Checklist: Documenting and Disclosing Under the HIPAA Military Command Exception


Kevin Henry

HIPAA

February 17, 2025


Military Command Exception Overview

The HIPAA Military Command Exception permits a covered entity that is part of the Armed Forces to share Protected Health Information with appropriate command authorities for mission readiness and lawful command activities. The goal is to inform command decisions while safeguarding individual privacy.

In Department of Defense healthcare settings, disclosures flow only to authorized officials with a legitimate need, such as a service member’s commander or designee. You should focus on operational impact, not broad clinical details, and use Authorized Disclosure pathways defined by policy.

  • Disclose only when a command authority is the recipient and the purpose is mission-related.
  • Apply the Minimum Necessary Standard to every disclosure.
  • Limit information to function and risk, avoiding unrelated diagnoses or narratives.
  • Document each disclosure contemporaneously and accurately.

Disclosure Requirements and Limitations

Verify command authority before sharing

Confirm the requester’s identity, role, and authority to receive PHI. If the request comes through staff, ensure they are acting for the commander and the stated purpose aligns with the exception.

Apply the Minimum Necessary Standard

Disclose only information needed to address the mission task. Describe current restrictions, prognosis relevant to duty, safety considerations, and expected review dates rather than detailed test results or full histories.

Respect categorical limits

Do not disclose psychotherapy notes, unrelated conditions, or family history unless specifically necessary and permitted. Avoid blanket releases and minimize narrative details that are not essential to the command decision.

Authorized Military Activities

Fitness for Duty Determination

Share information strictly tied to Fitness for Duty Determination, such as duty limitations, temporary profiles, and whether the member can safely perform essential tasks. Frame the disclosure around capability and risk, not diagnostic minutiae.

Readiness, deployment, and safety decisions

You may disclose information needed for deployment status, occupational certification, weapons handling, aviation, diving, or other high-risk duties. Provide concise functional assessments and time-bound restrictions relevant to the specific activity.

Mental Health and Substance Misuse Privacy

Command notification triggers

Notify command when information is necessary to mitigate a serious and foreseeable risk, implement safety restrictions, manage inpatient admissions, or address acute impairments that affect mission performance. Emphasize functional impact and risk management steps.

What to share—and what to withhold

Share fitness-impacting facts: current risk level, restrictions, treatment compliance relevant to duty, and follow-up milestones. Do not disclose therapy session content or psychotherapy notes absent a separate, valid authorization.

Substance misuse considerations

For substance-related care, limit disclosures to what command needs to manage safety, readiness, or mandated programs. Additional federal confidentiality rules may apply to certain programs; when they do, follow the stricter standard.

Documentation and Compliance Procedures

PHI Documentation Requirements

  • Record date and time, requester identity and authority, and the specific purpose.
  • List the exact information disclosed and how the Minimum Necessary Standard was applied.
  • Note the legal/policy basis used, transmission method, and any safeguards employed.
  • Retain the documentation for the period policy requires, and include the disclosure in applicable logs.

Operational workflow

  • Intake and verify the command request.
  • Consult the record and isolate only mission-relevant facts.
  • Prepare a concise summary focused on function, restrictions, and timelines.
  • Disclose to the authorized recipient and document immediately.
  • Schedule a review date if the restriction or profile is time-limited.

Training and oversight

Ensure workforce training covers the Military Command Exception, role-based access, and PHI Documentation Requirements. Conduct periodic audits to confirm disclosures are justified, minimal, and properly logged.

Privacy Protections Beyond HIPAA

Privacy Act of 1974

When records are maintained in a federal system of records, the Privacy Act of 1974 also governs collection, use, and disclosure. Align HIPAA and Privacy Act requirements, and default to the more protective rule when they differ.

Other federal and state rules

Some programs—especially certain substance use disorder services—carry additional federal confidentiality protections. State laws may also be more stringent for specific data types; apply the stricter rule where it complements federal policy.

Sensitive records

Psychotherapy notes and similarly sensitive materials receive heightened protection. Treat them as excluded from routine command disclosures unless a separate, valid authorization or specific legal basis exists.

Non-Military Personnel Exclusions

The Military Command Exception applies to members of the Armed Forces. It does not extend to civilian employees, contractors, or family members receiving care. For those populations, use standard HIPAA pathways such as patient authorization or another lawful basis.

  • For civilian workplace inquiries, request a HIPAA authorization tailored to the employer’s question.
  • For dependents or retirees, follow ordinary privacy rules; do not route disclosures through command channels.
  • When in doubt, narrow the request, verify authority, and seek legal or privacy office guidance.

Conclusion

To disclose under the HIPAA Military Command Exception, verify authority, apply the Minimum Necessary Standard, center on function and risk, and document precisely. This approach supports mission needs while honoring privacy and regulatory compliance.

FAQs

What is the Military Command Exception under HIPAA?

It is a HIPAA provision that allows covered entities within the Armed Forces to share specific PHI with command authorities when needed for mission readiness and lawful command activities, with strict limits and documentation.

How should disclosures be documented under this exception?

Record who requested the information, their authority, the purpose, what PHI you disclosed, how you applied the Minimum Necessary Standard, the legal basis used, the transmission method, and any follow-up or review dates.

When can mental health information be disclosed to commanders?

Disclose when needed to address serious and foreseeable risk, inpatient admissions, acute impairment affecting duty, or other readiness decisions. Share functional impact, restrictions, and timelines—never psychotherapy notes without separate authorization.

Does the Military Command Exception apply to civilian employees?

No. It applies to members of the Armed Forces. For civilian employees, contractors, family members, or retirees, use standard HIPAA pathways such as patient authorization or another lawful basis for any disclosure.
