Defense Health Agency (DHA), Department of Defense (DoD).
Notice of a modified System of Records.
DHA is modifying the System of Records titled, “Military Health Information System (MHIS),” EDHA 07 to facilitate public health activities and research efforts in response to the COVID-19 pandemic. In addition, this System of Records will become the DoD-wide SORN with enterprise application across the department. The proposed modifications include clarifying the purposes for the handling and use of data to improve quality assurance within healthcare operations (such as Start Printed Page 36191data analytics and clinical research) to address COVID-19. Modifications also include broadening the categories of individuals to cover all associated information systems and updating routine uses to enable better collaboration with federal agencies and academic institutions to accommodate the COVID-19 Insights Project. The Military Health Information System (MHIS) collects and maintains data that supports benefits determination for Military Health System (MHS) beneficiaries between the DoD, Department of Veterans Affairs (VA), and Department of Health and Human Services (HHS) healthcare programs. This data also provides Federal Agencies the ability to support continuity of care for patrons, ensures more efficient adjudication of claims, enables quality assurance and healthcare operations, and supports a myriad of healthcare policy, public health, military mission, data analysis, and clinical research activities.
This System of Records modification is effective upon publication; however, comments on the Routine Uses will be accepted on or before July 15, 2020. The Routine Uses are effective at the close of the comment period.
You may submit comments, identified by docket number and title, by any of the following methods.
* Federal Rulemaking Portal: https://www.regulations.gov.
Follow the instructions for submitting comments.
* Mail: DoD cannot receive written comments at this time due to the COVID-19 pandemic. Comments should be sent electronically to the docket listed above.
Instructions: All submissions received must include the agency name and docket number for this Federal Register document. The general policy for comments and other submissions from members of the public is to make these submissions available for public viewing on the internet at https://www.regulations.gov as they are received without change, including any personal identifiers or contact information.
Start Further Info
FOR FURTHER INFORMATION CONTACT:
Ms. Rahwa A. Keleta, Chief, Defense Health Agency, Privacy and Civil Liberties Office, 7700 Arlington Boulevard, Suite 5101, Falls Church, VA 22042-5101, or by phone at (703) 275-6363.
End Further Info
Start Supplemental Information
The DHA is modifying this System of Records to facilitate public health activities and research efforts in response to the COVID-19 pandemic. This modification is necessary to enable the sharing of information with other federal agencies and academic institutions to process and analyze data to further the federal government's public health mission and medical research goals. This effort is especially urgent due to the current COVID-19 pandemic; and these modifications are also anticipated to assist in responding to future public health emergencies.
The statutory intent behind this System of Records is the provision of medical and dental care, financial compensation for military members and beneficiaries, support to military readiness, enhancement for public health institutions, and advancements in medical research. The statute also facilitates disclosure of records in accordance with the Health Insurance Portability and Accountability Act (HIPAA).
The DoD notices for Systems of Records subject to the Privacy Act of 1974, as amended, have been published in the Federal Register and are available from the address in FOR FURTHER INFORMATION CONTACT or at the Defense Privacy, Civil Liberties and Transparency Division website at https://dpcld.defense.gov.
The proposed system reports, as required by the Privacy Act, were submitted on May 28, 2020, to the House Committee on Oversight and Reform, the Senate Committee on Homeland Security and Governmental Affairs, and the Office of Management and Budget (OMB) pursuant to Section 6 of OMB Circular No. A-108, “Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act,” revised December 23, 2016 (December 23, 2016, 81 FR 94424).
Dated: June 10, 2020.
Aaron T. Siegel,
Alternate OSD Federal Register Liaison Officer, Department of Defense.
SYSTEM NAME AND NUMBER:
Military Health Information System, EDHA 07.
Defense Health Agency (DHA), Electronic Health Records (EHR) Core Program Office, 7700 Arlington Boulevard, Falls Church, VA 22042-510.
Program Manager, EHR Core Program Office, 1700 N Moore Street, Suite 2300, Arlington, VA 22209.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Public Law 104-191, Health Insurance Portability and Accountability Act of 1996; 10 U.S.C., Chapter Ch. 55, Medical and Dental Care; 10 U.S.C. 1097a, TRICARE Prime: Automatic Enrollments; Payment Options; 10 U.S.C. 1097b, TRICARE Prime and TRICARE Program: Financial Management; 10 U.S.C. 1079, Contracts for Medical Care for Spouses and Children: Plans; 10 U.S.C. 1079a, TRICARE Program: Treatment of Refunds and Other Amounts Collected Civilian Health and Medical Program of the Uniformed Services (CHAMPUS); 10 U.S.C. 1086, Contracts for Health Benefits for Certain Members, Former Members, and Their Dependents; 10 U.S.C. 1095, Health Care Services Incurred on behalf of Covered Beneficiaries: Collection From Third-party Payers; 42 U.S.C. 290dd, Substance Abuse Among Government and Other Employees; 42 U.S.C. 290dd-2, Confidentiality Of Records; 42 U.S.C 42 U.S.C. Ch. 117, Sections 11131-11152, Reporting of Information; 45 CFR 164, Security and Privacy; Department of Defense (DoD) Instruction 6015.23, Foreign Military Personnel Care and Uniform Business Offices in Military Treatment Facilities (MTFS); DoD 6025.18-R, DoD Health Information Privacy Regulation; and E.O. 9397 (SSN).
PURPOSE(S) OF THE SYSTEM:
The MHIS collects and maintains data that supports benefits determination for Military Health System (MHS) beneficiaries between DoD, Department of Veterans Affairs (VA), and Department of Health and Human Services (HHS) healthcare programs. The MHIS collects and maintains data used to authenticate and identify American Red Cross volunteers and United Service Organizations granted privileges and access to DoD facilities. This data provides Federal Agencies the ability to support continuity of care for patrons, ensures more efficient adjudication of claims, enables quality assurance and healthcare operations, and supports a myriad of healthcare policy, public health, military mission, data analysis, and clinical research activities. The system documents and tracks environmental health data, deployment information, and data used to perform disease management. The system also maintains data used in proactive health intervention activities. Data is used for research and data analysis to support military missions, improve safety, and advance military technology. Continuity of care includes maintaining data for patient Start Printed Page 36192administration (including registration, admission, disposition and transfer); patient appointments and scheduling delivery of managed care; workload and medical services accounting; and quality assurance. Data collected and maintained is also used to capture demographics and perform trend analysis.
The information stored in this system consists of personally identifiable information (PII) protected by the Privacy Act and personal health information (PHI) protected by the Health Insurance Portability and Accountability Act (HIPAA). The DoD Health Information Privacy Regulation (DoD 6025.18-R) issued pursuant to the HIPAA of 1996, applies to most health information. DoD 6025.18-R may place additional procedural requirements on the uses and disclosures of such information beyond those found in the Privacy Act of 1974 or mentioned in this System of Records Notice (SORN).
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
Members, former members, retirees, civilian employees (includes non-appropriated fund) and contractor employees of the DoD and all of the Uniformed Services; Presidential appointees of all Federal Government agencies; Medal of Honor recipients; U.S. Military Academy students; Lighthouse Service, DoD and VA beneficiaries (e.g. dependent family members, legal guardians and other protectors, prior military eligible for VA benefits, Non-DoD Beneficiary and DoD Beneficiary, a person who receives benefits from the DoD based on prior association, condition or authorization, an example is a former spouse; Former member (Reserve service, discharged from Ready Reserve or Selective Reserve following notification of retirement eligibility); non-Federal agency civilian associates and other individuals granted DoD privileges, benefits, or physical or logical access to military installations (e.g., American Red Cross paid employees, United Service Organization (USO), Intergovernmental Personnel Act Employees (IPA), Boy and Girl Scout Professionals, non-DoD contract employees); members of the public treated for a medical emergency in a DoD or joint DoD/VA medical facility; Non-DoD Civilian employee; and individuals requiring a Common Access Card to access DoD information technology applications (i.e., Department of Homeland Security employees, state National Guard Employees, and Affiliated Volunteers); Civilian Retirees; DoD Outside of the Continental United States (OCONUS) Hires; Foreign Army; Foreign Navy; Foreign Marine Corps; Foreign Air Force; and Foreign Coast Guard.
CATEGORIES OF RECORDS IN THE SYSTEM:
Eligibility and Enrollment Data: Selected electronic data elements extracted from the Defense Enrollment Eligibility Reporting System (DEERS) regarding personal eligibility for and enrollment in various health care programs within the DoD and among DoD and other federal healthcare programs including those of the VA, the HHS, and contracted health care provided through funding provided by one of these three Departments. Personal data includes: Name; DoD ID number; Social Security Number (SSN); address; email address(es); date of birth; gender; branch of service; citizenship; DoD Benefits number; DEERS ID number; sponsorship and beneficiary information; race and ethnic origin; religious preference;
Emergency Data information may include spouse's name and address; children's names, dates of birth, address and telephone number; parents' names, addresses and telephone numbers; or emergency contact's name and address;
Employment Information: Employment status; duty position; email address(es); leave balances and history; work schedules; individual personnel records; time and attendance records; retirement records, sponsor duty location, unit of assignment; occupation; rank; skill specialty; security clearance information.
Personal Financial Information: Pay, wage, earnings information; separation information; financial benefit records; income tax withholding records; accounting records.
Medical Readiness and Deployment Information: Inpatient and outpatient medical records; diagnosis codes; admission and discharge dates; location of care; pharmacy records; immunization records; Medical and Physical Evaluation Board records; neuropsychological functioning and cognitive testing data; periodic and deployment-related health assessments.
Clinical Encounter Data: Electronic data regarding beneficiaries' interaction with the MHS including health care encounters, health care screenings and education, wellness and satisfaction surveys, and cost data relative to such healthcare interactions. Electronic data regarding Military Health System beneficiaries' interactions with the VA or HHS healthcare delivery programs where such programs effect benefits determinations between these Department-level programs, continuity of clinical care, or effect payment for care between Departmental programs inclusive of care provided by commercial entities under contract to these three Departments.
Electronic data regarding dental tests, pharmacy prescriptions and reports, data incorporating medical nutrition therapy and medical food management, data for young MHS beneficiaries eligible for services from the military medical departments covered by the Individuals with Disabilities Educations Act (IDEA). Data collected within the system also allows beneficiaries to request an accounting of who was given access to their medical records prior to the date of request. It tracks disclosure types, treatment, payment and other Health Care Operations (TPO) versus non-TPO, captures key information about disclosures, process complaints, process and track request for amendments to records, generates disclosure accounting and audit reports, retains history of disclosure accounting processing. The Protected Health Management Information Tool (PHMIT), an electronic disclosure-tracking tool, assists in complying with the HIPAA Privacy disclosure accounting requirement. The PHIMT stores information about all disclosures, complaints, authorizations, restrictions and confidential communications that are made about or requested by a particular patient.
Occupational and Environmental Exposure Data: Electronic data supporting exposure-based medical surveillance; reports of incidental exposures enhanced industrial hygiene risk reduction; improved quality of occupational health care and wellness programs for the DoD workforce; hearing conservation, industrial hygiene and occupational medicine programs within the MHS; and timely and efficient access of data and information to authorized system users.
RECORD SOURCE CATEGORIES:
Individuals; all DoD databases flowing into or accessed through the following integrated data systems, environments, applications, and tools: The Composite Health Care System (CHCS) and individual Service readiness applications, contractor systems providing clinical results, personnel systems, workload management systems; Defense Manpower Data Center, other developers (Lab Corp, Quest and EpiLab to perform patient specimen laboratory testing); DEERS; and all other systems within the DoD systems' repository that meets the regulatory requirements of this System of Records notice collection. Military Departments' medical Start Printed Page 36193treatment facilities, Medical Centers and Hospitals: Uniformed Services Treatment Facilities, and commercial healthcare providers; HHS; VA, and any other source financed through the Defense Health Program.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:
In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act of 1974, as amended, these records may specifically be disclosed outside the DoD as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
a. To contractors, grantees, experts, consultants, students, and others performing or working on a contract, service, grant, cooperative agreement, or other assignment for the Federal Government when necessary to accomplish an agency function related to this System of Records.
b. To permit the disclosure of records to the HHS and its components, other federal agencies, and academic institutions for the purposes of public health activities and conducting research, including to facilitate collaborative research activities.
c. To the Congressional Budget Office for projecting costs and workloads associated with DoD Medical benefits.
d. To the VA for the purpose of providing medical care to former service members and retirees, to determine the eligibility for or entitlement to benefits, to coordinate cost sharing activities, and to facilitate collaborative research activities between the DoD and VA.
e. To the National Research Council, National Academy of Sciences, National Institutes of Health, Armed Forces Institute of Pathology, and similar institutions for authorized health research in the interest of the Federal Government and the public.
f. To local and state government and agencies for compliance with local laws and regulations governing control of communicable diseases, preventive medicine and safety, child abuse, and other public health and welfare programs.
g. To federal offices and agencies involved in the documentation and review of defense occupational and environmental exposure data.
h. To the appropriate Federal, State, local, territorial, tribal, foreign, or international law enforcement authority or other appropriate entity where a record, either alone or in conjunction with other information, indicates a violation or potential violation of law, whether criminal, civil, or regulatory in nature.
i. To any component of the Department of Justice for the purpose of representing the DoD, or its components, officers, employees, or members in pending or potential litigation to which the record is pertinent.
j. In an appropriate proceeding before a court, grand jury, or administrative or adjudicative body or official, when the DoD or other Agency representing the DoD determines the records are relevant and necessary to the proceeding; or in an appropriate proceeding before an administrative or adjudicative body when the adjudicator determines the records to be relevant to the proceeding.
k. To the National Archives and Records Administration for the purpose of records management inspections conducted under the authority of 44 U.S.C. 2904 and 2906.
l. To a Member of Congress or staff acting upon the Member's behalf when the Member or staff requests the information on behalf of, and at the request of, the individual who is the subject of the record.
m. To appropriate agencies, entities, and persons when (1) the DoD suspects or confirms a breach of the System of Records; (2) the DoD determined as a result of the suspected or confirmed breach there is a risk of harm to individuals, the DoD (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the DoD's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.
n. To another Federal agency or Federal entity, when the DoD determines information from this System of Records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
Electronic and paper.
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
Name, SSN, Beneficiary ID (sponsor's ID, patient's name, patient's DOB, and family member prefix or DEERS dependent suffix), diagnosis codes, admission and discharge dates, location of care or any combination of the above.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
Temporary. Cut off upon last episode of patient care or last entry to the patient record is annotated. Delete/Destroy when 75 years old.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
Multifactor log-in authentication including CAC authentication and password. Access controls enforce need-to-know policies so only authorized users have access to PII and/or PHI. Additionally, security audit and accountability policies and procedures directly support privacy and accountability procedures. Network encryption protects data transmitted over the network while disk encryption secures the disks storing data. Key management services safeguards encryption keys. Sensitive data is identified and masked as practicable. All individuals granted access to this System of Records must complete requisite training to include Information Assurance and Privacy Act training. Sensitive data will be identified, properly marked with access by only those with a need to know, and safeguarded as appropriate.
RECORD ACCESS PROCEDURES:
Individuals seeking access to information about themselves contained in this System of Records should address written inquiries to the Chief, Freedom of Information Act (FOIA) Service Center, Defense Health Agency, Privacy and Civil Liberties Office, 7700 Arlington Boulevard, Suite 5101, Falls Church, VA 22042-5101.
Written requests for information should include the individual's full name, home address, home phone number, and SSN/DoD ID number, the identifier of this SORN, and signature. If requesting information about a legally incompetent person, the request must be made by the legal guardian or person with legal authority to make decisions on behalf of the individual. Written proof of that status may be required before any records will be provided. In addition, the requester must provide a notarized statement or an unsworn declaration made in accordance with 28 U.S.C. 1746, in the following format:
If executed outside the United States: “I declare (or certify, verify, or state) under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on (date). (Signature).”
If executed within the United States, its territories, possessions, or Start Printed Page 36194commonwealths: “I declare (or certify, verify, or state) under penalty of perjury that the foregoing is true and correct. Executed on (date). (Signature).”
CONTESTING RECORD PROCEDURES:
The DoD rules for accessing records, for contesting contents and appealing initial agency determinations are published in 32 CFR part 310, or may be obtained from the system manager.
Individuals seeking to determine whether information about themselves is contained in this System of Records should address written inquiries to Chief, Freedom of Information Act (FOIA) Service Center, Defense Health Agency, Privacy and Civil Liberties Office, 7700 Arlington Boulevard, Suite 5101, Falls Church, VA 22042-5101.
Written requests should contain the individual's full name, home address, home phone number, and SSN/DoD ID number, the identifier of this SORN, and signature. If requesting information about a legally incompetent person, the request must be made by the legal guardian or person with legal authority to make decisions on behalf of the individual. Written proof of that status may be required before the existence of any information will be confirmed. In addition, the requester must provide a notarized statement or an unsworn declaration made in accordance with 28 U.S.C. 1746, in the following format:
If executed outside the United States: “I declare (or certify, verify, or state) under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on (date). (Signature).”
If executed within the United States, its territories, possessions, or commonwealths: “I declare (or certify, verify, or state) under penalty of perjury that the foregoing is true and correct. Executed on (date). (Signature).”
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
March 30, 2006, 71 FR 16127; November 18, 2013, 78 FR 69076.
End Supplemental Information
[FR Doc. 2020-12839 Filed 6-12-20; 8:45 am]
BILLING CODE 5001-06-P