Protection and Confidentiality of Individually Identifiable Medical Information

Office of the Deputy Attorney General

Washington, D.C. 20530

October 15, 1998

MEMORANDUM

TO: Heads of Department Components
All United States Attorneys
FROM: Eric H. Holder, Jr
Deputy Attorney General
SUBJECT: Protection and Confidentiality of Individually Identifiable Medical Information

This Memorandum is being distributed to re-emphasize the
paramount importance of protecting the confidentiality of
individually identifiable health information and protecting the
privacy of individuals whose health information is received by the
Department in its law enforcement activities. While it is often
necessary and appropriate for us to obtain such information in the
area of law enforcement investigations, we should make every effort
to assure that individual privacy is protected.

As a consequence of the Department's growing number of health
care fraud matters, the volume of documents containing individually
identifiable health information received and managed by the
Department's employees has significantly increased. The Attorney
General, in conjunction with the Secretary of Health and Human
Services, issued "Guidelines for Implementation of the Health Care
Fraud & Abuse Control Program" in January 1997, which directly
address the protection of the confidentiality of individually
identifiable health information and the privacy of those individuals
whose health information is disclosed to Federal, State and local
law enforcement programs in connection with activities conducted
pursuant to the Health Care Fraud and Abuse Control Program.
(Section VI "Confidentiality Procedures: Provision and Use of
Information and Data"). The Department is firmly committed to strict
adherence to these guidelines and further intends that they be
applied to all individually identifiable health information, without
regard to the purpose for which the information is received by the
Department.

The term "individually identifiable health information" should
not be interpreted narrowly. There are many instances where
information which discloses something about the medical condition of
an individual is included in documents which may not traditionally
be considered part of a "medical chart," for example, in health care
billing records, in laboratory testing reports, or in insurance
documents. Also, beyond a patient's name and social security number,
other information (such as spouse's name, unique hospital patient
number, emergency contact individual and number, hospital procedure
combined with discharge date or birth date) could be used to
individually identify a patient, depending on the circumstances.

We can take various steps to protect the individually
identifiable health information which comes into our possession. For
example, when defense requests are made for discovery or production
of health information in the possession of the government, the
presumption should be that it is incumbent on the government to
obtain a protective order, either by consent or motion, which
restricts the further dissemination of health information, limits
access to such information to those individuals necessary to the
defense, and requires the destruction or return of such information
when it is no longer needed. Furthermore, when health information
must be included in motions or submitted as exhibits at trial,
wherever possible, this information should either be redacted to
remove individual patient identifiers, submitted under seal, or
blind coded to protect patient identities from unnecessary public
disclosure, all with court permission if required. Assistant United
States Attorneys and Department attorneys should consult with their
supervisors or case reviewers before introducing medical records on
the public record. Within individual Departmental offices, access to
individually identifiable health information should be restricted to
those persons who have a legitimate need for access.

Medical record privacy is a matter of growing public awareness
and concern and it is incumbent on all employees of the Department
to treat health information with the utmost care and discretion. All
practicable steps to protect the privacy of individuals and the
confidentiality of individually identifiable health information must
be taken. I attach a copy of Section VI "Confidentiality Procedures:
Provision and Use of Information and Data," of the "Guidelines for
Implementation of the Health Care Fraud & Abuse Control Program" on
January 1, 1996, for your reference.

Attachment:
Guidelines for Implementation of the Health Care Fraud & Abuse Control Program