[Federal Register Volume 85, Number 115 (Monday, June 15, 2020)]
[Notices]
[Pages 36190-36194]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-12839]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary

[Docket ID: DoD-2020-HA-0060]


Privacy Act of 1974; System of Records

AGENCY: Defense Health Agency (DHA), Department of Defense (DoD).

ACTION: Notice of a modified System of Records.

-----------------------------------------------------------------------

SUMMARY: DHA is modifying the System of Records titled, ``Military 
Health Information System (MHIS),'' EDHA 07 to facilitate public health 
activities and research efforts in response to the COVID-19 pandemic. 
In addition, this System of Records will become the DoD-wide SORN with 
enterprise application across the department. The proposed 
modifications include clarifying the purposes for the handling and use 
of data to improve quality assurance within healthcare operations (such 
as

[[Page 36191]]

data analytics and clinical research) to address COVID-19. 
Modifications also include broadening the categories of individuals to 
cover all associated information systems and updating routine uses to 
enable better collaboration with federal agencies and academic 
institutions to accommodate the COVID-19 Insights Project. The Military 
Health Information System (MHIS) collects and maintains data that 
supports benefits determination for Military Health System (MHS) 
beneficiaries between the DoD, Department of Veterans Affairs (VA), and 
Department of Health and Human Services (HHS) healthcare programs. This 
data also provides Federal Agencies the ability to support continuity 
of care for patrons, ensures more efficient adjudication of claims, 
enables quality assurance and healthcare operations, and supports a 
myriad of healthcare policy, public health, military mission, data 
analysis, and clinical research activities.

DATES: This System of Records modification is effective upon 
publication; however, comments on the Routine Uses will be accepted on 
or before July 15, 2020. The Routine Uses are effective at the close of 
the comment period.

ADDRESSES: You may submit comments, identified by docket number and 
title, by any of the following methods.
    * Federal Rulemaking Portal: https://www.regulations.gov.
    Follow the instructions for submitting comments.
    * Mail: DoD cannot receive written comments at this time due to the 
COVID-19 pandemic. Comments should be sent electronically to the docket 
listed above.
    Instructions: All submissions received must include the agency name 
and docket number for this Federal Register document. The general 
policy for comments and other submissions from members of the public is 
to make these submissions available for public viewing on the internet 
at https://www.regulations.gov as they are received without change, 
including any personal identifiers or contact information.

FOR FURTHER INFORMATION CONTACT: Ms. Rahwa A. Keleta, Chief, Defense 
Health Agency, Privacy and Civil Liberties Office, 7700 Arlington 
Boulevard, Suite 5101, Falls Church, VA 22042-5101, or by phone at 
(703) 275-6363.

SUPPLEMENTARY INFORMATION: The DHA is modifying this System of Records 
to facilitate public health activities and research efforts in response 
to the COVID-19 pandemic. This modification is necessary to enable the 
sharing of information with other federal agencies and academic 
institutions to process and analyze data to further the federal 
government's public health mission and medical research goals. This 
effort is especially urgent due to the current COVID-19 pandemic; and 
these modifications are also anticipated to assist in responding to 
future public health emergencies.
    The statutory intent behind this System of Records is the provision 
of medical and dental care, financial compensation for military members 
and beneficiaries, support to military readiness, enhancement for 
public health institutions, and advancements in medical research. The 
statute also facilitates disclosure of records in accordance with the 
Health Insurance Portability and Accountability Act (HIPAA).
    The DoD notices for Systems of Records subject to the Privacy Act 
of 1974, as amended, have been published in the Federal Register and 
are available from the address in FOR FURTHER INFORMATION CONTACT or at 
the Defense Privacy, Civil Liberties and Transparency Division website 
at https://dpcld.defense.gov.
    The proposed system reports, as required by the Privacy Act, were 
submitted on May 28, 2020, to the House Committee on Oversight and 
Reform, the Senate Committee on Homeland Security and Governmental 
Affairs, and the Office of Management and Budget (OMB) pursuant to 
Section 6 of OMB Circular No. A-108, ``Federal Agency Responsibilities 
for Review, Reporting, and Publication under the Privacy Act,'' revised 
December 23, 2016 (December 23, 2016, 81 FR 94424).

    Dated: June 10, 2020.
Aaron T. Siegel,
Alternate OSD Federal Register Liaison Officer, Department of Defense.

SYSTEM NAME AND NUMBER:
    Military Health Information System, EDHA 07.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Defense Health Agency (DHA), Electronic Health Records (EHR) Core 
Program Office, 7700 Arlington Boulevard, Falls Church, VA 22042-510.

SYSTEM MANAGER(S):
    Program Manager, EHR Core Program Office, 1700 N Moore Street, 
Suite 2300, Arlington, VA 22209.
    [email protected].

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Public Law 104-191, Health Insurance Portability and Accountability 
Act of 1996; 10 U.S.C., Chapter Ch. 55, Medical and Dental Care; 10 
U.S.C. 1097a, TRICARE Prime: Automatic Enrollments; Payment Options; 10 
U.S.C. 1097b, TRICARE Prime and TRICARE Program: Financial Management; 
10 U.S.C. 1079, Contracts for Medical Care for Spouses and Children: 
Plans; 10 U.S.C. 1079a, TRICARE Program: Treatment of Refunds and Other 
Amounts Collected Civilian Health and Medical Program of the Uniformed 
Services (CHAMPUS); 10 U.S.C. 1086, Contracts for Health Benefits for 
Certain Members, Former Members, and Their Dependents; 10 U.S.C. 1095, 
Health Care Services Incurred on behalf of Covered Beneficiaries: 
Collection From Third-party Payers; 42 U.S.C. 290dd, Substance Abuse 
Among Government and Other Employees; 42 U.S.C. 290dd-2, 
Confidentiality Of Records; 42 U.S.C 42 U.S.C. Ch. 117, Sections 11131-
11152, Reporting of Information; 45 CFR 164, Security and Privacy; 
Department of Defense (DoD) Instruction 6015.23, Foreign Military 
Personnel Care and Uniform Business Offices in Military Treatment 
Facilities (MTFS); DoD 6025.18-R, DoD Health Information Privacy 
Regulation; and E.O. 9397 (SSN).

PURPOSE(S) OF THE SYSTEM:
    The MHIS collects and maintains data that supports benefits 
determination for Military Health System (MHS) beneficiaries between 
DoD, Department of Veterans Affairs (VA), and Department of Health and 
Human Services (HHS) healthcare programs. The MHIS collects and 
maintains data used to authenticate and identify American Red Cross 
volunteers and United Service Organizations granted privileges and 
access to DoD facilities. This data provides Federal Agencies the 
ability to support continuity of care for patrons, ensures more 
efficient adjudication of claims, enables quality assurance and 
healthcare operations, and supports a myriad of healthcare policy, 
public health, military mission, data analysis, and clinical research 
activities. The system documents and tracks environmental health data, 
deployment information, and data used to perform disease management. 
The system also maintains data used in proactive health intervention 
activities. Data is used for research and data analysis to support 
military missions, improve safety, and advance military technology. 
Continuity of care includes maintaining data for patient

[[Page 36192]]

administration (including registration, admission, disposition and 
transfer); patient appointments and scheduling delivery of managed 
care; workload and medical services accounting; and quality assurance. 
Data collected and maintained is also used to capture demographics and 
perform trend analysis.
    The information stored in this system consists of personally 
identifiable information (PII) protected by the Privacy Act and 
personal health information (PHI) protected by the Health Insurance 
Portability and Accountability Act (HIPAA). The DoD Health Information 
Privacy Regulation (DoD 6025.18-R) issued pursuant to the HIPAA of 
1996, applies to most health information. DoD 6025.18-R may place 
additional procedural requirements on the uses and disclosures of such 
information beyond those found in the Privacy Act of 1974 or mentioned 
in this System of Records Notice (SORN).

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Members, former members, retirees, civilian employees (includes 
non-appropriated fund) and contractor employees of the DoD and all of 
the Uniformed Services; Presidential appointees of all Federal 
Government agencies; Medal of Honor recipients; U.S. Military Academy 
students; Lighthouse Service, DoD and VA beneficiaries (e.g. dependent 
family members, legal guardians and other protectors, prior military 
eligible for VA benefits, Non-DoD Beneficiary and DoD Beneficiary, a 
person who receives benefits from the DoD based on prior association, 
condition or authorization, an example is a former spouse; Former 
member (Reserve service, discharged from Ready Reserve or Selective 
Reserve following notification of retirement eligibility); non-Federal 
agency civilian associates and other individuals granted DoD 
privileges, benefits, or physical or logical access to military 
installations (e.g., American Red Cross paid employees, United Service 
Organization (USO), Intergovernmental Personnel Act Employees (IPA), 
Boy and Girl Scout Professionals, non-DoD contract employees); members 
of the public treated for a medical emergency in a DoD or joint DoD/VA 
medical facility; Non-DoD Civilian employee; and individuals requiring 
a Common Access Card to access DoD information technology applications 
(i.e., Department of Homeland Security employees, state National Guard 
Employees, and Affiliated Volunteers); Civilian Retirees; DoD Outside 
of the Continental United States (OCONUS) Hires; Foreign Army; Foreign 
Navy; Foreign Marine Corps; Foreign Air Force; and Foreign Coast Guard.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Eligibility and Enrollment Data: Selected electronic data elements 
extracted from the Defense Enrollment Eligibility Reporting System 
(DEERS) regarding personal eligibility for and enrollment in various 
health care programs within the DoD and among DoD and other federal 
healthcare programs including those of the VA, the HHS, and contracted 
health care provided through funding provided by one of these three 
Departments. Personal data includes: Name; DoD ID number; Social 
Security Number (SSN); address; email address(es); date of birth; 
gender; branch of service; citizenship; DoD Benefits number; DEERS ID 
number; sponsorship and beneficiary information; race and ethnic 
origin; religious preference;
    Emergency Data information may include spouse's name and address; 
children's names, dates of birth, address and telephone number; 
parents' names, addresses and telephone numbers; or emergency contact's 
name and address;
    Employment Information: Employment status; duty position; email 
address(es); leave balances and history; work schedules; individual 
personnel records; time and attendance records; retirement records, 
sponsor duty location, unit of assignment; occupation; rank; skill 
specialty; security clearance information.
    Personal Financial Information: Pay, wage, earnings information; 
separation information; financial benefit records; income tax 
withholding records; accounting records.
    Medical Readiness and Deployment Information: Inpatient and 
outpatient medical records; diagnosis codes; admission and discharge 
dates; location of care; pharmacy records; immunization records; 
Medical and Physical Evaluation Board records; neuropsychological 
functioning and cognitive testing data; periodic and deployment-related 
health assessments.
    Clinical Encounter Data: Electronic data regarding beneficiaries' 
interaction with the MHS including health care encounters, health care 
screenings and education, wellness and satisfaction surveys, and cost 
data relative to such healthcare interactions. Electronic data 
regarding Military Health System beneficiaries' interactions with the 
VA or HHS healthcare delivery programs where such programs effect 
benefits determinations between these Department-level programs, 
continuity of clinical care, or effect payment for care between 
Departmental programs inclusive of care provided by commercial entities 
under contract to these three Departments.
    Electronic data regarding dental tests, pharmacy prescriptions and 
reports, data incorporating medical nutrition therapy and medical food 
management, data for young MHS beneficiaries eligible for services from 
the military medical departments covered by the Individuals with 
Disabilities Educations Act (IDEA). Data collected within the system 
also allows beneficiaries to request an accounting of who was given 
access to their medical records prior to the date of request. It tracks 
disclosure types, treatment, payment and other Health Care Operations 
(TPO) versus non-TPO, captures key information about disclosures, 
process complaints, process and track request for amendments to 
records, generates disclosure accounting and audit reports, retains 
history of disclosure accounting processing. The Protected Health 
Management Information Tool (PHMIT), an electronic disclosure-tracking 
tool, assists in complying with the HIPAA Privacy disclosure accounting 
requirement. The PHIMT stores information about all disclosures, 
complaints, authorizations, restrictions and confidential 
communications that are made about or requested by a particular 
patient.
    Occupational and Environmental Exposure Data: Electronic data 
supporting exposure-based medical surveillance; reports of incidental 
exposures enhanced industrial hygiene risk reduction; improved quality 
of occupational health care and wellness programs for the DoD 
workforce; hearing conservation, industrial hygiene and occupational 
medicine programs within the MHS; and timely and efficient access of 
data and information to authorized system users.

RECORD SOURCE CATEGORIES:
    Individuals; all DoD databases flowing into or accessed through the 
following integrated data systems, environments, applications, and 
tools: The Composite Health Care System (CHCS) and individual Service 
readiness applications, contractor systems providing clinical results, 
personnel systems, workload management systems; Defense Manpower Data 
Center, other developers (Lab Corp, Quest and EpiLab to perform patient 
specimen laboratory testing); DEERS; and all other systems within the 
DoD systems' repository that meets the regulatory requirements of this 
System of Records notice collection. Military Departments' medical

[[Page 36193]]

treatment facilities, Medical Centers and Hospitals: Uniformed Services 
Treatment Facilities, and commercial healthcare providers; HHS; VA, and 
any other source financed through the Defense Health Program.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act of 1974, as amended, these records may 
specifically be disclosed outside the DoD as a routine use pursuant to 
5 U.S.C. 552a(b)(3) as follows:
    a. To contractors, grantees, experts, consultants, students, and 
others performing or working on a contract, service, grant, cooperative 
agreement, or other assignment for the Federal Government when 
necessary to accomplish an agency function related to this System of 
Records.
    b. To permit the disclosure of records to the HHS and its 
components, other federal agencies, and academic institutions for the 
purposes of public health activities and conducting research, including 
to facilitate collaborative research activities.
    c. To the Congressional Budget Office for projecting costs and 
workloads associated with DoD Medical benefits.
    d. To the VA for the purpose of providing medical care to former 
service members and retirees, to determine the eligibility for or 
entitlement to benefits, to coordinate cost sharing activities, and to 
facilitate collaborative research activities between the DoD and VA.
    e. To the National Research Council, National Academy of Sciences, 
National Institutes of Health, Armed Forces Institute of Pathology, and 
similar institutions for authorized health research in the interest of 
the Federal Government and the public.
    f. To local and state government and agencies for compliance with 
local laws and regulations governing control of communicable diseases, 
preventive medicine and safety, child abuse, and other public health 
and welfare programs.
    g. To federal offices and agencies involved in the documentation 
and review of defense occupational and environmental exposure data.
    h. To the appropriate Federal, State, local, territorial, tribal, 
foreign, or international law enforcement authority or other 
appropriate entity where a record, either alone or in conjunction with 
other information, indicates a violation or potential violation of law, 
whether criminal, civil, or regulatory in nature.
    i. To any component of the Department of Justice for the purpose of 
representing the DoD, or its components, officers, employees, or 
members in pending or potential litigation to which the record is 
pertinent.
    j. In an appropriate proceeding before a court, grand jury, or 
administrative or adjudicative body or official, when the DoD or other 
Agency representing the DoD determines the records are relevant and 
necessary to the proceeding; or in an appropriate proceeding before an 
administrative or adjudicative body when the adjudicator determines the 
records to be relevant to the proceeding.
    k. To the National Archives and Records Administration for the 
purpose of records management inspections conducted under the authority 
of 44 U.S.C. 2904 and 2906.
    l. To a Member of Congress or staff acting upon the Member's behalf 
when the Member or staff requests the information on behalf of, and at 
the request of, the individual who is the subject of the record.
    m. To appropriate agencies, entities, and persons when (1) the DoD 
suspects or confirms a breach of the System of Records; (2) the DoD 
determined as a result of the suspected or confirmed breach there is a 
risk of harm to individuals, the DoD (including its information 
systems, programs, and operations), the Federal Government, or national 
security; and (3) the disclosure made to such agencies, entities, and 
persons is reasonably necessary to assist in connection with the DoD's 
efforts to respond to the suspected or confirmed breach or to prevent, 
minimize, or remedy such harm.
    n. To another Federal agency or Federal entity, when the DoD 
determines information from this System of Records is reasonably 
necessary to assist the recipient agency or entity in (1) responding to 
a suspected or confirmed breach or (2) preventing, minimizing, or 
remedying the risk of harm to individuals, the recipient agency or 
entity (including its information systems, programs and operations), 
the Federal Government, or national security, resulting from a 
suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Electronic and paper.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Name, SSN, Beneficiary ID (sponsor's ID, patient's name, patient's 
DOB, and family member prefix or DEERS dependent suffix), diagnosis 
codes, admission and discharge dates, location of care or any 
combination of the above.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Temporary. Cut off upon last episode of patient care or last entry 
to the patient record is annotated. Delete/Destroy when 75 years old.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Multifactor log-in authentication including CAC authentication and 
password. Access controls enforce need-to-know policies so only 
authorized users have access to PII and/or PHI. Additionally, security 
audit and accountability policies and procedures directly support 
privacy and accountability procedures. Network encryption protects data 
transmitted over the network while disk encryption secures the disks 
storing data. Key management services safeguards encryption keys. 
Sensitive data is identified and masked as practicable. All individuals 
granted access to this System of Records must complete requisite 
training to include Information Assurance and Privacy Act training. 
Sensitive data will be identified, properly marked with access by only 
those with a need to know, and safeguarded as appropriate.

RECORD ACCESS PROCEDURES:
    Individuals seeking access to information about themselves 
contained in this System of Records should address written inquiries to 
the Chief, Freedom of Information Act (FOIA) Service Center, Defense 
Health Agency, Privacy and Civil Liberties Office, 7700 Arlington 
Boulevard, Suite 5101, Falls Church, VA 22042-5101.
    Written requests for information should include the individual's 
full name, home address, home phone number, and SSN/DoD ID number, the 
identifier of this SORN, and signature. If requesting information about 
a legally incompetent person, the request must be made by the legal 
guardian or person with legal authority to make decisions on behalf of 
the individual. Written proof of that status may be required before any 
records will be provided. In addition, the requester must provide a 
notarized statement or an unsworn declaration made in accordance with 
28 U.S.C. 1746, in the following format:
    If executed outside the United States: ``I declare (or certify, 
verify, or state) under penalty of perjury under the laws of the United 
States of America that the foregoing is true and correct. Executed on 
(date). (Signature).''
    If executed within the United States, its territories, possessions, 
or

[[Page 36194]]

commonwealths: ``I declare (or certify, verify, or state) under penalty 
of perjury that the foregoing is true and correct. Executed on (date). 
(Signature).''

CONTESTING RECORD PROCEDURES:
    The DoD rules for accessing records, for contesting contents and 
appealing initial agency determinations are published in 32 CFR part 
310, or may be obtained from the system manager.

NOTIFICATION PROCEDURES:
    Individuals seeking to determine whether information about 
themselves is contained in this System of Records should address 
written inquiries to Chief, Freedom of Information Act (FOIA) Service 
Center, Defense Health Agency, Privacy and Civil Liberties Office, 7700 
Arlington Boulevard, Suite 5101, Falls Church, VA 22042-5101.
    Written requests should contain the individual's full name, home 
address, home phone number, and SSN/DoD ID number, the identifier of 
this SORN, and signature. If requesting information about a legally 
incompetent person, the request must be made by the legal guardian or 
person with legal authority to make decisions on behalf of the 
individual. Written proof of that status may be required before the 
existence of any information will be confirmed. In addition, the 
requester must provide a notarized statement or an unsworn declaration 
made in accordance with 28 U.S.C. 1746, in the following format:
    If executed outside the United States: ``I declare (or certify, 
verify, or state) under penalty of perjury under the laws of the United 
States of America that the foregoing is true and correct. Executed on 
(date). (Signature).''
    If executed within the United States, its territories, possessions, 
or commonwealths: ``I declare (or certify, verify, or state) under 
penalty of perjury that the foregoing is true and correct. Executed on 
(date). (Signature).''

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    March 30, 2006, 71 FR 16127; November 18, 2013, 78 FR 69076.

[FR Doc. 2020-12839 Filed 6-12-20; 8:45 am]
BILLING CODE 5001-06-P