GPSOLO October/November 2007
HIPAA: A Military Perspective
As a former active-duty officer in the U.S. Air Force, I’ve spent my fair share of time at military medical treatment facilities (MTFs) for various dental appointments, shots, and physical health assessments. Military commanders are sticklers about fitness for duty. Even in the age of the scheduled deployment, military officers and enlisted persons never know for sure when they will be called to deploy or how long that deployment will last. But if that call comes, the commander expects all officers and enlisted persons to be physically and mentally ready to go.
In addition to being an officer, I was also a judge advocate (JAG). We like acronyms in the military. We use them all the time. As a JAG, one of my favorite acronyms was HIPAA: Health Insurance Portability and Accountability Act of 1996. This article will provide an overview of HIPAA and its Department of Defense (DoD) incarnation, DoD Health Information Privacy Regulation, DoD 6025.18-R.
HIPAA and the DoD
The definition of “health plan” in HIPAA (Pub. Law 104-191) specifically includes “the health care program for active military personnel under title 10, United States Code.” Within the DoD, DoD 6025.18-R prescribes the uses and disclosures of protected health information (PHI) in accordance with HIPAA (see www.dtic.mil/whs/directives). PHI is “individually identifiable health information” that is created or received by a health care provider, health plan, or employer; that relates to a person’s past, present, or future physical or mental health condition, the provision of health care to a person, or the past, present, or future payment of health care; that identifies the person; and that is transmitted or maintained by electronic or any other form or medium (see DoD 6025.18-R, paragraphs DL1.1.20 and DL1.1.28).
The Military Health System (MHS) must comply with the requirements of HIPAA, both as a “health care provider” through MTFs and as a “health plan” through TRICARE—the DoD’s worldwide health care program for active-duty and retired military members and their families (see www.tricare.mil/hipaa). The MHS is under the common control of the Assistant Secretary of Defense for Health Affairs as a single “covered entity” (see DoD 6025.18-R, paragraph 3.2). Nevertheless, there is a HIPAA privacy officer at each MTF ready to help JAGs, commanders, law enforcement investigators, and patients with their health care privacy issues.
Even though the MHS is under the common control of the Assistant Secretary of Defense for Health Affairs, the rules and procedures established by the Secretary of Health and Human Services (HHS) apply to the MHS just as they do to civilian health care providers, health plans, and health care clearinghouses.
Like its application in the civilian health care system, the DoD privacy regulation prohibits PHI from being used or disclosed “except for specifically permitted purposes” (see DoD 6025.18-R, paragraph C1.2.1). Also, the MHS may use and disclose PHI for treatment, payment, or health care operations activities without the authorization of the patient (see DoD 6025.18-R, Chapter 4). Other uses and disclosures of PHI are generally prohibited “without the written authorization of the patient” (see DoD 6025.18-R, paragraph C1.2.3). In some circumstances, the DoD privacy regulation permits disclosures of PHI but gives the patient the opportunity to object to its release (see DoD 6025.18-R, Chapter 6). Other disclosures of PHI may be made without the patient’s authorization or opportunity to object. These include releases to “law enforcement officials” and to “Military Command Authorities” as a “special government function.” I will discuss these two purposes in greater detail below (see DoD 6025.18-R, Chapter 7). There are also special rules that require using and disclosing the “minimum amount necessary” to the requester of the PHI (see DoD 6025.18-R, Chapter 8). This rule is the military equivalent of the “minimum necessary” rule in the HHS Privacy Rule (see 45 C.F.R. §§ 164.502(b) and 164.514(d)). The DoD privacy regulation also provides persons specific rights concerning their PHI, specifically the right to notices of disclosures that may be made by the MHS and the right to receive an accounting of certain disclosures. The patient also has the right to request that the MHS restrict the disclosures of PHI, to request a confidential communication of PHI from a health care provider, to obtain a copy of PHI, and to request that the MHS amend the PHI in the medical record (see DoD 6025.18-R, Chapters 9-13).
The HHS Privacy Rule, which was issued by the HHS to implement the requirements of HIPAA, permits a covered entity to disclose PHI without a person’s authorization for 12 purposes (see 45 C.F.R. § 164.512). The DoD privacy regulation in Chapter 7 lists essentially the same 12 uses or disclosures of PHI for which authorization or the opportunity to object is not required (see DoD 6025.18-R, paragraph C1.2.5).
In my opinion, the most often used of the 12 provisions in the military are for the purposes of “law enforcement” and “specialized government functions.” The reason is that JAGs often wear two hats: legal advisor to the commander and prosecutor/military justice. As a JAG in an Air Force base legal office, I alternated between these two hats on many occasions.
Disclosures for Law Enforcement Purposes
Disclosures for law enforcement purposes may be made to a “law enforcement official” if certain conditions listed in the DoD privacy regulation are met (see DoD 6025.18-R, paragraph C7.6). The term “law enforcement official” includes a military prosecutor (see DoD 6025.18-R, paragraph DL18.104.22.168). There are several provisions in the DoD privacy regulation that authorize the release of medical records for military justice purposes. When I was stationed in an Air Force base legal office as a prosecutor, the “law enforcement official” provision was often used to access medical records—for example, information about a victim’s injuries resulting from an assault.
Air Force medical law experts provide JAGs in base legal offices a sample memorandum that is to be used by JAG prosecutors to request medical records for law enforcement purposes. In this memorandum, which is addressed to the MTF, the JAG prosecutor is required to state why the medical record is needed (e.g., “I’m prosecuting the case of United States v. Airman Snuffy”). The JAG prosecutor is also asked to indicate the minimum amount of the medical record necessary for the law enforcement activity. Depending on the facts of the investigation, this may include the entire medical record. Also, the JAG prosecutor can request a temporary suspension of the member’s right to receive an accounting of the PHI disclosure. A temporary suspension is often necessary if an accounting of the disclosure could impede the investigation or hinder the prosecution of the case. The memorandum is then signed by the JAG prosecutor and typically given to the MTF HIPAA privacy officer, who then forwards it to the MTF commander for review before the records are released.
Requests for mental health and alcohol and substance abuse records are subject to additional laws and regulations. For example, for access to mental health records for a court-martial, Military Rule of Evidence (MRE) 513 provides that a patient has a privilege to refuse to disclose and to prevent any other person from disclosing a confidential communication made between the patient and psychotherapist. This MRE applies to all the branches of the military and in cases that arise under the Uniform Code of Military Justice—in other words, criminal cases—but not administrative discharge actions involving mental disorders that interfere with a member’s ability to serve in the military.
Disclosures for Specialized Government Functions
The DoD privacy regulation takes into account the fact that the military isn’t like just any other employer in the United States. That’s understandable. The military has different expectations than civilian employers. For example, in the military we are required to be physically and mentally fit. That is part of our job. It is our duty. Physical and mental fitness determines whether we deploy to fight, and it may determine whether we are allowed to remain in the military. As a defense counsel in the Air Force, I had approximately a dozen clients in the last year who were administratively discharged for either a mental disorder that interfered with their ability to serve, or for failure to maintain Air Force physical fitness standards. In order for a commander to know which subordinates are mentally and physically able to serve and deploy to fight, the commander is permitted access to the information in the subordinates’ medical and mental health records (see DoD 6025.18-R, paragraphs C1.2.5 and C7.11).
Information maintained in an active-duty member’s medical records may be accessed by “Military Command Authorities” to “assure the proper execution of the military mission” (see DoD 6025.18-R, paragraph C22.214.171.124). The “Military Command Authority” typically refers to the commanding officer over the patient. The MHS can disclose PHI to a commander to determine the member’s “fitness for duty” and “fitness to perform any particular mission, assignment, order, or duty.” But what does that mean exactly? What is it that my commander can know about my physical and mental health without my permission? I’ll give you an example.
Before I separated in May from active duty, I completed a physical health assessment (PHA), received the flu shot, got my eyes examined, and went to my dental exam, as I did every other year. The results of this information were input into a database at the MTF that tracks this “readiness” data. Is this information about my physical condition covered by HIPAA? Yes, because it contains PHI. The information was created or received by a health care provider, relates to my present physical health condition, and the database identifies me as the person who received the medical care. As a result, this database’s information about my health care status falls under the definition of PHI (see DoD 6025.18-R, paragraph DL1.1.20). It is also PHI because it is “individually identifiable health information” that is “transmitted or maintained by electronic or any other form or medium” (see DoD 6025.18-R, paragraph DL1.1.28). Therefore, the protections and rights under HIPAA apply.
However, as we discussed above, the fact this information is considered PHI doesn’t prevent my commander from accessing it. What HIPAA ensures is that I have certain protections and rights—for example, the “minimum necessary” standard and the right to request an accounting for disclosures of my PHI.
When disclosing PHI in any form, the MHS must make “reasonable efforts” to limit the use or disclosure of PHI to “the minimum necessary” to accomplish its intended purpose (see DoD 6025.18-R, paragraph C8.2). In the Air Force, Air Force Instruction (AFI) 41-210 permits access to the member’s actual medical record only if such access is specifically requested in writing by the member’s commander (or designee) to the MTF commander with an explanation as to why the actual medical record is needed. If given access to the actual record, the commander must conduct the records review with the assistance of a health care provider who can advise the commander on medical record data that might be misinterpreted. I mention this because it is important for JAGs to understand that a commander or first sergeant cannot just walk into an MTF and review the actual medical record of a subordinate. This would clearly violate the “minimum necessary” standard of DoD 6025.18-R. Unfortunately, I’ve heard such things actually happen. As JAGs we must educate our commanders and first sergeants about HIPAA, particularly the “minimum necessary” standard.
Under HIPAA I also have the right to receive an accounting of disclosures of my PHI for the previous six years (see DoD 6025.18-R, paragraph C13.1). As discussed above, accounting for a disclosure to a “law enforcement official” can be suspended if the accounting would interfere with an ongoing investigation. There are other exceptions to this accounting requirement. For example, I do not have the right to receive an accounting for disclosures of my PHI for national security or intelligence purposes (see DoD 6025.18-R, paragraphs C7.11.4 and C126.96.36.199). However, my immunizations record, dental exam, and PHA results do not fall under that exception because the information has virtually nothing to do with any legitimate intelligence or other national security activity. It makes sense to me. Whether I have a cavity is not a national security concern. It is a possible concern for my commander because it could affect whether I am able to deploy, but it is not an issue the Central Intelligence Agency needs to be concerned with.
Based on my experience as an Air Force JAG, I can tell you that HIPAA and its DoD progeny do not receive the attention they deserve from JAGs. In this age of yearlong deployments and our military leadership’s emphasis on being fit to fight, JAGs certainly need to be sensitive to our commanders’ interest in the physical and mental health of their subordinates; however, JAGs cannot allow commanders to access medical records willy-nilly just because the commander wants to. This may sound like typical defense counsel drivel, but our young enlisted and officer corps have rights under HIPAA, and as JAGs we have a duty to follow the law and ensure that commanders are not walking into MTFs and pulling their subordinates’ medical records off the shelves.
Timothy J. Rushenberg is a former active-duty U.S. Air Force judge advocate. His final duty assignment was as the area defense counsel at Minot Air Force Base, North Dakota, which ended in May 2007. He currently practices law in Elkhart, Indiana. He may be reached at email@example.com. The views expressed in this article are his own and not necessarily the views of the Department of the Air Force, the Department of Defense, or the U.S. government. Mr. Rushenberg would like to give special thanks to June Rogers, the HIPAA Privacy Officer at Davis-Monthan Air Force Base, Arizona, for her input in this article.