by order of the air force instruction 41-200 secretary … · certification and approval. refer...
TRANSCRIPT
BY ORDER OF THE
SECRETARY OF THE AIR FORCE
AIR FORCE INSTRUCTION 41-200
25 JULY 2017
Health Services
HEALTH INSURANCE PORTABILITY
AND ACCOUNTABILITY ACT (HIPAA)
COMPLIANCE WITH THIS PUBLICATION IS MANDATORY
ACCESSIBILITY: Publications and forms are available on the e-Publishing website at
www.e-Publishing.af.mil for downloading or ordering.
RELEASABILITY: There are no releasability restrictions on this publication.
OPR: AFMSA/SG3S Policy Branch Certified by: AF/SG3/5
(Maj Gen Roosevelt Allen, Jr.)
Pages: 60
This publication implements Air Force Policy Directive (AFPD) 41-2, Medical Support. This
Instruction identifies and defines the requirements, policies, procedures, and activities necessary
to ensure successful compliance with the Health Insurance Portability and Accountability Act
(HIPAA) Privacy and Security Rules. It describes how to manage administration functions for
the establishment of the HIPAA privacy program, including personnel designations, training,
safeguarding medical information, handling complaints, sanctions, mitigation, policies and
procedures, refraining from intimidating or retaliatory acts, and documentation requirements.
Organizational alignment of these functions may vary among Medical Treatment Facilities. This
Instruction requires the collection and or maintenance of information protected by HIPAA, 45
CFR Parts 160 & 164, and the Privacy Act (PA) of 1974, 5 United States Code (U.S.C.) Section
552a. The applicable SORN [F044 F SG E, Electronic Medical Records System] is available at:
http://dpclo.defense.gov/Privacy/SORNs.aspx. Forms affected by the PA have an appropriate
PA statement. This instruction applies to all Air Force medical units; Air National Guard or Air
Force Reserve Component personnel when assigned to or provide operational support when
members are working as part of the covered entity. This instruction does not apply to Air Force
personnel participating at a non-Air Force facility, military or civilian, as part of their official
duties pursuant to an agreement; in those instances, the other facility’s policies and procedures
would apply. This publication may be supplemented at any level, but all supplements must be
routed to the Office of Primary Responsibility (OPR) listed above for coordination prior to
certification and approval. Refer recommended changes and questions about this publication to
the OPR listed above using the AF Form 847, Recommendation for Change of Publication; route
AF Forms 847 from the field through the appropriate chain of command. The authorities to
waive wing/unit level requirements in this publication are identified with a Tier (“T-0, T-1, T-2,
Certified Current on, 10 April 2020
2 AFI41-200 25 JULY 2017
T-3”) number following the compliance statement. See AFI 33-360, Publications and Forms
Management, Table 1.1 for a description of the authorities associated with the Tier numbers.
Submit requests for waivers through the chain of command to the appropriate Tier waiver
approval authority, or alternately, to the Publication OPR for non-tiered compliance items.
Ensure that all records created as a result of processes prescribed in this publication are
maintained IAW Air Force Manual (AFMAN) 33-363, Management of Records, and disposed of
IAW the Air Force Records Disposition Schedule (RDS) in the Air Force Records Information
Management System (AFRIMS). The use of the name or mark of any specific manufacturer,
commercial product, commodity, or service in this publication does not imply endorsement by
the Air Force.
Chapter 1— PROGRAM OVERVIEW 5
1.1. HIPAA within the Air Force Medical Service. ....................................................... 5
1.2. Interaction Between HIPAA Privacy and Patient Administration Functions ......... 5
Chapter 2— ORGANIZATIONAL STRUCTURE AND FUNCTIONAL ROLES AND
RESPONSIBILITIES 6
2.1. The Air Force Medical Support Agency (AFMSA). .............................................. 6
2.2. Air Force Medical Operations Agency (AFMOA). ................................................ 6
2.3. Medical Group Commander or MTF Commander. ................................................ 7
2.4. MTF HIPAA Privacy Officer (HPO) Roles and Responsibilities. ......................... 8
2.5. Breach Response Coordinator (BRC) Roles and Responsibilities. ......................... 10
2.6. HIPAA Security Officer (HSO) Roles and Responsibilities. ................................. 11
Chapter 3— HIPAA ADMINISTRATION 13
3.1. Administrative Requirements. ................................................................................ 13
3.2. NoPP Requirements. ............................................................................................... 14
3.3. Accessing Information. ........................................................................................... 14
3.4. Minimum Necessary. .............................................................................................. 15
3.5. Incidental disclosures. ............................................................................................. 15
3.6. De-identification. .................................................................................................... 15
3.7. Accounting of Disclosures. ..................................................................................... 16
3.8. HIPAA Training Oversight. .................................................................................... 17
3.9. Document Retention, Destruction, and Disposal. ................................................... 19
AFI41-200 25 JULY 2017 3
3.10. Removal of PHI from the Facility. ......................................................................... 20
3.11. Storage of Electronic Documents Containing PHI. ................................................ 20
Chapter 4— USE AND DISCLOSURE OF PHI 22
4.1. Uses and Disclosures for Which an Authorization is Required. ............................. 22
4.2. Uses and Disclosures Requiring an Opportunity for the Patient to Agree or
Object ....................................................................................................................... 23
4.3. Uses and Disclosures for Which an Authorization or Opportunity to Agree or
Object is not Required. ............................................................................................ 24
Chapter 5— SPECIAL CONSIDERATIONS FOR USE AND DISCLOSURE OF PHI 27
5.1. Command Authorities. ............................................................................................ 27
5.2. ARC Access. ........................................................................................................... 29
5.3. Individual Medical Readiness (IMR) and Mission-Related Medical
Communications. ..................................................................................................... 30
5.4. For Release of Information for Personnel Reliability Assurance Program (PRAP)
Purposes. .................................................................................................................. 30
5.5. Occupational Safety and Health Administration (OSHA). ..................................... 30
Chapter 6— COMPLAINTS & INVESTIGATIONS 31
6.1. Complaints. ............................................................................................................. 31
6.2. Department of Health and Human Services (HHS) inquiries. ................................ 31
6.3. Identification. .......................................................................................................... 32
6.4. Investigation. ........................................................................................................... 32
6.5. Notification Procedures to Affected Individuals. ................................................... 37
6.6. Other Reporting Requirements. .............................................................................. 38
6.7. Incident Closure. ..................................................................................................... 39
Chapter 7— USE OF ELECTRONIC COMMUNICATIONS 41
7.1. Use of E-mail. ......................................................................................................... 41
7.2. Non-Clinical Communications with Patients .......................................................... 42
7.3. Secure Messaging ................................................................................................... 42
7.4. Text Messaging. ...................................................................................................... 43
7.5. Appointment Reminders. ........................................................................................ 43
4 AFI41-200 25 JULY 2017
7.6. Electronic Copies of Health Records. ..................................................................... 43
7.7. Social Media. .......................................................................................................... 44
7.8. Other Types of E-Communications. ....................................................................... 44
7.9. Fax transmissions .................................................................................................... 45
7.10. Tele-Health ............................................................................................................. 46
Chapter 8— HEALTH RECORD AUDITS FOR HIPAA INVESTIGATIONS 47
8.1. Purpose.................................................................................................................... 47
8.2. Requesting a Health Record Audit for Breach Incidents. ....................................... 47
8.3. Document Retention for Audit Requests. ............................................................... 48
Chapter 9— OTHER BUSINESS RELATIONSHIPS 49
9.1. Business Associates ................................................................................................ 49
9.2. Health Information Exchanges/Organizations (HIE/O). ......................................... 49
9.3. Patient Safety Organizations (PSO). ....................................................................... 50
Attachment 1— GLOSSARY OF REFERENCES AND SUPPORTING INFORMATION 51
Attachment 2— E-MAIL DIRECTIVE 60
AFI41-200 25 JULY 2017 5
Chapter 1
PROGRAM OVERVIEW
1.1. HIPAA within the Air Force Medical Service. The purpose of HIPAA is to improve the
portability and continuity of health insurance coverage, improve access to long term care
services and coverage, and to simplify the administration of healthcare. A primary component of
HIPAA administrative simplification provisions, 45 Code of Federal Regulations (CFR) Parts
160 and 164, is the protection and privacy of individually identifiable health information. The
HIPAA Privacy Rule governs this component, and DoD 6025.18-R, DoD Health Information
Privacy Regulation, implements the requirements of the HIPAA Privacy Rule throughout the
MHS. Reference to sections of the DoD 6025.18-R also includes reference to the same content
in any successor issuances. This AFI applies to all organizational units and military, civilian,
contractor and volunteer staff working at Air Force military treatment facilities. (T-0)
1.2. Interaction Between HIPAA Privacy and Patient Administration Functions. Many of
the HIPAA Privacy implementation requirements set forth by DoD 6025.18-R are functions
inherently conducted by TRICARE Operations and Patient Administration (TOPA) personnel
within the Medical Treatment Facility (MTF). Various sections of AFI 41-210 also include
policy and guidance relating to certain aspects of HIPAA.
6 AFI41-200 25 JULY 2017
Chapter 2
ORGANIZATIONAL STRUCTURE AND FUNCTIONAL ROLES AND
RESPONSIBILITIES
2.1. The Air Force Medical Support Agency (AFMSA). AFMSA will appoint an Air Force
Medical Service (AFMS) HIPAA Privacy Officer (HPO). The primary responsibility of the
AFMS HPO is to oversee the activities of the HIPAA Privacy Program, including but not limited
to, policy development and interpretation as necessary to ensure AFMS compliance with
applicable federal guidelines, Department of Health and Human Services (HHS) rules,
Department of Defense (DoD) directives and instructions, and Air Force policies and procedures
pertaining to the confidentiality, integrity and availability of individual’s health information
subject to DoD 6025.18-R, C1.5.1., C14.1.
2.1.1. Communicates and coordinates with the Defense Health Agency (DHA), external
federal agencies, Secretary of the Air Force (SECAF) agencies, and other DoD organizations
as necessary to implement, clarify and execute HIPAA privacy activities throughout the Air
Force Medical Service.
2.1.2. Facilitates notice, as applicable, to the Defense Health Agency Privacy and Civil
Liberties Office of all breaches of PHI involving MHS beneficiaries.
2.1.3. Provides policy guidance to Air Force Medical Operations Agency (AFMOA), Health
Benefits Support Branch to ensure MTFs are receiving current and accurate information
regarding HIPAA privacy policy, procedures, and operational changes.
2.1.4. The AFMS HPO, in collaboration with AFMOA Health Benefits (AFMOA/SGAT)
HIPAA team (collectively referred to as AFMOA HIPAA), will create and distribute HIPAA
Privacy Officer guidance for MTF HIPAA Privacy Officers.
2.1.5. The AFMS HPO also provides HIPAA privacy support and subject matter expertise to
all AF/SG directorates assigned to the National Capitol Region (NCR).
2.1.5.1. The AFMS HPO will ensure AF/SG and directorate personnel assigned to the
NCR receive initial and annual HIPAA training in accordance with AFMS and HIPAA
policy and procedures.
2.1.6. Participates as a member of the Incident Response Team (IRT), as necessary.
2.2. Air Force Medical Operations Agency (AFMOA). AFMOA will provide centralized
capability and lead the AFMS in executing all HIPAA policies. AFMOA will provide privacy
and security consultation and Subject Matter Expertise (SME) to support the Air Force medical
infrastructure.
2.2.1. HIPAA execution functions will be centralized at AFMOA within the SGA
Directorate, Health Benefits Support. AFMOA will appoint an individual to serve as the
single point of contact to funnel privacy and security information between AFMSA and the
field. This branch will oversee HIPAA privacy and security functions and will be responsible
to monitor AFMS HIPAA compliance, provide centralized technical expertise, conduct site
visits, and provide consultative assistance to Major Command (MAJCOM) Surgeons and
MTFs.
AFI41-200 25 JULY 2017 7
2.2.1.1. Develops standardized metrics to be used by MTFs to monitor and analyze
HIPAA compliance and identify any trends.
2.2.1.2. Maintains centralized aggregation of metrics available to leadership and the
AFMS HPO, upon request.
2.2.2. Assists MTFs on responses and mitigation efforts for breaches of PHI.
2.2.2.1. Requests/coordinates external SME input and assistance as necessary to assist
the affected organization in reporting, mitigating, documenting and resolving the
incident.
2.2.2.2. Coordinates with AFMS HPO for actions associated with HHS breach reporting
requirements.
2.2.2.3. Controls flow of information between involved (affected) organization and
higher headquarters/external agencies.
2.2.2.4. Serves as an advisor to the MTF IRT, as necessary.
2.3. Medical Group Commander or MTF Commander. The Medical Group Commander or
MTF Commander, where there is not a Medical Group Commander assigned, will maintain
overall responsibility for the implementation and administration of local MTF HIPAA privacy
and security programs designed to ensure compliance with established federal, DoD, and Air
Force privacy and confidentiality rules. (T-0)
2.3.1. Oversees the development of Medical Group Instructions (MDGIs) to ensure
processes, documentation requirements, and implementation specifications relating to
HIPAA compliance, beyond what is already included in Air Force instructions. (T-0) The
AFMOA HIPAA team can provide additional guidance and resources for the development of
an MDGI.
2.3.2. Designates, in writing, a MTF primary HIPAA Privacy Officer (HPO) and HIPAA
Security Officer (HSO) to implement and manage HIPAA Privacy/Security compliance
activities throughout the MTF’s facilities, and to receive and investigate complaints and
allegations of non-compliance with the HIPAA Privacy/Security Rule. MTF HPOs and
HSOs have access to systems that are unique and require complex access requests (e.g.,
PHIMT, JKO) and may also require special training. In the event that a MTF only has one
designated individual, the MTF is at risk of non-compliance in the handling of patient
requests and complaints if the HPO or HSO is out of the office on extended leave, TDY, or
other non-availability. Alternate HPOs and HSOs should also be appointed. (T-0)
Reference DoD 6025.18-R, C1.5.1., C14.1.; DoDI 8580.02, Security of Individually
Identifiable Health Information in DoD Health Care Programs.
2.3.3. Identifies a primary and alternate Breach Response Coordinator (BRC) within the
organization to act as a single point of contact for coordinating organizational activities
associated with the breach notification and reporting process. (T-1) This individual must be
empowered to coordinate personnel and resources throughout the organization as necessary
to ensure the prompt investigation and mitigation of the incident. (T-1)
2.3.3.1. Designates the MTF HPO as the BRC, depending on staffing and subject matter
expertise.
8 AFI41-200 25 JULY 2017
2.3.4. Ensures workforce members are trained IAW DoD 6025.18-R to include local policies
and procedures for the safeguarding of PII and PHI. (T-0) Personnel must also be trained on
action steps for securing PII and PHI and internal reporting procedures in the event of a
suspected or actual breach of information. (T-0)
2.3.5. Ensures minimum of two (2) Health Record Auditors are assigned in writing. (T-1)
See Chapter 8 of this AFI for additional requirements.
2.3.6. Oversees MTF IRT, as necessary.
2.4. MTF HIPAA Privacy Officer (HPO) Roles and Responsibilities.
2.4.1. Many activities required by HIPAA privacy overlap with patient administration duties
and require interaction with senior level personnel and coordination with external agencies.
The individual who is appointed to perform the duties of the MTF HPO must possess the
requisite experience, knowledge, and authority to develop, implement, and monitor the
HIPAA privacy practices, policies, and procedures throughout the facility. (T-0)
2.4.1.1. For Limited Scope Medical Treatment Facilities (LSMTF). The individual who
is appointed to perform the duties of the MTF HPO must possess the requisite
experience, knowledge, and authority to develop, implement, and monitor the HIPAA
privacy practices, policies, and procedures throughout the facility.
2.4.2. Develops policies and procedures, as necessary, for local implementation of the
HIPAA Privacy regulation IAW DoD 6025.18-R, C14.9., and in the format described in
paragraph 2.3.1. (T-0)
2.4.2.1. Provides the following MTF Integration Activities:
2.4.2.1.1. Understands the content of health information in its clinical, research, and
business context. (T-2)
2.4.2.1.2. Understands the decision-making processes throughout the MTF that rely
on all forms of health information. (T-2)
2.4.2.1.3. Identifies and monitors the flow of information within the MTF and
throughout the local healthcare network. (T-2)
2.4.2.1.4. Serves as privacy liaison for users of clinical and administrative systems.
(T-2)
2.4.2.1.5. Coordinates with HIPAA Security Officer (HSO) to review all system-
related information security plans throughout the MTF network to ensure alignment
between security and privacy practices and acts as a liaison to the information
systems department. (T-2)
2.4.2.1.6. Collaborates with HSO to ensure appropriate security measures are in
place to safeguard PHI. (T-2)
2.4.2.2. The HPO will coordinate with the appropriate offices (e.g., Patient
Administration Functions, Medical Record Administration, and Information Assurance)
to validate existing MDGIs adequately address DoD 6025.18-R requirements, align with
HIPAA, and should then simply cross-reference the policy rather than duplicate policies
in a separate HIPAA instruction.
AFI41-200 25 JULY 2017 9
2.4.3. Tracks the delivery of initial and annual refresher privacy training for all members of
the MTF workforce, including volunteers, medical and professional staff, physician residents
and interns, contractor employees, and visiting personnel such as clinical students who have
access to PHI. (T-0)
2.4.3.1. Provides a briefing on patient rights under HIPAA and provides the MHS Notice
of Privacy Practices (NoPP) at all Wing/MTF Newcomer’s Orientations briefings as part
of the TOPA Flight briefing. (T-2)
2.4.4. Serves as the Subject Matter Expert (SME) and maintains current knowledge of
applicable federal and DoD privacy laws, accreditation standards, DoD and AFMS
regulations and policies related to health information. Monitors advancements of emerging
privacy technologies to ensure that the MTF is positioned to adapt and comply with these
advancements. (T-1)
2.4.4.1. Consults with legal counsel, as needed, when making decisions related to the
use and disclosure of PHI in situations which may deviate from normal treatment,
payment and health care operations (TPO). (T-2)
2.4.5. Ensures continuous assessment, implementation, monitoring, and revision of the MTF
HIPAA Privacy programs in light of changing circumstances in its organizational, security,
and/or regulatory environment. (T-1)
2.4.5.1. Conducts HIPAA Compliance Assessments/Audits using AFMS approved
compliance monitoring tools (e.g., DHA HIPAA Privacy Rule Assessment Tool;
HHS/Office for Civil Rights (OCR) HIPAA Privacy, Security, and Breach Audit
Protocols). (T-0)
2.4.5.1.1. Conducts an initial compliance assessment within 60 days of assignment
and documents findings. (T-2)
2.4.5.1.2. Conducts periodic compliance assessments and monitoring thereafter, but
no less than annually, to identify shortfalls in compliance and implements corrective
action(s) as necessary; documents results using the AFMS approved compliance
monitoring tool. (T-1)
2.4.6. Ensures a mechanism is in place at the MTF for receiving, documenting, tracking,
investigating, and taking action on all complaints concerning the organization’s privacy
policies and procedures in coordination and collaboration with other similar functions, and
when necessary, legal counsel. (T-0) Reference DoD 6025.18-R, C14.4.2.
2.4.6.1. Chairs the IRT and designates a central point for coordinating information and
document gathering for dissemination to members of the IRT. (T-1)
2.4.6.2. Develops a list of key IRT participants and contact information based on the
categories outlined in paragraph 2.4.6.2.1. (T-1) IRT participation will be dependent on
the type and severity of the incident. (T-1)
2.4.6.2.1. MTF or Base IRT members may include the following, depending on the
circumstances: MTF HIPAA Privacy Officer/Office (HPO), Installation Privacy Act
Official/Officer, MTF HIPAA Security Officer (HSO), Internal Investigator(s),
affected Unit/Operations representative(s), Public Affairs, Legal, Finance/Accounting
representative(s), Human Resources, and Call Center representative(s).
10 AFI41-200 25 JULY 2017
2.4.6.2.1.1. Additional representation, depending on the severity, may also
include law enforcement, other government entities (such as DHA, HHS/OCR),
or identity theft/credit monitoring vendors.
2.4.6.2.1.2. This is not an exhaustive list and participants can be added on an as
needed basis. Each member of the IRT will bring subject matter expertise to aid
the MTF HPO/HSO with mitigating and complying with regulatory requirements.
2.4.6.2.2. Ensures IRT, AFMS HPO, and AFMOA HIPAA are informed of all
breaches involving 500 or more beneficiaries as well as all other high-visibility
breaches, regardless of the affected number of beneficiaries. (T-1)
2.4.6.3. Serves as the liaison between the MTF and Installation Privacy Official to
report, resolve and mitigate breaches of personally identifiable information. (T-2) The
Installation Privacy Official oversees compliance with the Privacy Act, and should not be
confused with the MTF HPO, who oversees compliance with the HIPAA Privacy Rule.
2.4.6.4. Refers to the AFMOA Health Information Compliance Team KX website for
detailed information on the breach process.
2.4.6.5. Coordinates with the BRC, as applicable. (T-1)
2.4.7. Documents any disclosures of PHI in the Protected Health Information Management
Tool (PHIMT) or other AFMS approved disclosure accounting tool, including unauthorized
disclosures of PHI resulting from an incident. (T-0)
2.4.7.1. If the MTF HPO delegates this responsibility, the MTF HPO is still responsible
for oversight and compliance for this process.
2.4.8. Liaisons with Medical Logistics and other MTF activities to ensure the most current
and appropriate Business Associate Agreements (BAAs) and/or Data Use/Sharing
Agreements are in place, where applicable. (T-0)
2.5. Breach Response Coordinator (BRC) Roles and Responsibilities.
2.5.1. Any individual within the organization may be appointed to this position, but
individuals such as the Privacy Act Monitor, MTF HPO, and HSO are particularly well-
suited based on their functional responsibilities and expertise.
2.5.2. Keeps MTF HPO, as applicable, informed during the course of receiving,
documenting, tracking, and investigating incidents IAW Chapter 6 of this AFI. (T-2)
2.5.2.1. Acts as the single point of contact within the organization with overall
responsibility for coordinating information flow and response actions to breaches of PII
or PHI under the organization‘s control. (T-1)
2.5.3. Keeps organizational leadership informed of evolving events and response activities
through periodic updates and executive summaries, as requested. (T-1)
2.5.4. Coordinates with the AFMOA HIPAA team as necessary to ensure all reporting
requirements and status updates are up-channeled to AFMS leadership. (T-1)
2.5.5. Coordinates with the organization‘s Chief Information Officer for all incidents
involving information systems and e-PHI. (T-1)
AFI41-200 25 JULY 2017 11
2.5.6. Develops a plan of action to ensure compliance with all reporting requirements and
action steps as required. (T-1)
2.5.7. Participates as a member of the IRT, as necessary.
2.6. HIPAA Security Officer (HSO) Roles and Responsibilities.
2.6.1. Implements administrative, physical and/or technical safeguards sufficient to reduce
risks and vulnerabilities to electronic PHI (ePHI) and associated information systems to a
reasonable and appropriate level as specified by relevant Federal, DOD publications,
regulations, AFMAN 33-282, AFI 33-200, and AFI 10-712 and AFPD 33-3. (T-0) The
individual who is appointed to perform the duties of the MTF HSO must possess the requisite
experience, knowledge, and authority to develop, implement, and monitor the HIPAA
security practices, policies, and procedures throughout the facility.
2.6.1.1. For Limited Scope Medical Treatment Facilities (LSMTF). The individual who
is appointed to perform the duties of the MTF HSO must possess the requisite
experience, knowledge, and authority to develop, implement, and monitor the HIPAA
security practices, policies, and procedures throughout the facility.
2.6.2. Continuously assesses, implements, monitors, and revises the medical group health
information assurance posture as part of overall management of the host base network
infrastructure.
2.6.2.1. The AF Security Control Assessor's office has approved the HHS/OCR Security
Risk Assessment Tool (SRAT) for use in conducting risk analyses. (T-2) Refer to the
AFMOA Health Information Compliance Team KX website for additional information
and any other versions or tools that have been approved for use.
2.6.2.2. Guidance published on the HHS/OCR website states, “Risk analysis and risk
management are not one-time activities. Risk analysis and risk management are ongoing,
dynamic processes that must be periodically reviewed and updated in response to changes
in the environment. The risk analysis will identify new risks or update existing risk levels
resulting from environmental or operational changes.
2.6.3. Ensures applicable publications and procedures are periodically reviewed, to include
any revisions when significant changes occur in relevant law or operating environment, at
least annually. (T-0)
2.6.3.1. The HSO will work with local representatives from the communications
squadron as well as health records systems team members to assist with information
protection and operational requirements. (T-2)
2.6.4. A risk analysis will be conducted, as required by DoDI 8580.02, Enclosure 4, Section
1.a.(1), by the HSO to include an inventory of all systems and applications that are used to
access and house data, and classifying them by level of risk. The HSO can delegate the
performance of the risk analysis, as appropriate, but will retain oversight responsibility for
the analysis. (T-0)
2.6.4.1. Considers all relevant losses that would be expected if the security measures
were not in place, including loss or damage of data, corrupted data systems, and
anticipated ramifications of such losses or damage. (T-0)
12 AFI41-200 25 JULY 2017
2.6.5. Functions as the liaison between the MTF, higher headquarters, base Information
Assurance Office, AFMOA and other internal and external organizations in developing,
implementing, and maintaining the MTF health information security program. (T-1)
2.6.5.1. The HSO may invite other members of the MTF to participate in workgroups,
taskforces, or committees in support of protecting individually identifiable health
information and associated information systems.
2.6.6. Works with the MTF HPO to monitor medical group contracts to ensure those
contracts that involve use or disclosure of PHI or electronic PHI includes approved Business
Associate Agreement and appropriate HIPAA Security language. (T-0)
2.6.7. Co-Chairs the IRT in coordination with the HPO, when applicable.
AFI41-200 25 JULY 2017 13
Chapter 3
HIPAA ADMINISTRATION
3.1. Administrative Requirements.
3.1.1. HIPAA covered entities must comply with the administrative, technical, and physical
requirements, described in the HIPAA Privacy Rule and DoD 6025.18-R, including but not
limited to, adequate safeguards, policies and procedures, document retention requirements,
sanctions for members of the workforce who fail to comply with the privacy policies and
procedures, training, and refraining from intimidating or retaliatory acts. (T-0)
3.1.1.1. Health care personnel and related assets of the Department of the Air Force
under the management authority or employed by the Surgeon General of the Air Force,
including Headquarters staff, operating agencies (such as, but not limited to, the Air
Force Medical Support Agency and the Air Force Medical Operations Agency), Major
Command Surgeons General, and any other organizational level within the Air Force
Medical Service, are part of the AFMS covered entity.
3.1.1.1.1. This excludes ARC medical personnel when not working as part of the
covered entity.
3.1.2. Patients have certain rights (e.g., access, accounting, alternate communications,
amendment, and restrictions) outlined in the HIPAA Privacy Rule and DoD 6025.18-R. The
MTF is required to retain certain documentation IAW DoD 6025.18-R and paragraph 3.9. of
this instruction. (T-0)
3.1.2.1. Access and fees. Requests by patients for access to or copies of their health
record must be IAW AFI 41-210, paragraphs 4.3.5.7., 4.4., and, as applicable, this AFI,
paragraph 7.6. (T-0)
3.1.2.2. Accounting of disclosures. Patient can request an accounting of disclosures.
These requests should be handled IAW DoD 6025.18-R and paragraph 3.7. of this
instruction.
3.1.2.3. A patient can request that the MTF communicate with them through
alternate/confidential communications.
3.1.2.3.1. The MTF must accommodate reasonable requests by individuals to receive
communications of protected health information by alternate means or at alternate
locations. (T-0)
3.1.2.4. Requests for amendment.
3.1.2.4.1. Any correction or amendment to the health record must be IAW DoD
6025.18-R, Chapter 12, AFI 41-210, paragraphs 4.4.8., 5.3., and the direction
outlined in the “Policy for Legal Correction of AHLTA Erroneous Data or
Information” and process contained in updated guidance found on AFMOA Health
Information Compliance Team KX website, as applicable. (T-1)
3.1.2.4.2. If the MTF HPO delegates this responsibility, the MTF HPO is still
responsible for oversight and compliance for this process. (T-1)
14 AFI41-200 25 JULY 2017
3.1.2.5. Requests for restrictions must be handled IAW DoD 6025.18-R, C10.1. and AFI
41-210, paragraph 4.4.7. (T-0)
3.1.2.5.1. Requests should be submitted to the MTF HPO using the DD Form 2871,
Request to Restrict Medical or Dental Information.
3.1.2.5.2. PHIMT can be used for tracking restrictions that have been granted, using
the Accountable Disclosure Restriction functionality.
3.2. NoPP Requirements. The AFMS is required to utilize the Military Health System (MHS)
NoPP, which explains how the patient’s PHI may be used and disclosed. It also describes the
patients’ rights regarding the use of PHI and contact information for complaints or issues.
Deliver the NoPP and obtain the patient’s acknowledgement no later than the date of the first
service delivery, or if an emergency treatment situation, as soon as reasonably practicable after
the emergency treatment situation (DoD 6025.18-R, Chapter 9.).
3.2.1. The MTF must make a good faith attempt to obtain the patient’s written
acknowledgement of receipt of the NoPP, IAW DoD 6025.18-R, C9.3.2., C9.5. (T-0)
3.2.1.1. MTFs must have a process in place to ensure the patient has acknowledged
receipt of the MHS NoPP. (T-0)
3.2.1.2. NoPP acknowledgements must contain each patient’s printed and signed name.
(T-0)
3.2.1.2.1. Parents, guardians, and loco parentis must be asked to sign acknowledging
their receipt of a copy of the NoPP on behalf of the minor child. (T-0)
3.2.1.3. If the patient, parent, or guardian declines, or is unable, to acknowledge receipt,
the MTF must document the reason why the acknowledgement was not obtained. (T-0)
3.2.1.4. See the AFMOA Health Information Compliance Team KX website for
information on methodologies for obtaining acknowledgement (e.g., NoPP labels on hard
copy records, scanning NoPP labels into HAIMS, electronic capture, or other AFMS
approved mechanisms).
3.2.2. Ensure copies of the MHS NoPP pamphlet are readily available throughout MTF
points of service for beneficiaries to review and take with them. (T-0) Reference DoD
6025.18-R, C9.3.2.3.2.
3.2.2.1. Whenever the notice is revised, make the notice available upon request on or
after the effective date of the revision.
3.2.3. The MTF must post the MHS NoPP in a clear and prominent location where it is
reasonable to expect individuals seeking service from the MTF will be able to read the
notice. Ensure the MTF HPO contact information is provided on the posting in the lower
right corner. (T-0)
3.2.4. MTFs that maintain an official website describing customer services or benefits must
prominently post the MHS Notice of Privacy Practices (NoPP) on the website’s home page
IAW with guidance published by DHA Privacy and Civil Liberties Office (PCLO). (T-0)
3.3. Accessing Information. The ability to access PHI must be consistent with the staff
member’s role to access the record for treatment, payment, or health care operations. (T-0)
AFI41-200 25 JULY 2017 15
3.3.1. Accessing PHI outside the scope of an individual’s job function is not permissible.
(T-0) Each situation should be evaluated on a case-by-case basis in order to determine if the
individual had a valid reason for obtaining the PHI. HHS specifically stated in the 25
January 2013, Federal Register that “access as a result of such snooping would be neither
unintentional nor done in good faith” and would therefore be considered a breach.
Impermissibility may include, but is not limited to the following examples.
3.3.1.1. Looking up information on self, co-workers or their family members, friends,
family members, political figures, or celebrities.
3.3.1.2. Looking up demographic information of a patient in order to contact them
outside the work or treatment environment when not in the course of a performing one’s
job function (e.g., calling a patient for a social encounter).
3.3.1.3. Opening a document in HAIMS that has a sensitive or mental health indicator
when you are not treating the patient, just to see what is wrong with them.
3.4. Minimum Necessary. Use or disclosure, or request for PHI is limited to the minimum
amount of information necessary to accomplish the intended purpose of the use, disclosure, or
request unless an exception to the minimum necessary rule, as outlined in DoD 6025.18-R,
C8.2.2., applies. (T-0)
3.4.1. It may be necessary to develop local policies/procedures to address minimum
standards.
3.4.1.1. The MTF will need to evaluate its practices and enhance protections as needed
to limit unnecessary or inappropriate access to PHI. (T-0)
3.4.2. Disclosures for treatment purposes between health care providers are explicitly
exempted from the minimum necessary requirements.
3.4.3. The MTF should ensure any recipients of the information are authorized to receive the
information under the Privacy Act, HIPAA, and any other applicable law or regulation.
3.5. Incidental disclosures.
3.5.1. The MTF must implement reasonable safeguards to limit incidental uses or
disclosures. (T-0) Reference DoD 6025.18-R, C8.4.
3.5.2. It is not required that all risk of incidental use or disclosure be eliminated. For
example:
3.5.2.1. The Privacy Rule recognizes that oral communications often must occur freely
and quickly in treatment settings.
3.5.2.2. The MTF staff are free to engage in communications as required for quick,
effective, and high quality health care.
3.5.2.3. Overheard communications in these settings may be unavoidable, but it is a good
practice to use lowered voices or talking apart from others when sharing PHI.
3.6. De-identification. The MTF should use de-identified data whenever possible (e.g.,
research, aggregate reporting).
16 AFI41-200 25 JULY 2017
3.6.1. Health information that has been de-identified under DoD 6025.18-R, Chapter 8, is
considered not to be individually identifiable health information and is not subject to the
same restrictions on use/disclosure as PHI. (T-0)
3.7. Accounting of Disclosures. A patient has the right to request an accounting of certain
disclosures, except for those disclosures outlined in DoD 6025.18-R, C13.1.1., for the previous
6-year period. (T-0)
3.7.1. All MTFs will use a standardized tracking mechanism for accountable HIPAA
disclosures. (T-1) PHIMT is the required method to document all accountable disclosures,
with the following exceptions.
3.7.1.1. Aeromedical Services Information Management System (ASIMS) automatically
captures disclosures that are made to command authorities. A separate entry into PHIMT
is not required.
3.7.1.1.1. To request an ASIMS accounting of disclosure report, submit a copy of the
patient request letter to the AFMOA HIPAA team, who will facilitate with the
ASIMS Program Office.
3.7.1.2. Disease Reporting System internet (DRSi) captures disclosures that are made to
public health authorities within the MHS. A separate entry into PHIMT is not required.
3.7.1.2.1. To request a DRSi accounting of disclosure report, submit a copy of the
patient request letter to the MTF Public Health clinic, who will be able to provide a
copy of the information.
3.7.1.3. Disease reporting made by MTF Public Health to Public Health Agencies
outside the MHS that have not been documented in DRSi require an entry into PHIMT.
3.7.2. When a patient requests an accounting of disclosure, the MTF will provide a report,
consisting of PHIMT, ASIMS, and DRSi, of the disclosures made during the time period
requested by the patient, for up to 6 years preceding the request. (T-0) In addition, the
following statements in paragraph 3.7.2.1, 3.7.2.2, and 3.7.2.3 must be included with each
response to the patient that is provided by the MTF.
3.7.2.1. Recurring Disclosure to ARC Command Authority. If you are a member of a
Reserve or National Guard unit (ARC) your Guard or Reserve medical unit has had
access to your medical information beginning on the date when you applied for entry to
ARC or re-assignment within ARC to a different unit, and thereafter on an ongoing basis,
until such time as you are no longer assigned to the particular unit. Such access was for
purposes of: determining your fitness for duty and fitness to perform any particular
mission, assignment, order, or duty; health surveillance; reporting on casualties; or
carrying out any other activity necessary to the proper execution of the mission.
3.7.2.2. Recurring Disclosure for Disability Evaluation System. If you have undergone
or are currently undergoing a disability review as part of the Disability Evaluation
System (DES), your entire medical, dental, and mental health records, have been
disclosed by the MTF where you receive the majority of your care, or the nearest Air
Force MTF if you were hospitalized away from your installation of assignment or in a
non-Air Force facility, to individuals involved in the DES process. This includes the pre-
screening process, AFPC/DP2NP or ARC/SGP review, Deployment Availability
AFI41-200 25 JULY 2017 17
Working Group (DAWG), medical evaluation board (MEB), and Veterans
Administration. Disclosure of your information occurred at the date the referring
provider signed and dated the VA Form 21-0819, VA/DoD Joint Disability Evaluation
Board Claim form, and continued on an ongoing basis for the duration of your
involvement in the DES process.
3.7.2.3. Recurring Disclosure for Fire Emergency Services. If you were provided
treatment by an AF ambulance crew (Emergency Medical Services/Technician (EMS/T))
ambulance service, your medical information contained on the AF Form 552, Air Force
Patient Care Report, related to the services you received on the date of the incident was
disclosed to the AF Fire Emergency Services (FES), on or about the date you received the
service. FES is required by law to document fire department management, dispatch, data
collection and fire incident reporting in the Fire Emergency Services Information
Management System (FES-IMS) as part of the contingency planning process for fire
safety of personnel and property under the control of installation commanders. Medical
information maintained by AF FES is safeguarded in accordance with the Privacy Act of
1974.
3.7.3. If the MTF elects to use an alternate accounting tool, it must be coordinated through
the AFMOA HIPAA team and approved by the AFMS HPO prior to implementation to
ensure compliance with statutory and regulatory requirements. (T-1) At a minimum, this
data must be centralized, the tool must be able to account for all disclosures made throughout
the MTF, and it must conform to all privacy and security safeguards. (T-1) All accountable
disclosures must be kept for a minimum of 6 years IAW DoD 6025.18-R. (T-0) See
paragraph 4.3. for additional information on the various categories of disclosures which must
be documented.
3.8. HIPAA Training Oversight. The MTF HPO oversees, directs, and ensures delivery of
HIPAA privacy/security training and orientation to the MTF workforce, to include trainees and
volunteers. (T-0) Reference DoD 6025.18-R, C14.2.2.
3.8.1. Initial and Annual Training. Joint Knowledge Online (JKO) is the method for
delivering the DHA PCLO “HIPAA and Privacy Act” initial and annual refresher training
course. MTFs are required to utilize JKO for initial and annual HIPAA training to more
effectively track personnel and completions across the AFMS. In the event that the training
platform is changed, the AFMS HPO will provide direction and guidance on the future
approved mechanism for initial and annual training.
3.8.1.1. Annual training is conducted in order to maintain workforce awareness and
inform workforce of any changes to privacy policies. (T-1)
3.8.1.2. Upon in-processing to the organization, employees that can provide proof of
completion of AFMS approved HIPAA training within the previous 12 months, need
only receive local facility training. Employees that cannot offer proof of completion
must complete both AFMS approved HIPAA training and local facility training within 30
days of assignment or arrival. (T-2)
3.8.1.3. The MTF HPO should periodically run reports to determine the MTFs
compliance with training requirements.
18 AFI41-200 25 JULY 2017
3.8.1.3.1. Reconciliation of JKO reports with personnel rosters or Defense Medical
Human Resources System-internet (DMHRSi) reports ensures that all individuals
within the facility that require HIPAA training are accurately identified and tracked.
(T-1)
3.8.2. Alternate Training. MTFs may request use of alternate training in instances where the
training platform is determined to be unstable and deficiencies cannot be resolved (e.g.,
connectivity issues). Use of alternate training and delivery methods must be coordinated
through the AFMOA HIPAA team and approved by the AFMS HPO prior to
implementation, to ensure compliance with initial training content and documentation
requirements. (T-1) The AFMS HPO will provide standardized training content for use by
those facilities that are approved for alternate training. Use of commercially available or
locally produced training content is not authorized to meet core HIPAA training
requirements.
3.8.2.1. The alternate training content approved by the AFMS HPO is the equivalent of
the current HIPAA and Privacy Act course in the learning management application (e.g.,
JKO). Completion of this alternate version meets the HIPAA training requirements for
the AFMS.
3.8.2.2. Organizations approved for use of alternate delivery methods must maintain
current and accurate records of initial and annual training of workforce members and
provide training statistics to AFMOA HIPAA, upon request. (T-1)
3.8.2.2.1. ARC is approved for use of alternate training and delivery by the AFMS
HPO. Training may be accomplished through individual or group training events.
Training completion can be updated in JKO. Test results must be maintained by the
Training Coordinator (TC).
3.8.2.3. Alternate training meets the same requirements as are in JKO. Certificates of
Completion are valid throughout the AFMS.
3.8.2.4. MTFs requesting waiver consideration must submit the following information to
AFMOA HIPAA in letter format, endorsed by the MTF Administrator (SGA) or Medical
Support Squadron Commander: (T-1)
3.8.2.4.1. Identify the nature of the technical difficulties that prevent the MTF from
using the platform. (T-1)
3.8.2.4.2. Identify the specific actions that have been taken to correct the problem
(e.g., contacting Base Communications or the applicable system Help Desk, and/or
user computer configuration attempts). (T-1)
3.8.2.4.3. Provide contact information for local system administrator or report
manager. (T-2)
3.8.3. Other audiences.
3.8.3.1. There may be situations in which an individual is not able to access JKO due to
status as a NON-US CAC User (e.g., OCONUS) or does not have a CAC card. An
alternate public-facing course is available. Contact the AFMOA HIPAA team for
guidance and information on how to access the public site.
AFI41-200 25 JULY 2017 19
3.8.3.1.1. Trainees that complete this course must save a copy of their completion
certificate prior to exiting the public-facing course. No records are maintained on the
server hosting this course and there will be no evidence of completion retained in
JKO.
3.8.3.1.2. Trainees will need to provide the HPO with a copy of their Certificate of
Completion as proof of successful completion of the course. (T-2)
3.8.4. Local Training. Ensure MTF specific HIPAA information (e.g., training on local
policies, procedures, and awareness training) is briefed at MTF in-processing sessions,
commander’s calls, and other venues in order to maintain workforce awareness and to
introduce any changes to privacy policies. (T-2)
3.8.4.1. Local privacy training is not a substitute for initial and annual training outlined
in paragraph 3.8.1.
3.8.4.2. For those individuals that are not required to complete HIPAA training when
their job functions do not involve the access/use/disclosure of PHI (non-covered
functions) (e.g., janitorial/housekeeping staff, maintenance, or logistics personnel), local
privacy training can be accomplished.
3.8.4.2.1. Consult with the AFMOA HIPAA team for additional guidance and
requirements for designating categories of individuals that are not subject to HIPAA.
3.8.4.2.2. Any local policies should reference the categories of individuals that are
exempt from training requirements.
3.8.5. Other training. HIPAA Privacy Officer or medical group leadership will make
available general HIPAA overview training to new Commanders and First Sergeants within
90 days of assignment using the standardized AFMS briefing template (HIPAA Privacy: An
Overview for Commanders (CC)). (T-1) Additional briefings may be provided as needed or
upon request of wing leadership.
3.8.5.1. The CC and Air Force Leader (HIPAA Privacy: An Overview for Air Force
Leaders) briefings are the sole source of HIPAA privacy information presented at the
commanders’ courses. The most current versions are located on the AFMOA Health
Information Compliance Team KX website. Alterations to the CC and Air Force
briefings can only be approved by local Medical Group leadership.
3.9. Document Retention, Destruction, and Disposal.
3.9.1. Retention. The MTF must retain the documentation required IAW the HIPAA
Compliance Documentation outlined in the Air Force Records Disposition Schedule (RDS)
located in the Air Force Records Information Management System (AFRIMS). (T-0)
3.9.1.1. Maintain the policies and procedures provided in written or electronic form; (T-
0)
3.9.1.2. If a communication is required to be in writing, maintain the writing and any
response, or an electronic copy, including names/titles of persons or offices responsible
for receiving and processing requests, as documentation; and (T-0)
3.9.1.3. If an action, activity, or designation is required to be documented, maintain a
written or electronic record of such action, activity, or designation. (T-0)
20 AFI41-200 25 JULY 2017
3.9.2. Destruction. In the event that any documents requiring retention or documents
containing PHI have reached their applicable expiration, the documents must be properly
destroyed and disposed of by rendering records or data unusable, unreadable, or
indecipherable. (T-0)
3.9.3. Disposal. Documents or electronic systems/devices, including computers, copiers or
fax machines with memory storage, or other electronic storage devices that may contain PHI
must be disposed IAW Air Force Manual (AFMAN) 33-363, Management of Records, and
Air Force RDS located in the AFRIMS. (T-1)
3.9.3.1. The memory contained in these devices must be swiped or cleared before
disposition. (T-0)
3.9.3.2. PHI in paper format should be immediately shredded. If the PHI cannot be
immediately shredded, it will be placed in a locked, secure area until it can be destroyed.
(T-0) PHI must not be disposed of in the regular garbage or recycle bins. (T-0)
3.9.3.3. Periodic checks of garbage cans, recycle bins, or dumpsters can be made to
ensure that PHI is being properly disposed of.
3.10. Removal of PHI from the Facility.
3.10.1. In general, PHI should not be removed from the MTF for use off-site.
3.10.2. If there are particular circumstances in which treatment, payment, or health care
operations cannot be performed without removing PHI from the facility by a workforce
member, the MTF must develop and implement procedures to reasonably protect the physical
integrity, security, and confidentiality of the PHI while off-site (e.g., teleworking). (T-0)
3.10.2.1. Use of mobile devices (e.g., laptops, tablets) must comply with relevant
Federal, DOD issuances, and Air Force instructions.
3.10.2.2. Any paper documents/records must be secured when not in use and must be
returned to the facility as soon as is reasonably practical.
3.10.3. The procedures must ensure that removal of the PHI from the MTF is for an
appropriate use and has been approved by the individual’s supervisor.
3.10.4. Any damage to, loss of, or unauthorized access to the PHI must be promptly reported
to the MTF and MTF HPO.
3.10.4.1. Examples of loss might include theft from a vehicle or missing, lost baggage at
airport or other public transportation.
3.11. Storage of Electronic Documents Containing PHI. Excepting the limitations for
Alternative Methods to Capture Consults and Referral Results storage, IAW AFI 41-210,
paragraph 5.4.9.8.3., other electronic documents containing PHI that require retention, pursuant
to document retention requirements in DoD 6025.18-R, C14.10., may be stored on shared drives
or SharePoint locations (e.g., complaint investigations, patient correspondence, congressional
inquiries).
3.11.1. All MTF computer folders and files containing PHI must be limited to users who can
demonstrate a verifiable need for access. (T-0)
AFI41-200 25 JULY 2017 21
3.11.2. All computer folders and files containing PHI must offer limited user access and be
either password protected or hidden with access restriction requirements. (T-1)
3.11.3. Data at rest solutions may be deployed to encrypt files and folders containing PHI.
3.11.4. When no longer needed for daily operations or record retention, remove PHI which
is accessible or viewed through shared drives, SharePoint or similar web base applications
IAW paragraph 3.9. (T-1)
22 AFI41-200 25 JULY 2017
Chapter 4
USE AND DISCLOSURE OF PHI
4.1. Uses and Disclosures for Which an Authorization is Required.
4.1.1. When patient authorization is required, obtain written authorization from the patient or
his/her legal representative before releasing information from the health record to any person
or agency. The DD Form 2870, Authorization for Disclosure of Medical or Dental
Information, should be used for this purpose.
4.1.1.1. If a personal representative of the individual signs the authorization, a
description of, or legal documentation representing, the representative's authority to act
for the individual shall be provided for review, such as Power of Attorney, Guardianship,
etc. (T-0) The individual’s identity must also be verified in the process. (T-0)
4.1.1.1.1. For un-emancipated minors or physically or mentally challenged persons, a
personal representative signs the written authorization and, if applicable, furnishes a
copy of the court order appointing guardianship.
4.1.1.1.2. MTFs should coordinate with their Medical Law Consultant (MLC) and/or
Staff Judge Advocate (SJA) to identify specific State requirements and incorporate
these requirements into MTF policies and procedures for the treatment of minors and
confidentiality in situations when a minor can consent to treatment without parental
notification as set forth in AFI 44-102, Medical Care Management. While the law
varies from state to state, examples of these issues may include birth control,
abortion, treatment of sexually transmitted infections (STI), substance abuse
treatment, etc.
4.1.2. For deceased persons, if there is a need for an authorization before releasing PHI, the
decedent's legal personal representative signs the authorization. The status of personal
representative is normally determined by the laws of the jurisdiction where the records are
held. Consult with MLC or SJA to determine the requirements for personal representatives.
4.1.2.1. HIPAA applies to health records of a deceased individual for a period of 50
years following the death of the individual, if the entity retains the record for that period
of time. (T-0) Reference 45 CFR §164.502(f).
4.1.2.2. This does not mean that the entity is required to retain the record for the 50-year
period.
4.1.2.3. Record retention requirements are outlined in AFRIMS RDS.
4.1.3. Maintain the signed authorization with a notation of the disclosed information, date
received/disclosed, and identity of the employee making the disclosure by uploading a
scanned copy to PHIMT (or other AFMS approved applications). (T-0)
4.1.3.1. If the PHIMT authorization functionality is not available, file the authorization
in the patient’s health record.
4.1.4. If litigation is pending or contemplated, send the request for release to the MLC or
SJA for advice and appropriate action in accordance with AFI 51-301, Civil Litigation. (T-1)
AFI41-200 25 JULY 2017 23
4.1.5. Accepting Third Party Authorizations. Third party (e.g., Insurance Agencies,
Worker's Compensation) authorization forms can be accepted if they meet the data elements
listed in DoD 6025.18-R, C5.3., and include the name or organization authorized to make the
disclosure (the MTF), the name or organization to whom the MTF is making the disclosure
(the third party), the purpose of the disclosure, an expiration date or an expiration event, the
signature of the individual, and signature date.
4.1.6. Release of health records must not occur if an authorization is determined to be
invalid under the elements outlined in DoD 6025.18-R. (T-0)
4.1.6.1. Some common reasons authorizations are invalid are: missing core elements,
not completed or signed, or legal representative documents not included, when
applicable.
4.1.7. Other considerations.
4.1.7.1. Authorization for Psychotherapy Notes. An MTF must obtain an authorization
for any use or disclosure of psychotherapy notes, except to carry out the following:
treatment, payment, or health care operations. (T-0)
4.1.7.1.1. Consult with the MLC/SJA for requests received for psychotherapy notes.
(T-2)
4.1.7.2. Authorization for Marketing. An MTF must obtain an authorization for any use
or disclosure of PHI for making a marketing communication about a product or service
that encourages recipients of the communication to purchase or use the product or
service. (T-0)
4.1.7.2.1. It is highly unlikely that an MTF will engage in these types of
communications contemplated under HIPAA.
4.1.7.2.2. Consult with AFMOA HIPAA for additional guidance relating to
exceptions to the marketing restrictions and financial remuneration.
4.2. Uses and Disclosures Requiring an Opportunity for the Patient to Agree or Object.
4.2.1. Facility Directory. If the patient has been given the opportunity to agree or object to
being in the facility directory, and has not objected, the following information may be
released to those who ask for the individual by name: Individual’s location in the facility; the
patient’s condition described in general terms that does not communicate specific medical
information about the individual (using descriptions such as: stable, good, fair, serious,
critical, conscious, semiconscious, and unconscious); and the individual’s religious affiliation
to the clergy. (T-0) Reference DoD 6025.18-R, C6.1..
4.2.1.1. The following information should not be released in the facility directory:
marital status (e.g., divorced, single, widowed); base, installation, station, or organization
of routinely deployable or sensitive units; description of disease or injury; general factual
circumstances; and general extent of the injury or disease. (T-1) Do not specify location
or description that may prove embarrassing to the individual or reflect bad taste. (T-1)
4.2.1.2. NEVER release a prognosis or sensitive medical information relating to the
admission of the patient, including but not limited to, sexual assault, criminal actions,
drug or alcohol abuse, psychiatric or social conditions, STI, or Acquired
24 AFI41-200 25 JULY 2017
Immunodeficiency Syndrome (AIDS) – HIV (Human Immunodeficiency Virus) data or
AIDS related syndrome. (T-1)
4.2.2. Do not release information listed in paragraph 4.2.1.1. if the patient is not conscious or
is mentally incompetent. (T-0) If the patient is under age or incompetent, the guardian, or
legal representative may make the decision.
4.2.3. Disclosures for involvement in the individual’s care and notification purposes. An
MTF may disclose to a family member, other relative, or a close personal friend of the
individual, or any other person identified by the individual, the PHI directly relevant to such
person’s involvement with the individual’s care or payment related to the individual’s health
care.
4.2.3.1. The MTF may use or disclose PHI to notify, or assist in the notification of
(including identifying or locating), a family member, a personal representative of the
individual, or another person responsible for the care of the individual of the individual’s
location, general condition, or death. Any such use or disclosure of PHI for such
notification purposes must be in accordance with DoD 6025.18-R, C6.2., as applicable.
4.2.4. Providing Medical Information or Patient Status Information to the Public (Including
News Media). Disclosure of medical information to the public is extremely limited under
both HIPAA and the Privacy Act. If requested by a news media agency or upon receiving a
general public inquiry, the Privacy Act only permits the release information that does not
constitute an invasion of personal privacy. If appropriate, notify the patient’s personal
representative and obtain authorization before releasing information through the Public
Affairs Office to the news media or to the public. Contact the MTF HIPAA Privacy Officer
before releasing information regarding a patient’s status. Never release a patient’s diagnosis
or prognosis without patient consent. If the HIPAA Privacy Officer is not available, consult
the MLC or SJA prior to disclosing or providing any medical or patient status information.
4.3. Uses and Disclosures for Which an Authorization or Opportunity to Agree or Object
is not Required. Most disclosures made that are not for treatment, payment or healthcare
operations, or pursuant to the patient’s authorization must be tracked in PHIMT or other tracking
tool approved by the AFMS HPO. (T-0) A record of disclosures will be maintained for six
years. (T-0) Account for disclosures IAW paragraph 3.7. for any of the disclosures listed, unless
otherwise specified, and consistent with DoD 6025.18-R. (T-0) This section provides a basic
description of permissible disclosures. For a complete review of each standard, refer to DoD
6025.18-R, Chapter 7. Included with the basic descriptions below are additional Air Force
requirements.
4.3.1. Required by law. The MTF may use or disclose PHI to the extent that such use or
disclosure is required by law and the use or disclosure complies with and is limited to the
relevant requirements of such law. Refer to DoD 6025.18-R, C7.1.
4.3.2. Public Health Activities. The MTF may disclose PHI for certain public health
activities under specified circumstances outlined in DoD 6025.18-R, C7.2.
4.3.2.1. Among the permissible public health disclosures, the MTF may disclose
immunization records to a school, IAW 45 CFR §164.512(b)(1)(vi), about an individual
who is a student or prospective student of the school, only if:
AFI41-200 25 JULY 2017 25
4.3.2.1.1. The MTF obtains a verbal or written agreement to the disclosure from
either parent/guardian/other person acting in loco parentis or adult/emancipated
minor;
4.3.2.1.2. The MTF must document the agreement to the disclosure; (T-0)
4.3.2.1.3. The PHI that is disclosed is limited to proof of immunization; and
4.3.2.1.4. The school is required by State or other law to have such proof of
immunization prior to admitting the individual.
4.3.2.1.5. Written agreement does not need to be in the form of a HIPAA compliant
authorization.
4.3.3. Victims of abuse, neglect or domestic violence. An MTF may disclose PHI about an
individual whom the MTF reasonably believes to be a victim of abuse, neglect, or domestic
violence to a government authority, including a social service or protective services agency,
authorized by law to receive reports of such abuse, neglect, or domestic violence under the
circumstances specified in DoD 6025.18-R, C7.3.
4.3.3.1. In situations involving restricted reporting, follow restricted reporting guidance
provided in DoDI 6495.02, Sexual Assault Prevention and Response Program
Procedures (SAPR), AFI 90-6001, Sexual Assault Prevention and Response (SAPR)
Program, and AFI 40-301, Family Advocacy Program, to include intimate partner
maltreatment.
4.3.4. Health Oversight Activities. The MTF may disclose PHI to specified health oversight
agencies for specified oversight activities as outlined in DoD 6025.18-R, C7.4.
4.3.5. Judicial or Administrative Proceedings. The MTF may disclose PHI in the course of a
judicial or administrative proceeding if the requirements outlined in DoD 6025.18-R,
paragraph C7.5. have been met.
4.3.5.1. Consult with MLC or SJA for advice or action when the disclosure of medical
information is for pending litigation.
4.3.5.2. If the request is accompanied by a signed HIPAA authorization, an accounting
of the disclosure is not required. In any other circumstances, account for the disclosure.
4.3.6. Law Enforcement Agency Inquires. Refer to DoD 6025.18-R, C7.6., for a complete
review of standards for compliance.
4.3.6.1. Upon approval of the MTF Commander and with MLC or SJA concurrence that
the requirements set forth in DoD 6025.18-R, paragraph C7.6., have been met, provide
requested or subpoenaed PHI to law enforcement agencies conducting official
investigations. Provide either supervised access to health record(s) or certified copies
only. (T-2) Law enforcement agency inquires will be processed by the HIPAA Privacy
Officer. (T-1)
4.3.6.1.1. A sample “Investigative Agency Request for Health Information”
(“Investigative Agency Request”) letter can be found on the AFMOA Health
Information Compliance Team KX.
26 AFI41-200 25 JULY 2017
4.3.6.1.2. The Release of Information (ROI) department will keep a copy of all
investigative agency requests. (T-0) Obtain a signed receipt for any material or
document/record copies (copied by the agent or by MTF staff) furnished to the agent.
Note: Do not file the statement or document receipt in the patient’s health record.
Maintain the statement in a separate folder in the general correspondence file until the
investigation is concluded.
4.3.7. About decedents. Refer to DoD 6025.18-R, C7.7., for a complete review of standards
for disclosures related to decedents.
4.3.8. For cadaveric organ, eye or tissue donation purposes. An MTF may use or disclose
PHI under specified circumstances to facilitate organ, eye or tissue donation and
transportation IAW DoD 6025.18-R, C7.8.
4.3.9. Research Purposes Involving Minimal Risk. Follow the procedures in DoD 6025.18-
R, C7.9., for releasing PHI for research involving minimal risk. (T-0)
4.3.9.1. MTFs can release information that is properly de-identified without patient
authorization and without tracking the disclosure.
4.3.10. To avert a serious threat to health or safety. An MTF may, consistent with applicable
law and standards of ethical conduct, use or disclose PHI, if the MTF, in good faith, believes
the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the
health or safety of a person or the public and is to a person or persons reasonably able to
prevent or lessen the threat, including the target of the threat, or under other circumstances
specified in DoD 6025.18-R, C7.10.
4.3.11. Specialized Government Functions. DoD 6025.18-R, paragraphs C7.11.1. through
C7.11.7. detail circumstances under which a MTF can use or disclose PHI for specified
specialized government functions.
4.3.11.1. If the MTF discloses to a correctional institution or a law enforcement official
having lawful custody of an inmate or other individual PHI about such inmate or
individual for the purposes outlined in DoD 6025.18-R, C7.11.6.:
4.3.11.1.1. Do not give the First Sergeant or prisoner escort the original health
records of service members.
4.3.11.1.2. No accounting or tracking is required for these disclosures.
4.3.12. Workers’ Compensation. An MTF may disclose protected health information as
authorized by and to the extent necessary to comply with laws relating to workers’
compensation or other similar programs, established by law, that provide benefits for work-
related injuries or illness without regard to fault. (T-0) Reference DoD 6025.18-R, C7.12.
4.3.12.1. Any requests identified as a potential third party liability case must be recorded
on an AF Form 1488, Daily Log of Patients Treated for Injuries. (T-1) This includes
requests received from an attorney, workers’ compensation appeals board, or an
insurance company in a case involving work-related injury or disease. Forward these
requests to the clinic where the patient was seen. The clinic will complete the AF Form
1488 and forward the AF Form 1488 to the Resource Management Office. (T-1)
AFI41-200 25 JULY 2017 27
Chapter 5
SPECIAL CONSIDERATIONS FOR USE AND DISCLOSURE OF PHI
5.1. Command Authorities. Under certain conditions, HIPAA permits the MTF to use and
disclose the PHI of Armed Forces personnel for activities deemed necessary by appropriate
military command authorities to assure the proper execution of the military mission. Refer to
DoD 6025.18-R, C7.11., for a full description of uses and disclosures for specialized government
functions. (T-0)
5.1.1. Disclosures to Commanders/Civilian Directors/Designees. Disclosures are permitted
when necessary for the Commander to make a determination of the individual’s fitness for
duty, fitness to perform any particular mission/assignment/order/duty, joint medical
surveillance, reporting casualties, to carry out any other activity necessary to the proper
execution of the mission, or related to insider threats (paragraph 4.3.11.). Authorization by
the individual or the opportunity to agree or object to the disclosure is not required.
“Commander” collectively refers to Commanders and Civilian Directors. See AFI 51-604,
Appointment to and Assumption of Command. As referenced in AFI 51-604, Figure A2.1., a
civilian director can receive PHI as needed to carry out specific authorities (e.g., initiating
enlisted discharge actions, initiating Line of Duty Determinations (LODs), directing mental
health evaluations (MHEs), signing profiles, taking PRAP actions, suspending clearances,
investigating unauthorized absences, etc.) without the need for a delegation letter. For
activities not listed, consult the servicing legal office.
5.1.1.1. Disclosures pursuant to this paragraph 5.1. must be accounted for IAW
paragraph 3.7. (T-0), unless an exception applies pursuant to DoD 6025.18-R, Chapter 7.
5.1.1.1.1. Disclosures of information of members of the Armed Forces to a
Commander or designee through ASIMS are automatically captured within ASIMS.
If, however, the disclosure to the Commander or designee is made outside of ASIMS
and includes additional information from what the Commander or designee would
have access to in ASIMS, then documentation in PHIMT would be required IAW
paragraph 3.7.
5.1.1.1.2. If the patient is a National Guard or Reserve member, or applicant, release
PHI to Air Force Reserve or Air National Guard medical personnel when required to
determine the member’s medical qualification for continued military duty.
5.1.1.2. Access, however, must be balanced with the recognized sensitivity of health
records, which often contain information of a very private nature (e.g., Alcohol and Drug
Abuse Programs, HIV/AIDS status, mental health). (T-2) In addition, other laws or
regulations may further restrict the Commander’s access to, or use of, a service member’s
health information. Therefore, before a Commander or his/her designee gains access to
an individual’s PHI, in excess of what is available in ASIMS, he or she must establish the
information is required for mission-related purposes IAW DoD 6025.18-R, C7.11. and
DoDI 6490.08, Command Notification Requirements to Dispel Stigma in Providing
Mental Health Care to Service Members, and the use or disclosure must not be otherwise
restricted by law or regulation. (T-1)
28 AFI41-200 25 JULY 2017
5.1.1.2.1. In instances where the MTF is uncertain if the Commander or designee has
established a need for the information the MTF HPO shall seek the advice of the
servicing MLC or SJA. (T-2)
5.1.1.2.2. Disclosure of PHI should be released IAW the minimum amount of
information necessary to accomplish the task as defined in DoD 6025.18-R.
However, the MTF must take into consideration that the amount of information
necessary must be sufficient to permit the Commander to make informed decisions.
5.1.1.2.2.1. If a provider communicates (i.e., verbal or written) with a
Commander regarding a service member’s profile and discloses any additional
medical information than what would be released via ASIMS documentation, the
additional information disclosed during the conversation must be manually
tracked in PHIMT. (T-1)
5.1.1.2.2.2. This includes, but is not limited to, disclosures to Commanders for
confirming attendance to medical appointments or sending appointment no-show
letters.
5.1.1.2.3. Access to the original record should not ordinarily be provided, but will be
provided if there is a clear need. The requester shall document in writing to the MTF
Commander the need for access to the original record and why a summary is not
sufficient. The MTF may make a provider available to assist the requester in
interpreting the health record.
5.1.1.3. Commanders must be cognizant of their role, especially when they are serving in
the capacity of a practicing clinician. The amount of information a practicing clinician
may come in contact with, in the course of treating patients, is different than the amount
of information a Commander, as the command authority, could receive for specialized
government functions.
5.1.1.4. Once health information is disclosed to command authorities, it is no longer
subject to HIPAA because the Commander is not a HIPAA covered entity. However, it
remains subject to the Privacy Act since it was derived from a Privacy Act system of
records. Additionally, there may be other legal protections that impact releasability of
the health information.
5.1.1.5. The HIPAA Privacy Rule permits, but does not compel, the sharing of health
information between an external civilian provider and authorized command authorities.
The military has no recourse under HIPAA for obtaining information if the civilian
provider declines to release the information without the individual’s authorization.
However, AFI 48-123, Medical Examinations and Standards, paragraph 2.12. requires
military members to report and submit all medical and dental treatment from civilian
sources to their Primary Care Manager (PCM).
5.1.2. Commander Designee Process. Verification of identity is required before releasing
PHI to appropriate military command authorities or their respective designee under the
provisions of DoD 6025.18-R. (T-0) The MTF must ensure the individual to whom the PHI
pertains is under the command authority of the requestor, and that the information requested
pertains to the military mission, fitness for duty, or other permissible disclosure. (T-0)
AFI41-200 25 JULY 2017 29
5.1.2.1. Personnel permanently assigned to the position of Deputy/Vice Commander and
First Sergeant are designated as commander designees by virtue of their position.
Commanders, Deputy/Vice Commanders, and First Sergeants do not require an
appointment letter. Individuals filling these positions on a temporary or interim basis
must be appointed in writing.
5.1.2.2. Commanders will designate in writing, by position or name, any additional
personnel that are authorized to act on their behalf to receive PHI for assigned squadron
personnel. (T-1)
5.1.2.3. ARC Medical Unit Commanders will work in conjunction with the various ARC
Line Commander’s to ensure that ARC personnel, designated IAW paragraph 5.2., are
part of the ARC Line Commander designee process, having authority to access PHI of an
individual who is a member of the Armed Forces in order to perform activities outlined in
DoD 6025.18-R, C7.11.1.3. (T-1)
5.1.2.4. There are limited circumstances in which disclosures of PHI are necessary for
the purpose of a Command Directed Evaluation (CDE), ordered by a Commander or a
Supervisor. Refer to DoDI 6490.04, Mental Health Evaluations for Members of the
Military Services and AFI 44-172, Mental Health, for additional information.
5.1.2.4.1. Regardless of who requests an emergency CDE (e.g., Senior Enlisted
member), the results will be disclosed only to the Commander, Commander’s
designee, or Supervisor requesting the CDE (as defined by DoDI 6490.04). (T-1)
5.1.3. The MTF HPO will establish procedures for periodically communicating with local
units supported by the MTF to ensure current designee listings from each unit have been
submitted and are available to MTF work centers for use in verifying the identity of
Commanders and their respective designees for routine disclosures of PHI such as
appointment rosters, ASIMS Web reports, and quarters notifications. (T-2)
5.1.4. Local units are responsible for submitting the appointment letter to the MTF HPO and
ASIMS Coordinator whenever there is a change of Commanders or designees. (T-1)
5.2. ARC Access. ARC access is understood to be multiple disclosures of PHI to the command
authority for a single purpose.
5.2.1. The host MTF or National Guard Bureau (NGB)/SG Office for ANG will provide
access to health records systems (AHLTA, Composite Health Care System (CHCS), HAIMS,
etc.), and where applicable, SG approved access mechanisms (AVHE/successor system(s),
Citrix, etc.) to ARC medical personnel. (T-1) Such ARC SG providers’ access to PHI in a
health records system is subject to the terms and conditions of access applicable to the
system for which access is required. Access to the patient’s medical information will be for a
HIPAA-compliant purpose and will be accounted for IAW paragraph 3.7.2. (T-0)
5.2.2. The ARC Medical Unit Commander must designate in writing and maintain such
designation of ARC members (ARC Access List) who are medical personnel to access,
receive, use or disclose PHI of an individual under an ARC Commander’s authority for the
purposes outlined in the Chapter 7 of the DoD 6025.18-R. (T-1)
5.2.2.1. Once information is in the possession of the ARC Medical Unit outside of
AHLTA, the information is no longer subject to HIPAA because the ARC Medical Unit
30 AFI41-200 25 JULY 2017
is not a HIPAA covered entity and is not acting as a business associate. However, the
information does remain subject to the Privacy Act. Remember, ARC access to the
information in AHLTA must be for a HIPAA-compliant purpose.
5.2.3. Completion of AHLTA system training at any MTF is valid for ARC medical
personnel regardless of assigned location.
5.3. Individual Medical Readiness (IMR) and Mission-Related Medical Communications.
5.3.1. ASIMS is the authorized system for IMR tracking.
5.3.2. ASIMS automatically accounts for disclosures to command authorities in its database
and does not require manual entry of the disclosure information.
5.3.3. ASIMS includes an auto-generated communication mechanism that contains a
Common Access Card (CAC) authenticated link to the member’s MyIMR page that contains
more detailed information about IMR requirements and need for an appointment. PHI is not
contained in the initial communication to the member.
5.4. For Release of Information for Personnel Reliability Assurance Program (PRAP)
Purposes.
5.4.1. Each disclosure of the patient’s medical information for PRAP purposes must be
accounted for using one of the mechanisms outlined below:
5.4.1.1. PHIMT; or
5.4.1.2. DD Form 2870 (Authorization for Disclosure of Medical or Dental Information.
5.4.2. The PRP Administrative Qualification Central Cell (AQCC) workflow are part of the
AFMS covered entity and are required to comply with HIPAA, including accounting for
disclosures to the Certifying Official (CO) or Reviewing Official (RO).
5.4.3. Once information is in the possession of the CO or RO, the information is no longer
subject to HIPAA because the CO or RO is not a HIPAA covered entity and is not acting as a
business associate. However, the information does remain subject to the Privacy Act.
5.5. Occupational Safety and Health Administration (OSHA). For additional information
relating to occupational health, refer to AFI 48-145, Occupational and Environmental Health
Program, and AFMAN 48-146, Occupational & Environmental Health Program Management.
AFI41-200 25 JULY 2017 31
Chapter 6
COMPLAINTS & INVESTIGATIONS
6.1. Complaints.
6.1.1. Leadership of all organizations within the AFMS must comply with the
administrative, technical, and physical requirements described in HIPAA Privacy Rule,
including reporting, investigating, and mitigating breaches. (T-0)
6.1.2. Breaches under the Privacy Act involving non-medical PII (e.g., a unit alpha roster or
information from an individual’s personnel file) must be properly reported through the
Installation Privacy Office for their handling and investigation, but do not require
coordination through the AFMS HIPAA team. (T-0) Reference DoD 5400.11-R, C1.5.1,
C10.6.1.
6.1.3. MTFs must establish a standard procedure to receive and investigate HIPAA-related
complaints and allegations of non-compliance. (T-0) The MTF may elect to use existing
Patient Advocate services as a focal point for receiving complaints, or refer individuals
directly to the MTF HPO.
6.1.4. The MTF HPO will normally investigate all HIPAA-related complaints and prepare a
written report of the investigation. (T-1)
6.2. Department of Health and Human Services (HHS) inquiries. These are high-visibility,
time sensitive issues. Complaints received by HHS are forwarded to the DHA PCLO for
dissemination to the appropriate service-level Privacy Officer. (T-1)
6.2.1. Procedures for processing HHS inquiries.
6.2.1.1. Upon receiving a notification of inquiry the AFMS HPO will prepare a cover
letter to inform AFMOA HIPAA of the inquiry; the letter will include guidance regarding
investigation and documentation requirements, and establish a suspense date for returning
the completed investigation to AFMS HPO. The cover letter will be packaged with the
HHS inquiry and forwarded to the AFMOA HIPAA team for processing. AFMS HIPAA
team will maintain a log of all HHS inquiry actions and responses. (T-1)
6.2.1.2. The AFMOA HIPAA team will forward the cover letter and inquiry
documentation to the appropriate MTF. Additionally, the team will provide SME
assistance to MTF personnel as necessary in conducting the investigation and in ensuring
a comprehensive response is prepared for submission to HHS.
6.2.1.3. Once completed, the MTF response and all required documentation will be
submitted to the AFMOA HIPAA team for quality review and submission to the AFMS
HPO. (T-1) The AFMS HPO will review and approve the report, then submit to the
DHA PCLO for review and final processing.
6.2.2. The MTF HPO must immediately notify AFMOA HIPAA in the event an HHS
inquiry bypasses the normal routing chain and is received directly at MTF-level. (T-1) The
AFMOA HIPAA team will ensure appropriate tracking and response procedures are initiated
as described above; MTFs are not permitted to respond directly to HHS Field
Representatives.
32 AFI41-200 25 JULY 2017
6.3. Identification.
6.3.1. Workforce members that become aware of an actual or possible loss of control,
unauthorized disclosure, or unauthorized access to PII or PHI, in verbal, paper, or electronic
form, must immediately report the circumstances of the event to the organization‘s
BRC/HPO. (T-0)
6.3.2. Upon being notified of a potential or actual breach, the BRC/HPO will evaluate the
preliminary facts to determine if an actual or possible loss of control, unauthorized
disclosure, or unauthorized access to PII or PHI has occurred. (T-1)
6.3.2.1. Based on this initial assessment, the BRC/HPO will either document the basis
for determining no breach has occurred and take no further action, or initiate an
investigation, including breach response procedures, as applicable. (T-0) Note that not
all incidents meet the definition of a breach under HIPAA.
6.3.3. The MTF HPO will ensure that the breach timelines, determinations, and notifications
are made IAW paragraph 6.4.1. and the “Breach Timeline & Notification” flow chart. (T-1)
The flow chart is located on the AFMOA Health Information Compliance Team KX website
and provides a process flow to ensure that requirements under HIPAA are accomplished.
6.3.4. Assigning investigators and their authority.
6.3.4.1. In cases where the MTF Commander appoints an investigating officer (IO), the
MTF HPO will serve as SME to the investigator. (T-1)
6.3.4.2. If the complaint involves the actions of the MTF HPO or a disclosure where the
individual received the advice of the MTF HPO, the MTF Commander shall appoint an
IO. (T-1) In these cases, the MLC/SJA or the AFMOA HIPAA SMEs can provide
subject matter expertise to the IO.
6.3.4.2.1. If the complaint involves the actions of the MTF Commander, the
MAJCOM will appoint an IO.
6.3.5. For complaints involving e-PHI, the MTF HPO will collaborate with the HSO to
ensure an integrated review of the incident. (T-1)
6.4. Investigation.
6.4.1. Reporting Timeline. FIRST, CONTACT AFMOA HIPAA IMMEDIATELY FOR
GUIDANCE BEFORE FILING A US-CERT. The time requirements for breach reporting
and mitigation begin at the time the breach is discovered or becomes known, IAW HIPAA.
Located on the AFMOA Health Information Compliance Team KX website is the Breach
Timeline & Notification flow chart that graphically demonstrates the activities that occur at
various stages of the breach determination (discovery through the first hour, first hour to the
end of the first day, second through the notification requirement within ten days, HIPAA
Risk Assessment, and media notifications). Reference DoD 5400.11-R, C1.5.1.2.
6.4.1.1. Within ONE HOUR from the breach becoming known.
6.4.1.1.1. Initial notification actions and associated reporting activities occur in rapid
sequence, and in some circumstances may occur simultaneously. The BRC/HPO will:
AFI41-200 25 JULY 2017 33
6.4.1.1.2. Notify the AFMOA HIPAA team
[email protected], the respective AFMOA HIPAA
representative, AND the Installation Privacy Act Official with preliminary facts of the
incident, and if applicable, the organization‘s Information Systems Security Officer
for incidents involving e-PHI or information systems. (T-1)
6.4.1.1.3. Submit US-CERT ONLY if a Federal information system has been
potentially compromised, pursuant to AFI 33-332, paragraph 1.1.2.4.5.2. US-CERT
filings are required within one hour of the PII breach being identified by an agency’s
top-level Computer Security Incident Response Team (CSIRT), Security Operations
Center (SOC), or information technology department, as described in the 2017 “US-
CERT Federal Incident Notification Guidelines,” published by the United States
Computer Emergency Readiness Team, Department of Homeland Security (DHS).
(T-1) In the event of future US-CERT notification guidance published by DHS, the
future guidance will prevail.
6.4.1.1.3.1. In cases where US-CERT reporting is required, initiate notification at
https://forms.us-cert.gov/report. (T-1) Print a copy of the completed US-
CERT notification and document the US-CERT confirmation number. (T-1)
6.4.1.1.3.2. Maintain a copy of the US-CERT notification. (T-1)
6.4.1.2. Within 24 HOURS from the breach becoming known.
6.4.1.2.1. The BRC/HPO will continue activities to contain the exposure of
information and limit the magnitude of the incident as quickly as practical. (T-2)
This could be as simple as securing loose documentation or as complex as securing
electronic information systems and networks. Other actions include securing physical
evidence and evaluating associated information systems and activities for collateral
risks and vulnerabilities.
6.4.1.2.1.1. Initiate a local events log and maintain comprehensive documentation
of dates, times, significant communications, mitigation activities, and events
throughout the duration of the incident. (T-0)
6.4.1.2.2. Prepare an initial assessment of the incident utilizing the DD Form 2959,
Defense Privacy and Civil Liberties Division (DPCLD) Breach of Personally
Identifiable Information (PII) Report. (T-1)
6.4.1.2.3. For situations in which there is a lost or missing service treatment record
(STR), all search requirements must be exhausted before the record is declared lost
IAW AFI 41-210, paragraph 5.7.5.4. (T-1) Lost or missing STRs should be treated
as one initial/final after action report IAW paragraph 6.7.1.5.
6.4.1.2.4. Submit the initial DD Form 2959 via e-mail to AFMOA HIPAA
([email protected]) and the Installation Privacy Act Official.
(T-1)
6.4.1.2.4.1. If breach notifications are required under both HIPAA and Privacy
Act, the BRC/HPO must work closely with the Installation Privacy Act Official
throughout the course of incident to ensure all reporting and individual
notification actions are accomplished. (T-1)
34 AFI41-200 25 JULY 2017
6.4.1.2.4.1.1. If the Privacy Act Official determines reporting under the
Privacy Act is not required, fully document the decision and maintain the
documentation in the case file. (T-1) The BRC/HPO will still need to
evaluate the circumstances to determine if reporting is required under HIPAA.
(T-0)
6.4.1.2.4.1.2. Installation Privacy Act Official will forward the DD Form
2959 to the Air Force Privacy Office (SAF/A6PP) within 24 hours IAW AFI
33-332, paras. 1.1.2.4.5.4 and 1.1.2.4.5.5.
6.4.1.2.4.1.3. (T-1) SAF/A6PP, IAW applicable Privacy Act policies and
procedures, has agreed to facilitate any reporting requirements to the DPCLD
for Privacy Act breaches only.
6.4.1.2.4.1.4. SAF/A6PP has appropriate access to systems to input the
information from the DD Form 2959 into the DPCLD Compliance and
Reporting Tool (CART).
6.4.1.2.4.2. AFMOA HIPAA will forward the DD Form 2959 to DHA PCLO,
with a copy to the AFMS HPO within 24 hours of becoming aware of the breach.
6.4.1.2.4.3. Do not delay submission of the initial report while gathering
additional information.
6.4.1.2.5. Additional Notifications may be required.
6.4.1.2.5.1. Ensure the Information Systems Security Officer is notified of an
ePHI incident. The security team will notify the servicing Network Control Center
(NCC) and submit follow-up reports as necessary to meet established timelines
based on the category of incident. (T-2)
6.4.1.2.5.1.1. Information Assurance personnel will initiate simultaneous
incident response procedures while the BRC/HPO continues with breach
reporting activities. (T-2)
6.4.1.2.5.1.2. The security team may be required to submit additional reports
depending on the type of system involved and whether the incident involved a
confirmed network/system intrusion or changes to Information Operations
Condition (INFOCON).
6.4.1.2.5.2. Upon direction of organizational leadership, notify the local Security
Forces or Office of Special Investigations (OSI) if the commission of a crime is
known or suspected. (T-2)
6.4.1.2.5.3. Notify the organization’s appropriate representative(s) for incidents
involving the loss or suspected loss of a government authorized credit card or
financial data associated with the card. (T-1)
6.4.1.2.5.4. If the incident involves contractors, the contracting officer should be
engaged as soon as possible for contract compliance issues.
6.4.1.2.6. With the facts of the incident known, the BRC/HPO will assess whether
the incident is an exception to the breach definition or the level of probability that
AFI41-200 25 JULY 2017 35
PHI was compromised and make a recommendation to organizational leadership
regarding the need to notify affected individuals of the compromise. (T-0)
6.4.1.2.6.1. A HIPAA breach excludes:
6.4.1.2.6.1.1. Any unintentional acquisition, access, or use of PHI by a
workforce member or person acting under the authority of the MTF or a
business associate, if such acquisition, access, or use was made in good faith
and within the scope of authority and does not result in further use or
disclosure in a manner not permitted (Exception 1).
6.4.1.2.6.1.2. Any inadvertent disclosure by a person who is authorized to
access PHI at the MTF or business associate to another person authorized to
access PHI at the same MTF or business associate, or organized health care
arrangement in which the MTF may participate, and the information received
as a result of such disclosure is not further used or disclosed in a manner not
permitted (Exception 2).
6.4.1.2.6.1.3. A disclosure of PHI where the MTF or business associate has a
good faith belief that an unauthorized person to whom the disclosure was
made would not reasonably have been able to retain such information
(Exception 3).
6.4.1.2.6.2. If any of the above exceptions apply, the incident does not require the
distribution of a breach notification letter to the patient.
6.4.1.2.6.2.1. The MTF HPO must document the exception and maintain it in
the investigation file IAW document retention requirements. (T-0)
6.4.1.3. Investigation.
6.4.1.3.1. All incidents involving the compromise of PII and PHI must be thoroughly
investigated and the level of risk and compromise associated with the incident must
be assessed. (T-0) Minor incidents may be easily investigated and resolved by the
BRC/HPO alone, whereas more complex or sensitive incidents may necessitate the
activation of the organization‘s IRT or appointment of an investigating officer.
6.4.1.3.1.1. A HIPAA Privacy Incident Report (HIPAA PIR) must be completed
for each HIPAA privacy incident and submitted to AFMOA HIPAA. (T-1) The
report is located on the AFMOA Health Information Compliance Team KX
website.
6.4.1.3.2. MTF HPO or IO should interview individuals (active duty, government
employees, contractor, or civilian) involved in the complaint or breach as necessary to
the investigation, and have access to any and all PHI required to resolve the
complaint or breach. The HPO should consult with the servicing legal officer prior to
conducting interviews to determine what, if any, specific requirements apply.
6.4.1.3.3. When assessing the nature and extent of the compromise, when there is a
low probability of compromise or there is no compromise, no notification to the
individual is required as it might create unnecessary concern or confusion. (T-2) The
BRC/HPO must thoroughly document the circumstances of all breaches and the
decisions made relative to each of the factors identified in the HIPAA PIR; the
36 AFI41-200 25 JULY 2017
documentation must clearly demonstrate the rationale behind the notification
determination as described in 45 CFR §164.402, paragraph (2) regarding the
presumption of a breach and the four factors. (T-0)
6.4.1.3.4. The DD Form 2959 may be updated and re-submitted to the Installation
Privacy Act Official and AFMOA HIPAA team as additional information and follow-
up actions become known throughout the course of the investigation.
6.4.1.3.5. If the findings of the investigation confirm a breach occurred, the MTF
HPO will recommend corrective actions to the MTF Commander, or MAJCOM if the
investigation involves the Commander. (T-1) The MTF HPO will also recommend
actions to mitigate, to the extent possible, any harmful effect of a confirmed breach.
(T-0)
6.4.1.3.5.1. Actions taken reduce the severity of the incident and prevent similar
recurrences.
6.4.1.3.5.1.1. Written attestation is one form of mitigation that can occur
when PHI has been released to an incorrect or unintended recipient. The
MDG should:
6.4.1.3.5.1.1.1. Contact the recipient and request the return or destruction of
the PHI, if it has not been reported to the HPO by the recipient already.
6.4.1.3.5.1.1.2. Obtain from the recipient a written attestation (e.g., via e-
mail or fax) that they have either returned or destroyed “any and all PHI and
retained no copies or further used or disclosed the PHI to any another person
or entity.”
6.4.1.3.5.1.1.3. Situations where an attestation may be required include:
6.4.1.3.5.1.1.3.1. When an individual has received PHI belonging to
another patient (copies of medical records/documents) and the individual
does not have an obligation to protect the PHI; or
6.4.1.3.5.1.1.3.2. When an (unintended) individual or entity has
incorrectly received PHI (misdirected e-mail, mail, CD-ROM, or fax)
and the individual/entity has no obligation under HIPAA or the Privacy
Act to protect PHI or PII.
6.4.1.3.5.1.2. Retain the written attestation in the investigation file IAW the
investigation document retention requirements. (T-1)
6.4.1.3.6. The MTF is required to apply sanctions (disciplinary action) depending on
the nature of the incident. (T-0)
6.4.1.3.6.1. Members of the military may be sanctioned in accordance with the
provisions of AFI 36-2907 or the Uniform Code of Military Justice.
6.4.1.3.6.2. Civilian employees may be sanctioned in accordance with the
provisions of AFI 36-704.
6.4.1.3.6.3. Contractor personnel may be sanctioned in accordance with
applicable procurement regulations.
AFI41-200 25 JULY 2017 37
6.4.1.3.7. An MTF may not threaten, intimidate, coerce, harass, discriminate against,
or take any other retaliatory action against any individual for: filing of a complaint;
testifying, assisting, or participating in an investigation, compliance review,
proceeding, or hearing; or opposing any act or practice that involves the
impermissible disclosure of PHI (in violation of the HIPAA rules. (T-0)
6.4.1.3.8. Disclosures by whistleblowers. An MTF is not considered to have violated
HIPAA if a member of its workforce or a business associate discloses PHI, provided
that the workforce member or business associate believes in good faith that the MTF
has engaged in conduct that is unlawful or otherwise violates professional or clinical
standards, or that the care, services, or conditions provided by the MTF potentially
endangers one or more patients, workers, or the public; and
6.4.1.3.8.1. The disclosure is to a health oversight agency or public health
authority authorized by law to investigate or otherwise oversee the relevant
conduct or conditions of the MTF or to an appropriate health care accreditation
organization for the purpose of reporting the allegation of failure to meet
professional standards or misconduct by the covered entity; or an attorney
retained by or on behalf of the workforce member or business associate for the
purpose of determining the legal options of the workforce member or business
associate with regard to the conduct described above.
6.4.1.3.9. Disclosures by workforce members who are victims of a crime. An MTF
is not considered to have violated HIPAA if a member of its workforce who is the
victim of a criminal act discloses PHI to a law enforcement official, provided that the
PHI disclosed is about the suspected perpetrator of the criminal act; and the PHI
disclosed is limited to the information listed in DoD 6025.18-R, C8.6.2.
6.5. Notification Procedures to Affected Individuals.
6.5.1. The Privacy Act and HIPAA have different notification timelines.
6.5.1.1. If a breach has been confirmed under both the Privacy Act and HIPAA,
notification to affected individuals is required within the ten (10) working days after the
loss, theft, or compromise is confirmed and the identities of the affected individuals is
ascertained, as established by DoD 5400.11-R and AFI 33-332. (T-0)
6.5.1.2. If a breach has been confirmed under HIPAA only, notification to affected
individuals is required without unreasonable delay and in no case later than 60 calendar
days after discovery of a breach. (T-0)
6.5.2. The BRC/HPO will ensure notification letters are prepared in accordance with DoD
5400.11-R, paragraph C1.5.1.5., and the notification content required by HIPAA outlined in
45 CFR §164.404(b) and (b). (T-0)
6.5.2.1. The content of the Privacy Act notification template is not sufficient to meet the
HIPAA notice requirements. The following two additional elements must be
incorporated into the letter: (T-0)
6.5.2.1.1. The date of the breach and the date of the discovery of the breach, if
known.
38 AFI41-200 25 JULY 2017
6.5.2.1.2. The contact procedures for the recipient to ask questions or learn additional
information. This information must include a toll free telephone number, an e-mail
address, Web site, or postal address. (T-0)
6.5.3. A sample HIPAA Individual Notification letter template can be found on the AFMOA
Health Information Compliance Team KX website. This template includes the elements
required by both the Privacy Act and HIPAA.
6.5.4. Letters will be endorsed by the Group Commander/organizational equivalent or above,
and delivered by first class mail. (T-0)
6.5.5. In cases where the individual is deceased, deliver notification to the Next of Kin
(NOK) or personal representative, if their address is known. (T-0) Reference 45 CFR
§164.404(d).
6.5.6. The MTF has the burden of proof to demonstrate that all notifications have been
made.
6.5.7. In the event that the breach involves 500+ residents of a state or jurisdiction, the MTF
is required to notify prominent media outlets serving the state or jurisdiction. (T-0)
Reference 45 CFR §164.406(a).
6.5.7.1. AFMOA HIPAA and Public Affairs Office will assist the affected organization
and MAJCOM leadership to develop required notifications to prominent media outlets
serving the State or jurisdiction in which the breach occurred.
6.5.8. Notifications to HHS/OCR shall be delivered IAW paragraph 6.6.2.2.1.
6.6. Other Reporting Requirements.
6.6.1. When insufficient or out-of-date contact information prevents written notification to
the individual, a substitute form of notice, reasonably calculated to reach the individual, may
be used.
6.6.1.1. When the number of individuals that cannot be contacted is fewer than ten, the
substitute notice may be provided by an alternate form of written notice, telephone, or
other means.
6.6.1.2. When the number of individuals that cannot be contacted is ten or more, the
substitute notice must be in the form of either a conspicuous posting for a period of 90
days on the home page of the website of the organization involved, or conspicuous notice
in major print or broadcast media in geographic areas where the individuals affected by
the breach likely reside. (T-0) The substitute notice must also include a toll-free phone
number that remains active for at least 90 days where an individual can learn whether the
individual’s unsecured PHI may be included in the breach. (T-0)
6.6.1.2.1. Activation of a toll-free number and associated costs are the responsibility
of the affected organization.
6.6.1.2.2. The AFMOA HIPAA Team will coordinate with the affected organization
as necessary to ensure reporting and notification requirements are fully implemented.
6.6.2. Health and Human Services Reporting and Documentation Requirements.
AFI41-200 25 JULY 2017 39
6.6.2.1. The AFMOA HIPAA Team will ensure DHA PCLO receives all necessary
information for completion of the HHS reporting requirements.
6.6.2.2. AFMOA HIPAA will forward breach information to the DHA PCLO, with a
copy to AFMS HPO, for review and submission to HHS.
6.6.2.2.1. DHA PCLO will make submissions to HHS, either:
6.6.2.2.1.1. At the same time of notification to the affected individuals for
breaches involving 500 or greater individuals as required by 45 CFR §164.408(b);
or
6.6.2.2.1.2. At the time they are received or during the annual reporting period
(NLT 28 February of each year) for breaches involving fewer than 500
individuals as required by 45 CFR §164.408(c).
6.6.3. Law Enforcement may request a delay in notification in situations where making
notification would impede a criminal investigation. Follow procedures outlined in 45 CFR
§164.412, an additionally in DoD 5400.11-R, C1.5.1.4.1., for responding to law enforcement
requests to delay notification.
6.6.3.1. Consult with the AFMOA HIPAA team when any concerns arise regarding a
delay in notification. (T-1)
6.6.3.2. Requests for delay by law enforcement must be in writing and include a date or
time frame in which notification can be made. (T-0)
6.6.3.3. If the request cannot be obtained in writing, the verbal request must be
documented and is only valid for 30 days. (T-0) For the delay to be extended beyond the
30 day period law enforcement will need to submit a written request. (T-0)
6.6.3.4. Account for the disclosure IAW paragraph 3.7. if no request for temporary
suspension is made or upon the expiration of a temporary suspension. (T-0)
6.6.4. Notification not required. In cases where notification to affected individuals is
determined to be unnecessary, the BRC/HPO must fully document the rationale for not
providing notification to affected individuals; the burden of proof for not notifying affected
individuals rests with the MTF. (T-0)
6.7. Incident Closure.
6.7.1. Close-out actions. The BRC/HPO has oversight and responsibility for ensuring all
mitigation and reporting activities are completed. (T-0) The following actions should be
accomplished prior to closing the incident:
6.7.1.1. If initially consulted, re-convene the IRT to validate all mitigation and
restoration actions have been accomplished. (T-1)
6.7.1.2. The MTF HPO will respond to the complainant in writing, as necessary,
regarding resolution of the complaint in accordance with local guidance. (T-2)
6.7.1.3. Develop Lessons Learned and convey information to organizational and AFMS
leadership as appropriate. (T-2)
6.7.1.4. Update local procedures as necessary based on Lessons Learned. (T-1)
40 AFI41-200 25 JULY 2017
6.7.1.5. Update and complete DD Form 2959 final after action report and HIPAA PIR
risk assessment, and submit, along with a copy of the redacted notification letter (if
applicable), to AFMOA HIPAA ([email protected]) and the
Installation Privacy Official (if applicable). (T-1)
6.7.1.6. Complete the case file and ensure all activity logs, documentation, and
miscellaneous support materials associated with the incident are properly filed and
retained IAW HIPAA. (T-0)
AFI41-200 25 JULY 2017 41
Chapter 7
USE OF ELECTRONIC COMMUNICATIONS
7.1. Use of E-mail. All communications of PHI must be properly safeguarded. (T-0)
7.1.1. Use of e-mail to transmit PHI is authorized between AFMS personnel, providers, and
medical personnel, or with external parties (e.g., non-co-located treatment facilities, medical
centers, other MTFs, providers, payers, public health, health oversight, business associates,
etc.) that involves business or mission related activities, in support of the AFMS/MTF, and
For Official Use Only (FOUO) purposes.
7.1.1.1. E-mails must comply with encryption and digital signature requirements, and be
for a permissible use/disclosure as described in AFI 33-332 and the DoD 6025.18-R.
7.1.1.2. If sending encrypted documents in an e-mail, do not include PHI in the body of
the e-mail. (T-1)
7.1.2. The use of e-mail between AFMS personnel/providers/medical personnel and a patient
for clinical consultation is not authorized. Secure messaging is the approved mechanism for
clinical consultation. See paragraph 7.3. for secure messaging guidance.
7.1.2.1. Common examples of clinical consultation include, but are not limited to:
7.1.2.1.1. Providing healthcare consultation or advice.
7.1.2.1.2. Discussion of services and treatment options.
7.1.2.1.3. Communications of sensitive medical conditions or situations that require
more rigorous protections of privacy, such as HIV status, STI, mental illness, or
chemical dependency.
7.1.3. For Official Use Only (FOUO). FOUO is a designation applied to unclassified
information that may be exempt from mandatory release to the public under the Freedom of
Information Act (FOIA).
7.1.3.1. Add “FOUO” to the beginning of the subject line, followed by the subject. Do
NOT annotate any PHI in the subject line. (T-1)
7.1.3.2. Insert the following confidentiality statement at the BEGINNING of the e-mail
message (T-1): “FOR OFFICIAL USE ONLY. This electronic transmission contains
For Official Use Only (FOUO) information which must be protected by the Privacy Act,
AFI 33-332, the Health Insurance Portability and Accountability Act, and DoD 6025.18-
R. The information may be exempt from mandatory disclosure under the Freedom of
Information Act, 5 USC § 552. Unauthorized disclosure or misuse of this information
may result in criminal and/or civil penalties. Further distribution is prohibited without
the approval of the author of this message unless the recipient has a need-to-know in the
performance of official duties. If you have received this message in error, please notify
the sender by reply e-mail and delete all copies of this message.”
7.1.3.3. Do not indiscriminately use FOUO disclaimers or encryption on messages not
warranting it. (T-1) Use it only in situations when you are actually transmitting personal
information required to be protected For Official Use Only purposes.
42 AFI41-200 25 JULY 2017
7.1.4. Organizational E-mail Boxes. E-mails containing PHI may be sent to
organizational/office e-mail addresses as long as the Org box complies with encryption and
digital signature requirements and is a permissible use/disclosure as described in AFI 33-332
and the HIPAA Privacy and Security Rules.
7.1.4.1. Individuals with access to the organizational/office e-mail boxes must have a
need for the information as proper recipients of the PHI. (T-1)
7.2. Non-Clinical Communications with Patients.
7.2.1. Non-clinical communications with patients are permissible, but must comply with the
limitations outlined below. (T-1) These one-way communications to a patient’s personal e-
mail or cell phone via text messaging are permissible under limited circumstances and are
subject to the minimum amount of information necessary to carry out the task. Common
examples of non-clinical communications include, but are not limited to:
7.2.1.1. Prescription pick-up reminders.
7.2.1.2. Appointment reminders.
7.2.1.3. Appointment no-show letters.
7.2.1.4. Sending non-clinical administrative blank forms (e.g., DD 2870, DD 2871,
VLER opt-out).
7.2.1.5. Distributing general education materials (not patient specific health education
materials).
7.3. Secure Messaging. AFMS approved secure messaging programs are the only authorized
methods for clinical consultation and advice (collectively “clinical consultation”) between
AFMS personnel/providers and patients. All medical encounters done through secure messaging
must be fully documented in the patient’s medical/dental record IAW paragraph 7.3.2.1. (T-1)
7.3.1. Registration for participation in secure messaging programs can be accomplished
through face-to-face communications, registration forms, online registration, or other AFMS
approved registration/enrollment processes.
7.3.2. Providers must ensure that relevant treatment related clinical information within the
secure messaging system is captured within the patients’ EHR. (T-1)
7.3.2.1. AHLTA T-Con documentation.
7.3.2.1.1. The entire message must be copied and pasted into an AHLTA T-Con.
Each T-Con must be reviewed, acknowledged, and electronically signed by the
provider in accordance with established business practices. (T-1)
7.3.2.1.1.1. Once the message has been copied to the AHTLA T-Con, the original
e-mail or secure messaging communication will not be retained. (T-1)
7.3.2.1.2. E-communications must have a standard header “virtual visit-
communication” preceding each message copied and pasted into AHLTA and each
“reason for T-Con” placed in AHLTA must have the same standard header, “virtual
visit-communication” if it is related to an e-communication. (T-1)
AFI41-200 25 JULY 2017 43
7.3.2.1.3. An image may be imported directly into a patient encounter note before a
provider electronically signs, as long as the image can be imported without delaying
the coding process.
7.3.2.1.3.1. The image should be directly related or significantly support the
provider's findings or recommendations, i.e., his or her subjective, objective,
assessment, plan (SOAP).
7.3.2.1.4. The following CPT Codes will be used: Online evaluation and
management provided by a privileged provider will use Code 99444. Non-physician
will use Code 98969 for On-line Medical Evaluation. (T-1)
7.4. Text Messaging.
7.4.1. Text Messages may be used for non-clinical communications and may only contain
the minimum amount of information necessary to send a meaningful, but efficient message to
the patient.
7.4.1.1. Text messages should be limited to use for appointment reminders, pharmacy
pick-up, and other low-risk communications that do not contain medical information
(e.g., drug name, condition, diagnosis).
7.4.1.2. Text messages must not be used for treatment-related clinical consultations
between providers and patients or any activities that require documentation in the
patient’s health record. (T-1)
7.4.1.3. Text messages must originate from government devices or systems. Use of
personal devices to communicate with patients is not permitted. (T-1)
7.5. Appointment Reminders.
7.5.1. Appointment reminders must contain only the minimum amount of information
necessary to accomplish the task. (T-1) General information regarding the appointment may
be provided, including: patient's name, time and date of appointment, and appointment
location. Appointment reminders can be in the form of e-mail, text message, or other
mechanisms approved by the AFMS.
7.6. Electronic Copies of Health Records.
7.6.1. A patient has the right under HIPAA to request copies of their health record and to
have the information transmitted directly to another person designated by the patient. If the
information is maintained in one or more designated record set electronically, and if the
patient requests an electronic copy of such information, the AFMS must provide the patient
with access to the electronic information in the form and format requested by the patient, if it
is readily producible, or, if not, in a readable electronic form and format as agreed to by the
AFMS and the patient. (T-0) Reference DoD 6025.18-R, Chapter 11.
7.6.2. Requests for copies of health records should be referred to the ROI department. ROI
or the MTF HPO is the designated point of release and can respond to patient requests.
7.6.3. MTFs are permitted to send patients copies of their records via unencrypted emails.
Prior to transmission, the MTF must:
7.6.3.1. Advise the patient of the risks associated with unencrypted e-mail; (T-0)
44 AFI41-200 25 JULY 2017
7.6.3.2. Provide the patient with an option of how they wish to receive the records; and
7.6.3.3. Permit the patient an opportunity to agree or object. (T-0)
7.6.3.4. If the patient elects unencrypted e-mail with password-protection to a personal e-
mail address, the MTF must send the password via a separate e-mail than the one
containing the records.
7.6.4. Documentation of a patient’s E-mail Directive to receive health information via
unencrypted e-mail or password-protection must be maintained by the ROI department along
with the access request IAW paragraph 3.9. (T-0) DoD 6025.18-R, C14.10.
7.6.4.1. The E-mail Directive is only applicable to the access request for which it was
obtained and is for one time use only.
7.6.4.2. A sample E-mail Directive statement is located in Attachment 2, Figure A2.1. It
is strongly recommended that the language contained in Attachment 2 be used in its
entirety. Additional information regarding processes can be found on the AFMOA
Health Information Compliance Team KX website.
7.6.4.3. Where available, the AFNet DSET PHI icon/button in Microsoft Outlook is
available for use when sending PHI via unencrypted e-mail. The PHI button acts as a
reminder that the E-mail Directive must be obtained from the patient prior to
transmission. (T-1)
7.6.4.3.1. By clicking the PHI button, the sender is confirming an E-mail Directive
has been obtained from the patient.
7.6.5. WARNING: Information related to sensitive medical conditions or situations that
require more rigorous protections of privacy, such as HIV status, STI, mental illness, or
chemical dependency, will not be transmitted in an unsecured/unencrypted manner. (T-1)
7.7. Social Media. Under no circumstances will information or photos of a patient be posted on
social media sites. (T-1)
7.7.1. Engaging in discussions or posting of pictures on social media that identify or could
potentially identify a patient, whether on a restricted, closed, or public site, is prohibited.
7.7.2. Some common personal identifiers that can potentially identify an individual, include
but are not limited to: name; geo-location; device identifiers and serial numbers; biometric
identifiers, including finger and voice prints; full face photographic images and any
comparable images; and any other unique identifying number, characteristic, or code (e.g.,
tattoos). (T-0) Reference DoD 6025.18-R, C8.1.3.3.
7.8. Other Types of E-Communications.
7.8.1. Use of the U. S. Army Aviation and Missile Research Development and Engineering
Center Safe File Access Exchange (AMRDEC SAFE) or other Large File Transmission
Applications. AMRDEC SAFE, or other approved applications, can be used to transmit
documents containing PII/PHI where the file size is too large for transmission through
normal e-mail channels, subject to the following requirements: (T-0) Reference FIPS PUB
140-2 and DoDI 8580.02, Enclosure 4, Section 3.
7.8.1.1. Files containing PHI must be encrypted. (T-1)
AFI41-200 25 JULY 2017 45
7.8.1.1.1. Prior to uploading any file to AMRDEC SAFE, use approved encryption
applications, such as Encryption Wizard, to encrypt the document/files.
7.8.1.1.2. Encrypt all PHI in accordance with the requirements of the Federal
Information Processing Standard (FIPS) Publication 140-2, Security Requirements
for Cryptographic Modules. (T-0)
7.8.1.2. When using AMRDEC SAFE, both the sender and recipient(s) will
automatically receive, via e-mail, a password that will permit access to the AMRDEC
SAFE application. This password is different from the one created during the encryption
process.
7.8.1.3. For the encrypted PHI file, provide the decryption key/password to the
designated recipient by a means other than AMRDEC SAFE (e.g., phone, separate e-
mail). (T-1)
7.8.2. See the AFMOA Health Information Compliance Team KX website for additional
information on the use of AMRDEC SAFE or any other approved large file transfer
applications.
7.9. Fax transmissions.
7.9.1. All faxes containing PHI are subject to the safeguards requirements outlined in the
HIPAA Privacy Rule. (T-0)
7.9.1.1. However, not all fax transmissions are ePHI. Only computer-generated faxes
are subject to the HIPAA security rule.
7.9.2. Limit fax transmission to only the documentation necessary to meet the requester’s
needs. (T-1)
7.9.2.1. Ensure a cover sheet is sent with the documentation to include: (T-1)
7.9.2.1.1. Date of fax transmission.
7.9.2.1.2. Sending facility’s name, address, telephone and fax numbers.
7.9.2.1.3. Sender’s name.
7.9.2.1.4. Receiving facility’s name, address, telephone and fax numbers.
7.9.2.1.5. Receiver’s name.
7.9.2.1.6. Number of pages transmitted including cover page.
7.9.2.1.7. Include the confidentiality statement, found in paragraph 7.1.3.2., on each
fax cover sheet. (T-1)
7.9.3. Any misdirected faxes must be reported to the MTF HIPAA Privacy Officer, who will
advise on required follow up action. (T-0)
7.9.3.1. If the documentation is received by anyone other than the intended recipient, the
burden is on the sender to remedy the error. (T-1)
7.9.3.2. If the transmission does not reach the intended recipient’s system, check the
internal logging system of the facsimile machine to determine where the transmission
was sent. (T-1)
46 AFI41-200 25 JULY 2017
7.9.3.2.1. Send a request to the incorrect number explaining that the information was
misdirected and asking for return of the documents via mail or confirmation that the
documents have been destroyed and no copies retained. (T-1)
7.9.4. To help protect confidentiality, establish specific policies and procedures for handling
documents received via facsimile. (T-0) Include the following minimum rules:
7.9.4.1. All fax machines used to transmit and receive PHI must be located in a secure or
supervised location. (T-1)
7.9.4.2. Remove documents as soon as the transmission completes. (T-1)
7.9.4.3. Count pages to ensure transmission of all intended information. Check for
legibility and notify sender of problems. (T-1)
7.9.4.4. Read the cover letter and comply with instructions for verifying receipt, if
applicable. (T-1)
7.9.4.5. Process the documents, if appropriate, or notify the authorized recipient that a
facsimile transmission has been received.(T-1)
7.9.4.5.1. Seal the documents in an envelope and deliver to the authorized recipient
or hold for recipient “pick-up.” (T-2)
7.10. Tele-Health. Tele-health is the use of electronic applications, systems, media, clinical
information management, encrypted telecommunications technologies, and video to provide or
support treatment-related healthcare, patient and professional health-related education, public
health, and health administration when distance separates the participants. Tele-health embraces
several innovative and exciting aspects of modern healthcare including, but not limited to,
centralized operations, secure messaging between provider and patient, virtual patient e-health
record access, on-line patient appointment booking, professional diagnostic imaging, and remote
surgical/specialty consulting capabilities.
7.10.1. Treatment-Related Professional Consultation. When telemedicine is applied to
conduct a real-time professional office visit or consultation between providers where the e-
mail message and the conversation occurs, the event must be fully documented in the
patient’s health record by either or both healthcare providers. (T-1) Reference AFI 44-102,
Medical Care Management, and AFI 44-172.
AFI41-200 25 JULY 2017 47
Chapter 8
HEALTH RECORD AUDITS FOR HIPAA INVESTIGATIONS
8.1. Purpose.
8.1.1. Health record audits are a mechanism for determining access to a patient’s EHR (i.e.
for treatment, payment, and health care operation functions). To assist in the investigation of
impermissible access, audit reports can serve as a valuable tool when determining if EHRs
have been inappropriately accessed. Audit reports are not part of the designated record set,
and therefore, are not subject to a patient’s right to access under HIPAA. However, if the
audit report is maintained or retrieved by the individual's name or other personal identifier,
the individual may be entitled to access the report under the Privacy Act.
8.1.2. The MTF Commanders will ensure that a minimum of two Health Record Auditors
(HRAs) are appointed, trained, and provided the appropriate access to the health records
systems to facilitate the generation of audit reports. (T-1) The MTF HIPAA Privacy and/or
Security Officers may be appointed as HRAs.
8.1.3. The MTF HIPAA Privacy Officer’s (HPO) office will maintain a signed copy of the
MTF/CC HRA appointment letter. (T-1) The MTF HPO will review the letter annually to
ensure the names of the identified HRAs are accurate and correct. (T-1)
8.1.4. The HPO or HSO will be the point(s) of contact for requesting health record audits.
(T-1)
8.1.4.1. Requests for health record audits will contain the following information: (T-1)
8.1.4.1.1. Name/rank of the requestor
8.1.4.1.2. Requestor’s office symbol
8.1.4.1.3. Date of request
8.1.4.1.4. Reason for the audit
8.1.4.1.5. Details of the audit (e.g., patient name, user name, date range, etc.)
8.1.5. The HPO/HSO will obtain MTF/CC or designee approval of health audit record
request. (T-1)
8.1.6. The HPO/HSO will coordinate completion of the audit with the Information Systems
Office. (T-1)
8.1.7. The HPO/HSO and SGH or MDG/CC will review the audit prior to providing the
results to the requestor. (T-1)
8.1.8. The HPO/HSO will maintain documentation of the audit for 6 years. (T-0) Reference
DoD 6025.18-R, C14.10..
8.2. Requesting a Health Record Audit for Breach Incidents.
8.2.1. Once the HPO has determined that an audit is required to assist in a breach
investigation, the HPO will obtain MTF/CC or designee written approval to run the audit
report. (T-1)
48 AFI41-200 25 JULY 2017
8.2.2. The signed approval letter will be provided to the HRA to generate the audit report.
(T-1)
8.2.3. Once the audit report is generated, the report will be provided to the HPO for analysis
to determine if health records were impermissibly accessed. (T-1) The HPO will consult
with other MTF functionals as needed. (T-1)
8.2.4. The results of the audit report analysis will be documented in the DD Form 2959,
when applicable. (T-1)
8.3. Document Retention for Audit Requests.
8.3.1. The MTF HPO will maintain audit documentation (e.g., MTF/CC approval/denial
letters, audit reports, etc.) for six years. (T-0) Reference DoD 6025.18-R, C14.10..
8.3.1.1. Paper copies must be kept in a locked container in the MTF HPO’s office. (T-0)
8.3.1.2. Electronic copies must be retained in a secure manner so that they are not
accessible by individuals without a need-to-know. (T-0)
AFI41-200 25 JULY 2017 49
Chapter 9
OTHER BUSINESS RELATIONSHIPS
9.1. Business Associates. Business Associate Agreements (BAAs) and/or Data Use/Sharing
Agreements (DSA), required by DoD 6025.18-R, must be incorporated into MTF contracts
and/or Memorandum of Understanding/Agreements (MOU/As), as necessary. (T-0)
9.1.1. DoD 6025.18-R, C3.1. establishes responsibilities for business associates that are
components of the Department of Defense. A written BAA is not required. Consult with
MTF HPO and MLC/SJA for any additional agreements that might be required.
9.1.1.1. For example: When the Emergency Medical Services (EMS) program is under
the authority of the installation senior medical officer, but the EMS personnel are
attached to the Civil Engineering Squadron (CES), even though they perform or assist in
performing a function or activity involving the use or disclosure of individually
identifiable health information on behalf of the EMS program, they are a business
associate.
9.1.2. In the event that an external vendor/contractor is determined to be a business associate
of the MTF, the MTF must have a written BAA in place. The most current BAA template
can be found on the AFMOA Health Information Compliance Team KX website.
9.1.2.1. The BAA should be incorporated into the master agreement between the MTF
and vendor/contractor.
9.1.3. If deviations from the AFMS approved BAA or DSA are requested by the business
associate, the MTF should submit the agreement to the MTF HPO for review. The MTF
HPO will work with MLC/SJA for review/approval prior to signing.
9.1.4. Business associates are required to complete HIPAA privacy training.
9.1.5. The MTF should work with the MTF HPO and contracting office for an accurate
inventory of business associates and agreements.
9.2. Health Information Exchanges/Organizations (HIE/O). HIE/Os allow providers secure
access to share a patient’s health information electronically.
9.2.1. The DoD is a participant in the eHealth Exchange and has executed the required Data
Use and Reciprocal Support Agreement (DURSA) that represents a framework for broad-
based information exchange among participants. As such, it is currently the only approved
HIE/O for use by MTFs.
9.2.2. For any requests for participation in a HIE/O, other than as outlined above, contact the
AFMOA HIPAA team for additional guidance and information.
50 AFI41-200 25 JULY 2017
9.3. Patient Safety Organizations (PSO). It is permissible for MTFs to participate in patient
safety activities, as defined in 42 CFR 3.20, and are deemed to be part of the MTFs health care
operations. PSOs must be treated as business associates IAW paragraph 9.1. (T-0)
MARK A. EDIGER
Lieutenant General, USAF, MC, CFS
Surgeon General
AFI41-200 25 JULY 2017 51
Attachment 1
GLOSSARY OF REFERENCES AND SUPPORTING INFORMATION
References
Public Law 10-233, Genetic Information Nondiscrimination Act of 2008, May 21, 2008 (also
known as “GINA”), as amended
Public Law 104-191, Health Insurance Portability and Accountability Act of 1996, August 21,
1996 (also known as “HIPAA”), as amended
Public Law 111-5, American Recovery and Reinvestment Act of 2009, February 17, 2009 (also
known as the “HITECH Act”)
5 USC §522, The Freedom of Information Act, as amended
5 USC §522a, The Privacy Act of 1974, as amended
18 USC §922, Unlawful Acts
20 USC §1232g, Family Educational and Privacy Rights
42 CFR §3.20, Patient Safety Organizations and Patient Safety Work Product
45 CFR Part 160 (Subparts C-E) of title 45, CFR as amended (also known as “HIPAA
Enforcement Rule”)
45 CFR Parts 160 and 164 (Subpart C) of title 45, CFR as amended (also known as the “HIPAA
Security Rule”)
45 CFR Parts 160 and 164 (Subpart D) of title 45, CFR as amended (also known as the “HIPAA
Breach Rule”)
45 CFR Parts 160 and 164 (Subpart E) of title 45, CFR, as amended (also known as the “HIPAA
Privacy Rule”)
Federal Information Processing Standards (FIPS) Publication 140-2
DoD Directive 2310.01E, DoD Detainee Program, August 19, 2014
DoDD 5400.11, DoD Privacy Program, October 29, 2014
DoD 5400.11-R, Department of Defense Privacy Program, May 14, 2007
DoD 6025.18-R, DoD Health Information Privacy Regulation, January 24, 2003
DoDI 5210.42, DoD Nuclear Weapons Personnel Reliability Assurance, April 27, 2016
DoDI 6490.04, Mental Health Evaluations of Members of the Military Services, March 4, 2013
DoDI 6490.08, Command Notification Requirements to Dispel Stigma in Providing Mental
Health Care to Service Members, August 17, 2011
DoDI 6495.02, Sexual Assault Prevention and Response (SAPR) Program Procedures, July 7,
2015
DoDI 8580.02, Security of Individually Identifiable Health Information in DoD Health Care
Programs, August 12, 2015
52 AFI41-200 25 JULY 2017
AFPD 33-3, Information Management, September 8, 2011
AFPD 41-2, Medical Support, June 28, 2013
AFI 10-712, Cyberspace Defense Analysis (CDA) Operations and Notice and Consent Process,
December 17, 2015
AFI 33-200, Air Force Cybersecurity Program Management, August 31, 2015
AFI 33-332, Air Force Privacy and Civil Liberties Program, January 12, 2015
AFI 33-360, Publications and Forms Management, December 1, 2015
AFI 36-704, Discipline and Adverse Actions, July 22, 1994
AFI 36-2115, Assignments within the Reserve Components, April 8, 2005
AFI 36-2907, Unfavorable Information File (UIF) Program, November 26, 2014
AFI 40-301, Family Advocacy Program, November 16, 2015
AFI 41-210, TRICARE Operations and Patient Administration Functions, June 6, 2012
AFI 44-102, Medical Care Management, March 17, 2015
AFI 44-172, Mental Health, November 12, 2015
AFI 48-123, Medical Examinations and Standards, November 5, 2013
AFI 48-145, Occupational and Environmental Health Program, July 22, 2014, incorporating
Change 1, August 27, 2015
AFI 51-301, Civil Litigation, June 20, 2002
AFI 51-604, Appointment to and Assumption of Command, February 11, 2016
AFI 90-6001, Sexual Assault Prevention and Response (SAPR) Program, May 21, 2015
AFMAN 13-501, Nuclear Weapons Personnel Reliability Program (PRP), May 29, 2015
AFMAN 33-282, Computer Security (COMPUSEC), March 27, 2012
AFMAN 33-363, Management of Records, March 1, 2008
AFMAN 48-146, Occupational & Environmental Health Program Management, October 9,
2012, incorporating Change 1, December 5, 2012
Adopted Forms
DD Form 2825, Internal Receipt
DD Form 2870, Authorization for Disclosure of Medical or Dental Information
DD Form 2871, Request to Restrict Medical or Dental Information
DD Form 2959, Defense Privacy and Civil Liberties Division (DPCLD) Breach of Personally
Identifiable Information (PII) Report
AF Form 847, Recommendation for Change of Publication
AF Form 1488, Daily Log of Patients Treated for Injuries
AFI41-200 25 JULY 2017 53
Abbreviations and Acronyms
AFDPO—Air Force Departmental Publishing Office
AFH—Air Force Handbook
AFIS—Air Force Inspection System
AFMAN—Air Force Manual
AFMOA—Air Force Medical Operations Agency
AFMOA HIPAA—AFMOA Health Benefits HIPAA team
AFMS—Air Force Medical Service
AFMSA—Air Force Medical Support Agency
AFRC—Air Force Reserve Command
AFRIMS RDS—Air Force Records Information Management System Records Disposition
Schedule
ANG—Air National Guard
ARC—Air Reserve Component
ARRA—American Recovery and Reinvestment Act of 2009
BAA—Business Associate Agreement
BRC—Breach Response Coordinator
CART—Compliance and Reporting Tool
CDE—Command Directed Evaluation
CO—Certifying Official
DHA—Defense Health Agency
DHS—Department of Homeland Security
DoD—Department of Defense
DPCLD—Defense Privacy and Civil Liberties Division
DURSA—Data Use and Reciprocal Support Agreement
DVA—Department of Veterans Affairs
EHR—Electronic Health Record
ePHI—electronic Protected Health Information
FIPS—Federal Information Processing Standard
FOIA—Freedom of Information Act
FOUO—For Official Use Only
GINA—Genetic Information Nondiscrimination Act of 2008
HHS—Department of Health and Human Services
54 AFI41-200 25 JULY 2017
HIE/O—Health Information Exchange/Organization
HIPAA PIR—HIPAA Privacy Incident Report
HIPAA—Health Insurance Portability and Accountability Act of 1996
HITECH—Health Information Technology for Economic and Clinical Health Act
HPO—HIPAA Privacy Officer
HRA—Health Record Auditor
HSO—HIPAA Security Officer
IEN—Patient Internal Entry Number
IMR—Individual Medical Readiness
INFOCON—Information Operations Condition
IO—Investigating Officer
IRT—Incident Response Team
JKO—Joint Knowledge Online
MDGI—Medical Group Instruction
MHS—Military Health System
MOA—Memorandum of Agreement
MTF—Medical Treatment Facility
NCC—Network Control Center
NCR—National Capitol Region
NICS—National Instant Criminal Background Check System
NOK—Next of Kin
NoPP—Notice of Privacy Practices
OCR—Office for Civil Rights
ONC—National Coordinator for Health Information Technology
OPR—Office of Primary Responsibility
OSI—Office of Special Investigations
OSHA—Occupational Safety and Health Administration
PCLO—Privacy and Civil Liberties Office
PCM—Primary Care Manager
PHIMT—Protected Health Information Management Tool
PHI—Protected Health Information
PII—Personally Identifiable Information
AFI41-200 25 JULY 2017 55
PRAP—Personnel Reliability Assurance Program
PSO—Patient Safety Organizations
RO—Reviewing Official
ROI—Release of Information department
SME—Subject Matter Expertise
SOAP—subjective, objective, assessment, plan
SRA—Security Risk Assessment Tool
SSN—Social Security Number
STR—Service Treatment Record
TOPA—TRICARE Operations and Patient Administration
TPO—Treatment, Payment, and Healthcare Operations
UHM—Unit Health Monitor
Terms
Active Duty—Applies to members serving full-time duty in the active military service of the
United States. It includes members of the Reserve Component serving on active duty or full-
time training duty, but does not include full-time National Guard duty. The term Inactive Duty
for Training (IDT) does not apply to this definition when considering healthcare eligibility. See
AFI 36-2115, for more details.
Air Reserve Component (ARC)—Units, organizations, and members of the Air National Guard
(ANG) and the Air Force Reserve Command (AFRC).
Approval Authority—Senior leader responsible for contributing to and implementing policies
and guidance/procedures pertaining to his/her functional area(s) (e.g., heads of functional two-
letter offices).
Authorization—DD Form 2870, Authorization for Disclosure of Medical or Dental
Information. A valid authorization must contain the core elements required by the HIPAA
privacy rule, and be signed by the patient or legal representative. A covered entity may not
disclose information without the patient’s written authorization, except for when a use or
disclosure is permissible, without an authorization or an opportunity to agree or object.
Breach—The acquisition, access, use, or disclosure of PHI in a manner not permitted under the
HIPAA Privacy Rule which compromises the security or privacy of the PHI.
(1) Breach excludes:
(i) Any unintentional acquisition, access, or use of PHI by a workforce member or person acting
under the authority of a covered entity or a business associate, if such acquisition, access, or use
was made in good faith and within the scope of authority and does not result in further use or
disclosure in a manner not permitted by the Privacy Rule.
(ii) Any inadvertent disclosure by a person who is authorized to access PHI at a covered entity or
business associate to another person authorized to access PHI at the same covered entity or
business associate, or organized health care arrangement in which the covered entity participates,
56 AFI41-200 25 JULY 2017
and the information received as a result of such disclosure is not further used or disclosed in a
manner not permitted by the Privacy Rule.
(iii) A disclosure of PHI where a covered entity or business associate has a good faith belief that
an unauthorized person to whom the disclosure was made would not reasonably have been able
to retain such information.
(2) Except as provided in the breach exclusions of this definition, an acquisition, access, use, or
disclosure of PHI in a manner not permitted under the Privacy Rule is presumed to be a breach
unless the covered entity or business associate, as applicable, demonstrates that there is a low
probability that the PHI has been compromised based on a risk assessment of at least the
following factors:
(i) The nature and extent of the PHI involved, including the types of identifiers and the
likelihood of re-identification;
(ii) The unauthorized person who used the PHI or to whom the disclosure was made;
(iii) Whether the PHI was actually acquired or viewed; and
(iv) The extent to which the risk to the PHI has been mitigated.
Child—The natural or adopted child of a sponsor, or in some cases for purposes of determining
eligibility for military health benefits, the unadopted step-child of a sponsor, or the legal ward of
a sponsor. To determine whether a minor child may consent to certain classes of healthcare,
refer to applicable state law, or for overseas locations local Medical Group Operating
Instructions.
Commander—The principle commissioned officer responsible for all activities, operations, and
resources under his/her control. Synonymous with commanding officer and commanding officer
in charge.
Complaint—A written statement submitted to a covered entity's HIPAA Privacy Officer or to
the HHS Office for Civil Rights alleging that the covered entity has violated an individual's
health information privacy rights or committed a violation of the HIPAA Privacy or Security
Rule provisions.
De-identified Healthcare Information—Health information that does not identify an individual
and with respect to which there is no reasonable basis to believe that the information can be used
to identify an individual is not individually identifiable health information. A covered entity
may determine that health information is not individually identifiable health information only if:
(1) A person with appropriate knowledge of and experience with generally accepted statistical
and scientific principles and methods for rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk is very small that the
information could be used, alone or in combination with other reasonably available information,
by an anticipated recipient to identify an individual who is a subject of the information; and
(ii) Documents the methods and results of the analysis that justify such determination; or
(2)(i) The identifiers of the individual or of relatives, employers, or household members of the
individual, are removed, including but not limited to: names; all geographic subdivisions smaller
than a State; all elements of dates (except year) for dates directly related to an individual and all
ages over 89; telephone numbers; fax numbers; and social security numbers.
Defense Health Information Management System (DHIMS)—The DHIMS information
management/technology (IM/IT) system helps capture, manage and share health data across the
DoD enterprise. As a component of the Military Health System (MHS) Chief Information
AFI41-200 25 JULY 2017 57
Office, DHIMS applications are built upon the functional, technical and operational perspectives
of theater and clinical medical professionals. This new program office, created as a result of the
merger between the Clinical Information Technology Program Office (CITPO), Resources
Information Technology Program Office (RITPO), and the Theater Medical Information Medical
Program—Joint (TMIP-J), manages the development, deployment, and maintenance of the
systems that make up AHLTA – the military’s electronic health record.
eHealth Exchange—The eHealth Exchange is a group of federal agencies and non-federal
organizations that came together under a common mission and purpose to improve patient care,
streamline disability benefit claims, and improve public health reporting through secure, trusted,
and interoperable health information exchange. Participating organizations mutually agree to
support a common set of standards and specifications that enable the establishment of a secure,
trusted, and interoperable connection among all participating Exchange organizations and have
executed the Data Use and Reciprocal Support Agreement (DURSA).
E-mail Directive—Documentation showing that the patient has requested copies of their health
records through unencrypted e-mail, has been advised of the risks of the delivery mechanism,
and still wishes to receive the communication.
Financial Remuneration—Direct or indirect payment from or on behalf of a third party whose
product or service is being described. Direct or indirect payment does not include any payment
for treatment of an individual.
HIPAA Privacy Officer—The member of the MTF or Component who is the designated point
of contact for the MTF or Component and is responsible for the development and
implementation of the policies and procedures of the entity, program oversight, and the handling
HIPAA Privacy complaints. Such workforce member may be a member of a Uniform Service, a
DoD civilian employee, or a contractor of the covered entity.
HIPAA Privacy Rule—45 CFR Part 160 and Part 164. Part 160 contains general administrative
provisions (including enforcement) that are relevant to the privacy provisions contained in Part
164.
HIPAA Rules—The rules issued by HHS and captured in the HIPAA Privacy, Security,
Enforcement, and Breach Rules.
Jurisdiction—A geographic area smaller than a state, such as a county, city, or town, for
determining the number of residents of a jurisdiction involved in a breach.
Medical Care—Inpatient, outpatient, dental care, and related professional services.
Medical Treatment Facility Commander—The person appointed on orders as the
commanding officer of the military treatment facility.
Military Health System (MHS)—All DoD health plans and all DoD health care providers that
are, in the case of institutional providers, organized under the management authority of, or in
the case of covered individual providers, assigned to or employed by, the DHA, the Surgeon
General of the Army, the Surgeon General of the Navy, or the Surgeon General of the Air
Force.
Notice Of Privacy Practices (NoPP)—The notice of the MHS' practices and procedures with
respect to safeguarding the confidentiality, integrity, and availability of an individual’s PHI, and
the rights of individuals with respect to their PHI.
58 AFI41-200 25 JULY 2017
Opt Out—The choice by a non-active duty beneficiary to not permit sharing of his or her health
data by MHS with non-MHS eHealth Exchange partners.
Organized Health Care Arrangement—Organized health care arrangement means:
(1) A clinically integrated care setting in which individuals typically receive health care from
more than one health care provider;
(2) An organized system of health care in which more than one covered entity participates, and
in which the participating covered entities:
(i) Hold themselves out to the public as participating in a joint arrangement; and
(ii) Participate in joint activities that include at least one of the following:
(A) Utilization review, in which health care decisions by participating covered entities are
reviewed by other participating covered entities or by a third party on their behalf;
(B) Quality assessment and improvement activities, in which treatment provided by participating
covered entities is assessed by other participating covered entities or by a third party on their
behalf; or
(C) Payment activities, if the financial risk for delivering health care is shared, in part or in
whole, by participating covered entities through the joint arrangement and if protected health
information created or received by a covered entity is reviewed by other participating covered
entities or by a third party on their behalf for the purpose of administering the sharing of
financial risk.
(3) A group health plan and a health insurance issuer or HMO with respect to such group health
plan, but only with respect to protected health information created or received by such health
insurance issuer or HMO that relates to individuals who are or who have been participants or
beneficiaries in such group health plan;
(4) A group health plan and one or more other group health plans each of which are maintained
by the same plan sponsor; or
(5) The group health plans described in paragraph (4) of this definition and health insurance
issuers or HMOs with respect to such group health plans, but only with respect to protected
health information created or received by such health insurance issuers or HMOs that relates to
individuals who are or have been participants or beneficiaries in any of such group health plans.
Power of Attorney—A legal document authorizing an individual to act as the attorney-in-fact or
agent of the grantor. General rules and individual state laws specify when a power of attorney is
required. Refer any questions pertaining to powers of attorney to the MLC/JA.
Reserve Components—Reserve components of the Armed Forces of the United States are: The
Air National Guard of the United States, The Air Force Reserve, The Army National Guard of
the United States, The Army Reserve, The Naval Reserve, The Marine Corps Reserve, The Coast
Guard Reserve. For the purpose of this instruction, the term also includes the reserve members
of the commissioned corps of the United States Public Health Service and National Oceanic and
Atmospheric Administration.
Risk Analysis—A thorough assessment of the potential threats to, and vulnerabilities of, the
confidentiality, integrity, and availability of systems containing electronic PHI (e-PHI) held by
the covered entity or business associate.
Risk Assessment—An evaluation to determine the presumption of a breach and the probability
that PHI has been compromised based on at least the following factors: (1) The nature and
extent of the PHI involved, including the types of identifiers and the likelihood of re-
AFI41-200 25 JULY 2017 59
identification; (2) The unauthorized person who used the PHI or to whom the disclosure was
made; (3) Whether the PHI was actually acquired or viewed; and (4) The extent to which the risk
to the PHI has been mitigated.
Sensitive Medical Records or Information—Health records, correspondence (including
working papers), and laboratory results, which may have an adverse effect on the patient’s
morale, character, medical progress, or mental health, or other person(s). This includes the
specific location or description of illness or injury, which may prove embarrassing to the patient
or reflect poor taste. Highly sensitive records include but are not limited to alleged or confirmed
information relating to the treatment of patients for sexual assault, criminal actions (including
child or spouse abuse), psychiatric or social conditions, or venereal disease.
Subcontractor—A person to whom a business associate delegates a function, activity, or
service, other than in the capacity of a member of the workforce of such business associate.
Unsecured PHI—PHI that is not rendered unusable, unreadable, or indecipherable to
unauthorized persons through the use of a technology or methodology specified by the Secretary
in the guidance issued under section 13402(h)(2) of Pub. L. 111-5.
VLER Health—Virtual Lifetime Electronic Record (VLER) Health is a set of programs that
manages the electronic exchange of beneficiary health information among VA, DoD, other
federal agencies, and private partners.
60 AFI41-200 25 JULY 2017
Attachment 2
E-MAIL DIRECTIVE
Figure A2.1. Sample E-Mail Text for Informing Patients of the Risk of Unencrypted E-
mail and Password-Protected Documents Containing PHI
Dear [insert patient name],
This email is to verify the email address you provided to receive a copy of your medical record
in electronic format. Please read the following information. If you still wish to receive copies of
your records via unencrypted email or password protected only, simply “reply” with your
agreement to this electronic communication, along with the method of receipt. If we have not
received a reply by [insert date], we will assume that you do not wish to receive your records in
this manner and your request will be processed in accordance with standard mailing procedures.
Method of Receipt (Please select one option):
Encrypted to a .mil address
Unencrypted without password-protected records to a personal e-mail address
Unencrypted with password-protection to a personal e-mail address
Access & Risk Statements:
(a) Do not use e-mail for emergency or time-sensitive communications.
(b) You may elect to receive copies of your records in electronic format to you or to a person
you designate in writing. If you elect to receive your records by email, you understand that due
to the unsecure nature of unencrypted or password-protected only communications, there is a
potential that anyone who may have the ability to access your e-mail or account could see your
medical information.
(c) You also understand that once the Air Force has transmitted the information to you or your
designee, it is no longer under the control of the Air Force and a person or entity may access the
electronic communication with or without the Air Force’s or your knowledge or permission and
view any and all of the communications and medical information contained therein, at no fault of
the Air Force or its employees.
(d) We do not transmit sensitive medical conditions or information, including HIV status, STI,
mental illness, or alcohol or drug abuse treatment programs that require more rigorous
protections of privacy, by unencrypted e-mail or password-protection only.
(e) Requests for records may take no more than twenty (20) business days for response and
processing in accordance with the DoD and AFI regulations/instructions.
(f) Your agreement to receive copies of records via unencrypted e-mail or password-protected-
only pertains only to this current access request received by the Air Force and does not apply to
any future requests.
By replying to this e-mail, along with method indicated above, you acknowledge the privacy
risks associated with using unencrypted or password-protected only communications.
[insert signature block]