HIPAA Military Command Exception Explained: When Disclosures Are Permitted and How
Military Command Exception Overview
The HIPAA Privacy Rule allows covered military treatment facilities and TRICARE entities to disclose Protected Health Information (PHI) to appropriate Military Command Authorities when necessary to ensure the proper execution of the military mission. This permissive pathway is known as the Military Command Exception. It is designed to balance operational readiness with individual privacy.
Under this exception, disclosures go only to commanders or officials designated by policy as “appropriate” recipients. You may share only what those officials need to make informed decisions about mission readiness, deployability, and unit safety. The Minimum Necessary Standard still applies, so blanket or open-ended access to medical files is not permitted.
Service members must be put on notice—typically through a Notice of Privacy Practices—that their PHI may be disclosed to command for these limited purposes. Patient authorization is not required for a disclosure that meets the Military Command Exception, but all other HIPAA safeguards remain in force.
Authorized Activities for Disclosure
Disclosures under the Military Command Exception are tied to concrete, mission-related needs. You should align each disclosure with a specific, authorized activity such as the following:
- Readiness and deployability determinations, including a Fitness for Duty Assessment or evaluation of duty-limiting conditions.
- Assignment, deployment, and re-deployment decisions where a health condition materially affects a member’s ability to perform essential tasks.
- Safety and risk management for the service member, the unit, or the public, including concerns about serious, imminent threats.
- Compliance with service policies on occupational health, immunizations, exposure incidents, and line-of-duty investigations.
- Security, clearance, or weapons-carry eligibility determinations when health status is integral to those authorizations.
- Command-directed evaluations needed to verify restrictions, quarters status, or return-to-duty timing.
Each disclosure should be specific, targeted, and documented. When a summary, profile, or readiness statement will suffice, you should avoid sending underlying clinical notes.
Disclosure Requirements and Limitations
Who may disclose and who may receive
Covered entities (for example, military treatment facilities and TRICARE health plans) may disclose PHI to identified Military Command Authorities. Recipients must have a legitimate, official need linked to mission execution; curiosity or convenience is not a valid basis.
Scope and content of PHI
Disclose only the minimum information the commander needs to make a decision—often a diagnosis category, functional limitations, expected duration, and duty recommendations. Psychotherapy notes and other specially protected materials are generally excluded from command disclosures.
Minimum Necessary Standard
The Minimum Necessary Standard governs Military Command Exception disclosures. Provide the least amount of PHI that reasonably satisfies the operational purpose. When possible, use summaries or standardized profiles instead of detailed records.
Notice and transparency
Your Notice of Privacy Practices should explain that PHI may be shared with command for readiness and mission needs. When feasible, inform the service member that a disclosure will occur, unless doing so would compromise safety or the operational need.
No general access or data mining
The exception does not grant commanders unrestricted access to medical systems or entire charts. Requests must be purpose-bound, and disclosures must be limited to what is necessary for the stated activity.
Access Restrictions to Medical Records
Commanders are not entitled to review a service member’s full medical record by default. Instead, they receive limited PHI tailored to the readiness question at hand—such as duty restrictions, temporary profiles, or anticipated timelines.
Only authorized healthcare personnel involved in treatment, payment, healthcare operations, or plan administration may access the full record. If command receives PHI, it must protect that information, restrict its use to official purposes, and prevent unauthorized re-disclosure.
Service members retain the right to access most of their own PHI and to request amendments. However, certain categories—like psychotherapy notes—are specially protected and typically excluded from routine access and command disclosures.
Privacy Protections under the Privacy Act of 1974
Because the Department of Defense is a federal agency, PHI maintained in federal systems is also subject to the Privacy Act of 1974. The Privacy Act requires agencies to collect, maintain, and use records fairly; to allow individuals to access and request amendment of their records; and to disclose records only under authorized conditions.
DoD systems publish “routine uses” that describe when records can be shared, including for readiness and mission support. The Privacy Act works alongside the HIPAA Privacy Rule: both must be satisfied before a disclosure occurs. Where the Privacy Act is stricter, you must follow the stricter rule.
Handling of Mental Health and Substance Misuse Information
Mental health information
Mental health PHI is subject to the same HIPAA framework as other PHI, with important practical guardrails often referred to as Mental Health Disclosure Restrictions. Disclosures to command should emphasize functional impact, safety concerns, and duty limitations rather than detailed therapy content. Psychotherapy notes (a provider’s separate, personal notes) are given heightened protection and are generally not disclosable to command under this exception.
Substance misuse information
Substance use disorder records created by federally assisted specialty programs may be subject to additional protections under 42 CFR Part 2. Those rules are more restrictive than HIPAA and generally require the member’s written consent, a qualifying emergency, a court order, or another Part 2 exception before disclosure. The Military Command Exception under HIPAA does not override Part 2, so you must determine whether Part 2 applies before releasing any SUD-related PHI.
Practical approach for sensitive conditions
- Confirm whether the record is HIPAA-only or also covered by 42 CFR Part 2.
- Focus on functional status (what the member can and cannot safely do) and the expected duration of limitations.
- Apply the Minimum Necessary Standard and avoid detailed clinical narratives when a readiness summary will meet the need.
Disclosure Accounting and Compliance
Disclosures to command that are not for treatment, payment, or healthcare operations are generally subject to HIPAA’s accounting of disclosures. Keep a log with the date, recipient, a brief description of PHI disclosed, and the purpose. Retain documentation for the required period, and provide an accounting to the individual upon request.
Maintain written policies that define who may approve and send command disclosures, what information is appropriate to share, and how to apply the Minimum Necessary Standard. Train staff annually, audit a sample of disclosures, and implement corrective action when issues arise. Use standardized readiness letters or profiles to promote consistency and reduce over-disclosure.
When in doubt, escalate: consult privacy officers or legal counsel, verify the requester’s command authority, and confirm that no heightened protections (such as psychotherapy notes or 42 CFR Part 2) restrict the disclosure.
FAQs
When can military command authorities receive PHI under HIPAA?
They may receive PHI when the disclosure is necessary to carry out activities essential to the military mission—such as readiness, deployability, safety, and lawful command-directed evaluations—and when the request comes from appropriate Military Command Authorities. The Minimum Necessary Standard applies, and patient authorization is not required for disclosures that meet this exception.
What types of activities justify PHI disclosure to command?
Typical justifications include Fitness for Duty Assessment, confirmation of duty-limiting conditions, deployment and assignment decisions, risk management for the member or unit, occupational health and exposure management, security or weapons eligibility, and verifying quarters status or return-to-duty timing.
Are commanders allowed access to service members' full medical records?
No. Commanders do not receive unrestricted access to full medical records. They are entitled only to the limited PHI necessary to make an informed readiness or safety decision, usually via summaries, profiles, or status updates rather than detailed clinical notes.
How is mental health information treated under the Military Command Exception?
Mental health PHI can be disclosed to command when needed for readiness or safety, but disclosures should focus on functional impact and duty limitations, not therapy details. Psychotherapy notes are specially protected and generally excluded. Substance misuse records from federally assisted programs may be governed by 42 CFR Part 2, which is more restrictive than HIPAA and often requires consent or another specific exception.