[Federal Register Volume 75, Number 243 (Monday, December 20, 2010)]
[Notices]
[Pages 79345-79348]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-31789]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary

[Docket ID: DOD-2010-OS-0167]


Privacy Act of 1974; System of Records

AGENCY: Office of the Secretary of Defense, DoD.

ACTION: Notice to Alter a System of Records

-----------------------------------------------------------------------

SUMMARY: The Office of the Secretary of Defense proposes to alter a 
system of records in its inventory of record systems subject to the 
Privacy Act of 1974 (5 U.S.C. 552a), as amended.

DATES: This proposed action would be effective without further notice 
on January 19, 2011 unless comments are received which result in a 
contrary determination.

ADDRESSES: You may submit comments, identified by docket number and/
Regulatory Information Number (RIN) and title, by any of the following 
methods:
     Federal Rulemaking Portal: http://www.regulations.gov.Follow the instructions for submitting comments.
     Mail: Federal Docket Management System Office, Room 3C843, 
1160 Defense Pentagon, Washington, DC 20301-1160.
    Instructions: All submissions received must include the agency name 
and docket number or Regulatory Information Number (RIN) for this 
Federal Register document. The general policy for comments and other 
submissions from members of the public is to make these submissions 
available for public viewing on the Internet at http://www.regulations.gov as they are received without change, including any 
personal identifiers or contact information.

FOR FURTHER INFORMATION CONTACT: Chief, OSD/JS Privacy Office, Freedom 
of Information Directorate, Washington Headquarters Services, 1155 
Defense Pentagon, Washington, DC 20301-1155, or Ms. Cindy Allard at 
(703) 588-6830.

SUPPLEMENTARY INFORMATION: The Office of the Secretary of Defense 
notices for systems of records subject to the Privacy Act of 1974 (5 
U.S.C. 552a), as amended, have been published in the Federal Register 
and are available from the FOR FURTHER INFORMATION CONTACT address 
above. The proposed system report, as required by 5 U.S.C. 552a(r) of 
the Privacy Act of 1974, as amended, was submitted on December 10, 
2010, to the House Committee on Oversight and Government Reform, the 
Senate Committee on Governmental Affairs, and the Office of Management 
and Budget (OMB) pursuant to paragraph 4c of Appendix I to OMB Circular 
No. A-130, ``Federal Agency Responsibilities for Maintaining Records 
About Individuals,'' dated February 8, 1996 (February 20, 1996, 61 FR 
6427).

    Dated: December 10, 2010.
Morgan F. Park,
Alternate OSD Federal Register Liaison Officer, Department of Defense.
DHA 12

System Name:
    Third Party Collection System (March 29, 2005, 70 FR 15847).

Changes:
System location:
    Delete entry and replace with ``Defense Health Services Systems, 
Suite 1599, 5203 Leesburg Pike, Falls Church, VA 22041-3891.''

Categories of individuals covered by the system:
    Delete entry and replace with ``Members of the uniformed services 
(and their dependents) and retired military members (and their 
dependents) who receive or have received health services approved by 
the Department of Defense, contractors participating in military 
deployments or related operations who receive or have received medical 
or dental care at a military treatment facility, Department of Defense 
civilian employees (to include non-appropriated fund employees) who 
receive or have received medical or dental care at a military treatment 
facility, and other individuals who receive or have received medical or 
dental care at a military treatment facility.''

Categories of records in the system:
    Delete entry and replace with ``Individual Data: This includes 
patient name, Social Security Number (SSN)(or foreign identification), 
whether treatment was outpatient or inpatient, outpatient visit date 
and time, date of birth, mailing address, home telephone number, family 
member prefix, and relationship to policy holder; sponsor or insurance 
policy holder name, Social Security Number (SSN), and date of birth; 
other covered family member name(s), Social Security Number (SSN), and 
date(s) of birth; and, if applicable, Medicare and Medicaid coverage 
data.

Insurance Policy Information Data:
    This includes policy number or identification, card holder 
identification, group number, group name, enrollment plan/code, policy 
effective date, policy category, policy end date, insurance company 
name, address and telephone number, insurance type, policy holder, 
whether policy holder is insured through their employer, and drug 
coverage data regarding authority to bill for pharmaceuticals.

[[Page 79346]]

Employer Information data:
    This includes employer name, address, and telephone number.

Billing Information Data:
    This includes bill type (military treatment facility, clinic, 
pharmacy, laboratory/radiology, ambulance), name and location of 
military treatment facility, whether treatment was outpatient or 
inpatient, outpatient visit date and time, inpatient admission and 
discharge dates and time, patient identification number, patient name, 
provider code/description, office visit code description, Medical 
Expense and Performance Reporting System code/description, diagnosis 
code/description, billing amount, user who created the bill, date bill 
was created, and status of bill and source of billing data.

Accounting Information Data:
    This includes control number, transaction code, debit amount, 
credit amount, check number, Batch posting number, balance, patient 
identification, patient name, encounter date, comments, entry date and 
follow-up date.

Insurance Company Data:
    This contains tables for insurance company, policy, provider, fees, 
codes, rates, and procedure maintenance.''

Authority for maintenance of the system:
    Delete entry and replace with ``10 U.S.C. 1095, Health care 
services incurred on behalf of covered beneficiaries: collection from 
third-party payers; 10 U.S.C. 1079b, Procedures for charging fees for 
care provided to civilians; retention and use of fees collected; 42 
U.S.C. Chapter 32, ``Third Party Liability For Hospital and Medical 
Care;'' 28 CFR Part 43, ``Recovery of Costs of Hospital and Medical 
Care and Treatment Furnished by the United States;'' 45 CFR parts 160 
and 164, Health and Human Services, General Administrative Requirements 
and Security & Privacy; 32 CFR part 220, Collection from Third Party 
Payers of Reasonable Charges for Healthcare Services; DoD 6010.15-M, 
Chapter 3, Medical Services Account; and E.O. 9397 (SSN), as amended.''

Purpose(s):
    Delete entry and replace with ``To establish a standard patient 
accounting system for health care billing practices. It shall assist 
military treatment facilities in the collection, tracking, and 
reporting of data required for the Department of Defense Third Party 
Collection Program billing process by the adoption of standard 
commercial medical coding and billing practices to military treatment 
facilities.
    The Defense Finance Accounting Service (DFAS) uses this information 
to bill person(s) or organization(s) liable for payment on behalf those 
receiving care at a military treatment facility.''

Routine uses of records maintained in the system, including categories 
of users and the purposes of such uses:
    Delete entry and replace with ``In addition to those disclosures 
generally permitted under 5 U.S.C. 552a(b) of the Privacy Act of 1974, 
as amended, these records may specifically be disclosed outside the 
Department of Defense as a routine use pursuant to 5 U.S.C. 552a(b)(3) 
as follows:
    To interface with all commercial insurance carriers and parties 
against whom recovery has been sought by the Department of Defense 
Military Health System, as well as all parties involved in support of 
the collection activities for health care approved by the Department of 
Defense.
    To the National Data Clearinghouse, an electronic healthcare 
clearinghouse, for purposes of converting the data to an industry-wide 
format prior to forwarding the billing information to the insurance 
companies for payment.
    The DoD `Blanket Routine Uses' set forth at the beginning of Office 
of the Secretary of Defense's compilation of systems of records notices 
apply to this system.

    Note 1:  This system of records contains individually 
identifiable health information. The Department of Defense Health 
Information Privacy Regulation (DoD 6025.18-R) issued pursuant to 
the Health Insurance Portability and Accountability Act of 1996, 
applies to most such health information. DoD 6025.18-R may place 
additional procedural requirements on the uses and disclosures of 
such information beyond what is found in the Privacy Act of 1974 or 
mentioned in this system of records notice.


    Note 2:  Personal identity, diagnosis, prognosis or treatment 
information of any patient maintained in connection with the 
performance of any program or activity relating to substance abuse 
education, prevention, training, treatment, rehabilitation, or 
research, which is conducted, regulated, or directly or indirectly 
assisted by any department or agency of the United States is, except 
as per 42 U.S.C. 290dd-2, treated as confidential and disclosed only 
for the purposes and under the circumstances expressly authorized 
under 42 U.S.C. 290dd-2.''

Policies and practices for storing, retrieving, accessing, retaining, 
and disposing of records in the system:
Storage:
    Delete entry and replace with ``Paper file folders and electronic 
storage media.''

Retrievability:
    Delete entry and replace with ``Records are retrieved by the 
sponsor or patient name, Social Security Number (SSN), Department of 
Defense Benefits Number, third party payer identification number 
assigned to individual, family member prefix (a two-digit code 
identifying the person's relationship to the Military Sponsor), and/or 
Patient Control Number.''

Safeguards:
    Delete entry and replace with ``Physical access to system location 
restricted by cipher locks, visitor escort, access rosters, and photo 
identification. Adequate locks on doors and server components secured 
in a locked computer room with limited access. Each system end user 
device protected within a locked storage container, room, or building 
outside of normal business hours. All visitors and other persons that 
require access to facilities that house servers and other network 
devices supporting the system that do not have authorization for access 
escorted by appropriately screened/cleared personnel at all times.
    Access to the system is role-based and a valid user account is 
required. The system provides two-factor authentication, using either a 
Common Access Card and Personal Identification Number or a unique logon 
identification and password. Where a unique logon identification and 
password is used, passwords must be renewed every sixty (60) days. 
Authorized personnel must have appropriate Information Assurance 
training, Health Insurance Portability and Accountability Act training, 
and Privacy Act of 1974 training.''

Retention and disposal:
    Delete entry and replace with ``Records are destroyed five years 
after the end of the year in which the record was closed.''

System manager(s) and address:
    Delete entry and replace with ``Program Manager, Defense Health 
Services Systems, Suite 1500, 5203 Leesburg Pike, Falls Church, VA 
22041-3891.''

Notification procedure:
    Delete entry and replace with ``Individuals seeking to determine

[[Page 79347]]

whether this system contains information about themselves should 
address written inquires to the TRICARE Management Activity, Department 
of Defense, ATTN: TMA Privacy Officer, Suite 810, 5111 Leesburg Pike, 
Falls Church VA 22041-3206.
    Request should contain participant's and/or sponsor's full name, 
their Social Security Number (SSN), and current address and telephone 
number and the names of the military treatment facility or facilities 
in which they have received medical treatment.
    If requesting health information of a minor (or legally incompetent 
person), the request must be made by a custodial parent, legal 
guardian, or party acting in loco parentis of such individual(s). 
Written proof of the capacity of the requestor may be required.''

Record access procedures:
    Delete entry and replace with ``Individuals seeking access to 
records about themselves contained in this system should address 
written inquiries to TRICARE Management Activity, Attention: Freedom of 
Information Act Requester Service Center, 16401 East Centretech 
Parkway, Aurora, CO 80011-9066.
    Requests should contain participant's and/or sponsor's full name, 
their Social Security Number (SSN), and current address and telephone 
number and the names of the military treatment facility or facilities 
in which they have received medical treatment.
    If requesting health information of a minor (or legally incompetent 
person), the request must be made by a custodial parent, legal 
guardian, or party acting in loco parentis of such individual(s). 
Written proof of the capacity of the requestor may be required.''

Contesting record procedures:
    Delete entry and replace with ``The Office of the Secretary of 
Defense rules for accessing records, for contesting contents and 
appealing initial agency determinations are published in Office of the 
Secretary of Defense Administrative Instruction 81 (32 CFR part 311) or 
may be obtained from the system manager.''

Record source categories:
    Delete entry and replace with ``Information is obtained from an 
automated medical records system, the Composite Health Care System 
(specifically, the Ambulatory Data Module), which is automatically sent 
to the Third Party Collection System. Other information may be obtained 
from the AHLTA System and the Theater Data Medical Stores System.''
* * * * *
DHA 12

System Name:
    Third Party Collection System.

System location:
    Defense Health Services Systems, Suite 1599, 5203 Leesburg Pike, 
Falls Church, VA 22041-3891.

Categories of individuals covered by the system:
    Members of the uniformed services (and their dependents) and 
retired military members (and their dependents) who receive or have 
received health services approved by the Department of Defense, 
contractors participating in military deployments or related operations 
who receive or have received medical or dental care at a military 
treatment facility, Department of Defense civilian employees (to 
include non-appropriated fund employees) who receive or have received 
medical or dental care at a military treatment facility, and other 
individuals who receive or have received medical or dental care at a 
military treatment facility.

Categories of records in the system:
Individual Data:
    This includes patient name, Social Security Number (SSN) (or 
foreign identification), whether treatment was outpatient or inpatient, 
outpatient visit date and time, date of birth, mailing address, home 
telephone number, family member prefix, and relationship to policy 
holder; sponsor or insurance policy holder name, Social Security Number 
(SSN), and date of birth; other covered family member name(s), Social 
Security Number (SSN), and date of birth; and, if applicable, Medicare 
and Medicaid coverage data.

Insurance Policy Information Data:
    This includes policy number or identification, card holder 
identification, group number, group name, enrollment plan/code, policy 
effective date, policy category, policy end date, insurance company 
name, address and telephone number, insurance type, policy holder, 
whether policy holder is insured through their employer, and drug 
coverage data regarding authority to bill for pharmaceuticals.

Employer Information data:
    This includes employer name, address, and telephone number.

Billing Information Data:
    This includes bill type (military treatment facility, clinic, 
pharmacy, laboratory/radiology, ambulance), name and location of 
military treatment facility, whether treatment was outpatient or 
inpatient, outpatient visit date and time, inpatient admission and 
discharge dates and time, patient identification number, patient name, 
provider code/description, office visit code description, Medical 
Expense and Performance Reporting System code/description, diagnosis 
code/description, billing amount, user who created the bill, date bill 
was created, and status of bill and source of billing data.

Accounting Information Data:
    This includes control number, transaction code, debit amount, 
credit amount, check number, Batch posting number, balance, patient 
identification, patient name, encounter date, comments, entry date and 
follow-up date.

Insurance Company Data:
    This contains tables for insurance company, policy, provider, fees, 
codes, rates, and procedure maintenance.

Authority for maintenance of the system:
    10 U.S.C. 1095, Health care services incurred on behalf of covered 
beneficiaries: collection from third-party payers; 10 U.S.C. 1079b, 
Procedures for charging fees for care provided to civilians; retention 
and use of fees collected; 42 U.S.C. Chapter 32, ``Third Party 
Liability For Hospital and Medical Care;'' 28 CFR part 43, ``Recovery 
of Costs of Hospital and Medical Care and Treatment Furnished by the 
United States;'' 45 CFR parts 160 and 164, Health and Human Services, 
General Administrative Requirements and Security & Privacy; 32 CFR part 
220, Collection from Third Party Payers of Reasonable Charges for 
Healthcare Services; DoD 6010.15-M, Chapter 3, Medical Services 
Account; and E.O. 9397 (SSN), as amended.

Purpose(s):
    To establish a standard patient accounting system for health care 
billing practices. It shall assist military treatment facilities in the 
collection, tracking, and reporting of data required for the Department 
of Defense Third Party Collection Program billing process by the 
adoption of standard commercial medical coding and billing practices to 
military treatment facilities.
    The Defense Finance Accounting Service (DFAS) uses this information 
to bill person(s) or organization(s) liable for payment on behalf those 
receiving care at a military treatment facility.

[[Page 79348]]

Routine uses of records maintained in the system, including categories 
of users and the purposes of such uses:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act, as amended, these records may specifically 
be disclosed outside the Department of Defense as a routine use 
pursuant to 5 U.S.C. 552a(b)(3) as follows:
    To interface with all commercial insurance carriers and parties 
against whom recovery has been sought by the Department of Defense 
Military Health System, as well as all parties involved in support of 
the collection activities for health care approved by the Department of 
Defense.
    To the National Data Clearinghouse, an electronic healthcare 
clearinghouse, for purposes of converting the data to an industry-wide 
format prior to forwarding the billing information to the insurance 
companies for payment.
    The DoD `Blanket Routine Uses' set forth at the beginning of Office 
of the Secretary of Defense's compilation of systems of records notices 
apply to this system.

    Note 1:  This system of records contains individually 
identifiable health information. The Department of Defense Health 
Information Privacy Regulation (DoD 6025.18-R) issued pursuant to 
the Health Insurance Portability and Accountability Act of 1996, 
applies to most such health information. DoD 6025.18-R may place 
additional procedural requirements on the uses and disclosures of 
such information beyond what is found in the Privacy Act of 1974 or 
mentioned in this system of records notice.


    Note 2:  Personal identity, diagnosis, prognosis or treatment 
information of any patient maintained in connection with the 
performance of any program or activity relating to substance abuse 
education, prevention, training, treatment, rehabilitation, or 
research, which is conducted, regulated, or directly or indirectly 
assisted by any department or agency of the United States is, except 
as per 42 U.S.C. 290dd-2, treated as confidential and disclosed only 
for the purposes and under the circumstances expressly authorized 
under 42 U.S.C. 290dd-2.

Policies and practices for storing, retrieving, accessing, retaining, 
and disposing of records in the system:
Storage:
    Paper file folders and electronic storage media.

Retrievability:
    Records are retrieved by the sponsor or patient name, Social 
Security Number, Department of Defense Benefits Number, third party 
payer identification number assigned to individual, family member 
prefix (a two-digit code identifying the person's relationship to the 
Military Sponsor), and/or Patient Control Number.

Safeguards:
    Physical access to system location restricted by cipher locks, 
visitor escort, access rosters, and photo identification. Adequate 
locks on doors and server components secured in a locked computer room 
with limited access. Each system end user device protected within a 
locked storage container, room, or building outside of normal business 
hours. All visitors and other persons that require access to facilities 
that house servers and other network devices supporting the system that 
do not have authorization for access escorted by appropriately 
screened/cleared personnel at all times.
    Access to the system is role-based and a valid user account is 
required. The system provides two-factor authentication, using either a 
Common Access Card and Personal Identification Number or a unique logon 
identification and password. Where a unique logon identification and 
password is used, passwords must be renewed every sixty (60) days. 
Authorized personnel must have appropriate Information Assurance 
training, Health Insurance Portability and Accountability Act training, 
and Privacy Act of 1974 training.

Retention and disposal:
    Records are destroyed five years after the end of the year in which 
the record was closed.

System manager(s) and address:
    Program Manager, Defense Health Services Systems, Suite 1500, 5203 
Leesburg Pike, Falls Church, VA 22041-3891.

Notification procedure:
    Individuals seeking to determine whether this system contains 
information about themselves should address written inquires to the 
TRICARE Management Activity, Department of Defense, ATTN: TMA Privacy 
Officer, Suite 810, 5111 Leesburg Pike, Falls Church, VA 22041-3206.
    Request should contain participant's and/or sponsor's full name, 
their Social Security Number (SSN), and current address and telephone 
number and the names of the military treatment facility or facilities 
in which they have received medical treatment.
    If requesting health information of a minor (or legally incompetent 
person), the request must be made by a custodial parent, legal 
guardian, or party acting in loco parentis of such individual(s). 
Written proof of the capacity of the requestor may be required.

Record access procedures:
    Individuals seeking access to records about themselves contained in 
this system should address written inquiries to TRICARE Management 
Activity, Attention: Freedom of Information Act Requester Service 
Center, 16401 East Centretech Parkway, Aurora, CO 80011-9066.
    Requests should contain participant's and/or sponsor's full name, 
their Social Security Number (SSN), and current address and telephone 
number and the names of the military treatment facility or facilities 
in which they have received medical treatment.
    If requesting health information of a minor (or legally incompetent 
person), the request must be made by a custodial parent, legal 
guardian, or party acting in loco parentis of such individual(s). 
Written proof of the capacity of the requestor may be required.

Contesting record procedures:
    The Office of the Secretary of Defense rules for accessing records, 
for contesting contents and appealing initial agency determinations are 
published in Office of the Secretary of Defense Administrative 
Instruction 81 (32 CFR part 311) or may be obtained from the system 
manager.

Record source categories:
    Information is obtained from an automated medical records system, 
the Composite Health Care System (specifically, the Ambulatory Data 
Module), which is automatically sent to the Third Party Collection 
System. Other information may be obtained from the AHLTA System and the 
Theater Data Medical Stores System.

Exemptions claimed for the system:
    None.

[FR Doc. 2010-31789 Filed 12-17-10; 8:45 am]
BILLING CODE 5001-06-P