
The Health Insurance Portability and Accountability Act (HIPAA) sets out rules for the protection of health information, but there are exceptions where this information can be disclosed without an individual's authorization. One such exception is the Military Command Exception, which permits the disclosure of protected health information of Armed Forces personnel under certain circumstances. This exception allows military leaders to access relevant health information to make informed decisions about service members' fitness for duty and other necessary activities for the military's operational readiness. While the military has historically had greater access to medical records, recent regulations have limited this access, and service members can file HIPAA complaints if they feel their privacy rights have been violated.
| Characteristics | Values |
|---|---|
| Military Command Exception | Permits the disclosure of protected health information (PHI) of Armed Forces personnel under special circumstances |
| Military Command Exception applicability | Covered entities may disclose PHI to military command authorities for activities related to the military mission |
| PHI access without permission | Military commanders can access PHI to make informed decisions about fitness for duty, assignments, and other necessary activities |
| PHI access with permission | Commanders can access a service member's electronic medical record if authorized by the member or the HIPAA Privacy Rule |
| HIPAA applicability | HIPAA and privacy rights are limited in the military, but the Privacy Act and HIPAA do apply |
| HIPAA compliance | Military personnel who violate HIPAA may face disciplinary or administrative action; members can file HIPAA complaints with the DoD entity, DHA Privacy Office, or HHS |
| HIPAA Privacy Rule exceptions | Disclosure to healthcare providers for treatment, disclosure to the individual, disclosure for complaint investigation, disclosure required by law, etc. |
Explore related products
$27.36 $64.99
What You'll Learn

Military Command Exception
The Health Insurance Portability and Accountability Act (HIPAA) includes the Military Command Exception, which permits the disclosure of protected health information (PHI) of Armed Forces personnel under special circumstances. This exception applies to HIPAA-covered entities, which include military treatment facilities.
Under this exception, covered entities may disclose the PHI of service members to appropriate military command authorities for authorized activities. This disclosure is permitted without the patient's authorization and is intended for reporting on the patient's fitness for duty, fitness to perform an assignment, or fitness to perform any other activity necessary for a military mission. Appropriate military command authorities include commanders who exercise authority over a service member or another person designated by a commander.
It is important to note that the Military Command Exception does not require covered entities to disclose PHI to commanders; it only permits such disclosure if deemed necessary for the proper execution of a military mission. Additionally, the exception does not grant commanders direct access to a service member's electronic medical record unless authorized by the service member or the HIPAA Privacy Rule.
The Military Command Exception allows for the disclosure of PHI to assure the proper execution of military missions while maintaining the privacy and security of service members' health information. It strikes a balance between the need for disclosure in certain circumstances and the protection of individuals' health information.
Lexington Law: Judgment Help or Hindrance?
You may want to see also
Explore related products

Protected health information (PHI)
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 and includes a Privacy Rule that safeguards Protected Health Information (PHI). PHI is any information within an individual's medical record that can be used to personally identify them and was created, used, or disclosed during diagnosis, treatment, or other healthcare services. This includes identifiers such as names, addresses, dates of birth, medical record numbers, health plan beneficiary numbers, and vehicle and device identifiers, among others.
PHI is strictly governed by HIPAA, and covered entities (CEs) must adhere to specific guidelines to ensure the confidentiality, integrity, and security of PHI. This includes implementing comprehensive administrative, physical, and technical safeguards for both electronic and hard copy PHI. Employees handling PHI should be trained in secure practices, such as creating strong passwords and promptly reporting data breaches.
HIPAA permits the disclosure of PHI under certain circumstances, such as for patient care and research, and in limited datasets for public health, healthcare operations, and public interest activities. Additionally, under the Military Command Exception, PHI of Armed Forces personnel may be disclosed to appropriate military command authorities if deemed necessary for the proper execution of a military mission. However, this exception does not permit direct access to a service member's electronic medical record without separate authorization.
PHI plays a critical role in patient care and healthcare operations, and its protection is essential to maintaining patient privacy and trust. Non-compliance with HIPAA regulations can result in civil monetary or criminal penalties.
Practicing Law: State-by-State Licensing for Lawyers
You may want to see also

Disclosure to military authorities
The Health Insurance Portability and Accountability Act (HIPAA) generally prohibits the disclosure of protected health information (PHI). However, under the Military Command Exception to the HIPAA Privacy Rule, there are special circumstances where covered entities, such as a DoD covered entity (CE), are permitted to disclose the PHI of service members and Armed Forces personnel to military authorities.
This exception allows for the disclosure of PHI to commanders or other appropriate military command authorities who exercise authority over a service member or a person designated by a commander. The information can only be disclosed for authorized activities deemed necessary to ensure the proper execution of a military mission. If disclosure is made, only the minimum amount of information necessary should be provided, in accordance with the HIPAA Privacy Rule.
It is important to note that the Military Command Exception does not grant commanders direct access to a service member's electronic medical records unless explicitly authorized by the service member or permitted by the HIPAA Privacy Rule. Commanders or other authorized officials who receive PHI from covered entities must protect the disclosed information in compliance with the Privacy Act of 1974.
The Military Command Exception applies to members of the military, naval, and air forces. It allows for the disclosure of health information to authorized military command authorities who require such information to carry out missions related to their military duties. This exception does not require covered entities to disclose PHI to commanders but permits them to do so under the specified conditions.
Scientific Laws: Unbreakable or Flexible?
You may want to see also

HIPAA Privacy Rule
The Health Insurance Portability and Accountability Act (HIPAA) was enacted on August 21, 1996. The U.S. Department of Health and Human Services ("HHS") issued the Privacy Rule to implement the requirement of HIPAA. The Privacy Rule standards address the use and disclosure of individuals' health information, collectively known as the Administrative Simplification provisions.
The HIPAA Privacy Rule provides a federal standard to safeguard the privacy of personal health information and gives patients an array of rights with respect to that information. This includes the right to examine and obtain a copy of their health records, request corrections, and control how their health information is used and disclosed. The Privacy Rule defines Protected Health Information (PHI) to include identifiers maintained in the same designated record set. All patients and plan members must be given a HIPAA Notice of Privacy Practices on the first encounter or as soon as reasonably possible. The Notice must explain what PHI may be disclosed, to whom, and why, as well as an individual's right to access, amend, or transfer their PHI.
Entities regulated by the Rule are obligated to comply with all its applicable requirements. This includes health plans, health care clearinghouses, and healthcare providers that transmit health information electronically. These are referred to as "covered entities." Business associates are also required to comply with the HIPAA Security Rule and, depending on the nature of the service, any applicable standards of the Administrative Requirements and HIPAA Privacy Rule.
Under the Military Command Exception to the HIPAA Privacy Rule, covered entities may use and disclose the PHI of Armed Forces members for activities deemed "necessary by appropriate military command authorities to assure the proper execution of the military mission." This exception does not require the disclosure of PHI to commanders, nor does it permit a commander's direct access to a service member's electronic medical record unless authorized by the service member or the HIPAA Privacy Rule.
Evolution of Law: Dynamic and Ever-Changing
You may want to see also

Disciplinary action for violation
The Health Insurance Portability and Accountability Act (HIPAA) permits the protected health information (PHI) of Armed Forces personnel to be disclosed under special circumstances. This is known as the Military Command Exception to the HIPAA Privacy Rule. Under this exception, covered entities may use and disclose the personal health information of military personnel if it is deemed necessary by the appropriate military command authorities to ensure the proper execution of a military mission. This exception does not require covered entities to disclose PHI to commanders but permits the disclosure. It is important to note that commanders do not have direct access to a service member's electronic medical record unless authorized by the service member or the HIPAA Privacy Rule.
When it comes to disciplinary action for violations of HIPAA, there are a few things to consider. Firstly, it is important to identify those involved in the breach and determine the type of breach that occurred. The recommended disciplinary actions for different types of breaches should be outlined in your organization's policy manual. For example, disciplinary action for a level 1 breach is typically not severe in nature. On the other hand, a level 3 breach may require the involvement of legal counsel to protect your organization.
In terms of penalties, HIPAA violations can result in civil and criminal penalties. The civil penalty structure is tiered, with the secretary of HHS having discretion in determining the penalty amount based on the nature and extent of the violation and the resulting harm. Financial penalties serve as a deterrent and hold entities accountable for protecting patient privacy and the confidentiality of health data. The penalty for unknowingly violating HIPAA is considered a penalty for disregarding security, and there is no excuse for such a violation. State Attorneys General can also issue additional fines, and affected individuals may be able to bring a class action lawsuit against the organization responsible for the violation.
To prevent HIPAA violations, organizations should implement comprehensive hiring processes and effective training programs. While annual training is common, it is important to make sure that employees find these sessions engaging and helpful rather than a waste of time.
Town vs State: Can Local Laws Override Statewide Ones?
You may want to see also
Frequently asked questions
The Military Command Exception is a provision under HIPAA that permits health information of military personnel to be shared with military leaders without needing the individual’s permission, if it’s deemed necessary for carrying out military duties and ensuring operational readiness.
PHI includes medical records, treatment information, and other personal health details.
PHI can be disclosed under certain circumstances, such as for public health activities, FDA-regulated activities, research purposes (with approval), and in cases of communicable diseases. It can also be shared with the individual the information is about or their personal representative.
Military personnel who violate HIPAA may face disciplinary or administrative action, and other sanctions may apply to DoD civilian employees and contractors. Members who feel their rights have been violated can file a HIPAA complaint with the DoD entity, the DHA Privacy Office, or HHS.













