Standards for Military Family Readiness programs

2020 Edition

Customer Rights (MIL-CR) 2: Confidentiality and Privacy Protections

The MFR program protects the confidentiality of information about customers and assumes a protective role regarding the disclosure of confidential information.


2020 Edition

Currently viewing: CUSTOMER RIGHTS (MIL-CR)



The rights and dignity of customers are respected throughout the MFR program.
Full Implementation, Outstanding Performance
A rating of (1) indicates that the programs’ practices fully meet the standard and reflect a high level of capacity.  All elements or requirements outlined in the standard are evident in practice, with rare or no exceptions; exceptions do not impact service quality or overall performance.  
Substantial Implementation, Good Performance 
A rating of (2) indicates that a programs’ infrastructure and practices are basically sound but there is room for improvement. The majority of the standards requirements have been met and the basic framework required by the standard has been implemented.  Minor inconsistencies and practices that are not fully developed are noted; however, these do not significantly impact service quality or overall performance.
Partial Implementation, Concerning Performance
A rating of (3) indicates that significant aspects of the programs’ observed infrastructure and/or practices require significant improvement. The program has not implemented the basic framework of the standard but instead has in place only part(s) of this framework. Omissions or exceptions to the practices outlined in the standard occur regularly, or practices are implemented in a cursory or haphazard manner.  Service quality or program functioning may be compromised. Capacity is at a basic level.
Unsatisfactory Implementation and Performance
A rating of (4) indicates that implementation of the standard is minimal or there is no evidence of implementation at all. The programs’ observed administration and management infrastructure and practices are weak or non-existent; or show signs of neglect, stagnation, or deterioration.

Please see Rating Guidance for additional rating examples. 
Self-Study EvidenceOn-Site EvidenceOn-Site Activities
  • Blank release form for disclosure of confidential information (MIL-CR 2.06)
  • Description of how the MFR program maintains privacy and confidentiality when providing services remotely using technology, as applicable (MIL-CR 2.01)

Fundamental Practice

MIL-CR 2.01

The service environment is conducive to effectively providing services to customers, both in-person and remotely, in a private and confidential manner and customers are informed of any limitations to privacy and confidentiality due to service delivery locations.


 When providing services remotely using technology, implementation of this standard requires that the MFR program consider confidentiality and privacy concerns for both the location(s) where staff are providing services, and the location(s) where customers are receiving services.

Note: For more information on which of COA’s standards will be included as part of the Peer Review Team’s facility observation, please see the following tool: Facility Observation Checklist – MFR.

MIL-CR 2.02

Informed, written consent is obtained from the customer, or parent or legal guardian, prior to recording, photographing, or filming.


Fundamental Practice

MIL-CR 2.03

Access to customer files, both electronic and paper, is consistent, and limited to: 
  1. the customer or a parent or legal guardian;
  2. individuals authorized to access specific information on a "need-to-know" basis;
  3. former customers;
  4. requests for records of deceased customers; and
  5. auditors and staff from licensing or accrediting bodies consistent with the MFR program's confidentiality policy.


Examples of ways the MFR program may limit access to authorized individuals include: 
  1. limiting access based on staff role within the MFR program;
  2. ensuring the electronic system requires passwords for access to confidential information requires passwords be regularly changed, locks the user out of the system for a designated number of incorrect log in attempts, and automatically times out after a period of inactivity;
  3. disabling the passwords and access of former staff; and
  4. ensuring the system is capable of recording the person accessing confidential information in the system, and records when information is altered or deleted, also known as audit logs. 
Note: For more information on which of COA’s standards will be included as part of the Peer Review Team’s facility observation, please see the following tool: Facility Observation Checklist – MFR.

MIL-CR 2.04

When the MFR program receives a request for the release of confidential information about a customer, or when the release of confidential information is necessary for the provision of services, prior to releasing such information, the MFR program:

  1. determines if the reason to release information is valid;
  2. obtains the customer's informed, written authorization to release the information; 
  3. obtains informed, written authorization from a parent or legal guardian, as appropriate; and
  4. offers the customer a copy of the signed form authorizing the release of information, and places a copy in the customer’s file. 


In the context of this standard, “valid” means justifiable, legitimate, convincing, legally permissible, and in the best interest of the customer. Unless otherwise required by law, authorization to release confidential information is not necessary where the request for information is pursuant to a valid order of the civilian court or military tribunal. However, the customer or parent/legal guardian should still be informed that the information will be released and offered a copy of the release form before it is placed in their file. 


When there are concerns about the individual’s capacity to understand the confidential nature of the document, such as when the individual has been deemed incapacitated by the court, it may be inappropriate to provide the individual with a copy of the release form. Instead, the worker should include a copy of the release form in the customer's file and document reasons why the form was not provided.

MIL-CR 2.05

When the MFR program serves couples or families, customer files are maintained in a manner that protects the confidential information of all participants, including: 
  1. maintaining a separate file for each individual when indicated or upon request;
  2. obtaining informed, written authorization from all participants prior to disclosing confidential information from a joint customer file; and
  3. maintaining FAP information in a three-record system for survivor, alleged offender, and documentation generated outside of FAP. 
Note: Element (c) only applies to MFR programs that provide FAP treatment services. 

Fundamental Practice

MIL-CR 2.06

The release form for disclosure of confidential information includes the following elements:
  1. the name of the customer whose information will be released;
  2. the signature of the customer whose information will be released, or that of the parent or legal guardian of a person who is unable to provide authorization;
  3. the specific information to be released;
  4. the purpose for which the information is to be used;
  5. the date the release takes effect;
  6. the date, event, or condition upon which the consent expires, not to exceed one year from when the release takes effect;
  7. the name of the person(s) or organization(s) that will receive the disclosed information;
  8. the name of the person or organization that is disclosing  the confidential information; and
  9. a statement that the customer may withdraw their authorization at any time except to the extent that action has already been taken.


In relation to element (f), the expiration event or condition should relate to the customer or to the purpose of the disclosure. 


When confidential information may be released without the authorization of the customer or his or her legal guardian, elements (b) and (i) will not apply.

Research suggests that programs with clear confidentiality policies and consent form requirements have increased collaboration between providers and customers. This increased collaboration can have a positive impact on these relationships, and further open lines of communication for the future. 

Fundamental Practice

MIL-CR 2.07

The MFR program informs the customer, prior to his or her disclosure of confidential or private information, about circumstances when staff may be legally or ethically permitted or required to release such information without the customer's consent. 

Related Standards:


 Implementation of this standard includes an explanation of restricted and unrestricted reporting and the circumstances under which information must be disclosed to command and other authorities, when applicable.