Compliance Guide: Applying the HIPAA Military Command Exception Safely and Lawfully


Kevin Henry

HIPAA

February 17, 2025


Overview of the Military Command Exception

The HIPAA military command exception allows covered entities to disclose Protected Health Information (PHI) about service members to appropriate military command authorities when the disclosure is necessary to ensure the proper execution of the mission. The focus is mission readiness, including Fitness for Duty Determinations and Mission-Essential Activities.

This exception is permissive, not automatic. You may disclose only to officials with legitimate command authority and only for clearly stated command purposes. It does not convert the entire medical record into a command document; it permits targeted Command Authorized Disclosures tied to operational needs.

Who is covered and when it applies

The exception applies to members of the U.S. Armed Forces. It does not apply to dependents or retirees unless another HIPAA provision authorizes disclosure. It may be used by military treatment facilities and, in specific scenarios, by civilian providers treating service members.

Typical command purposes

  • Determining fitness to perform duties or deploy.
  • Managing safety-sensitive roles (aviation, special operations, nuclear, or weapons handling).
  • Coordinating duty restrictions, profiles, or line-of-duty determinations directly tied to Mission-Essential Activities.

Disclosure Requirements and Limitations

Apply the Minimum Necessary Standard to all military command disclosures. Share only the information required to satisfy the stated command need—no more, no less. Diagnosis details, full histories, and extraneous notes should be withheld unless specifically necessary for the mission purpose.

Verification and scope control

  • Verify the requester’s identity and command authority before disclosing.
  • Ask for the purpose in writing and map each data element disclosed to that purpose.
  • Exclude specially protected categories (for example, psychotherapy notes) unless a separate rule clearly authorizes disclosure.

Documentation and accountability

  • Record an accounting of the disclosure (what, to whom, when, and why) and retain it for at least six years.
  • If uncertain, route requests to your privacy officer or Staff Judge Advocate. When multiple laws apply, follow the most privacy-protective rule unless a specific mandate requires otherwise.

Handling Mental Health and Substance Misuse Information

Mental health information warrants heightened care. Psychotherapy notes remain distinct and are rarely disclosable under this exception. For routine command needs, provide functional information (limitations, duty restrictions, safety concerns) rather than detailed clinical narratives.

Risk, safety, and duty impact

  • Disclose when a provider determines that there is a serious and imminent threat to health or safety that the command must address.
  • Share information necessary for Fitness for Duty Determinations, inpatient admissions that affect duty status, or duty-limiting profiles.

Substance misuse considerations

When substance use treatment or diagnosis is involved, check whether stricter rules (such as federal substance use disorder confidentiality rules or state laws) apply. For Voluntary Substance Misuse Education or self-referral counseling that does not affect duty or safety, disclosure to command is generally not necessary; if a command purpose arises, disclose only the minimum necessary functional details.

Medical Appointment Notification Procedures

Commands often need to know whether a service member is meeting medical readiness obligations. You may notify the command of appointment scheduling and attendance when the information is necessary for Mission-Essential Activities, but keep content narrowly tailored.

What to share

  • Appointment date, time, location, and status (scheduled, attended, rescheduled, or missed).
  • Any duty limitations or readiness impacts resulting from the visit (for example, temporary profile), without disclosing full clinical details.

How to share

  • Send notifications to a designated command point of contact using secure channels.
  • Avoid diagnosis codes, treatment plans, or detailed notes unless they are essential for the stated command purpose.
  • Document each notification as an accounting of disclosure.

Roles of Non-Military Healthcare Providers

Civilian and TRICARE network providers remain HIPAA covered entities. They may rely on the military command exception when treating service members, but only after verifying command authority and the mission-related purpose for the request.

Practical steps for civilian providers

  • Confirm the patient’s active-duty status and the requester’s command role.
  • Request a written statement that identifies the command purpose and need.
  • Disclose only the Minimum Necessary information; when in doubt, provide functional status rather than diagnostic specifics.
  • If substance use disorder treatment records or other specially protected information are involved, ensure an applicable exception or written authorization exists before disclosing.

Privacy Protections Post-Disclosure

Once PHI is disclosed to a command authority, those records are typically managed under the Privacy Act of 1974. The command must restrict access to personnel with a need-to-know for Mission-Essential Activities and maintain proper safeguards, retention schedules, and audit trails.

Rights and controls

  • Commands should limit re-use and re-disclosure to the original operational purpose.
  • Accounting of disclosures should be preserved, and records should be secured consistent with federal records and information security requirements.
  • Service members retain HIPAA rights (such as requesting an accounting or amendment) through the covered entity that originated the record.

Best Practices for Compliance

  • Define authorized command contacts and publish clear intake procedures for Command Authorized Disclosures.
  • Use standardized request forms that capture authority, purpose, and the specific PHI sought, mapped to the Minimum Necessary Standard.
  • Segment sensitive data (for example, psychotherapy notes) and build EHR templates that default to functional status summaries.
  • Train staff annually on the military command exception, substance misuse confidentiality, and the Privacy Act of 1974.
  • Maintain a robust accounting-of-disclosures log and perform periodic audits to confirm necessity and scope.
  • Escalate edge cases to privacy or legal counsel before releasing information.

FAQs

What is the military command exception to HIPAA?

It is a HIPAA provision that allows disclosure of a service member’s PHI to appropriate military command authorities when the information is needed to ensure mission readiness and safety, such as for Fitness for Duty Determinations and other Mission-Essential Activities.

When can PHI be disclosed to military commanders?

When the requester has command authority and states a legitimate mission-related need. Typical scenarios include safety concerns, deployment or duty status decisions, and enforcing medical readiness. Disclosures must follow the Minimum Necessary Standard and be documented.

Are mental health records always disclosed under the exception?

No. Only information necessary for the command’s stated purpose should be shared. Psychotherapy notes and other specially protected materials are rarely appropriate to disclose. Functional status and duty impact usually satisfy command needs without revealing detailed clinical content.

How is PHI protected after disclosure to military command?

Commands manage received information under the Privacy Act of 1974 and internal security policies. Access is limited to personnel with a mission-related need-to-know, re-disclosure is restricted, and records are secured and auditable to protect the service member’s privacy.
