Military Health and HIPAA: What Service Members Need to Know
HIPAA Coverage of Military Healthcare Providers
Who is covered in the military health system
Military Treatment Facilities (MTFs), TRICARE as a health plan, and TRICARE-authorized network providers are HIPAA covered entities. Their vendors and contractors that handle Protected Health Information (PHI) are business associates and must meet TRICARE compliance requirements and HIPAA safeguards.
When you receive care at an MTF or from a TRICARE-authorized civilian provider, your PHI is protected by HIPAA’s Privacy Rule and Security Rule. The Minimum Necessary Standard limits routine uses and disclosures to what is needed for the stated purpose.
How HIPAA and the Privacy Act of 1974 work together
Because MTFs are federal entities, your medical record is also a federal “system of records” governed by the Privacy Act of 1974. That law complements HIPAA by granting access and amendment rights and placing additional limits on disclosures by federal agencies.
You will receive a Notice of Privacy Practices explaining how your PHI may be used and disclosed within the military health system, including disclosures unique to military service.
Military Command Exception and PHI Disclosure
HIPAA permits specific disclosures to appropriate military command authorities to ensure the proper execution of the military mission. This is known as the Military Command Exception and applies to PHI about service members when needed for readiness, assignment, fitness for duty, and mission safety.
In practice, information shared is focused on readiness: duty limitations/profiles, deployability impacts, immunization status, and recommendations necessary to mitigate risk. The Minimum Necessary Standard still applies—only the information needed to achieve the command purpose should be disclosed.
- Who may receive: commanders and other officials designated as appropriate command authorities.
- What you can expect: notification about limitations or risks, not a wholesale release of your entire record.
- How you are informed: the Notice of Privacy Practices describes this exception, and you may later request an Accounting of Disclosures.
Privacy Protections for Mental Health and Substance Abuse
Mental health information is PHI and protected by HIPAA. Psychotherapy notes receive heightened protection and typically require your written authorization for disclosure. When there is a serious and imminent threat to health or safety, limited disclosures may be made to prevent harm, consistent with the Minimum Necessary Standard.
Substance use disorder treatment records from federally assisted programs may be subject to additional confidentiality under 42 CFR Part 2. These records usually require your written consent for release; limited exceptions (such as medical emergencies or court orders) apply and are narrowly construed.
Even when command notification is allowed or required, providers should focus on readiness-relevant facts—such as duty limitations and safety concerns—rather than detailed session content. You can ask your provider how mental health or substance use information may be shared and request confidential communications when appropriate.
Service Member Rights Under HIPAA
- Access and copies: you can inspect and obtain paper or electronic copies of your PHI and direct a copy to a third party.
- Request an amendment: if something is inaccurate or incomplete, you may ask for a correction; if denied, you will receive a written reason and can submit a statement of disagreement.
- Notice of Privacy Practices: you have the right to receive and review the notice describing permitted uses and disclosures, including the Military Command Exception.
- Request restrictions: you may ask to limit certain uses or disclosures; MTFs generally will not agree to restrictions that conflict with mission needs or law. The special right to restrict disclosure to a health plan for services paid out-of-pocket in full is rarely applicable in MTF settings.
- Confidential communications: you may request communications to an alternative address or by alternate means when reasonable.
- Accounting of Disclosures: you may request a record of non-routine disclosures (for example, those made under specific legal allowances), subject to limited exceptions.
Limitations on PHI Restrictions in Military Context
Military operations narrow your ability to block certain flows of PHI. You generally cannot restrict disclosures that are required by law, necessary to avert a serious and imminent threat, or permitted to appropriate command authorities under the Military Command Exception to support readiness and safety.
Readiness-related information—fitness-for-duty determinations, duty limitations, immunization status, and deployment-limiting conditions—may be communicated to commanders. The out-of-pocket restriction that prevents disclosure to a health plan affects billing, not safety or mission-critical disclosures, and seldom fits MTF care models.
Compliance Requirements for Military Treatment Facilities
MTFs must implement written policies, designate privacy and security officials, train their workforce, and enforce sanctions for violations. Administrative, physical, and technical safeguards under the Security Rule protect electronic PHI through role-based access, auditing, and risk management.
TRICARE compliance requires network plans and vendors to sign business associate agreements, follow the Minimum Necessary Standard, and maintain secure systems. MTFs must provide a Notice of Privacy Practices, verify requester identity and authority, log required disclosures for an Accounting of Disclosures, and issue breach notifications if unsecured PHI is compromised.
Balancing Privacy and Military Operational Needs
The goal is to protect your privacy while ensuring commanders receive the information they need to keep you, your unit, and the mission safe. Providers should disclose only what is necessary, and you should be informed through the Notice of Privacy Practices and, when requested, via an Accounting of Disclosures.
- Ask upfront what information may be shared with command and why.
- Discuss duty limitations and readiness impacts with your clinician so recommendations are accurate and narrowly tailored.
- Use secure patient portals to review your record and keep personal copies of key documents.
- Contact the MTF privacy office if you believe your PHI was misused or you need help exercising your rights.
Conclusion
HIPAA protects your Protected Health Information across the military health system, while the Military Command Exception enables mission-focused, minimum-necessary disclosures. Understanding your rights—access, amendment, confidential communications, and an Accounting of Disclosures—helps you navigate care confidently while supporting operational readiness.
FAQs
How does HIPAA apply to military healthcare providers?
MTFs, TRICARE as a health plan, and TRICARE-authorized providers are covered by HIPAA, which safeguards your PHI and sets security requirements. You receive a Notice of Privacy Practices that explains routine uses and special military allowances.
What is the Military Command Exception under HIPAA?
It permits disclosures of a service member’s PHI to appropriate command authorities to ensure the proper execution of the military mission. Disclosures should follow the Minimum Necessary Standard and focus on readiness, safety, and duty limitations.
Can mental health information be disclosed to military commanders?
Yes, when necessary for mission readiness or to prevent a serious and imminent threat, limited information may be shared. Psychotherapy notes and certain substance use disorder records have heightened protections, and providers should disclose only what command needs to manage risk.
What rights do service members have regarding their medical records?
You can access and copy your records, request amendments, ask for confidential communications, and obtain an Accounting of Disclosures. You also receive a Notice of Privacy Practices and can request restrictions, recognizing that some limits do not apply in the military context.