Good morning. I am John Bentivoglio, Special Counsel for Health Care Fraud in the Office of the Deputy Attorney General. I also serve as the Department's Chief Privacy Officer. I appreciate this opportunity to present the Department's views on medical records privacy legislation.

The Department supports the enactment of federal legislation to protect the confidentiality of patient health information. We recognize that patient medical records contain sensitive personal information, including past and present medical conditions, family medical history, prescription drugs, and similar information. And we are aware of the studies and reports on the misuse of confidential health information by employers, insurance companies, and private-sector entities. Accordingly, the Department supports the recommendations in the September 1997 report by the Secretary of Health and Human Services, which outlined a comprehensive framework for federal medical records privacy standards, including guidelines to ensure the security of identifiable health information, federal safeguards and consumer controls of information in medical records, and holding health care entities responsible for employees who misuse protected information.⁽¹⁾

In addition, we support the recommendations in the Secretary's report that call for strong sanctions for violations of patient confidentiality, including criminal penalties for knowing and intentional violations of federal medical records privacy laws.

At the same time, we urge you to recognize and accommodate the needs of the law enforcement community to investigate and prosecute civil and criminal offenses and to protect public safety. In many cases, our ability to investigate and prosecute serious crimes - including violent crime, health care fraud, and other offenses - turns on our ability to obtain individually identifiable health information in a timely and appropriate manner. We are able to do so under current law and we have used such authority in a responsible manner. Moreover, law enforcement agencies have a strong incentive not to disclose investigative information, including confidential health information, beyond those with a need to know for law enforcement purposes.

The following examples, however, provide compelling evidence of situations where law enforcement needs access to such records:

• During the course of a rape in Washington, D.C., the victim slams a car door on the assailant's hand, possibly causing serious injuries. Local police immediately contact emergency rooms in Washington, D.C., Maryland and Virginia to determine if anyone matching the assailant's description has been treated for a hand injury.

• A law enforcement agency conducts a comprehensive review of patient medical charts during an investigation of a hospital suspected of billing health insurance plans for services that were never provided. During this lawful review, investigators discover notations in one medical chart that the patient has been physically assaulting other patients causing serious physical injury. Hospital executives decide not to report these incidents to authorities in order to cover up inadequate staff coverage during the time of the assaults.

• A person who recently has been released from a psychiatric facility barricades himself inside the offices of his former employer, kills two people, and holds several more hostage. Negotiators need immediate access to his medical record to understand the kidnapper's diagnosis, discover what medications he may be taking, contact his psychiatrist, and to assist in resolving the situation without further loss of life.

These are just some examples where individually identifiable health information is disclosed to, and used by, law enforcement in a lawful and appropriate manner. In some cases, the need for health information is limited but urgent. For example, in the rape scenario described above, police are not seeking the entire medical file of a patient - rather, they simply need to know if a person matching the assailant's description has been treated for a hand injury within the past 24 hours. However, even though they are not in "hot pursuit" of a suspect, they need immediate access to such information.

In other cases, such as in a Medicare billing fraud, investigators will need access to hundreds of patient medical records, generally through an administrative or grand jury subpoena, or a civil investigative demand. In this scenario, it would be extremely burdensome, and in some cases impossible, to provide each patient with advance notice and an opportunity to be heard before the subpoena is enforced. Furthermore, notice to patients will unfairly and publicly broadcast law enforcement suspicion of a provider before any charges have been brought. Also, providers who receive premature notice that they are under investigation have the opportunity to destroy evidence or conceal assets that might be seized in the future.

Law enforcement has an excellent track record in obtaining and using health information in an appropriate manner and in protecting its confidentiality. We are not aware of any systemic or widespread misuse of confidential health information by law enforcement. Federal, state and local law enforcement agencies are already subject to a wide array of constitutional, statutory, regulatory and administrative requirements that protect the confidentiality of health information and insure that it is obtained and used only for official law enforcement activities. At the federal level, access to medical records generally is obtained through administrative or grand jury subpoenas or search warrants. Grand jury proceedings are governed by strict secrecy rules. Search warrants must be approved by a neutral magistrate and supported by probable cause. Many agencies have internal rules and regulations governing access to, and disclosure of, investigative information, including health information. Law enforcement prosecutors are bound by ethical proscriptions not to improperly obtain and use evidence. Finally, as a practical matter, law enforcement has a strong interest in not publicly disclosing the fruits of an on-going investigation.

The Department of Justice has taken a number of internal steps to safeguard the privacy of confidential health information consistent with our law enforcement responsibilities. Since health care fraud investigations frequently require access to patient medical information, the joint DOJ-HHS guidelines implementing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) include detailed guidance on access to, and use of, individually identifiable health information.⁽²⁾ In October 1998 the Deputy Attorney General issued a memorandum to all DOJ personnel reiterating the importance of protecting the confidentiality of medical records, reaffirming the privacy safeguards in the HIPAA guidelines, and describing additional steps DOJ personnel should take to safeguard confidential health information. Health records confidentiality is a recurring subject covered in training of Department health care attorneys and investigative agencies. The Department is in the process of developing even more specific guidance governing the disclosure, use and handling of health information.

Given the frequent and sometimes urgent need for law enforcement access to health information, the Department recommends that we maintain current federal and state privacy protections. Any new restrictions would seriously impair law enforcement's ability to combat violent crime, health care fraud, and other illegal activities. Consistent with this position, we do not believe that any new authority is necessary. We urge the Committee to follow the September 1997 report of the Secretary of Health and Services, which recommends that law enforcement agencies be protected from new restrictions and be provided no additional authority to access medical records. As the Committee moves forward, we would appreciate the opportunity to work with the Committee on the development of patient privacy legislation.

Again, I appreciate the opportunity to present the Department's views on these issues and look forward to answering any questions you might have. Thank you.

1. "Confidentiality of individually-identifiable health information," recommendations of the Secretary of Health and Human Services, pursuant to section 264 of the Health Insurance Portability and Accountability Act (September 1997).

2. "Guidelines Implementing the "Health Care Fraud and Abuse Control Program, Section VI: Confidentiality Procedures: Provision and Use of Information and Data," (January 24, 1997)