MEMORANDUM FOR RECORD

SUBJECT: Opine Concerning HIPAA Effect on OIC Access to Profile

1. BLUF. A brigade level Officer-in-charge (OIC) does not violate the Health Insurance
Portability and Accountability Act of 1986 when requesting access to profile limitations of
subordinate Service Members. However, command involvement is necessary to closely
tailor any information provided.

2. FACTS. Brigade-level S4 OIC requested the parameters of profile issued for the
assigned Master Sergeant (MSG, E-8). MSG originally stated that she was on profile
and limited duty for a knee injury. The MSG continued to cite the profile limitations to
avoid participating in a large scale field exercise. OIC asked for a copy of the profile to
accommodate the MSG while executing the S4 responsibilities in a dual environment,
field and garrison.MSG refused to provide the profile citing HIPAA protections.

3. LAW. The disclosure of personal health information (PHI) is controlled by HIPAA as

enacted by Department of Defense Instruction(DODI) 6025.18, Health Insurance
Portability And Accountability Act (HIPAA) Privacy Rule Compliance In DOD Health
Care Programs. PHI is defined as Individually identifiable health information that is
transmitted or maintained by electronic or any other form or medium. (Id.) For purposes
of Paragraph 4.4.k.(1)(a), appropriate military command authorities are: All commanders
who exercise authority over an individual who is a Service member, or other person
designated by such a commander to receive PHI in order to carry out an activity under
the commander’s authority. In accordance with Paragraph 4.4.k.(1)(a), the PHI of an
individual who is a Service member may be used or disclosed to: determine the
member’s fitness to perform any particular mission, assignment, order, or duty, including
compliance with any actions required as a precondition to performance of such mission,
assignment, order, or duty. (DoDM 6025.184.4.k(1)(c)(2)). DODI 6025.18-R outlines
what is often referred to as the "military command exception," which authorizes that "a
covered entity (including a covered entity not part of or affiliated with the Department of
Defense) may use and disclose the protected health information of individuals who are
Armed Forces personnel for activities deemed necessary by appropriate military
command authorities to assure the proper execution of the military mission."

1
4. ANALYSIS. The physical profile and request for restricted duty of the MSG was
issued by a medical provider at Carl R. Darnell Army Medical Center, a covered entity.
Therefore, any identifiable personal health information must comply with HIPAA. The
military exception allows for disclosure to a commander to determine execution of the
military mission. Additionally, the unit surgeon or physician assistant would be covered
entities that could communicate with the hospital provider without violating HIPAA. The
question is, whether the OIC of a brigade-level section of the command would qualify as
a commander included under the military exception. On an initial reading, it would
appear that they would not as they don’t have command authority over their section.
They are in charge but not commanders. However, a reading of DODI 6025.18, para.
4.4.k.(1)(a), a commander could designate another to receive information on a need to
know policy with HIPAA protections reiterated. It is recommended that this designation
is in writing, thus providing notice to all effected Service Members about the access to
their PHI by someone other than the commander. It would also be recommended that
the information provided be limited to the least amount necessary to determine
accommodations for temporary conditions. To execute the military mission, the person
in charge needs to know the limitations of their team members. If a Service Member is
not willing to provide the information voluntarily, supervisors need a process to receive
the needed information. This analysis is limited to the facts of a profile restricting
physical activity. An analysis regarding substance abuse care or behavioral health
information could be different.

5. RECOMMENDATIONS.

a. The brigade commander ICW the brigade surgeon and legal advisor should
develop a policy wherein brigade-level OICs should have access to the PHI included in
profiles restricting the physical activity of the Service Members assigned to their section
if denied access by the Service Member.
b. The policy should restrict access to the minimum amount of information to make a
determination of the Service Member’s participation in their assigned duties and
activities.

3. The point of contact for this opine is the undersigned at email@mail.mil or DSN ###-
###-####.

2
3