
Understanding HIPAA's Military Command Exception


The Military Command Exception under HIPAA allows health information of military personnel to be shared with military leaders without needing the individual’s permission, if it’s necessary for carrying out military duties. 


Understanding the Military Command Exception

The Military Command Exception is a provision under HIPAA that permits covered entities to disclose service members' protected health information (PHI) to appropriate military command authorities for specific authorized activities related to the military mission. Note that the exception does not require covered entities to disclose PHI to commanders; it only allows them to do so when necessary for approved military activities.

This exception ensures that military commanders have access to relevant health information when making informed decisions about service members' fitness for duty, assignment capabilities, and other necessary activities for the military's operational readiness.

See also: How HIPAA and military healthcare regulations intersect


Who does it apply to?

The Military Command Exception applies to healthcare providers who treat service members, military medical facilities, and any other covered entities that may have access to and handle the PHI of service members. These covered entities may include:

  1. Military healthcare providers: Healthcare providers within the Military Health System (MHS), including military hospitals, clinics, and medical personnel.
  2. Civilian healthcare providers: Some civilian healthcare providers may also be considered covered entities if they provide healthcare services to service members, either through contracts with the military or as part of the TRICARE program.
  3. Military medical facilities: This includes any medical facilities operated by the military or Department of Defense (DoD) that handle PHI of service members.
  4. Health plans: Health plans that provide coverage to service members and their families, including TRICARE and other military health insurance programs.
  5. Business associates: Business associates of covered entities that handle PHI on behalf of the military or DoD are also subject to the "Military Command Exception" if they are involved in authorized activities related to the military mission.


Limitations to the Military Command Exception

The "Military Command Exception" does not grant commanders direct access to a service member's electronic medical records unless explicitly authorized by the service member or permitted by the HIPAA Privacy Rule. Commanders or other authorized officials who do receive PHI from covered entities must protect the information in accordance with the Privacy Act of 1974. Information should be restricted to personnel with a specific need to know, and they should be accountable for safeguarding the information.

Under DoD Instruction 6490.08, healthcare providers generally do not notify a service member's commander about mental health care and substance misuse education services unless specific conditions or circumstances apply. If any of these conditions or circumstances exist, disclosure to the commander may be required. Furthermore, covered entities must ensure that any disclosure under the "Military Command Exception" is consistent with the proper execution of the military mission.

See also: HIPAA Compliant Email: The Definitive Guide



Who qualifies for information disclosure under the Military Command Exception?

Armed Forces personnel, including members of the military, naval, and air forces, may have their health information disclosed under this exception.


To whom can health information be disclosed under this exception?

Health information can be disclosed to authorized military command authorities who need such information to carry out missions related to military duties.


What type of health information can be disclosed?

Any health information necessary for executing military missions, such as medical fitness, deployment readiness, or overall health status relevant to the service member's duties.
