Skip to Content

Notice

Privacy Act of 1974; System of Records

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

Office of the Secretary of Defense, DoD.

ACTION:

Notice to Alter a System of Records

SUMMARY:

The Office of the Secretary of Defense proposes to alter a system of records in its inventory of record systems subject to the Privacy Act of 1974 (5 U.S.C. 552a), as amended.

DATES:

This proposed action would be effective without further notice on January 19, 2011 unless comments are received which result in a contrary determination.

ADDRESSES:

You may submit comments, identified by docket number and/Regulatory Information Number (RIN) and title, by any of the following methods:

  • Federal Rulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
  • Mail: Federal Docket Management System Office, Room 3C843, 1160 Defense Pentagon, Washington, DC 20301-1160.

Instructions: All submissions received must include the agency name and docket number or Regulatory Information Number (RIN) for this Federal Register document. The general policy for comments and other submissions from members of the public is to make these submissions available for public viewing on the Internet at http://www.regulations.gov as they are received without change, including any personal identifiers or contact information.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Chief, OSD/JS Privacy Office, Freedom of Information Directorate, Washington Headquarters Services, 1155 Defense Pentagon, Washington, DC 20301-1155, or Ms. Cindy Allard at (703) 588-6830.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

The Office of the Secretary of Defense notices for systems of records subject to the Privacy Act of 1974 (5 U.S.C. 552a), as amended, have been published in the Federal Register and are available from the FOR FURTHER INFORMATION CONTACT address above. The proposed system report, as required by 5 U.S.C. 552a(r) of the Privacy Act of 1974, as amended, was submitted on December 10, 2010, to the House Committee on Oversight and Government Reform, the Senate Committee on Governmental Affairs, and the Office of Management and Budget (OMB) pursuant to paragraph 4c of Appendix I to OMB Circular No. A-130, “Federal Agency Responsibilities for Maintaining Records About Individuals,” dated February 8, 1996 (February 20, 1996, 61 FR 6427).

Start Signature

Dated: December 10, 2010.

Morgan F. Park,

Alternate OSD Federal Register Liaison Officer, Department of Defense.

End Signature

DHA 12

System Name:

Third Party Collection System (March 29, 2005, 70 FR 15847).

Changes:

System location:

Delete entry and replace with “Defense Health Services Systems, Suite 1599, 5203 Leesburg Pike, Falls Church, VA 22041-3891.”

Categories of individuals covered by the system:

Delete entry and replace with “Members of the uniformed services (and their dependents) and retired military members (and their dependents) who receive or have received health services approved by the Department of Defense, contractors participating in military deployments or related operations who receive or have received medical or dental care at a military treatment facility, Department of Defense civilian employees (to include non-appropriated fund employees) who receive or have received medical or dental care at a military treatment facility, and other individuals who receive or have received medical or dental care at a military treatment facility.”

Categories of records in the system:

Delete entry and replace with “Individual Data: This includes patient name, Social Security Number (SSN)(or foreign identification), whether treatment was outpatient or inpatient, outpatient visit date and time, date of birth, mailing address, home telephone number, family member prefix, and relationship to policy holder; sponsor or insurance policy holder name, Social Security Number (SSN), and date of birth; other covered family member name(s), Social Security Number (SSN), and date(s) of birth; and, if applicable, Medicare and Medicaid coverage data.

Insurance Policy Information Data:

This includes policy number or identification, card holder identification, group number, group name, enrollment plan/code, policy effective date, policy category, policy end date, insurance company name, address and telephone number, insurance type, policy holder, whether policy holder is insured through their employer, and drug coverage data regarding authority to bill for pharmaceuticals.Start Printed Page 79346

Employer Information data:

This includes employer name, address, and telephone number.

Billing Information Data:

This includes bill type (military treatment facility, clinic, pharmacy, laboratory/radiology, ambulance), name and location of military treatment facility, whether treatment was outpatient or inpatient, outpatient visit date and time, inpatient admission and discharge dates and time, patient identification number, patient name, provider code/description, office visit code description, Medical Expense and Performance Reporting System code/description, diagnosis code/description, billing amount, user who created the bill, date bill was created, and status of bill and source of billing data.

Accounting Information Data:

This includes control number, transaction code, debit amount, credit amount, check number, Batch posting number, balance, patient identification, patient name, encounter date, comments, entry date and follow-up date.

Insurance Company Data:

This contains tables for insurance company, policy, provider, fees, codes, rates, and procedure maintenance.”

Authority for maintenance of the system:

Delete entry and replace with “10 U.S.C. 1095, Health care services incurred on behalf of covered beneficiaries: collection from third-party payers; 10 U.S.C. 1079b, Procedures for charging fees for care provided to civilians; retention and use of fees collected; 42 U.S.C. Chapter 32, “Third Party Liability For Hospital and Medical Care;” 28 CFR Part 43, “Recovery of Costs of Hospital and Medical Care and Treatment Furnished by the United States;” 45 CFR parts 160 and 164, Health and Human Services, General Administrative Requirements and Security & Privacy; 32 CFR part 220, Collection from Third Party Payers of Reasonable Charges for Healthcare Services; DoD 6010.15-M, Chapter 3, Medical Services Account; and E.O. 9397 (SSN), as amended.”

Purpose(s):

Delete entry and replace with “To establish a standard patient accounting system for health care billing practices. It shall assist military treatment facilities in the collection, tracking, and reporting of data required for the Department of Defense Third Party Collection Program billing process by the adoption of standard commercial medical coding and billing practices to military treatment facilities.

The Defense Finance Accounting Service (DFAS) uses this information to bill person(s) or organization(s) liable for payment on behalf those receiving care at a military treatment facility.”

Routine uses of records maintained in the system, including categories of users and the purposes of such uses:

Delete entry and replace with “In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act of 1974, as amended, these records may specifically be disclosed outside the Department of Defense as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:

To interface with all commercial insurance carriers and parties against whom recovery has been sought by the Department of Defense Military Health System, as well as all parties involved in support of the collection activities for health care approved by the Department of Defense.

To the National Data Clearinghouse, an electronic healthcare clearinghouse, for purposes of converting the data to an industry-wide format prior to forwarding the billing information to the insurance companies for payment.

The DoD `Blanket Routine Uses' set forth at the beginning of Office of the Secretary of Defense's compilation of systems of records notices apply to this system.

Note 1:

This system of records contains individually identifiable health information. The Department of Defense Health Information Privacy Regulation (DoD 6025.18-R) issued pursuant to the Health Insurance Portability and Accountability Act of 1996, applies to most such health information. DoD 6025.18-R may place additional procedural requirements on the uses and disclosures of such information beyond what is found in the Privacy Act of 1974 or mentioned in this system of records notice.

Note 2:

Personal identity, diagnosis, prognosis or treatment information of any patient maintained in connection with the performance of any program or activity relating to substance abuse education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States is, except as per 42 U.S.C. 290dd-2, treated as confidential and disclosed only for the purposes and under the circumstances expressly authorized under 42 U.S.C. 290dd-2.”

Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system:

Storage:

Delete entry and replace with “Paper file folders and electronic storage media.”

Retrievability:

Delete entry and replace with “Records are retrieved by the sponsor or patient name, Social Security Number (SSN), Department of Defense Benefits Number, third party payer identification number assigned to individual, family member prefix (a two-digit code identifying the person's relationship to the Military Sponsor), and/or Patient Control Number.”

Safeguards:

Delete entry and replace with “Physical access to system location restricted by cipher locks, visitor escort, access rosters, and photo identification. Adequate locks on doors and server components secured in a locked computer room with limited access. Each system end user device protected within a locked storage container, room, or building outside of normal business hours. All visitors and other persons that require access to facilities that house servers and other network devices supporting the system that do not have authorization for access escorted by appropriately screened/cleared personnel at all times.

Access to the system is role-based and a valid user account is required. The system provides two-factor authentication, using either a Common Access Card and Personal Identification Number or a unique logon identification and password. Where a unique logon identification and password is used, passwords must be renewed every sixty (60) days. Authorized personnel must have appropriate Information Assurance training, Health Insurance Portability and Accountability Act training, and Privacy Act of 1974 training.”

Retention and disposal:

Delete entry and replace with “Records are destroyed five years after the end of the year in which the record was closed.”

System manager(s) and address:

Delete entry and replace with “Program Manager, Defense Health Services Systems, Suite 1500, 5203 Leesburg Pike, Falls Church, VA 22041-3891.”

Notification procedure:

Delete entry and replace with “Individuals seeking to determine Start Printed Page 79347whether this system contains information about themselves should address written inquires to the TRICARE Management Activity, Department of Defense, ATTN: TMA Privacy Officer, Suite 810, 5111 Leesburg Pike, Falls Church VA 22041-3206.

Request should contain participant's and/or sponsor's full name, their Social Security Number (SSN), and current address and telephone number and the names of the military treatment facility or facilities in which they have received medical treatment.

If requesting health information of a minor (or legally incompetent person), the request must be made by a custodial parent, legal guardian, or party acting in loco parentis of such individual(s). Written proof of the capacity of the requestor may be required.”

Record access procedures:

Delete entry and replace with “Individuals seeking access to records about themselves contained in this system should address written inquiries to TRICARE Management Activity, Attention: Freedom of Information Act Requester Service Center, 16401 East Centretech Parkway, Aurora, CO 80011-9066.

Requests should contain participant's and/or sponsor's full name, their Social Security Number (SSN), and current address and telephone number and the names of the military treatment facility or facilities in which they have received medical treatment.

If requesting health information of a minor (or legally incompetent person), the request must be made by a custodial parent, legal guardian, or party acting in loco parentis of such individual(s). Written proof of the capacity of the requestor may be required.”

Contesting record procedures:

Delete entry and replace with “The Office of the Secretary of Defense rules for accessing records, for contesting contents and appealing initial agency determinations are published in Office of the Secretary of Defense Administrative Instruction 81 (32 CFR part 311) or may be obtained from the system manager.”

Record source categories:

Delete entry and replace with “Information is obtained from an automated medical records system, the Composite Health Care System (specifically, the Ambulatory Data Module), which is automatically sent to the Third Party Collection System. Other information may be obtained from the AHLTA System and the Theater Data Medical Stores System.”

* * * * *

DHA 12

System Name:

Third Party Collection System.

System location:

Defense Health Services Systems, Suite 1599, 5203 Leesburg Pike, Falls Church, VA 22041-3891.

Categories of individuals covered by the system:

Members of the uniformed services (and their dependents) and retired military members (and their dependents) who receive or have received health services approved by the Department of Defense, contractors participating in military deployments or related operations who receive or have received medical or dental care at a military treatment facility, Department of Defense civilian employees (to include non-appropriated fund employees) who receive or have received medical or dental care at a military treatment facility, and other individuals who receive or have received medical or dental care at a military treatment facility.

Categories of records in the system:

Individual Data:

This includes patient name, Social Security Number (SSN) (or foreign identification), whether treatment was outpatient or inpatient, outpatient visit date and time, date of birth, mailing address, home telephone number, family member prefix, and relationship to policy holder; sponsor or insurance policy holder name, Social Security Number (SSN), and date of birth; other covered family member name(s), Social Security Number (SSN), and date of birth; and, if applicable, Medicare and Medicaid coverage data.

Insurance Policy Information Data:

This includes policy number or identification, card holder identification, group number, group name, enrollment plan/code, policy effective date, policy category, policy end date, insurance company name, address and telephone number, insurance type, policy holder, whether policy holder is insured through their employer, and drug coverage data regarding authority to bill for pharmaceuticals.

Employer Information data:

This includes employer name, address, and telephone number.

Billing Information Data:

This includes bill type (military treatment facility, clinic, pharmacy, laboratory/radiology, ambulance), name and location of military treatment facility, whether treatment was outpatient or inpatient, outpatient visit date and time, inpatient admission and discharge dates and time, patient identification number, patient name, provider code/description, office visit code description, Medical Expense and Performance Reporting System code/description, diagnosis code/description, billing amount, user who created the bill, date bill was created, and status of bill and source of billing data.

Accounting Information Data:

This includes control number, transaction code, debit amount, credit amount, check number, Batch posting number, balance, patient identification, patient name, encounter date, comments, entry date and follow-up date.

Insurance Company Data:

This contains tables for insurance company, policy, provider, fees, codes, rates, and procedure maintenance.

Authority for maintenance of the system:

10 U.S.C. 1095, Health care services incurred on behalf of covered beneficiaries: collection from third-party payers; 10 U.S.C. 1079b, Procedures for charging fees for care provided to civilians; retention and use of fees collected; 42 U.S.C. Chapter 32, “Third Party Liability For Hospital and Medical Care;” 28 CFR part 43, “Recovery of Costs of Hospital and Medical Care and Treatment Furnished by the United States;” 45 CFR parts 160 and 164, Health and Human Services, General Administrative Requirements and Security & Privacy; 32 CFR part 220, Collection from Third Party Payers of Reasonable Charges for Healthcare Services; DoD 6010.15-M, Chapter 3, Medical Services Account; and E.O. 9397 (SSN), as amended.

Purpose(s):

To establish a standard patient accounting system for health care billing practices. It shall assist military treatment facilities in the collection, tracking, and reporting of data required for the Department of Defense Third Party Collection Program billing process by the adoption of standard commercial medical coding and billing practices to military treatment facilities.

The Defense Finance Accounting Service (DFAS) uses this information to bill person(s) or organization(s) liable for payment on behalf those receiving care at a military treatment facility.Start Printed Page 79348

Routine uses of records maintained in the system, including categories of users and the purposes of such uses:

In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, as amended, these records may specifically be disclosed outside the Department of Defense as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:

To interface with all commercial insurance carriers and parties against whom recovery has been sought by the Department of Defense Military Health System, as well as all parties involved in support of the collection activities for health care approved by the Department of Defense.

To the National Data Clearinghouse, an electronic healthcare clearinghouse, for purposes of converting the data to an industry-wide format prior to forwarding the billing information to the insurance companies for payment.

The DoD `Blanket Routine Uses' set forth at the beginning of Office of the Secretary of Defense's compilation of systems of records notices apply to this system.

Note 1:

This system of records contains individually identifiable health information. The Department of Defense Health Information Privacy Regulation (DoD 6025.18-R) issued pursuant to the Health Insurance Portability and Accountability Act of 1996, applies to most such health information. DoD 6025.18-R may place additional procedural requirements on the uses and disclosures of such information beyond what is found in the Privacy Act of 1974 or mentioned in this system of records notice.

Note 2:

Personal identity, diagnosis, prognosis or treatment information of any patient maintained in connection with the performance of any program or activity relating to substance abuse education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States is, except as per 42 U.S.C. 290dd-2, treated as confidential and disclosed only for the purposes and under the circumstances expressly authorized under 42 U.S.C. 290dd-2.

Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system:

Storage:

Paper file folders and electronic storage media.

Retrievability:

Records are retrieved by the sponsor or patient name, Social Security Number, Department of Defense Benefits Number, third party payer identification number assigned to individual, family member prefix (a two-digit code identifying the person's relationship to the Military Sponsor), and/or Patient Control Number.

Safeguards:

Physical access to system location restricted by cipher locks, visitor escort, access rosters, and photo identification. Adequate locks on doors and server components secured in a locked computer room with limited access. Each system end user device protected within a locked storage container, room, or building outside of normal business hours. All visitors and other persons that require access to facilities that house servers and other network devices supporting the system that do not have authorization for access escorted by appropriately screened/cleared personnel at all times.

Access to the system is role-based and a valid user account is required. The system provides two-factor authentication, using either a Common Access Card and Personal Identification Number or a unique logon identification and password. Where a unique logon identification and password is used, passwords must be renewed every sixty (60) days. Authorized personnel must have appropriate Information Assurance training, Health Insurance Portability and Accountability Act training, and Privacy Act of 1974 training.

Retention and disposal:

Records are destroyed five years after the end of the year in which the record was closed.

System manager(s) and address:

Program Manager, Defense Health Services Systems, Suite 1500, 5203 Leesburg Pike, Falls Church, VA 22041-3891.

Notification procedure:

Individuals seeking to determine whether this system contains information about themselves should address written inquires to the TRICARE Management Activity, Department of Defense, ATTN: TMA Privacy Officer, Suite 810, 5111 Leesburg Pike, Falls Church, VA 22041-3206.

Request should contain participant's and/or sponsor's full name, their Social Security Number (SSN), and current address and telephone number and the names of the military treatment facility or facilities in which they have received medical treatment.

If requesting health information of a minor (or legally incompetent person), the request must be made by a custodial parent, legal guardian, or party acting in loco parentis of such individual(s). Written proof of the capacity of the requestor may be required.

Record access procedures:

Individuals seeking access to records about themselves contained in this system should address written inquiries to TRICARE Management Activity, Attention: Freedom of Information Act Requester Service Center, 16401 East Centretech Parkway, Aurora, CO 80011-9066.

Requests should contain participant's and/or sponsor's full name, their Social Security Number (SSN), and current address and telephone number and the names of the military treatment facility or facilities in which they have received medical treatment.

If requesting health information of a minor (or legally incompetent person), the request must be made by a custodial parent, legal guardian, or party acting in loco parentis of such individual(s). Written proof of the capacity of the requestor may be required.

Contesting record procedures:

The Office of the Secretary of Defense rules for accessing records, for contesting contents and appealing initial agency determinations are published in Office of the Secretary of Defense Administrative Instruction 81 (32 CFR part 311) or may be obtained from the system manager.

Record source categories:

Information is obtained from an automated medical records system, the Composite Health Care System (specifically, the Ambulatory Data Module), which is automatically sent to the Third Party Collection System. Other information may be obtained from the AHLTA System and the Theater Data Medical Stores System.

Exemptions claimed for the system:

None.

End Supplemental Information

[FR Doc. 2010-31789 Filed 12-17-10; 8:45 am]

BILLING CODE 5001-06-P