Should service members have the same right to privacy under the Health Insurance Portability and Accountability Act (HIPAA) in regards to their Private Health Information (PHI) that civilians do? From an ethical standpoint, should a Servicemember seeking treatment from a behavioral health specialist have the right to speak freely about their mental health without having to be concerned that their information will be shared with their command team? Or does the potential benefit of the command team knowing ahead of time to possibly prevent harm to the service member and other members of the unit outweigh those rights? Making an ethical choice is not always as easy as simply choosing between “right” and “wrong”. It is sometimes necessary to look at two (or more) options, both of which may be right, and choose the one that will produce the best possible outcome. In this study, we are going to take a deep dive into the rights of a Service Member to keep their personal medical records confidential versus the Military Command Exception and Disclosing PHI of Armed Forces Personnel.
HIPAA and the Privacy Rule
Prior to 1996 laws to protect the privacy of health information did not exist, that all changed on 21 August 1996 when President Bill Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) into law. The purpose of the legislation was meant to “improve the portability and accountability of health insurance coverage”. The law was also meant to reduce waste, fraud and abuse and aid in making the administration of healthcare more efficient (HHS Office of the Secretary, Office for Civil Rights & OCR, 2013). Based on the rules in place for HIPAA, the Secretary of the Department of Health & Human Services (HHS) was required to set forth privacy regulations to protect individually identifiable health information if Congress did not institute privacy laws within three years from the date that HIPAA was signed into law. Due to Congress not establishing this privacy legislation, HHS submitted for public review the Privacy Rule on 3 November 1999 (HHS Office of the Secretary, Office for Civil Rights & OCR, 2013). The legislation commonly known as the Privacy Rule was enacted in 2002. The primary goal of the Privacy Rule is to protect the privacy of an individual’s Protected Health Information (PHI). PHI applies to both civilian and military healthcare organizations, and healthcare plans such as TRICARE as well (“federal register”, 2002). Disclosing PHI to any third-party is only permitted with the authorization of the individual, and includes confidential health information (which could potentially reveal their identity), including their medical history, and is protected under the Privacy Rule (HIPAA Privacy Rule, n.d.).
The problem in the case of military health care providers is that an exception to the Privacy Rule exists. In normal circumstances, medical providers cannot for any reason give PHI unless a written release is given by an individual. However, under the Military Command Exception, a health care provider, at their discretion without authorization from the Service member can disclose the PHI of Service members to appropriate military command authorities, for authorized activities. Authorized activities that PHI could (at the discretion of the health care provider) be disclosed to the appropriate command authorities include: Determining a service member’s fitness for duty; Determining a service member’s fitness to perform a particular assignment; Or determining if a service member can carry out other activities essential to their mission (Military Command Exception, 2015).
The Root Cause
The root cause of this ethical dilemma is the regulations regarding how much, and when PHI is given to command teams which allows health care providers to have too much leeway. For example, the guidance given in DoDI 6490.08 states that notification requirements are based on circumstances in which proper execution of the military mission outweighs the interests served by avoiding notification, as determined on a case by case basis by the healthcare provider. In some instances, the healthcare providers give more information than is necessary, especially if they have developed a repour with the command team, and in other cases, they don’t give enough. While there are guidelines as to what information can be given, and it differs slightly for medical issues, and mental health/substance abuse concerns, the bottom line is that in every instance it boils down solely to the health care providers discretion what, when, and how much information is given (DHA, n.d.).
Acknowledging that a service member’s right to have privacy in regards to their healthcare is equally important as the interests of the Military and for the service member’s command team in keeping their service member’s medical readiness. However, just as in civilian healthcare that right is not absolute, and it shouldn’t be – there are some cases where health care providers should be mandated to report – if an individual is/could be harmful to others, if an individual is/could be a harm to themselves, and if they already have or are preparing to commit a crime. The solution(s) for this dilemma comes in two separate, but equally important parts. The first part of the solution is that regulations surrounding when, and for what reasons PHI can be disclosed needs to be adjusted so that service members can feel comfortable talking about medical and/or behavioral health issues (apart from those strictly laid out conditions), without the fear of repercussions. The regulations should be laid out explicitly and followed to the letter, we must keep service members and those around them safe without stripping them of their right to keep their PHI confidential. The second part of the solution is that classes should be required for command teams before they can have access to even limited information in a service member’s PHI. Including a lesson in the Commander and First Sergeant Course on sensitivity when dealing with the information that they may encounter to gain a better understanding of the violation that a service member may feel when their PHI has been exposed could go a long way in easing tension between the service member, their health care provider, and the command team.
The Three Ethical Lenses
When faced with the question of right versus right in any ethical dilemma, there are three philosophies – or lenses – that can be applied to assist in making a decision. The first philosophy/lens is principals-based ethics. Principals-based ethics lens is defined as that “one should not act according to the consequences of an action, but instead according to agreed-upon or settled values and principles” (James H Svara, 1995). When applying the principals or rules lens to the ethical dilemma of military healthcare providers releasing PHI to command teams the solution(s) is feasible. The second ethical lens is the consequences-based philosophy, “ethical decisions determined under this basis are made on the likely consequences or results of the actions” (H. George Frederickson, 1997) Applying the who wins to the consequences-based ethical lens when determining the feasibility of the proposed solution – in this case, the servicemember wins because his/her right to confidentiality in their medical records is protected. The healthcare provider wins as the question of what to report and when will become less of a moral question due to the clear-cut guidelines, and the command team also wins as they will no longer have the added stressors that inherently go along with having too much personal information about their subordinates that may affect how they perceive them. Applying the who loses – there are no losers in this scenario, the military, specifically the command teams will still be provided with the information required to make the appropriate decisions that benefit both the service member and the organization, without compromising the right to have confidential medical records. The third and final ethical lens is the Virtues-based lens, in this type of ethical lens to determine the feasibility of the proposed solution the golden rule can be applied to focus the decisions being made. Answer the question, if this solution was applied to me would I be happy with the outcome? The answer is a resounding yes. When I seek care from a health care provider I want to feel comfortable knowing that barring any of the circumstances outlined in the guidelines – harm to myself, harm to others, and planning or committing a crime- that my PHI is being protected to the letter of the law and not being shared unreasonably.
In conclusion, adjusting the regulation in the Military Command Exception as it pertains to the PHI of service members and how it is disclosed to command teams, and requiring command teams to attend an additional class on how to appropriately handle the information that they receive regarding confidential health information of their subordinates will result in a more ethical handling of information.
- DHA “Military Command Exception” webpage at: http://www.health.mil/Military-Health-Topics/Privacy-and-CivilLiberties/HIPAA-Compliance-within-the-MHS/Military-Command-Exception
- DoD Instruction (DoDI) 6490.08, “Command Notification Requirements to Dispel Stigma in Providing Mental Health Care to Service Members,” August 17, 2011
- HIPAA Privacy Rule. (n.d.). Retrieved from https://www.hipaajournal.com/hipaa-privacy-rule/
- HHS Office of the Secretary, Office for Civil Rights, & Ocr. (2013, July 26). Summary of the HIPAA Security Rule. Retrieved from https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
- H. George Frederickson, The Spirit of Public Administration, (San Francisco: Jossey-Bass Publishers, 1997), p167-168.
- James H Svara, “The Ethical Triangle: Synthesizing the Bases of Administrative Ethics,” CSG &ASPA Public Integrity Annual (1995), 38-39
- Military Command Exception. (2015, May 13). Retrieved from https://health.mil/Military- Health-Topics/Privacy-and-Civil-Liberties/HIPAA-Compliance-within-the-MHS/Military-Command-Exception
- Standards for Privacy of Individually Identifiable Health Information. (2002, December 28). Retrieved from https://www.federalregister.gov/documents/2002/12/28/00-32678/standards-for-privacy-of-individually-identifiable-health-information