Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Military Purposes

12/28/2000

Armed Forces Personnel and Veterans

Comment: A few comments opposed the proposed rule's provisions on the military, believing that they were too broad. Although acknowledging that the Armed Forces may have legitimate needs for access to protected health data, the commenters believed that the rule failed to provide adequate procedural protections to individuals. A few comments said that, except in limited circumstances or emergencies, covered entities should be required to obtain authorization before using or disclosing protected health information. A few comments also expressed concern over the proposed rule's lack of specific safeguards to protect the health information of victims of domestic violence and abuse. While the commenters said they understood why the military needed access to health information, they did not believe the rule would impede such access by providing safeguards for victims of domestic violence or abuse.

Response: We note that the military comprises a unique society and that members of the Armed Forces do not have the same freedoms as do civilians. The Supreme Court held in Goldman v. Weinberger, 475 US 503 (1986), that the military must be able to command its members to sacrifice a great many freedoms enjoyed by civilians and to endure certain limits on the freedoms they do enjoy. The Supreme Court also held in Parker v. Levy, 417 US 733 (1974), that the different character of the military community and its mission required a different application of Constitutional protections. What is permissible in the civilian world may be impermissible in the military. We also note that individuals entering military service are aware that they will not have, and enjoy, the same rights as others.

The proposed rule would have authorized covered entities to use and disclose protected health information about armed forces personnel only for activities considered necessary by appropriate military command authorities to assure the proper execution of the military mission. In order for the military mission to be achieved and maintained, military command authorities need protected health information to make determinations regarding individuals' medical fitness to perform assigned military duties.

The proposed rule required the Department of Defense (DoD) to publish a notice in the Federal Register identifying its intended uses and disclosures of protected health information, and we have retained this approach in the final rule. This notice will serve to limit command authorities' access to protected health information to circumstances in which disclosure of protected health information is necessary to assure proper execution of the military mission.

With respect to comments regarding the lack of procedural safeguards for individuals, including those who are victims of domestic violence and abuse, we note that the rule does not provide new authority for covered entities providing health care to individuals who are Armed Forces personnel to use and disclose protected health information. Rather, the rule allows the Armed Forces to use and disclose such information only for those military mission purposes which will be published separately in the Federal Register. In addition, we note that the Privacy Act of 1974, as implemented by the DoD, provides numerous protections to individuals.

We modify the proposal to publish privacy rules for the military in the Federal Register. The NPRM would have required this notice to include information on the activities for which use or disclosure of protected health information would occur in order to assure proper execution of the military mission. We believe that this proposed portion of the notice is redundant and thus unnecessary in light the rule's application to military services. In the final rule, we eliminate this proposed section of the notice, and we state that health plans and covered health care providers may use and disclose protected health information of Armed Forces personnel for activities considered necessary by appropriate military command authorities to assure the proper execution of a military mission, where the appropriate military authority has published a Federal Register notice identifying: (1) the appropriate military command authorities; and (2) the purposes for which protected health information may be used or disclosed.

Comment: A few commenters, members of the affected beneficiary class, which numbers approximately 2.6 million (active duty and reserve military personnel), opposed proposed § 164.510(m) because it would have allowed a non-governmental covered entity to provide protected health information without authorization to the military. These commenters were concerned that military officials could use the information as the basis for taking action against individuals.

Response: The Secretary does not have the authority under HIPAA to regulate the military's re-use or re-disclosure of protected health information obtained from health plans and covered health care providers. This provision's primary intent is to ensure that proper military command authorities can obtain needed medical information held by covered entities so that they can make appropriate determinations regarding the individual's medical fitness or suitability for military service. Determination that an individual is not medically qualified for military service would lead to his or her discharge from or rejection for service in the military. Such actions are necessary in order for the Armed Forces to have medically qualified personnel, ready to perform assigned duties. Medically unqualified personnel not only jeopardize the possible success of a mission, but also pose an unacceptable risk or danger to others. We have allowed such uses and disclosures for military activities because it is in the Nation's interest.

Separation or Discharge from Military Service

Comment: The preamble to the NPRM solicited comments on the proposal to permit the DoD to transfer, without authorization, a service member's military medical record to the Department of Veterans Affairs (DVA) when the individual completed his or her term of military service. A few commenters opposed the proposal, believing that authorization should be obtained. Both the DoD and the DVA supported the proposal, noting that transfer allows the DVA to make timely determinations as to whether a veteran is eligible for benefits under programs administered by the DVA.

Response: We note that the transfer program was established based on recommendations by Congress, veterans groups, and veterans; that it has existed for many years; and that there has been no objection to, or problems associated with, the program. We also note that the Department of Transportation (DoT) and the Department of Veterans Affairs operate an analogous transfer program with respect to United States Coast Guard personnel, who comprise part of the U.S. Armed Forces. The protected health information involved the DoD/DVA transfer program is being disclosed and used for a limited purpose that directly benefits the individual. This information is covered by, and thus subject to the protections of, the Privacy Act. For these reasons, the final rule retains the DoD/DVA transfer program proposed in the NPRM. In addition, we expand the NPRM's proposed provisions regarding the Department of Veterans Affairs to include the DoT/DVA program, to authorize the continued transfer of these records.

Comment: The Department of Veterans Affairs supported the NPRM's proposal to allow it to use and disclose protected health information among components of the Department so that it could make determinations on whether an individual was entitled to benefits under laws administered by the Department. Some commenters said that the permissible disclosure pursuant to this section appeared to be sufficiently narrow in scope, to respond to an apparent need. Some commenters also said that the DVA's ability to make benefit determinations would be hampered if an individual declined to authorize release of his or her protected health information. A few commenters, however, questioned whether such an exchange of information currently occurs between the components. A few commenters also believed the proposed rule should be expanded to permit sharing of information with other agencies that administer benefit programs.

Response: The final rule retains the NPRM's approach regarding use and disclosure of protected health information without authorization among components of the DVA for the purpose of making eligibility determinations based on commenters' assessment that the provision was narrow in scope and that an alternative approach could negatively affect benefit determinations for veterans. We modify the NPRM language slightly, to clarify that it refers to a health plan or covered health care provider that is a component of the DVA. These component entities may use or disclose protected health information without authorization among various components of the Department to determine eligibility for or entitlement to veterans' benefits. The final rule does not expand the scope of permissible disclosures under this provision to allow the DVA to share such information with other agencies. Other agencies may obtain this information only with authorization, subject to the requirements of § 164.508.

Foreign Military Personnel

Comments: A few comments opposed the exclusion of foreign diplomatic and military personnel from coverage under the rule. These commenters said that the mechanisms that would be necessary to identify these personnel for the purpose of exempting them from the rule's standards would create significant administrative difficulties. In addition, they believed that this provision would have prohibited covered entities from making disclosures allowed under the rule. Some commenters were concerned that implementation of the proposed provision would result in disparate treatment of foreign military and diplomatic personnel with regard to other laws, and that it would allow exploitation of these individuals' health information. These commenters believed that the proposed rule's exclusion of foreign military and diplomatic personnel was unnecessarily broad and that it should be narrowed to meet a perceived need. Finally, they noted that the proposed exclusion could be affected by the European Union's Data Protection Directive.

Response: We agree with the commenters' statement that the NPRM's exclusion of foreign military and diplomatic personnel from the rule's provisions was overly broad. Thus, the final rule's protections apply to these personnel. The rule covers foreign military personnel under the same provisions that apply to all other members of the U.S. Armed Forces, as described above. Foreign military authorities need access to protected health information for the same reason as must United States military authorities: to ensure that members of the armed services are medically qualified to perform their assigned duties. Under the final rule, foreign diplomatic personnel have the same protections as other individuals.

Intelligence Community

Comments: A few commenters opposed the NPRM's provisions regarding protected health information of intelligence community employees and their dependents being considered for postings overseas, on the grounds that the scope of permissible disclosure without authorization was too broad. While acknowledging that the intelligence community may have legitimate needs for its employees' protected health information, the commenters believed that the NPRM failed to provide adequate procedural protections for the employees' information. A few comments also said that the intelligence community should be able to obtain their employees' health information only with authorization. In addition, commenters said that the intelligence community should make disclosure of protected health information a condition of employment.

Response: Again, we agree that the NPRM's provision allowing disclosure of the protected health information of intelligence community employees without authorization was overly broad. Thus we eliminate it in the final rule. The intelligence community can obtain this information with authorization (pursuant to § 164.508), for example, when employees or their family members are being considered for an oversees assignment and when individuals are applying for employment with or seeking a contract from an intelligence community agency.