (b)), and title 45 Code of Federal Regulations parts 160, 162, and 164 (Reference (c)), it covers much of the same ground as the Federal Information Security Management Act (FISMA) (Reference (d)). This Regulation in no way impacts the need for the Department of Defense to comply with the FISMA. This law has not been superseded and has been taken into consideration in developing this Regulation. This Regulation applies to the Office of the Secretary of Defense, the Military Departments, the Chairman of the Joint Chiefs of Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense, the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense.