HIPAA Policies for Military Health Facilities: Compliance Requirements and DoD Exceptions
HIPAA Applicability to Military Health Facilities
Military treatment facilities (MTFs), TRICARE health plans, and other Military Health System components that deliver or pay for care are HIPAA covered entities. They must safeguard Protected Health Information (PHI) under the Privacy and Security Rules and, when applicable, the Breach Notification Rule. Command units themselves are not covered entities when acting solely as commanders or employers, but PHI maintained by MTFs remains protected.
Who is covered and what that means
- MTFs and TRICARE health plans must implement administrative, physical, and technical safeguards for electronic PHI, manage workforce access, and maintain role-based controls.
- Business associates (e.g., billing, IT, telehealth contractors) must sign agreements and meet Security Rule requirements.
- The Minimum Necessary Standard applies to most uses and disclosures other than treatment, disclosures to the individual, and certain required-by-law releases.
- Public Health Exemptions allow reporting to public health authorities (for example, communicable disease or adverse event reporting) and are distinct from any military-specific permissions.
Military Command Exception
The Military Command Exception permits HIPAA covered entities within the Armed Forces to disclose PHI about service members to appropriate military command authorities for mission-essential purposes. Typical purposes include determining fitness for duty, deployment, or other readiness determinations. It does not apply to dependents, retirees, or most civilian employees.
Permissible purposes and typical recipients
- Mission readiness: deployment-limiting conditions, duty restrictions, and return-to-duty status.
- Fitness, suitability, and assignment determinations, including compliance with medical profiles or orders.
- Serious and imminent threats to health or safety where command involvement is needed to mitigate risk.
Guardrails you must apply
- Disclose only to appropriate command authorities designated by policy, and verify identity and role before sharing.
- Limit the content to the Minimum Necessary Standard; share status and restrictions rather than full diagnoses when feasible.
- Document the disclosure as a non-TPO disclosure (one not made for treatment, payment, or health care operations) so it appears in the patient's accounting of disclosures.
- Do not disclose psychotherapy notes under this exception, and never use it to satisfy general curiosity or to go fishing for disciplinary material.
Mental Health and Substance Abuse Disclosures
Mental health information is PHI and is generally subject to the same HIPAA protections as other clinical data, with important added Mental Health Disclosure Restrictions. Psychotherapy notes receive heightened protection, and federally assisted substance use disorder programs may also be subject to 42 CFR Part 2, which can be stricter than HIPAA.
Psychotherapy notes
Psychotherapy notes (the clinician’s separate, personal notes from counseling sessions) generally require a specific patient authorization before disclosure. Limited exceptions exist, such as to avert a serious and imminent threat or where disclosure is expressly required by law. Routine command updates should not include psychotherapy notes; use objective status and duty-impact information instead.
Substance use disorder information
Records from federally assisted substance use disorder programs are often protected by 42 CFR Part 2. Disclosures to commanders typically require the service member’s written consent or a qualifying exception (for example, a bona fide medical emergency or a court order). When HIPAA and Part 2 both apply, follow the more protective rule and share only the minimum necessary.
Medical Appointment Notifications
Appointment reminders are permitted as part of treatment communications under the HIPAA Privacy Rule. You may use phone, mail, secure portals, or email/text for reminders, provided you safeguard ePHI under the Security Rule and limit message content.
- Keep content minimal: date, time, location, callback number, and generic instructions. Avoid diagnoses, unit affiliations, or deployment status.
- Use the Minimum Necessary Standard for internal workflows and apply reasonable safeguards (for example, discreet voicemail). Offer secure messaging when feasible and honor reasonable patient preferences for confidential communications.
- Do not send reminders to a commander or unit address; reminders go to the patient unless the patient designates another recipient.
Non-Military Providers
Civilian network providers and hospitals caring for service members are HIPAA covered entities but are not themselves entitled to use the Military Command Exception. They should handle requests from commanders like any other third-party request for PHI.
- Disclose to command only with a valid HIPAA authorization naming the commander, when required by law, to avert a serious and imminent threat, or under other narrowly tailored HIPAA permissions.
- When performing an employer-requested fitness-for-duty or workplace medical evaluation, you may disclose the results to the employer as permitted by HIPAA's occupational health provisions, limited to work-related findings.
- If you are a business associate or subcontractor for a DoD covered entity, follow the applicable agreement and safeguard ePHI under the Security Rule.
Patient Rights under HIPAA
Service members retain HIPAA rights, though certain requests can be declined when a disclosure is required or specifically permitted by law or policy. Understanding these rights helps you navigate care, readiness needs, and privacy.
- Access and copies: You may obtain your records, with standard exceptions (for example, psychotherapy notes or where access would endanger someone).
- Amendments: You can request corrections to inaccurate or incomplete information; denials must be explained and may be appealed.
- Accounting of disclosures: You can request an accounting of non-TPO disclosures, which generally includes Military Command Exception disclosures unless restricted by law.
- Restrictions: You may ask an MTF to limit certain uses or disclosures; the MTF may decline if it conflicts with mission needs or legal allowances.
- Confidential communications: You can request alternative addresses or contact methods; MTFs must accommodate reasonable requests when feasible.
- Notice of Privacy Practices: You are entitled to receive an NPP that explains routine uses, Public Health Exemptions, and the Military Command Exception.
DoD Health Information Privacy Regulation
The Department of Defense Health Information Privacy Regulation implements HIPAA across the Military Health System. It defines appropriate command authorities, specifies what information may be shared for readiness, operationalizes the Minimum Necessary Standard, and sets training, sanctions, and breach response expectations. It aligns HIPAA Privacy and Security Rules with military operational needs while preserving core patient protections.
Conclusion
Military health facilities must balance mission readiness with robust privacy. Apply the Minimum Necessary Standard, verify command authority, document non-TPO disclosures, and honor patient rights. Non-military providers should not treat command requests as automatic; share only when HIPAA permits or the patient authorizes.
FAQs
What is the Military Command Exception under HIPAA?
It allows HIPAA covered entities within the Armed Forces to disclose a service member’s PHI to appropriate command authorities for mission-essential purposes, such as fitness for duty or deployment decisions. Disclosures must be limited to the minimum necessary and documented, and the exception does not extend to dependents or retirees.
How does HIPAA apply to mental health disclosures in military health facilities?
Mental health information is PHI and generally protected. Psychotherapy notes have special safeguards and typically require explicit patient authorization. Command notifications are permitted only for defined readiness or safety needs, and any disclosure must be limited in scope. If 42 CFR Part 2 applies to substance use disorder records, stricter consent rules often govern.
What patient rights are protected under HIPAA for service members?
You have rights to access and request copies, seek amendments, obtain an accounting of non-TPO disclosures, request reasonable restrictions, and ask for confidential communications. Facilities provide a Notice of Privacy Practices that explains routine uses and permissible exceptions, including command and public health.
When can commanders access a soldier's protected health information?
Commanders may receive PHI only for mission-related purposes, such as readiness, fitness, safety threats, or compliance with medical profiles, and only the minimum necessary information should be shared. Requests must come from an appropriate command authority, and disclosures should be documented; routine clinical details and psychotherapy notes are not shared absent a qualifying exception or authorization.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.