Defense Privacy and Civil Liberties Office

U.S. Department of Defense

System of Record Notices (SORNs)

DOD Component Notice

Defense Health Agency

EDHA 12

SYSTEM NAME:

Third Party Collection System  (November 18, 2013,  78 FR 69076)

SYSTEM LOCATION:

Defense Health Services Systems, Suite 1599, 5203 Leesburg Pike, Falls Church, VA 22041-3891.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Members of the uniformed services (and their dependents) and retired military members (and their dependents) who receive or have received health services approved by the Department of Defense, contractors participating in military deployments or related operations who receive or have received medical or dental care at a military treatment facility, Department of Defense civilian employees (to include non-appropriated fund employees) who receive or have received medical or dental care at a military treatment facility, and other individuals who receive or have received medical or dental care at a military treatment facility.

CATEGORIES OF RECORDS IN THE SYSTEM:

Individual Data: This includes patient name, Social Security Number (SSN) (or foreign identification), whether treatment was outpatient or inpatient, outpatient visit date and time, date of birth, mailing address, home telephone number, family member prefix, and relationship to policy holder; sponsor or insurance policy holder name, Social Security Number (SSN), and date of birth; other covered family member name(s), Social Security Number (SSN), and date of birth; and, if applicable, Medicare and Medicaid coverage data.

Insurance Policy Information Data: This includes policy number or identification, card holder identification, group number, group name, enrollment plan/code, policy effective date, policy category, policy end date, insurance company name, address and telephone number, insurance type, policy holder, whether policy holder is insured through their employer, and drug coverage data regarding authority to bill for pharmaceuticals.

Employer Information data: This includes employer name, address, and telephone number.

Billing Information Data: This includes bill type (military treatment facility, clinic, pharmacy, laboratory/radiology, ambulance), name and location of military treatment facility, whether treatment was outpatient or inpatient, outpatient visit date and time, inpatient admission and discharge dates and time, patient identification number, patient name, provider code/description, office visit code description, Medical Expense and Performance Reporting System code/description, diagnosis code/description, billing amount, user who created the bill, date bill was created, and status of bill and source of billing data.

Accounting Information Data: This includes control number, transaction code, debit amount, credit amount, check number, Batch posting number, balance, patient identification, patient name, encounter date, comments, entry date and follow-up date.

Insurance Company Data: This contains tables for insurance company, policy, provider, fees, codes, rates, and procedure maintenance.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

10 U.S.C. 1095, Health care services incurred on behalf of covered beneficiaries: collection from third-party payers; 10 U.S.C. 1079b, Procedures for charging fees for care provided to civilians; retention and use of fees collected; 42 U.S.C. Chapter 32, Third Party Liability For Hospital and Medical Care; 28 CFR Part 43, Recovery of Costs of Hospital and Medical Care and Treatment Furnished by the United States; 45 CFR Parts 160 and 164, Health and Human Services, General Administrative Requirements and Security & Privacy; 32 CFR Part 220, Collection from Third Party Payers of Reasonable Charges for Healthcare Services; DoD 6010.15-M, Chapter 3, Medical Services Account; and E.O. 9397 (SSN), as amended.

PURPOSE(S):

To establish a standard patient accounting system for health care billing practices. It shall assist military treatment facilities in the collection, tracking, and reporting of data required for the Department of Defense Third Party Collection Program billing process by the adoption of standard commercial medical coding and billing practices to military treatment facilities.

The Defense Finance Accounting Service (DFAS) uses this information to bill person(s) or organization(s) liable for payment on behalf those receiving care at a military treatment facility.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, as amended, these records may specifically be disclosed outside the Department of Defense as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:

To interface with all commercial insurance carriers and parties against whom recovery has been sought by the Department of Defense Military Health System, as well as all parties involved in support of the collection activities for health care approved by the Department of Defense.

To the National Data Clearinghouse, an electronic healthcare clearinghouse, for purposes of converting the data to an industry-wide format prior to forwarding the billing information to the insurance companies for payment.

The DoD Blanket Routine Uses set forth at the beginning of Office of the Secretary of Defenses compilation of systems of records notices apply to this system.

NOTE 1: This system of records contains individually identifiable health information. The Department of Defense Health Information Privacy Regulation (DoD 6025.18-R) issued pursuant to the Health Insurance Portability and Accountability Act of 1996, applies to most such health information. DoD 6025.18-R may place additional procedural requirements on the uses and disclosures of such information beyond what is found in the Privacy Act of 1974 or mentioned in this system of records notice.

NOTE 2: Personal identity, diagnosis, prognosis or treatment information of any patient maintained in connection with the performance of any program or activity relating to substance abuse education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States is, except as per 42 U.S.C. 290dd-2, treated as confidential and disclosed only for the purposes and under the circumstances expressly authorized under 42 U.S.C. 290dd-2.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:


STORAGE:

Paper file folders and electronic storage media.

RETRIEVABILITY:

Records are retrieved by the sponsor or patient name, Social Security Number, Department of Defense Benefits Number, third party payer identification number assigned to individual, family member prefix (a two-digit code identifying the person's relationship to the Military Sponsor), and/or Patient Control Number.

SAFEGUARDS:

Physical access to system location restricted by cipher locks, visitor escort, access rosters, and photo identification. Adequate locks on doors and server components secured in a locked computer room with limited access. Each system end user device protected within a locked storage container, room, or building outside of normal business hours. All visitors and other persons that require access to facilities that house servers and other network devices supporting the system that do not have authorization for access escorted by appropriately screened/cleared personnel at all times.

Access to the system is role-based and a valid user account is required. The system provides two-factor authentication, using either a Common Access Card and Personal Identification Number or a unique logon identification and password. Where a unique logon identification and password is used, passwords must be renewed every sixty (60) days. Authorized personnel must have appropriate Information Assurance training, Health Insurance Portability and Accountability Act training, and Privacy Act of 1974 training.

RETENTION AND DISPOSAL:

Records are destroyed five years after the end of the year in which the record was closed.

SYSTEM MANAGER(S) AND ADDRESS:

Program Manager, Defense Health Services Systems, Suite 1500, 5203 Leesburg Pike, Falls Church, VA 22041-3891.

NOTIFICATION PROCEDURE:

Individuals seeking to determine whether this system contains information about themselves should address written inquires to the TRICARE Management Activity, Department of Defense, ATTN: TMA Privacy Officer, Suite 810, 5111 Leesburg Pike, Falls Church, VA. 22041-3206.

Request should contain participants and/or sponsors full name, their Social Security Number (SSN), and current address and telephone number and the names of the military treatment facility or facilities in which they have received medical treatment.

If requesting health information of a minor (or legally incompetent person), the request must be made by a custodial parent, legal guardian, or party acting in loco parentis of such individual(s). Written proof of the capacity of the requestor may be required.

RECORD ACCESS PROCEDURES:

Individuals seeking access to records about themselves contained in this system should address written inquiries to TRICARE Management Activity, Attention: Freedom of Information Act Requester Service Center, 16401 East Centretech Parkway, Aurora, CO, 80011-9066.

Requests should contain participants and/or sponsors full name, their Social Security Number (SSN), and current address and telephone number and the names of the military treatment facility or facilities in which they have received medical treatment.

If requesting health information of a minor (or legally incompetent person), the request must be made by a custodial parent, legal guardian, or party acting in loco parentis of such individual(s). Written proof of the capacity of the requestor may be required.

CONTESTING RECORD PROCEDURES:

The Office of the Secretary of Defense rules for accessing records, for contesting contents and appealing initial agency determinations are published in Office of the Secretary of Defense Administrative Instruction 81 (32 CFR Part 311) or may be obtained from the system manager.

RECORD SOURCE CATEGORIES:

Information is obtained from an automated medical records system, the Composite Health Care System (specifically, the Ambulatory Data Module), which is automatically sent to the Third Party Collection System. Other information may be obtained from the AHLTA System and the Theater Data Medical Stores System.

EXEMPTIONS CLAIMED FOR THE SYSTEM:

None.

FEDERAL REGISTER HISTORY:

December 20, 2010, 75 FR 79345; November 18, 2013, 78 FR 69076