skip to content
Release Of Information To The Military

Release Of Information To The Military

Legal HIMformation
(December 2007)

The HIPAA Privacy Rule authorizes the release of protected health information ("PHI") pertaining to active duty military personnel without their authorization "for activities deemed necessary by appropriate military command authorities to ensure the proper execution of the military mission," so long as an authorization notice has been published in the Federal Register.  45 C.F.R. 164.512(k).  Such notices were issued in 2003 by the Department of Defense and the Department of Homeland Security (Coast Guard), and they remain in effect.  Pursuant to those authorization notices, "appropriate military command authorities" who can request the PHI are: (1) the patient/military personnel's commanding officer or a person designated by that commanding officer; (2) the Secretary of Defense or the Secretary of the military branch to which the patient/military personnel belongs; or (3) any person designated by any Secretary listed above.

Additionally, PHI may be obtained by military command authorities for the following purposes:  (1) to determine the patient/military personnel's fitness for duty; (2) to determine the patient/military personnel's fitness to perform any particular mission, assignment, or order; (3) to carry out activities pursuant to the military's health surveillance guidelines; (4) to report casualties in any military operation or activity; and (5) "to carry out any other activity necessary to the proper execution of the mission of the armed forces."  The release categories are very broad, with item 5 being particularly expansive.

Although in many states an argument can be made that "more stringent" state law might not permit such disclosure, there is a strong body of Federal case law that holds that military personnel are in a unique position from the rest of the population and that they do not have the same rights of privacy as civilians because their military mission and the needs of the Armed Forces come first.  So, assuming that military personnel are not wellinformed about the distinctions between civilians and themselves with regard to HIPAA privacy rights, what can providers do to clarify things?

First, a provider might consider editing the language in its Notice of Privacy Practices to alert active duty military personnel that their PHI may be released for such purposes above and beyond national security/intelligence reasons.  Second, for providers in large military communities, you should consider having a memorandum of understanding (MOU) with the base command authorities specifying how requests for PHI will be made, by whom, and the procedures for handling this information.  In our experience, MOUs are very helpful in meeting everyone's expectations of routine privacy protecting behavior.  Third, providers might consider some type of form or other documentation (either within or outside the context of an MOU) that would permit the military requestor to certify that the PHI is being requested for one of the five authorized reasons listed above.

Finally, providers are reminded that dependents of military personnel are not treated in the same way as their military sponsors.  Although PHI can be disclosed to TriCare for payment purposes without patient permission (because of the enrollment agreement made with TriCare), all other uses and disclosures of PHI are governed by traditional HIPAA principles, including the provider's "more stringent" state law and "minimum necessary" analyses.

Associated Industries

Each of our lawyer's e-mail address is provided with his or her biography. If you are not a current client of our firm, you should not e-mail our lawyers with any confidential information or any information about a specific legal matter, given that our firm may presently represent persons or companies who have interests that are adverse to you. If you are not a current client and you e-mail any lawyer in our firm, you do so without any expectation of confidentiality. We will not establish a professional relationship with you via e-mail. Instead, you should contact our firm by telephone so that we can determine whether we are in a position to consult with you about any legal matters before you share any confidential or sensitive information with us.