BY KATHLEEN GILBERD
Privacy and confidentiality of military medical records and information have long been of concern to servicemembers and those who assist them. For decades, records of medical evaluation and treatment were easily available to commanding officers and others in a patient’s command. Since many commands consider medical problems a weakness, malingering or cowardice, and since diagnoses of medical problems has often been used against whistleblowers and those seen as troublemakers, this posed many problems.
In the last couple of decades, however, total command access to medical records and information has given way to some limited confidentiality, and to an understanding that the Privacy Act and HIPAA have application to the military. Those of us trained in military law some years ago may not be familiar with more recent regulations and policies. Many commands are unfamiliar with or resentful of these changes. It is not uncommon for sergeants to demand to see medical records and for commanders to assume they should have full access to medical files.
In the last issue of On Watch, this writer discussed DoD Instruction 6000.14, the “DoD Patient Bill of
Rights and Responsibilities,” and noted briefly that the Instruction allows military members to “communicate with healthcare providers in confidence” and “have the privacy and security of their protected health information maintained,” subject to restrictions in other regulations. (Encl. 3, part 2.f) That Instruction also outlines the right to “reasonable safeguards for the confidentiality, integrity, and availability of their protected health information, and similar rights for other PII [Protected Identifiable Information], in electronic, written, and spoken form.” (Encl. 2, part 1.c) This article discusses those privacy rights in more detail, with an emphasis on information concerning mental health.
HIPAA AND PRIVACY RIGHTS
DoD Instruction 6025.18 of March 13, 2019, “Health Insurance Portability and Accountability Act
(HIPAA) Privacy Rule Compliance in DoD Health Care Programs”
(https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/602518p.pdf?ver=2019–03–13125803–017) , and an accompanying Manual, DoDM 6025.18, “Implementation of the HIPAA Privacy Rule in DoD Health Care Programs”
(https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/602518m.pdf?ver=2019–0313–123513–717), set out much of the current policy. They require that DoD entities and its business associates must follow the HIPAA rules on privacy and breach of privacy, which are described in some detail in the Manual. The Instruction states that DoD and business associates must comply with related federal requirements, including 5 USC 552a (the Privacy Act), DoD regulations implementing the Act and other federal rules.
But HIPAA and privacy rights are still limited in the military. The Instruction also states that DoD and business associates:
Must, as authorized by and consistent with the procedures pursuant to DoDM 6025.18, ensure the availability to appropriate command authorities of health information concerning military personnel necessary to ensure the proper execution of the military mission. In doing so, DoD covered entities and business associates must follow the policies regarding mandatory and prohibited release of PHI [individually identifiable health information] pursuant to DoD Instruction 6490.08 to dispel stigma associated with seeking mental health services, substance misuse education services, or both. (Section 1.2.a.(3))
When medical information is released, covered individuals (except inmates) should have the right to notification of the release, with an explanation of their rights and the releasing entity’s obligations; the releasing health care provider or facility must make a good faith effort to obtain acknowledgement of receipt. Members may authorize the release of information, under part 4.2 of the Manual; part 4.3 covers their right to object to disclosures. There are, of course, exceptions for such things as emergency circumstances, and part 4.4 sets out additional situations for unauthorized disclosure, including some releases to public health authorities, some releases concerning victims of abuse, neglect or domestic violence, releases for judicial and administrative proceedings, etc.
Under part 5.2 of DoD 6025.18, an individual may request restrictions on permitted use and disclosure of records. The covered entity, however, has discretion to deny the request. If the entity agrees to the restriction, it may not violate the agreement except in cases where emergency treatment is required and the restricted information is needed in that treatment. Requests for restriction should be submitted to the person or office obliged to comply with the restriction.
HANDLING BREACHES OF PRIVACY
The DoD Manual sets out requirements for DoD entities where a breach of confidentiality has occurred. All breaches must be reported to the Defense Health Agency [DHA] Privacy Office within 24 hours of discovery, and the entity must also follow other “breach response and reporting requirements” described in Part 6-2.b.(1) of the Manual. The health care provider or entity must conduct an assessment of the nature of the breach, determine whether it is also a breach under Health and Human Services [HHS] provisions, and decide what notification is required and what mitigation or response is needed. The DHA Privacy Office reviews this assessment and makes a final determination on it. Normally, notification of the individual whose privacy is breached must be written, in plain language, and include a brief description of what happened and when, when it was discovered, what type of health information was involved, and any steps the person should take to protect himself or herself from harm due to the breach. The notification must also describe what is being done to investigate the breach, mitigate any harm it caused, and protect against future breaches. Delays in notification may be permitted when investigating law enforcement personnel tell the DoD entity that notification would impede investigation or harm national security. Where the DHA Privacy Office determines that the breach qualifies as an HHS breach, it must report that fact directly to the secretary of HHS, with a copy to the affected DoD entity.
Readers may be surprised to learn of these provisions, since they are frequently unknown to or ignored by providers and medical clinics. Where clients are willing, pressing for enforcement may be an important lesson to military health entities.
CONSIDERATIONS FOR MENTAL HEALTH RECORDS AND INFORMATION
The privacy and confidentiality of mental health records pose some of the most serious problems for servicemembers. The military itself acknowledges that there is a considerable stigma attached to seeking mental health care or having a mental health condition. When commands learn of either, members may face serious harassment, formal and/or informal discrimination, and real damage to their careers. By way of a painful example of harassment, a command at Camp Pendleton used to require its members to hand carry a chit to and from any mental health appointment; the chit was attached to a teddy bear. (This practice stopped when Navy Times learned of and publicized the behavior.)
In addition to the regulations discussed above, releases of mental health information by health care providers and facilities to command personnel are covered in DoD Instruction 6490.08 of August 17, 2013, “Command Notification Requirements to Dispel Stigma in Providing Mental Health Care to Service Members”
(https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/649008p.pdf). This Instruction applies to mental health evaluations and treatments requested by members or referred by other medical care providers, as well as voluntarily-sought drug and alcohol abuse education (as distinguished from mandatory treatment). It does not apply to command-directed mental health evaluations [CDEs], which are covered in DoD Instruction 6490.04 and have the effect of an order. The command notification Instruction gives some emphasis to the need to avoid stigma. It makes a general statement that healthcare providers will not notify commands of mental health evaluations or treatment except in specific circumstances. (Enc. 2, part 1.a) The Instruction requires commanders to protect the privacy of information and restrict it to those with a need to know, i.e., “access to the information must be necessary to the conduct of official duties.” (Encl. 2, part 3) The vagueness of the language here is worth noting.
Unfortunately, DoD 6490.08 contains more exceptions than privacy requirements; these are covered in Encl. 2, part 1.b. Healthcare providers should notify commanders when evaluation or treatment shows a serious risk of harm to self or others, or to a specific military operational mission (here the instruction notes that the risk would include disorders significantly affecting impulsivity, insight, reliability or judgment); a significant risk to mission accomplishment for special personnel such as members of the Personnel Reliability Program; provision of inpatient care (as admission or discharge are considered “critical points in treatment”); acute medical condition interfering with duty or acute medical retreatment that impairs ability to perform assigned duties; entrance into or discharge from substance abuse treatment programs, whether inpatient or outpatient; command-directed evaluations; or “other special circumstances in which proper execution of the military mission outweighs the interests served by avoiding notification” in the opinion of a healthcare provider or other authorized medical official at the O-6 level or above. This writer is hard-pressed to think of more than a few conditions which cannot be shoe-horned into one of these exceptions, though challenges to the release of information may be possible with outside psychiatric and legal advocacy.
Fortunately, health care providers are instructed to provide commands with the minimal amount of information needed to meet the purpose of the disclosure. This would include the diagnosis, description of planned treatment, impact on duty or mission, recommended duty restrictions or limitations, prognosis, implications for safety of the member or others, and “ways the command can support or assist the Service member’s treatment.” (Encl. 2, part 1.c)
Army policy on privacy of medical information is generally in accord, offering detailed opportunities to release information to non-medical personnel. AR 40-66, of June 17, 2008 (with Rapid Action
Revision of January 4, 2010), “Medical Record Administration and Health Care Documentation” (https://armypubs.army.mil/epubs/DR_pubs/DR_a/pdf/web/r40_66.pdf), refers to DoD regs allowing military personnel with an official need to know to have access to a member’s records for specific purposes. (Chapter 2, part 2-4) These include, among other things, release for judicial or administrative proceedings, to avert a serious threat to health or safety, to determine fitness for duty or for any particular mission or assignment. Medical professionals are permitted to release rather general medical profiles to commands, and to release minimum necessary information to avoid a “serious and imminent threat to health or safety of a person, such as suicide, homicide, or other violent action.” (Chapter 2, part 2-4.a.(2).(a))
SPECIAL RULES FOR SUBSTANCE USE DISORDER RECORDS
There are special provisions for confidentiality of substance abuse disorder records made by federally assisted substance use disorder programs; these are set out in 42 CFR Part 2. Where those rules apply to private health information of a DoD covered entity, the entity must follow both sets of rules. If one set prohibits a release, and the other does not, the prohibition applies. The DoD regulation distinguishes confidential records of substance abuse “education” from records made when a member has entered or been discharged from an inpatient or outpatient treatment program. (DoD 6490.08, Encl. 2, part 1.a and 1.b.(7))
OBTAINING MEDICAL RECORDS
Traditionally, obtaining copies of one’s own medical records has been a hit or miss proposition. Some servicemembers requesting their records from medical clinics have been told (usually by clerks, medics or corpsmen) that they are not entitled to their own records, though in other cases the records are released without difficulty. New measures for viewing one’s medical records electronically are now in place (though these are beyond this writer’s Luddite understanding).
DoD regulations are clear that members have the right to see and obtain copies of their medical records; this is set out in the DoD Manual, part 5-3, and elsewhere. Records should normally be provided within 30 days of a request, with a possible extension of 30 days if the initial deadline cannot be met; in such cases, the facility or provider must explain the reasons for the delay to the requester. Where servicemembers encounter difficulties or refusals of records requests, or with large medical facilities, it is sometimes advantageous to request the records with DD Form 2870, “Authorization for Disclosure of Medical or Dental Information,” This form is HIPAA-compliant, and sufficiently official that it is usually treated with respect by record-holders.
Some grounds exist for denial of requests, such as psychotherapy notes; information “compiled in reasonable anticipation of, or for use in,” litigation or administrative action; some quality assurance information; inmates’ PHI if the information would jeopardize health, rehabilitation, etc., of the requester or others; research treatment records while the research is ongoing; records denied under exceptions to the Privacy Act, such as classified records and certain investigative material; and records where confidentiality has been promised to a non-health-care worker and the release would likely identify him or her. Some other records may be denied, but with the right to have them reviewed by an independent DoD health care provider.
The Army affirms DoD’s requirement that members have access to their records in AR 40-66 at Chapter 2, part 2-3.a, which requires that requested records be made available to the member within 30 days. Requests must be in writing, and may use the same DD Form 2870; if the form is not available, the member may submit a letter describing the records or information. The reg notes that, if a physician or dentist feels the information could adversely affect the patient’s physical, behavioral or emotional help, the member may be required to name a medical professional to receive the records. The Civilian Medical Resources Network may be helpful in these cases.
The military purports to take violation of confidentiality and privacy rights seriously. Military personnel who violate these rights may be subject to disciplinary or administrative action, with other sanctions available for DoD civilian employees and contractors.
When a member feels that these rights have been violated, the DoD Manual sets out remedies, though these are not the only ones available. Part 7.2.a of the Manual states that the member may file a HIPAA complaint with the DoD entity involved, with the DHA Privacy Office, or with HHS. The Defense Health Agency has an obligation to make sure that information on how to file HIPAA complaints is available to military personnel. Health and Human Services HIPAA complaint forms may be found on the HHS website.
DoD entities receiving HIPAA complaints from HHS are required to send them to the DHA Privacy Office within five days of receipt, along with any relevant documentation. (Part 7-2.a.(2).(b)) That office serves as the liaison for all HIPAA complaints against DoD agencies or offices which are submitted through HHS. When the DHA Privacy Office receives a complaint from an individual or from HHS, it must “initiate, coordinate and monitor” an investigation and assign an investigation suspense date.
Once a DoD covered entity has finished its own investigation, it must forward the report of investigation to the local HIPAA privacy officer, who in turn sends it to the DHA Privacy Office for review. When the investigation is considered complete, that office provides the complaint resolution to HHS or the individual. The Manual also notes that a member may make a complaint directly to HHS under 45 CFR 160.306. (The regs are not clear on whether the member may make separate complaints to both DoD and HHS.)
The DoD Manual also states that a covered entity may not “intimidate, threaten, coerce, discriminate against, or take other retaliatory action” against one who files a HHS complaint, or testifies or assists in an investigation, hearing etc., regarding compliance, or in good faith opposes an act or practice made unlawful by the Manual. (Here, the manner of opposition must be reasonable and must not itself involve any improper disclosure of PHI.) (Part 7.2.b)
AR 40-66, at part 2-3, outlines complaint mechanisms for Army personnel:
“ (j) Individuals may file a complaint when they believe that PHI relating to them has been used or disclosed improperly; that an employee has improperly handled the information; that they have wrongfully been denied access to or opportunity to amend the information; or that the entity’s notice does not accurately reflect its information practices. All such complaints must be in writing.
“(k) The Freedom of Information Act/Privacy Official is the primary point of contact for
individuals to file complaints pursuant to this policy.
“(l) As stated in the NOPP, individuals may also complain to the HHS if they believe their privacy rights have been violated. If an individual chooses to file a complaint with HHS, the complaint must— 1. Be filed in writing, either on paper or electronically; 2. Name the entity that is the subject of the complaint and describe the actions that have allegedly been violations of the privacy standards; and 3. Be filed within 180 days of when the complainant knew or should have known that the violation occurred.
“(m) All workforce members are prohibited from retaliating against individuals filing a complaint or requiring individuals to waive their rights to file a complaint with the HHS as a condition of the provision of treatment, payment, enrollment, or eligibility for benefits.”
It is noteworthy that, under the DoD Manual, part 5.5, an individual has the right to an accounting of disclosures of PHI for six years preceding the request. This sounds promising, but the section includes a number of exclusions, such as disclosure to carry out treatment, payment and healthcare operations, to persons involved in the individual’s care or other notice purposes provided in paragraph 4.3; for national security or intelligence purposes, incident to a disclosure otherwise permitted or required by the Manual per paragraph 4.5.d.
Unfortunately, the regs do not discuss any complaint procedures other than HIPAA-type complaints to DoD or HHS. Where a member wishes the matter to be kept as private as possible, a request mast or use of the commander’s open-door policy may be used to ask a commanding officer to deal with the offender and perhaps reinforce the general need for privacy of medical information. Discussion with medical facility ombudsmen may also be helpful. If non-medical command personnel in the member’s command are responsible for the improper release, a complaint under Article 138 of the UCMJ may be appropriate. Particularly if the complaint involves medical personnel, the 138 may be rejected on the grounds that another appeal/complaint procedure is available, though this may still be worth a try. (A discussion of Article 138 complaints is available on the MLTF website at https://nlgmltf.org/military–law–library/publications/memos/article–138/.) Congressional inquiries can be helpful, particularly if the Congressional office is given information about the military’s privacy policies. Complaints to an Inspector General may also be appropriate, particularly if the member feels that the breach of privacy was a reprisal for whistleblowing or another protected communication, or if he or she faces reprisals for the complaint itself.
The medical privacy regs are not helpful about the relief which may be sought, aside from mentioning “mitigation” and making it clear that an offender may be subjected to disciplinary or administrative action. But what of the servicemember whose co-workers or superiors are now aware of his or her medical or psychological condition? In an HIV breach of privacy case some years ago, the member asked for a public apology during formation from the offender, as well as a full-command briefing on medical privacy and on the realities and stereotypes about HIV. Remedies of this sort may be very helpful, though they cannot undo the disclosure. Where private information has become too widespread, nothing prevents a member from requesting a transfer to another unit or command. When approaching these cases, it is important to help the member think about the remedies that would be most helpful.