How HIPAA and military healthcare regulations intersect


Both HIPAA and military regulations emphasize the need to safeguard individuals' personal health information, and being aware of how they intersect helps ensure compliance and maintain the confidentiality of patient data.


What is the military health system?

The Military Health System (MHS) is the healthcare system that provides medical services and support to the members of the United States Armed Forces and their eligible family members. It is operated by the Department of Defense (DoD) and includes military treatment facilities, such as hospitals and clinics, as well as contracted civilian healthcare providers.

In addition to military regulations, the MHS is required to comply with HIPAA and the Privacy Act of 1974. Together, these stipulate how the protected health information (PHI) of active-duty service members, their families, and eligible retirees should be protected. Both the MHS and HIPAA provide certain rights to patients regarding their health information. Patients have the right to access their medical records, request corrections, and receive notice of how their information is used and disclosed.

See also: HIPAA Compliant Email: The Definitive Guide


Which provisions relate to military personnel?

Military command exception

The Military Command Exception is a specific provision that permits covered entities (including military healthcare providers) to disclose PHI to military command authorities for authorized activities. These activities may include fitness for duty determinations, assessments of fitness for specific assignments, or other activities vital to the operational readiness of the armed forces.


Disclosure without authorization

Under the Military Command Exception, military treatment facilities can disclose PHI to Command authorities without obtaining individual authorization. This is an exception to the general rule in HIPAA, which requires patient authorization for most uses and disclosures of PHI.


Privacy Act of 1974

While the Military Command Exception allows for certain disclosures to military command authorities, the PHI remains protected under the Privacy Act of 1974. The Privacy Act governs the collection, use, and disclosure of personal information by federal agencies and ensures that military personnel's privacy rights are respected.


Balance of privacy and mission needs

The Military Command Exception aims to strike a balance between protecting the privacy of military personnel's health information and supporting the operational needs of the military. It ensures that medical information is available to support decision-making related to the readiness and deployment of service members.

See also: A deep dive into HIPAA's administrative safeguards


Healthcare organizations and military personnel treatment

When military personnel are treated by civilian healthcare facilities or contractors, it typically occurs under specific circumstances, such as when military treatment facilities are not available or when specialized care is needed beyond the scope of military healthcare. When this happens, the military personnel's medical information may need to be shared with the civilian healthcare providers to ensure proper treatment and continuity of care. 

The sharing of medical information must adhere to the privacy and security regulations set forth by HIPAA and any other applicable federal and state laws. Military personnel may undergo treatment, surgeries, or therapies as needed, and civilian providers may communicate with military healthcare coordinators to ensure a seamless transfer of medical records and treatment plans. Once the medical care is complete, relevant information may be communicated back to the military for continuity of care and further follow-up, if necessary.


Dealing with active-duty members and data sharing

Data sharing for active-duty members often serves the purpose of ensuring their operational readiness. The Military Command Exception permits covered entities, including military healthcare providers, to share PHI with military command authorities for authorized activities necessary for the military mission. When a healthcare provider receives a data request from someone in the military, it is necessary to ensure that the individual making the data request is the military service member or their authorized representative. 

If the request for military personnel data does not fall under an exception, and the healthcare provider believes the disclosure requires individual authorization, request written consent from the military service member or their authorized representative. Clearly state the purpose of the disclosure and the information to be shared. 

See also: What is the HIPAA treatment exception?
