Department of Justice Seal

Office of the Deputy Attorney General

Washington, D.C. 20530

October 15, 1998


TO: Heads of Department Components
All United States Attorneys
FROM: Eric H. Holder, Jr
Deputy Attorney General
SUBJECT: Protection and Confidentiality of Individually Identifiable Medical Information

This Memorandum is being distributed to re-emphasize the paramount importance of protecting the confidentiality of individually identifiable health information and protecting the privacy of individuals whose health information is received by the Department in its law enforcement activities. While it is often necessary and appropriate for us to obtain such information in the area of law enforcement investigations, we should make every effort to assure that individual privacy is protected.

As a consequence of the Department's growing number of health care fraud matters, the volume of documents containing individually identifiable health information received and managed by the Department's employees has significantly increased. The Attorney General, in conjunction with the Secretary of Health and Human Services, issued "Guidelines for Implementation of the Health Care Fraud & Abuse Control Program" in January 1997, which directly address the protection of the confidentiality of individually identifiable health information and the privacy of those individuals whose health information is disclosed to Federal, State and local law enforcement programs in connection with activities conducted pursuant to the Health Care Fraud and Abuse Control Program. (Section VI "Confidentiality Procedures: Provision and Use of Information and Data"). The Department is firmly committed to strict adherence to these guidelines and further intends that they be applied to all individually identifiable health information, without regard to the purpose for which the information is received by the Department.

The term "individually identifiable health information" should not be interpreted narrowly. There are many instances where information which discloses something about the medical condition of an individual is included in documents which may not traditionally be considered part of a "medical chart," for example, in health care billing records, in laboratory testing reports, or in insurance documents. Also, beyond a patient's name and social security number, other information (such as spouse's name, unique hospital patient number, emergency contact individual and number, hospital procedure combined with discharge date or birth date) could be used to individually identify a patient, depending on the circumstances.

We can take various steps to protect the individually identifiable health information which comes into our possession. For example, when defense requests are made for discovery or production of health information in the possession of the government, the presumption should be that it is incumbent on the government to obtain a protective order, either by consent or motion, which restricts the further dissemination of health information, limits access to such information to those individuals necessary to the defense, and requires the destruction or return of such information when it is no longer needed. Furthermore, when health information must be included in motions or submitted as exhibits at trial, wherever possible, this information should either be redacted to remove individual patient identifiers, submitted under seal, or blind coded to protect patient identities from unnecessary public disclosure, all with court permission if required. Assistant United States Attorneys and Department attorneys should consult with their supervisors or case reviewers before introducing medical records on the public record. Within individual Departmental offices, access to individually identifiable health information should be restricted to those persons who have a legitimate need for access.

Medical record privacy is a matter of growing public awareness and concern and it is incumbent on all employees of the Department to treat health information with the utmost care and discretion. All practicable steps to protect the privacy of individuals and the confidentiality of individually identifiable health information must be taken. I attach a copy of Section VI "Confidentiality Procedures: Provision and Use of Information and Data," of the "Guidelines for Implementation of the Health Care Fraud & Abuse Control Program" on January 1, 1996, for your reference.

Guidelines for Implementation of the Health Care Fraud & Abuse Control Program