By the authority vested in me as President of the United States by
the Constitution and the laws of the United States of America, it is
ordered as follows:
Section 1. Policy.
It shall be the policy of the Government of the United States that law
enforcement may not use protected health information concerning an individual
that is discovered during the course of health oversight activities
for unrelated civil, administrative, or criminal investigations of a
non-health oversight matter, except when the balance of relevant factors
weighs clearly in favor of its use. That is, protected health information
may not be so used unless the public interest and the need for disclosure
clearly outweigh the potential for injury to the patient, to the physician-patient
relationship, and to the treatment services. Protecting the privacy
of patients' protected health information promotes trust in the health
care system. It improves the quality of health care by fostering an
environment in which patients can feel more comfortable in providing
health care professionals with accurate and detailed information about
their personal health. In order to provide greater protections to patients'
privacy, the Department of Health and Human Services is issuing final
regulations concerning the confidentiality of individually identifiable
health information under the Health Insurance Portability and Accountability
Act of 1996 (HIPAA). HIPAA applies only to "covered entities,"
such as health care plans, providers, and clearinghouses. HIPAA regulations
therefore do not apply to other organizations and individuals that gain
access to protected health information, including Federal officials
who gain access to health records during health oversight activities.
Under the new HIPAA regulations, health oversight investigators will
appropriately have ready access to medical records for oversight purposes.
Health oversight investigators generally do not seek access to the medical
records of a particular patient, but instead review large numbers of
records to determine whether a health care provider or organization
is violating the law, such as through fraud against the Medicare system.
Access to many health records is often necessary in order to gain enough
evidence to detect and bring enforcement actions against fraud in the
health care system. Stricter rules apply under the HIPAA regulations,
however, when law enforcement officials seek protected health information
in order to investigate criminal activity outside of the health oversight
realm.
In the course of their efforts to protect the health care system, health
oversight investigators may also uncover evidence of wrongdoing unrelated
to the health care system, such as evidence of criminal conduct by an
individual who has sought health care. For records containing that evidence,
the issue thus arises whether the information should be available for
law enforcement purposes under the less restrictive oversight rules
or the more restrictive rules that apply to non-oversight criminal investigations.
A similar issue has arisen in other circumstances. Under 18 U.S.C.
3486, an individual's health records obtained for health oversight purposes
pursuant to an administrative subpoena may not be used against that
individual patient in an unrelated investigation by law enforcement
unless a judicial officer finds good cause. Under that statute, a judicial
officer determines whether there is good cause by weighing the public
interest and the need for disclosure against the potential for injury
to the patient, to the physician-patient relationship, and to the treatment
services. It is appropriate to extend limitations on the use of health
information to all situations in which the government obtains medical
records for a health oversight purpose. In recognition of the increasing
importance of protecting health information as shown in the medical
privacy rule, a higher standard than exists in 18 U.S.C. 3486 is necessary.
It is, therefore, the policy of the Government of the United States
that law enforcement may not use protected health information concerning
an individual, discovered during the course of health oversight activities
for unrelated civil, administrative, or criminal investigations, against
that individual except when the balance of relevant factors weighs clearly
in favor of its use. That is, protected health information may not be
so used unless the public interest and the need for disclosure clearly
outweigh the potential for injury to the patient, to the physician-patient
relationship, and to the treatment services.
Sec. 2. Definitions.
(a) "Health oversight activities" shall include the oversight
activities enumerated in the regulations concerning the confidentiality
of individually identifiable health information promulgated by the Secretary
of Health and Human Services pursuant to the "Health Insurance
Portability and Accountability Act of 1996," as amended.
(b) "Protected health information" shall have the meaning
ascribed to it in the regulations concerning the confidentiality of
individually identifiable health information promulgated by the Secretary
of Health and Human Services pursuant to the "Health Insurance
Portability and Accountability Act of 1996," as amended.
(c) "Injury to the patient" includes injury to the privacy
interests of the patient.
Sec. 3. Implementation.
(a) Protected health information concerning an individual patient discovered
during the course of health oversight activities shall not be used against
that individual patient in an unrelated civil, administrative, or criminal
investigation of a non-health oversight matter unless the Deputy Attorney
General of the U.S. Department of Justice, or insofar as the protected
health information involves members of the Armed Forces, the General
Counsel of the U.S. Department of Defense, has authorized such use.
(b) In assessing whether protected health information should be used
under subparagraph (a) of this section, the Deputy Attorney General
shall permit such use upon concluding that the balance of relevant factors
weighs clearly in favor of its use. That is, the Deputy Attorney General
shall permit disclosure if the public interest and the need for disclosure
clearly outweigh the potential for injury to the patient, to the physician-patient
relationship, and to the treatment services.
(c) Upon the decision to use protected health information under subparagraph
(a) of this section, the Deputy Attorney General, in determining the
extent to which this information should be used, shall impose appropriate
safeguards against unauthorized use.
(d) On an annual basis, the Department of Justice, in consultation with
the Department of Health and Human Services, shall provide to the President
of the United States a report that includes the following information:
(i) the number of requests made to the Deputy Attorney General for authorization
to use protected health information discovered during health oversight
activities in a non-health oversight, unrelated investigation;
(ii) the number of requests that were granted as applied for, granted
as modified, or denied;
(iii) the agencies that made the applications, and the number of requests
made by each agency; and
(iv) the uses for which the protected health information was authorized.
(e) The General Counsel of the U.S. Department of Defense will comply
with the requirements of subparagraphs (b), (c), and (d), above. The
General Counsel also will prepare a report, consistent with the requirements
of subparagraphs (d)(i) through (d)(iv), above, and will forward it
to the Department of Justice where it will be incorporated into the
Department's annual report to the President.
Sec. 4. Exceptions.
(a) Nothing in this Executive Order shall place a restriction on the
derivative use of protected health information that was obtained by
a law enforcement agency in a non-health oversight investigation.
(b) Nothing in this Executive Order shall be interpreted to place a
restriction on a duty imposed by statute.
(c) Nothing in this Executive Order shall place any additional limitation
on the derivative use of health information obtained by the Attorney
General pursuant to the provisions of 18 U.S.C. 3486.
(d) This order does not create any right or benefit, substantive or
procedural, enforceable at law by a party against the United States,
the officers and employees, or any other person.
/s/William J. Clinton
THE WHITE HOUSE,
December 20, 2000.