potential for injury to the patient, to the physician-patient relationship, and to the treatment services. Protecting the privacy of patients' protected health information promotes trust in the health care system. It improves the quality of health care by fostering an environment in which patients can feel more comfortable in providing health care professionals with accurate and detailed information about their personal health. In order to provide greater protections to patients' privacy, the Department of Health and Human Services is issuing final regulations concerning the confidentiality of individually identifiable health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA applies only to “covered entities,” such as health care plans, providers, and clearinghouses. HIPAA regulations therefore do not apply to other organizations and individuals that gain access to protected health information, including Federal officials who gain access to health records during health oversight activities.
Under the new HIPAA regulations, health oversight investigators will appropriately have ready access to medical records for oversight purposes. Health oversight investigators generally do not seek access to the medical records of a particular patient, but instead review large numbers of records to determine whether a health care provider or organization is violating the law, such as through fraud against the Medicare system. Access to many health records is often necessary in order to gain enough evidence to detect and bring enforcement actions against fraud in the health care system. Stricter rules apply under the HIPAA regulations, however, when law enforcement officials seek protected health information in order to investigate criminal activity outside of the health oversight realm.
In the course of their efforts to protect the health care system, health oversight investigators may also uncover evidence of wrongdoing unrelated to the health care system, such as evidence of criminal conduct by an individual who has sought health care. For records containing that evidence, the issue thus arises whether the information should be available for law enforcement purposes under the less restrictive oversight rules or the more restrictive rules that apply to non-oversight criminal investigations.
A similar issue has arisen in other circumstances. Under 18 U.S.C. 3486, an individual's health records obtained for health oversight purposes pursuant to an administrative subpoena may not be used against that individual patient in an unrelated investigation by law enforcement unless a judicial officer finds good cause. Under that statute, a judicial officer determines whether there is good cause by weighing the public interest and the need for disclosure against the potential for injury to the patient, to the physicianpatient relationship, and to the treatment services. It is appropriate to extend limitations on the use of health information to all situations in which the government obtains medical records for a health oversight purpose. In recognition of the increasing importance of protecting health information as shown in the medical privacy rule, a higher standard than exists in 18 U.S.C. 3486 is necessary. It is, therefore, the policy of the Government of the United States that law enforcement may not use protected health information concerning an individual, discovered during the course of health oversight activities for unrelated civil, administrative, or criminal investigations, against that indi vidual except when the balance of relevant factors weighs clearly in favor of its use. That is, protected health information may not be so used unless the public interest and the need for
