Defense Privacy and Civil Liberties Office

U.S. Department of Defense

System of Record Notices (SORNs)

DOD Component Notice

Defense Health Agency

EDHA 07

SYSTEM NAME:

Military Health Information System  (November 18, 2013,  78 FR 69076)

SYSTEM LOCATION:

Primary location: Defense Enterprise Computing Center-Denver/WEE, 6760 E. Irvington Place Denver, CO 80279-5000.

Secondary locations: Directorate of Information Management, Building 1422, Fort Deitrick, MD 21702-5000; Service Medical Treatment Facility Medical Centers and Hospitals: Uniformed Services Treatment Facilities; Defense Enterprise Computing Centers; TRICARE Management Activity, Department of Defense, 5111 Leesburg Pike, Skyline 6, Suite 306, Falls Church, VA 22041-3206;

Joint Medical Information Systems Office, 5109 Leesburg Pike Suite 900, Skyline Building 6, Falls Church, VA 22041-3241, and contractors under contract to TRICARE. Program Executive Officer, Joint Medical Information Systems Office, 5109 Leesburg Pike, Suite 900, Skyline Building 6, Falls Church, Virginia 22041-3241. Joint Task Force Sexual Assault Prevention and Response Office (JTF-SAPR), 1401 Wilson Blvd, Suite 402, Arlington, VA 22209-2318. For a complete listing of all facility addresses write to the system manger.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Uniformed services medical beneficiaries enrolled in the Defense Enrollment Eligibility Reporting System (DEERS) who receive or have received medical care at one or more of DoD's medical treatment facilities (MTFs), Uniformed Services Treatment Facilities (USTFs), or care provided under TRICARE programs. Uniformed services medical beneficiaries who receive or have received care at one or more dental treatment facilities or other system locations including medical aid stations, Educational and Developmental Intervention Services clinics and Service Medical Commands. Uniformed service members serving in a deployed status and those who receive or received care through the Department of Veterans Affairs (VA).

CATEGORIES OF RECORDS IN THE SYSTEM:

PERSONAL IDENTIFICATION DATA: Selected electronic data elements extracted from the Defense Enrollment and Eligibility Reporting System (DEERS) beneficiary and enrollment records that include data regarding personal identification including demographic characteristics.

ELIGIBILITY AND ENROLLMENT DATA: Selected electronic data elements extracted from DEERS regarding personal eligibility for and enrollment in various health care programs within the Department of Defense (DoD) and among DoD and other federal healthcare programs including those of the Department of Veterans Affairs (DVA), the Department of Health and Human Services (DHHS), and contracted health care provided through funding provided by one of these three Departments.

CLINICAL ENCOUNTER DATA: Electronic data regarding beneficiaries' interaction with the MHS including health care encounters, health care screenings and education, wellness and satisfaction surveys, and cost data relative to such healthcare interactions. Electronic data regarding Military Health System beneficiaries' interactions with the DVA or DHHS healthcare delivery programs where such programs effect benefits determinations between these Department-level programs, continuity of clinical care, or effect payment for care between Departmental programs inclusive of care provided by commercial entities under contract to these three Departments.

Electronic data regarding dental tests, pharmacy prescriptions and reports, data incorporating medical nutrition therapy and medical food management, data for young MHS beneficiaries eligible for services from the military medical departments covered by the Individuals with Disabilities Educations Act (IDEA). Data collected within the system also allows beneficiaries to request an accounting of who was given access to their medical records prior to the date of request. It tracks disclosure types, treatment, payment and other Health Care Operations (TPO) versus non-TPO, captures key information about disclosures, process complaints, process and track request for amendments to records, generates disclosure accounting and audit reports, retains history of disclosure accounting processing. The Protected Health Management Information Tool (PHMIT), an electronic disclosure-tracking tool, assists in complying with the HIPAA Privacy disclosure accounting requirement. The PHIMT stores information about all disclosures, complaints, authorizations, restrictions and confidential communications that are made about or requested by a particular patient.

BUDGETARY AND MANAGERIAL COST ACCOUNTING DATA: Electronic budgetary and managerial cost accounting data associated with beneficiaries' interactions with the MHS, DVA, DHHS or contractual commercial healthcare providers.

CLINICAL DATA: Inpatient an out patient medical records, diagnosis procedures, and pharmacy records.

OCCUPATIONAL AND ENVIRONMENTAL EXPOSURE DATA: Electronic data supporting exposure-based medical surveillance; reports of incidental exposures enhanced industrial hygiene risk reduction; improved quality of occupational health care and wellness programs for the DoD workforce; hearing conservation, industrial hygiene and occupational medicine programs within the MHS; and timely and efficient access of data and information to authorized system users

MEDICAL AND DENTAL RESOURCES: Electronic data used by the MHS for resource planning based on projections of actual health care needs rather than projections based on past demand.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

5 U.S.C. 301, Department Regulation; 10 U.S.C., Chapter 55; Pub.L. 104-91, Health Insurance Portability and Accountability Act of 1996; DoD 6025.18-R, DoD Health Information Privacy Regulation; 10 U.S.C. 1071-1085, Medical and Dental Care; 42 U.S.C. Chapter 117, Sections 11131-11152, Reporting of Information; 10 U.S.C. 1097a and 1097b, TRICARE Prime and TRICARE Program; 10 U.S.C. 1079, Contracts for Medical Care for Spouses and Children; 10 U.S.C. 1079a, Civilian Health and Medical Program of the Uniformed Services (CHAMPUS); 10 U.S.C. 1086, Contracts for Health Benefits for Certain Members, Former Members, and Their Dependents; DoD Instruction 6015.23, Delivery of Healthcare at Military Treatment Facilities (MTFs); DoD 6010.8-R, CHAMPUS; 10 U.S.C. 1095, Collection from Third Party Payers Act; and E.O. 9397 (SSN).

PURPOSE(S):

Data collected within and maintained by the Military Health Information System supports benefits determination for MHS beneficiaries between DoD, DVA, and DHHS healthcare programs, provides the ability to support continuity of care across Federal programs including use of the data in the provision of care, ensures more efficient adjudication of claims and supports healthcare policy analysis and clinical research to improve the quality and efficiency of care within the MHS.

The electronic medical records portion of the system (EMR)addresses documenting and tracking environmental health readiness data located in arsenals, depots, and bases. Data collected and maintained is used to assess the medical and dental deployability of Service members for the purposes of pre-and post-deployment exams. This assists in recording health conditions before deployment and any changes during and after deployment.

Data collected and maintained in the EMR system is used to perform disease management and the prevention of exacerbations and complications using evidence-based practice guidelines and patient empowerment strategies. Data collected and maintained in the EMR system is used in proactive health intervention activities for the active duty and non-active duty beneficiary population. Data collected and maintained is used to capture data on hearing loss and occupational exposures, to perform noise exposure surveillance and injury referrals to assess auditory readiness.

Data collected and maintained in the EMR system is used to establish individual longitudinal exposure records using pre-deployment exposure records. These records are used as a baseline against new exposures to facilitate post-deployment follow-up and workplace injury root-cause analysis in an effort to mitigate loss work time within the DoD.

Data collected within and maintained in the system is used for patient administration (including registration, admission, disposition and transfer); patient appointing and scheduling' delivery of managed care; workload and medical services accounting; and quality assurance.

Data collected will be provided to Special Oversight Boards created by applicable DoD authorities to investigate special circumstances and conditions resulting from a deployment of DoD personnel to a theater of operations.

Data collected and maintained in electronic and paper records is used to track victims of sexual assault crimes, and medical and other support services provided to them. Data collected and maintained is also used to capture demographics and perform trend analysis.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, these records or information contained therein may specifically be disclosed outside the DoD as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:

To permit the disclosure of records to the Department of Health and Human Services (HHS) and its components for the purpose of conducting research and analytical projects, and to facilitate collaborative research activities between DoD and HHS.

To the Congressional Budget Office for projecting costs and workloads associated with DoD Medical benefits.

To the Department of Veterans Affairs (DVA) for the purpose of providing medical care to former service members and retirees, to determine the eligibility for or entitlement to benefits, to coordinate cost sharing activities, and to facilitate collaborative research activities between the DoD and DVA.

To the National Research Council, National Academy of Sciences, National Institutes of Health, Armed Forces Institute of Pathology, and similar institutions for authorized health research in the interest of the Federal Government and the public. When not essential for longitudinal studies, patient identification data shall be deleted from records used for research studies. Facilities/activities releasing such records shall maintain a list of all such research organizations and an accounting disclosure of records released thereto.

To local and state government and agencies for compliance with local laws and regulations governing control of communicable diseases, preventive medicine and safety, child abuse, and other public health and welfare programs.

To federal offices and agencies involved in the documentation and review of defense occupational and environmental exposure data, including the National Security Agency, the Army corps of Engineers, National Guard, and the Defense Logistics Agency.

The DoD 'Blanket Routine Uses' set forth at the beginning of OSD's compilation of systems of records notices apply to this system, except as identified below.

NOTE 1: This system of records contains individually identifiable health information. The DoD Health Information Privacy Regulation (DoD 6025.18-R) issued pursuant to the Health Insurance Portability and Accountability Act of 1996, applies to most such health information. DoD 6025.18-R may place additional procedural requirements on the uses and disclosures of such information beyond those found in the Privacy Act of 1974 or mentioned in this system of records notice.

NOTE 2: Personal identity, diagnosis, prognosis or treatment information of any patient maintained in connection with the performance of any program or activity relating to substance abuse education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States, except as provided in 42 U.S.C. 290dd-2, will be treated as confidential and will be disclosed only for the purposes and under the circumstances expressly authorized under 42 U.S.C. 290dd-2. The "Blanket Routine Uses" do not apply to these types of records

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:


STORAGE:

Records are maintained on optical and magnetic media.

RETRIEVABILITY:

Records may be retrieved by individual's Social Security Number, sponsor's Social Security Number, Beneficiary ID (sponsor's ID, patient's name, patient's DOB, and family member prefix or DEERS dependent suffix), diagnosis codes, admission and discharge dates, location of care or any combination of the above.

SAFEGUARDS:

Automated records are maintained in controlled areas accessible only to authorized personnel. Entry to these areas is restricted to personnel with a valid requirement and authorization to enter. Physical entry is restricted by the use of a cipher lock. Back-up data maintained at each location is stored in a locked room. The system will comply with the DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Access to HMIS records is restricted to individuals who require the data in the performance of official duties. Access is controlled through use of passwords.

RETENTION AND DISPOSAL:

Records are maintained until no longer needed for current business.

SYSTEM MANAGER(S) AND ADDRESS:

Program Manager, Executive Information/Decision Support Program Office, Six Skyline Place, Suite 809, 5111 Leesburg Pike, Falls Church, VA 22041-3201.

Program Manager, Joint Task Force Sexual Assault Prevention and Response, 1401 Wilson Blvd, Suite 402, Arlington, VA 22209-2318.

NOTIFICATION PROCEDURE:

Individuals seeking to determine whether information about themselves is contained in this system should address written inquiries to the TRICARE Management Activity Privacy Office, Skyline 5, Suite 810, 5111 Leesburg Pike, Falls Church, VA 22041-3201 or Commander, Joint Task Force Sexual Assault Prevention and Response, 1401 Wilson Blvd, Suite 402, Arlington, VA 22209-2318.

Requests should contain the full names of the beneficiary and sponsor, sponsor Social Security Number, sponsor service, beneficiary date of birth, beneficiary sex, treatment facility(ies), and fiscal year(s) of interest.

RECORD ACCESS PROCEDURES:

Individuals seeking access to information about themselves contained in this system of records should address written requests to TRICARE Management Activity Privacy Office, Skyline 5, Suite 810, 5111 Leesburg Pike, Falls Church, VA 22041-3201 or Commander, Joint Task Force Sexual Assault Prevention and Response, 1401 Wilson Blvd, Suite 402, Arlington, VA 22209-2318.

Requests should contain the full names of the beneficiary and sponsor, sponsor's Social Security Number, sponsor's service, beneficiary date of birth, beneficiary sex, treatment facility(ies) that have provided care, and fiscal year(s) of interest.

CONTESTING RECORD PROCEDURES:

The OSD rules for accessing records, for contesting contents and appealing initial agency determinations are contained in OSD Administrative Instruction 81; 32 CFR part 311; or may be obtained from the system manager.

RECORD SOURCE CATEGORIES:

The individual data records that are assembled to form the MHIS are submitted by the Military Departments' medical treatment facilities, commercial healthcare providers under contract to the MHS, the Defense Enrollment Eligibility Reporting System, the Uniformed Service Treatment Facility Managed Care System, the Department of Health and Human Services, the Department of Veterans Affairs, and any other source financed through the Defense Health Program.

EXEMPTIONS CLAIMED FOR THE SYSTEM:

None.

FEDERAL REGISTER HISTORY:

March 30, 2006, 71 FR 16127; November 18, 2013, 78 FR 69076