The guidance below may be relied upon by private sector and governmental health providers and health plans outside the Military Health System (MHS).
Providers and health plans who disclose protected health information to military commanders must make reasonable efforts to limit the disclosure to the "minimum necessary" for assuring proper execution of the military mission. See DoD 6025.18-R , paragraph C8.2; 45 CFR 164.502(b), 164.514(d).
Military command authorities receiving protected health information are not covered entities subject to the HIPAA Privacy Rule, but they are subject to the Privacy Act of 1974 and DoD 5400.11-R , "DoD Privacy Program," May 14, 2007.
To “dispel the stigma of seeking mental health care and/or substance misuse education services,” DoD requires the following:
Healthcare providers shall follow a presumption that they are not to notify a Service member’s commander when the Service member obtains mental health care or substance abuse education services. … Unless this presumption is overcome by one of the notification standards listed in Enclosure 2 of this Instruction, there shall be no command notification. [DoDI 6490.08, paragraph 3.b]
Military commanders who receive protected health information, particularly when it involves mental health or substance abuse education, have special responsibilities to safeguard the information received and limit any further disclosure in accordance with the Privacy Act. See DoDI 6490.08 (Enclosure 2, paragraph 3), which provides:
COMMANDERS. Commanders shall protect information provided pursuant to this Instruction and DoD Directive 5400.11 …, as they should with any other health information. Information provided shall be restricted to personnel with a specific need to know; that is, access to the information must be necessary for the conduct of official duties. Such personnel shall also be accountable for protecting the information. Commanders must also reduce stigma through positive regard for those who seek mental health assistance to restore and maintain their mission readiness, just as they would view someone seeking treatment for any other medical issue.
Department of Health and Human Services (HHS) Guidance
DoD 6025.18-R, DoD Health Information Privacy Regulation, January 24, 2003, paragraph C7.11.1
68 Fed. Reg. 17357-58 (April 9, 2003) (notice required by 45 CFR 164.512(k)(1)(i))
DoDI 6025.18, Privacy of Individually Identifiable
Health Information in DoD Health Care Programs, Dec. 2, 2009, paragraph 4.b
DoDI 6490.08, Command Notification Requirements to Dispel Stigma in Providing Mental Health Care to Service Members, August 17, 2011
TMA Privacy Office Information Paper (Updated March 2013): Military Command Exception and Disclosing PHI of Armed Forces Personnel
Information on Service policies is available at the following Web pages:
Release of Protected Health Information, Oct. 18, 2010 (Army)
Release of Protected Health Information to Commanders, Oct. 8, 2010 (Army). This page includes links to OTSG/MEDCOM Policy Memo 10-042, Release of Protected Health Information (PHI) to Unit Command Officials, Jun. 30, 2010, and other resources (AKO/DKO log-in required)
The Military Commander and the Law, 2008 edition (Air Force), pp. 271-74