July 30, 2003
MEMORANDUM FOR HEADS OF DEPARTMENT COMPONENTS AND UNITED STATES ATTORNEYS
FROM: Larry D. Thompson
Deputy Attorney General
SUBJECT: Impact of HHS Privacy Rules on Department Operations
In the course of its duties, the Department of Justice routinely obtains medical records that contain individually identifiable information. These matters include, but are not limited to, federal tort litigation, violent crime prosecutions, child exploitation matters, health care fraud investigations, environmental crimes, civil rights investigations, the provision of medical care to individuals held in custody, and the provision of protective services to government officials.
As of April 14, 2003, health care providers, health care clearinghouses, and most health plans ("covered entities")[FN1] can disclose individually identifiable "protected health information" (PHI) only as permitted under federal regulations promulgated by the Secretary of Health and Human Services. These rules, titled the "Health Insurance Portability and Accountability Act of 1996 (HIPAA) Standards for Privacy of Individually Identifiable Health Information" (the "Rules"), govern any disclosure of PHI by covered entities, regardless of the purpose of the request, the manner in which it was requested, or the identity or function of the requestor.[FN2] For example, whether a covered entity is served with a grand jury subpoena, a civil investigative demand, an Inspector General subpoena, a trial subpoena, or receives an oral request, the covered entity can make a disclosure only in compliance with the Rules. Even in those matters where a government agency is our "client," if that agency is a covered entity (for example, a government hospital), it must abide by the Rules when disclosing protected health information to us for purposes of representation. Disclosures of protected health information in contravention of the Rules can subject an offender to civil monetary penalties or criminal prosecution. The criminal statute, which includes both misdemeanor and felony offenses, is found at 42 U.S.C. § 1320d-6.
It is incumbent on all Department components to be conversant with the limitations imposed on covered entities. While the Rules do not directly govern how the Department of Justice obtains and uses personal medical records (except if an individual component of the Department is also a covered entity), the Rules dictate the circumstances under which covered entities can make disclosures to us. The continued lawful disclosure of protected health information by covered entities will be facilitated whenever, in the frst instance, the Department identifies the provision of the Rules that permits a covered entity to make a disclosure requested by the Department and provides sufficient representations to assure the covered entity that the requested disclosure is permitted. For example, the Rules permit covered entities to make disclosures to the Department when it is investigating health care fraud, engaged in traditional law enforcement activities and investigations, or representing government agencies that are covered entities. However, the response of the covered entity will be governed by which provision of the Rules applies to the particular purpose for which the Department has made the request for disclosure. For example, covered entities are permitted to disclose only limited information to law enforcement agencies for the purpose of identifying and locating fugitives.
You should also be aware that these Rules do not supersede the prior guidance issued by the Department concerning the protection of confidentiality of medical information. The advent of these Rules provides an ideal opportunity to refamiliarize ourselves with the existing Department guidance and Presidential Executive Order No. 13181 on protecting the confidentiality of medical information. The 1997 Health Care Fraud and Abuse Control Program and Guidelines, promulgated by the Attorney General and the Secretary of Health and Human Services pursuant to the HIPAA, contain specific medical records privacy provisions applicable to health care fraud cases. The Deputy Attorney General (DAG) Memorandum dated October 15, 1998, on protection and confidentiality of individually identifiable health information, emphasized that these privacy provisions apply to all medical records received by the Department of Justice for all types of cases, not just cases pertaining to health care fraud. The memo stated that the term "medical records" should be interpreted broadly to include not only traditional patient files but also any health records or reports or health care billing records that contain individually identifiable health information or identify a person's health condition or treatment, whether through narrative, test results, or commonly used descriptive coding of treatment procedures or diagnoses. Such records may be in hard copy or electronic form. On August 30, 2000, a more detailed DAG memorandum provided guidelines on requesting, storing, using, and disposing of medical information and included a review of various statutory provisions that continue to be effective and govern the manner in whch we can obtain or use certain medical information, such as substance abuse patient records or records covered by the Federal Privacy Act, among others. Finally, Presidential Executive Order 13181, dated December 20, 2000, imposed limitations on the derivative use of certain derivative use of certain health information for subsequent non-health care fraud matters, which was first disclosed during a health care fraud investigation.
Materials concerning the Rules, as well as the HIPAA Fraud and Abuse Control Program Guidelines, the prior Deputy Attorney General guidance memos and Presidential Executive Order 13181 are contained in the Health Care Fraud Policy Manual, which can be found on the Department's Intranet. Also posted will be model forms for use in preparing requests to covered entities for the disclosure of protected health information. The Department also will conduct training sessions on the Rules.
FN 1. "Small health plans," namely those with annual receipts under $5 million, have until April 14, 2004, before the rule becomes enforceable against them. 45 C.F.R. 160.103.
FN 2. These rules can be found at 45 C.F.R. Parts 160 and 164.
[added February 2009] [cited in USAM 9-44.150]