[Weekly Compilation of Presidential Documents Volume 36, Number 51 (Monday, December 25, 2000)]
[Pages 3140-3143]
[Online from the Government Publishing Office, www.gpo.gov]

Executive Order 13181--To Protect the Privacy of Protected Health 
Information in Oversight Investigations

December 20, 2000

    By the authority vested in me as President of the United States by 
the Constitution and the laws of the United States of America, it is 
ordered as follows:
    Section 1. Policy.
    It shall be the policy of the Government of the United States that 
law enforcement may not use protected health information concerning an 
individual that is discovered during the course of health oversight 
activities for unrelated civil, administrative, or criminal 
investigations of a non-health oversight matter, except when the balance 
of relevant factors weighs clearly in favor of its use. That is, 
protected health information may not be so used unless the public 
interest and the need for disclosure clearly outweigh the potential for 
injury to the patient, to the physician-patient relationship, and to the 
treatment services. Protecting the privacy of patients' protected health 
information promotes trust in the health care system. It improves the 
quality of health care by fostering an environment in which patients can 
feel more comfortable in providing health care professionals with 
accurate and detailed information about their personal health. In order 
to provide greater protections to patients' privacy, the Department of 
Health and Human Services is issuing final regulations concerning the 
confidentiality of individually identifiable health information under 
the Health Insurance Portability and Accountability Act of 1996 (HIPAA). 
HIPAA applies only to ``covered entities,'' such as health care plans, 
providers, and clearinghouses. HIPAA regulations therefore do not apply 
to other organizations and individuals that gain access to protected 
health information, including Federal officials who gain access to 
health records during health oversight activities.
    Under the new HIPAA regulations, health oversight investigators will 
appropriately have ready access to medical records for oversight 
purposes. Health oversight investigators generally do not seek access to 
the medical records of a particular patient, but instead review large 
numbers of records to determine whether a health care provider or 
organization is violating the law, such as through fraud against the 
Medicare system. Access to many health records is often necessary in 
order to gain enough evidence to detect and bring enforcement actions 
against fraud in the health care system. Stricter rules apply under the 
HIPAA regulations, however, when law enforcement officials seek 
protected health information in order to investigate criminal activity 
outside of the health oversight realm.
    In the course of their efforts to protect the health care system, 
health oversight investigators may also uncover evidence of wrongdoing 
unrelated to the health care system, such as evidence of criminal 
conduct by an individual who has sought health care. For records 
containing that evidence, the issue thus arises whether the information 
should be available for law enforcement purposes under the less 
restrictive oversight rules or the more restrictive rules that apply to 
non-oversight criminal investigations.
    A similar issue has arisen in other circumstances. Under 18 U.S.C. 
3486, an individual's health records obtained for health oversight 
purposes pursuant to an administrative subpoena may not be used against 
that individual patient in an unrelated investigation by law enforcement 
unless a judicial officer finds good cause. Under that statute, a 
judicial officer determines whether there is good cause by weighing the 
public interest and the need for disclosure against the potential for 
injury to the patient, to the physician-patient relationship, and to the 
treatment services. It is appropriate to extend limitations on the use 
of health information to all situations in which the government obtains 
medical records for a health oversight purpose. In recognition of the 
increasing importance of protecting health information as shown in the 
medical privacy rule, a higher standard than exists in 18 U.S.C. 3486 is 
necessary. It is, therefore, the policy of the Government of the United 
States that law enforcement may not use protected health information 
concerning an individual, discovered during the course of health 
oversight activities for unrelated civil, administrative, or criminal 
investigations, against that individual except when the balance of 
relevant factors weighs clearly in favor of its use. That is, protected 
health information may not be so used unless the public interest and the 
need for disclosure clearly outweigh the potential for injury to the 
patient, to the physician-patient relationship, and to the treatment 
services.
    Sec. 2. Definitions.
(a)          ``Health oversight activities'' shall include the oversight 
            activities enumerated in the regulations concerning the 
            confidentiality of individually identifiable health 
            information promulgated by the Secretary of Health and Human 
            Services pursuant to the ``Health Insurance Portability and 
            Accountability Act of 1996,'' as amended.
(b)          ``Protected health information'' shall have the meaning 
            ascribed to it in the regulations concerning the 
            confidentiality of individually identifiable health 
            information promulgated by the Secretary of Health and Human 
            Services pursuant to the ``Health Insurance Portability and 
            Accountability Act of 1996,'' as amended.
(c)          ``Injury to the patient'' includes injury to the privacy 
            interests of the patient.
    Sec. 3. Implementation.
(a)          Protected health information concerning an individual 
            patient discovered during the course of health oversight 
            activities shall not be used against that individual patient 
            in an unrelated civil, administrative, or criminal 
            investigation of a non-health oversight matter unless the 
            Deputy Attorney General of the U.S. Department of Justice, or 
            insofar as the protected health information involves members 
            of the Armed Forces, the General Counsel of the U.S. 
            Department of Defense, has authorized such use.
(b)          In assessing whether protected health information should be 
            used under subparagraph (a) of this section, the Deputy 
            Attorney General shall permit such use upon concluding that 
            the balance of relevant factors weighs clearly in favor of 
            its use. That is, the Deputy Attorney General shall permit 
            disclosure if the public interest and the need for 
            disclosure clearly outweigh the potential for injury to the 
            patient, to the physician-patient relationship, and to the 
            treatment services.
(c)          Upon the decision to use protected health information under 
            subparagraph (a) of this section, the Deputy Attorney 
            General, in determining the extent to which this information 
            should be used, shall impose appropriate safeguards against 
            unauthorized use.
(d)          On an annual basis, the Department of Justice, in 
            consultation with the Department of Health and Human 
            Services, shall provide to the President of the United 
            States a report that includes the following information:
      (i) the number of requests made to the Deputy Attorney General for 
      authorization to use protected health information discovered 
      during health oversight activities in a non-health oversight, 
      unrelated investigation;
      (ii) the number of requests that were granted as applied for, 
      granted as modified, or denied;
      (iii) the agencies that made the applications, and the number of 
      requests made by each agency; and
      (iv) the uses for which the protected health information was 
      authorized.
(e)          The General Counsel of the U.S. Department of Defense will 
            comply with the requirements of subparagraphs (b), (c), and 
            (d), above. The General Counsel also will prepare a report, 
            consistent with the requirements of subparagraphs (d)(i) 
            through (d)(iv), above, and will forward it to the 
            Department of Justice where it will be incorporated into the 
            Department's annual report to the President.
    Sec. 4. Exceptions.
(a)          Nothing in this Executive Order shall place a restriction 
            on the derivative use of protected health information that 
            was obtained by a law enforcement agency in a non-health 
            oversight investigation.
(b)          Nothing in this Executive Order shall be interpreted to 
            place a restriction on a duty imposed by statute.
(c)          Nothing in this Executive Order shall place any additional 
            limitation on the derivative use of health information 
            obtained by the Attorney General pursuant to the provisions 
            of 18 U.S.C. 3486.
(d)          This order does not create any right or benefit, 
            substantive or procedural, enforceable at law by a party 
            against the United States, the officers and employees, or 
            any other person.
                                            William J. Clinton
 The White House,
 December 20, 2000.

 [Filed with the Office of the Federal Register, 8:45 a.m., December 22, 
2000]

Note: This Executive order will be published in the Federal Register on 
December 26.
