[Federal Register Volume 65, Number 248 (Tuesday, December 26, 2000)]
[Presidential Documents]
[Pages 81321-81323]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 00-33004]


 
 

 ___________________________________________________________________

 Title 3--
 The President

[[Page 81321]]

                Executive Order 13181 of December 20, 2000

                
                To Protect the Privacy of Protected Health 
                Information in Oversight Investigations

                By the authority vested in me as President of the 
                United States by the Constitution and the laws of the 
                United States of America, it is ordered as follows:

                Section 1. Policy.

                It shall be the policy of the Government of the United 
                States that law enforcement may not use protected 
                health information concerning an individual that is 
                discovered during the course of health oversight 
                activities for unrelated civil, administrative, or 
                criminal investigations of a non-health oversight 
                matter, except when the balance of relevant factors 
                weighs clearly in favor of its use. That is, protected 
                health information may not be so used unless the public 
                interest and the need for disclosure clearly outweigh 
                the potential for injury to the patient, to the 
                physician-patient relationship, and to the treatment 
                services. Protecting the privacy of patients' protected 
                health information promotes trust in the health care 
                system. It improves the quality of health care by 
                fostering an environment in which patients can feel 
                more comfortable in providing health care professionals 
                with accurate and detailed information about their 
                personal health. In order to provide greater 
                protections to patients' privacy, the Department of 
                Health and Human Services is issuing final regulations 
                concerning the confidentiality of individually 
                identifiable health information under the Health 
                Insurance Portability and Accountability Act of 1996 
                (HIPAA). HIPAA applies only to ``covered entities,'' 
                such as health care plans, providers, and 
                clearinghouses. HIPAA regulations therefore do not 
                apply to other organizations and individuals that gain 
                access to protected health information, including 
                Federal officials who gain access to health records 
                during health oversight activities.

                Under the new HIPAA regulations, health oversight 
                investigators will appropriately have ready access to 
                medical records for oversight purposes. Health 
                oversight investigators generally do not seek access to 
                the medical records of a particular patient, but 
                instead review large numbers of records to determine 
                whether a health care provider or organization is 
                violating the law, such as through fraud against the 
                Medicare system. Access to many health records is often 
                necessary in order to gain enough evidence to detect 
                and bring enforcement actions against fraud in the 
                health care system. Stricter rules apply under the 
                HIPAA regulations, however, when law enforcement 
                officials seek protected health information in order to 
                investigate criminal activity outside of the health 
                oversight realm.

                In the course of their efforts to protect the health 
                care system, health oversight investigators may also 
                uncover evidence of wrongdoing unrelated to the health 
                care system, such as evidence of criminal conduct by an 
                individual who has sought health care. For records 
                containing that evidence, the issue thus arises whether 
                the information should be available for law enforcement 
                purposes under the less restrictive oversight rules or 
                the more restrictive rules that apply to non-oversight 
                criminal investigations.

                A similar issue has arisen in other circumstances. 
                Under 18 U.S.C. 3486, an individual's health records 
                obtained for health oversight purposes pursuant to an 
                administrative subpoena may not be used against that 
                individual patient in an unrelated investigation by law 
                enforcement unless a judicial officer finds good cause. 
                Under that statute, a judicial officer determines 
                whether there is good cause by weighing the public 
                interest and the need for disclosure against the 
                potential for injury to the patient, to the physician-
                patient relationship, and to the treatment services. It 
                is appropriate to extend limitations on the use of 
                health information to all situations in which the 
                government obtains medical records for a health 
                oversight purpose. In recognition of the increasing 
                importance of protecting health information as shown in 
                the medical privacy rule, a higher standard than exists 
                in 18 U.S.C. 3486 is necessary. It is, therefore, the 
                policy of the Government of the United States that law 
                enforcement may not use protected health information 
                concerning an individual, discovered during the course 
                of health oversight activities for unrelated civil, 
                administrative, or criminal investigations, against 
                that individual except when the balance of relevant 
                factors weighs clearly in favor of its use. That is, 
                protected health information may not be so used unless 
                the public interest and the need for disclosure clearly 
                outweigh the potential for injury to the patient, to 
                the physician-patient relationship, and to the 
                treatment services.

                Sec. 2. Definitions. 

                    (a) ``Health oversight activities'' shall include 
                the oversight activities enumerated in the regulations 
                concerning the confidentiality of individually 
                identifiable health information promulgated by the 
                Secretary of Health and Human Services pursuant to the 
                ``Health Insurance Portability and Accountability Act 
                of 1996,'' as amended.
                    (b) ``Protected health information'' shall have the 
                meaning ascribed to it in the regulations concerning 
                the confidentiality of individually identifiable health 
                information promulgated by the Secretary of Health and 
                Human Services pursuant to the ``Health Insurance 
                Portability and Accountability Act of 1996,'' as 
                amended.
                    (c) ``Injury to the patient'' includes injury to 
                the privacy interests of the patient.

                Sec. 3. Implementation. 

                    (a) Protected health information concerning an 
                individual patient discovered during the course of 
                health oversight activities shall not be used against 
                that individual patient in an unrelated civil, 
                administrative, or criminal investigation of a non-
                health oversight matter unless the Deputy Attorney 
                General of the U.S. Department of Justice, or insofar as 
                the protected health information involves members of 
                the Armed Forces, the General Counsel of the U.S. 
                Department of Defense, has authorized such use.
                    (b) In assessing whether protected health 
                information should be used under subparagraph (a) of 
                this section, the Deputy Attorney General shall permit 
                such use upon concluding that the balance of relevant 
                factors weighs clearly in favor of its use. That is, 
                the Deputy Attorney General shall permit disclosure if 
                the public interest and the need for disclosure clearly 
                outweigh the potential for injury to the patient, to 
                the physician-patient relationship, and to the 
                treatment services.
                    (c) Upon the decision to use protected health 
                information under subparagraph (a) of this section, the 
                Deputy Attorney General, in determining the extent to 
                which this information should be used, shall impose 
                appropriate safeguards against unauthorized use.
                    (d) On an annual basis, the Department of Justice, 
                in consultation with the Department of Health and 
                Human Services, shall provide to the President of the 
                United States a report that includes the following 
                information:
                    (i) the number of requests made to the Deputy 
                Attorney General for authorization to use protected 
                health information discovered during health oversight 
                activities in a non-health oversight, unrelated 
                investigation;
                    (ii) the number of requests that were granted as 
                applied for, granted as modified, or denied;
                    (iii) the agencies that made the applications, and 
                the number of requests made by each agency; and
                    (iv) the uses for which the protected health 
                information was authorized.
                    (e) The General Counsel of the U.S. Department of 
                Defense will comply with the requirements of 
                subparagraphs (b), (c), and (d), above. The General 
                Counsel also will prepare a report, consistent with the 
                requirements of subparagraphs (d)(i) through (d)(iv), 
                above, and will forward it to the Department of Justice 
                where it will be incorporated into the Department's 
                annual report to the President.

                Sec. 4. Exceptions.

                    (a) Nothing in this Executive Order shall place a 
                restriction on the derivative use of protected health 
                information that was obtained by a law enforcement 
                agency in a non-health oversight investigation.
                    (b) Nothing in this Executive Order shall be 
                interpreted to place a restriction on a duty imposed by 
                statute.
                    (c) Nothing in this Executive Order shall place any 
                additional limitation on the derivative use of health 
                information obtained by the Attorney General pursuant 
                to the provisions of 18 U.S.C. 3486.
                    (d) This order does not create any right or 
                benefit, substantive or procedural, enforceable at law 
                by a party against the United States, the officers and 
                employees, or any other person.

                    (Presidential Sig.)

                THE WHITE HOUSE,

                     December 20, 2000.

[FR Doc. 00-33004
Filed 12-22-00; 8:45 am]
Billing code 3195-01-P