Editorial Notes
References in Text

The Health Insurance Portability and Accountability Act of 1996, referred to in subsec. (g)(1), (2)(D), is Puspan. L. 104–191, Aug. 21, 1996, 110 Stat. 1936. For complete classification of this Act to the Code, see Short Title of 1996 Amendments note set out under section 201 of this title and Tables.

The Internal Revenue Code of 1986, referred to in subsec. (j)(4)(D)(i), (ii), is classified generally to Title 26, Internal Revenue Code.

Prior Provisions

A prior section 1173 of act Aug. 14, 1935, was classified to section 1320c–22 of this title prior to the general amendment of part B of this subchapter by Puspan. L. 97–248.

Amendments

2010—Subsec. (a)(1)(B). Puspan. L. 111–148, § 10109(a)(1)(A), inserted before period at end “, and subject to the requirements under paragraph (5)”.

Subsec. (a)(2)(J). Puspan. L. 111–148, § 1104(span)(2)(A), added subpar. (J).

Subsec. (a)(4). Puspan. L. 111–148, § 1104(span)(2)(B), added par. (4).

Subsec. (a)(5). Puspan. L. 111–148, § 10109(a)(1)(B), added par. (5).

Subsecs. (g) to (j). Puspan. L. 111–148, § 1104(span)(2)(C), added subsecs. (g) to (j).

Statutory Notes and Related Subsidiaries
Guidance on Protected Health Information

Puspan. L. 116–136, div. A, title III, § 3224, Mar. 27, 2020, 134 Stat. 380, provided that: “Not later than 180 days after the date of enactment of this Act [Mar. 27, 2020], the Secretary of Health and Human Services shall issue guidance on the sharing of patients’ protected health information pursuant to section 160.103 of title 45, Code of Federal Regulations (or any successor regulations) during the public health emergency declared by the Secretary of Health and Human Services under section 319 of the Public Health Service Act (42 U.S.C. 247d) with respect to COVID–19, during the emergency involving Federal primary responsibility determined to exist by the President under section 501(span) of the Robert T. Stafford Disaster Relief and Emergency Assistance Act (42 U.S.C. 5191(span)) with respect to COVID–19, and during the national emergency declared by the President under the National Emergencies Act (50 U.S.C. 1601 et seq.) with respect to COVID–19. Such guidance shall include information on compliance with the regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note) and applicable policies, including such policies that may come into effect during such emergencies.”

Making T–MSIS Data on Substance Use Disorders Available to Researchers

Puspan. L. 115–271, title I, § 1015(span), Oct. 24, 2018, 132 Stat. 3922, provided that:

“(1)In general.—The Secretary [probably means the Secretary of Health and Human Services] shall publish in the Federal Register a system of records notice for the data specified in paragraph (2) for the Transformed Medicaid Statistical Information System, in accordance with section 552a(e)(4) of title 5, United States Code. The notice shall outline policies that protect the security and privacy of the data that, at a minimum, meet the security and privacy policies of SORN 09–70–0541 for the Medicaid Statistical Information System.
“(2)Required data.—The data covered by the systems of records notice required under paragraph (1) shall be sufficient for researchers and States to analyze the prevalence of substance use disorders in the Medicaid beneficiary population and the treatment of substance use disorders under Medicaid across all States (including the District of Columbia, Puerto Rico, the United States Virgin Islands, Guam, the Northern Mariana Islands, and American Samoa), forms of treatment, and treatment settings.
“(3)Initiation of data-sharing activities.—Not later than January 1, 2019, the Secretary shall initiate the data-sharing activities outlined in the notice required under paragraph (1).”

Accessing, Sharing, and Using Health Data for Research Purposes

Puspan. L. 114–255, div. A, title II, § 2063, Dec. 13, 2016, 130 Stat. 1080, provided that:

“(a)Guidance Related to Remote Access.—Not later than 1 year after the date of enactment of this Act [Dec. 13, 2016], the Secretary of Health and Human Services (referred to in this section as the ‘Secretary’) shall issue guidance clarifying that subparagraph (B) of section 164.512(i)(1)(ii) of part 164 of the Rule (prohibiting the removal of protected health information by a researcher) does not prohibit remote access to health information by a researcher for such purposes as described in section 164.512(i)(1)(ii) of part 164 of the Rule so long as—
“(1) at a minimum, security and privacy safeguards, consistent with the requirements of the Rule, are maintained by the covered entity and the researcher; and
“(2) the protected health information is not copied or otherwise retained by the researcher.
“(span)Guidance Related to Streamlining Authorization.—Not later than 1 year after the date of enactment of this Act, the Secretary shall issue guidance on the following:
“(1)Authorization for use and disclosure of health information.—Clarification of the circumstances under which the authorization for the use or disclosure of protected health information, with respect to an individual, for future research purposes contains a sufficient description of the purpose of the use or disclosure, such as if the authorization—
“(A) sufficiently describes the purposes such that it would be reasonable for the individual to expect that the protected health information could be used or disclosed for such future research;
“(B) either—
“(i) states that the authorization will expire on a particular date or on the occurrence of a particular event; or
“(ii) states that the authorization will remain valid unless and until it is revoked by the individual; and
“(C) provides instruction to the individual on how to revoke such authorization at any time.
“(2)Reminder of the right to revoke.—Clarification of the circumstances under which it is appropriate to provide an individual with an annual notice or reminder that the individual has the right to revoke such authorization.
“(3)Revocation of authorization.—Clarification of appropriate mechanisms by which an individual may revoke an authorization for future research purposes, such as described in paragraph (1)(C).
“(c)Working Group on Protected Health Information for Research.—
“(1)Establishment.—Not later than 1 year after the date of enactment of this Act [Dec. 13, 2016], the Secretary shall convene a working group to study and report on the uses and disclosures of protected health information for research purposes, under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104–191) [see Tables for classification].
“(2)Members.—The working group shall include representatives of—
“(A) relevant Federal agencies, including the National Institutes of Health, the Centers for Disease Control and Prevention, the Food and Drug Administration, and the Office for Civil Rights;
“(B) the research community;
“(C) patients;
“(D) experts in civil rights, such as privacy rights;
“(E) developers of health information technology;
“(F) experts in data privacy and security;
“(G) health care providers;
“(H) bioethicists; and
“(I) other experts and entities, as the Secretary determines appropriate.
“(3)Report.—Not later than 1 year after the date on which the working group is convened under paragraph (1), the working group shall conduct a review and submit a report to the Secretary containing recommendations on whether the uses and disclosures of protected health information for research purposes should be modified to allow protected health information to be available, as appropriate, for research purposes, including studies to obtain generalizable knowledge, while protecting individuals’ privacy rights. In conducting the review and making recommendations, the working group shall—
“(A) address, at a minimum—
“(i) the appropriate manner and timing of authorization, including whether additional notification to the individual should be required when the individual’s protected health information will be used or disclosed for such research;
“(ii) opportunities for individuals to set preferences on the manner in which their protected health information is used in research;
“(iii) opportunities for patients to revoke authorization;
“(iv) notification to individuals of a breach in privacy;
“(v) existing gaps in statute, regulation, or policy related to protecting the privacy of individuals, and
“(vi) existing barriers to research related to the current restrictions on the uses and disclosures of protected health information; and
“(B) consider, at a minimum—
“(i) expectations and preferences on how an individual’s protected health information is shared and used;
“(ii) issues related to specific subgroups of people, such as children, incarcerated individuals, and individuals with a cognitive or intellectual disability impacting capacity to consent;
“(iii) relevant Federal and State laws;
“(iv) models of facilitating data access and levels of data access, including data segmentation, where applicable;
“(v) potential impacts of disclosure and non-disclosure of protected health information on access to health care services; and
“(vi) the potential uses of such data.
“(4)Report submission.—The Secretary shall submit the report under paragraph (3) to the Committee on Health, Education, Labor, and Pensions of the Senate and the Committee on Energy and Commerce of the House of Representatives, and shall post such report on the appropriate Internet website of the Department of Health and Human Services.
“(5)Termination.—The working group convened under paragraph (1) shall terminate the day after the report under paragraph (3) is submitted to Congress and made public in accordance with paragraph (4).
“(d)Definitions.—In this section:
“(1)The rule.—References to ‘the Rule’ refer to part 160 or part 164, as appropriate, of title 45, Code of Federal Regulations (or any successor regulation).
“(2)Part 164.—References to a specified section of ‘part 164’, refer to such specified section of part 164 of title 45, Code of Federal Regulations (or any successor section).”

Clarification on Permitted Uses and Disclosures of Protected Health Information

Puspan. L. 114–255, div. B, title XI, § 11003, Dec. 13, 2016, 130 Stat. 1270, provided that:

“(a)In General.—The Secretary [of Health and Human Services], acting through the Director of the Office for Civil Rights, shall ensure that health care providers, professionals, patients and their families, and others involved in mental or substance use disorder treatment have adequate, accessible, and easily comprehensible resources relating to appropriate uses and disclosures of protected health information under the regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 [Puspan. L. 104–191] (42 U.S.C. 1320d–2 note).
“(span)Guidance.—
“(1)Issuance.—In carrying out subsection (a), not later than 1 year after the date of enactment of this section [Dec. 13, 2016], the Secretary shall issue guidance clarifying the circumstances under which, consistent with regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996, a health care provider or covered entity may use or disclose protected health information.
“(2)Circumstances addressed.—The guidance issued under this section shall address circumstances including those that—
“(A) require the consent of the patient;
“(B) require providing the patient with an opportunity to object;
“(C) are based on the exercise of professional judgment regarding whether the patient would object when the opportunity to object cannot practicably be provided because of the incapacity of the patient or an emergency treatment circumstance; and
“(D) are determined, based on the exercise of professional judgment, to be in the best interest of the patient when the patient is not present or otherwise incapacitated.
“(3)Communication with family members and caregivers.—In addressing the circumstances described in paragraph (2), the guidance issued under this section shall clarify permitted uses or disclosures of protected health information for purposes of—
“(A) communicating with a family member of the patient, caregiver of the patient, or other individual, to the extent that such family member, caregiver, or individual is involved in the care of the patient;
“(B) in the case that the patient is an adult, communicating with a family member of the patient, caregiver of the patient, or other individual involved in the care of the patient;
“(C) in the case that the patient is a minor, communicating with the parent or caregiver of the patient;
“(D) involving the family members or caregivers of the patient, or others involved in the patient’s care or care plan, including facilitating treatment and medication adherence;
“(E) listening to the patient, or receiving information with respect to the patient from the family or caregiver of the patient;
“(F) communicating with family members of the patient, caregivers of the patient, law enforcement, or others when the patient presents a serious and imminent threat of harm to self or others; and
“(G) communicating to law enforcement and family members or caregivers of the patient about the admission of the patient to receive care at, or the release of a patient from, a facility for an emergency psychiatric hold or involuntary treatment.”

Development and Dissemination of Model Training Programs

Puspan. L. 114–255, div. B, title XI, § 11004, Dec. 13, 2016, 130 Stat. 1271, provided that:

“(a)Initial Programs and Materials.—Not later than 1 year after the date of the enactment of this Act [Dec. 13, 2016], the Secretary [of Health and Human Services], in consultation with appropriate experts, shall identify the following model programs and materials, or (in the case that no such programs or materials exist) recognize private or public entities to develop and disseminate each of the following:
“(1) Model programs and materials for training health care providers (including physicians, emergency medical personnel, psychiatrists, including child and adolescent psychiatrists, psychologists, counselors, therapists, nurse practitioners, physician assistants, behavioral health facilities and clinics, care managers, and hospitals, including individuals such as general counsels or regulatory compliance staff who are responsible for establishing provider privacy policies) regarding the permitted uses and disclosures, consistent with the standards governing the privacy and security of individually identifiable health information promulgated by the Secretary under part C of title XI of the Social Security Act (42 U.S.C. 1320d et seq.) and regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 [Puspan. L. 104–191] (42 U.S.C. 1320d–2 note) and such part C, of the protected health information of patients seeking or undergoing mental or substance use disorder treatment.
“(2) A model program and materials for training patients and their families regarding their rights to protect and obtain information under the standards and regulations specified in paragraph (1).
“(span)Periodic Updates.—The Secretary shall—
“(1) periodically review and update the model programs and materials identified or developed under subsection (a); and
“(2) disseminate the updated model programs and materials to the individuals described in subsection (a).
“(c)Coordination.—The Secretary shall carry out this section in coordination with the Director of the Office for Civil Rights within the Department of Health and Human Services, the Assistant Secretary for Mental Health and Substance Use, the Administrator of the Health Resources and Services Administration, and the heads of other relevant agencies within the Department of Health and Human Services.
“(d)Input of Certain Entities.—In identifying, reviewing, or updating the model programs and materials under subsections (a) and (span), the Secretary shall solicit the input of relevant national, State, and local associations; medical societies; licensing boards; providers of mental and substance use disorder treatment; organizations with expertise on domestic violence, sexual assault, elder abuse, and child abuse; and organizations representing patients and consumers and the families of patients and consumers.
“(e)Funding.—There are authorized to be appropriated to carry out this section—
“(1) $4,000,000 for fiscal year 2018;
“(2) $2,000,000 for each of fiscal years 2019 and 2020; and
“(3) $1,000,000 for each of fiscal years 2021 and 2022.”

Delay in Transition From ICD–9 to ICD–10 Code Sets

Puspan. L. 113–93, title II, § 212, Apr. 1, 2014, 128 Stat. 1047, provided that: “The Secretary of Health and Human Services may not, prior to October 1, 2015, adopt ICD–10 code sets as the standard for code sets under section 1173(c) of the Social Security Act (42 U.S.C. 1320d–2(c)) and section 162.1002 of title 45, Code of Federal Regulations.”

Promulgation of Rules

Puspan. L. 111–148, title I, § 1104(c), Mar. 23, 2010, 124 Stat. 153, provided that:

“(1)Unique health plan identifier.—The Secretary [of Health and Human Services] shall promulgate a final rule to establish a unique health plan identifier (as described in section 1173(span) of the Social Security Act (42 U.S.C. 1320d–2(span))) based on the input of the National Committee on Vital and Health Statistics. The Secretary may do so on an interim final basis and such rule shall be effective not later than October 1, 2012.
“(2)Electronic funds transfer.—The Secretary shall promulgate a final rule to establish a standard for electronic funds transfers (as described in section 1173(a)(2)(J) of the Social Security Act, as added by subsection (span)(2)(A)). The Secretary may do so on an interim final basis and shall adopt such standard not later than January 1, 2012, in a manner ensuring that such standard is effective not later than January 1, 2014.
“(3)Health claims attachments.—The Secretary shall promulgate a final rule to establish a transaction standard and a single set of associated operating rules for health claims attachments (as described in section 1173(a)(2)(B) of the Social Security Act (42 U.S.C. 1320d–2(a)(2)(B))) that is consistent with the X12 Version 5010 transaction standards. The Secretary may do so on an interim final basis and shall adopt a transaction standard and a single set of associated operating rules not later than January 1, 2014, in a manner ensuring that such standard is effective not later than January 1, 2016.”

Activities and Items for Initial Consideration; ICD Coding Crosswalks

Puspan. L. 111–148, title X, § 10109(span), (c), Mar. 23, 2010, 124 Stat. 916, provided that:

“(span)Activities and Items for Initial Consideration.—For purposes of section 1173(a)(5) of the Social Security Act [42 U.S.C. 1320d–2(a)(5)], as added by subsection (a), the Secretary of Health and Human Services (in this section referred to as the ‘Secretary’) shall, not later than January 1, 2012, seek input on activities and items relating to the following areas:
“(1) Whether the application process, including the use of a uniform application form, for enrollment of health care providers by health plans could be made electronic and standardized.
“(2) Whether standards and operating rules described in section 1173 of the Social Security Act should apply to the health care transactions of automobile insurance, worker’s compensation, and other programs or persons not described in section 1172(a) of such Act (42 U.S.C. 1320d–1(a)).
“(3) Whether standardized forms could apply to financial audits required by health plans, Federal and State agencies (including State auditors, the Office of the Inspector General of the Department of Health and Human Services, and the Centers for Medicare & Medicaid Services), and other relevant entities as determined appropriate by the Secretary.
“(4) Whether there could be greater transparency and consistency of methodologies and processes used to establish claim edits used by health plans (as described in section 1171(5) of the Social Security Act (42 U.S.C. 1320d(5))).
“(5) Whether health plans should be required to publish their timeliness of payment rules.
“(c) ICD Coding Crosswalks.—
“(1) ICD–9 to icd–10 crosswalk.—The Secretary shall task the ICD–9–CM Coordination and Maintenance Committee to convene a meeting, not later than January 1, 2011, to receive input from appropriate stakeholders (including health plans, health care providers, and clinicians) regarding the crosswalk between the Ninth and Tenth Revisions of the International Classification of Diseases (ICD–9 and ICD–10, respectively) that is posted on the website of the Centers for Medicare & Medicaid Services, and make recommendations about appropriate revisions to such crosswalk.
“(2)Revision of crosswalk.—For purposes of the crosswalk described in paragraph (1), the Secretary shall make appropriate revisions and post any such revised crosswalk on the website of the Centers for Medicare & Medicaid Services.
“(3)Use of revised crosswalk.—For purposes of paragraph (2), any revised crosswalk shall be treated as a code set for which a standard has been adopted by the Secretary for purposes of section 1173(c)(1)(B) of the Social Security Act (42 U.S.C. 1320d–2(c)(1)(B)).
“(4)Subsequent crosswalks.—For subsequent revisions of the International Classification of Diseases that are adopted by the Secretary as a standard code set under section 1173(c) of the Social Security Act (42 U.S.C. 1320d–2(c)), the Secretary shall, after consultation with the appropriate stakeholders, post on the website of the Centers for Medicare & Medicaid Services a crosswalk between the previous and subsequent version of the International Classification of Diseases not later than the date of implementation of such subsequent revision.”

Recommendations With Respect to Privacy of Certain Health Information

Puspan. L. 104–191, title II, § 264, Aug. 21, 1996, 110 Stat. 2033, provided that:

“(a)In General.—Not later than the date that is 12 months after the date of the enactment of this Act [Aug. 21, 1996], the Secretary of Health and Human Services shall submit to the Committee on Labor and Human Resources and the Committee on Finance of the Senate and the Committee on Commerce and the Committee on Ways and Means of the House of Representatives detailed recommendations on standards with respect to the privacy of individually identifiable health information.
“(span)Subjects for Recommendations.—The recommendations under subsection (a) shall address at least the following:
“(1) The rights that an individual who is a subject of individually identifiable health information should have.
“(2) The procedures that should be established for the exercise of such rights.
“(3) The uses and disclosures of such information that should be authorized or required.
“(c)Regulations.—
“(1)In general.—If legislation governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act [42 U.S.C. 1320d–2(a)] (as added by section 262) is not enacted by the date that is 36 months after the date of the enactment of this Act [Aug. 21, 1996], the Secretary of Health and Human Services shall promulgate final regulations containing such standards not later than the date that is 42 months after the date of the enactment of this Act. Such regulations shall address at least the subjects described in subsection (span).
“(2)Preemption.—A regulation promulgated under paragraph (1) shall not supercede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation.
“(d)Consultation.—In carrying out this section, the Secretary of Health and Human Services shall consult with—
“(1) the National Committee on Vital and Health Statistics established under section 306(k) of the Public Health Service Act (42 U.S.C. 242k(k)); and
“(2) the Attorney General.”

Executive Documents
Ex. Ord. No. 13181. To Protect the Privacy of Protected Health Information in Oversight Investigations

Ex. Ord. No. 13181, Dec. 20, 2000, 65 F.R. 81321, provided:

By the authority vested in me as President of the United States by the Constitution and the laws of the United States of America, it is ordered as follows:

Section 1. Policy.

It shall be the policy of the Government of the United States that law enforcement may not use protected health information concerning an individual that is discovered during the course of health oversight activities for unrelated civil, administrative, or criminal investigations of a non-health oversight matter, except when the balance of relevant factors weighs clearly in favor of its use. That is, protected health information may not be so used unless the public interest and the need for disclosure clearly outweigh the potential for injury to the patient, to the physician-patient relationship, and to the treatment services. Protecting the privacy of patients’ protected health information promotes trust in the health care system. It improves the quality of health care by fostering an environment in which patients can feel more comfortable in providing health care professionals with accurate and detailed information about their personal health. In order to provide greater protections to patients’ privacy, the Department of Health and Human Services is issuing final regulations concerning the confidentiality of individually identifiable health information under the Health Insurance Portability and Accountability Act of 1996 [Puspan. L. 104–191, see Tables for classification] (HIPAA). HIPAA applies only to “covered entities,” such as health care plans, providers, and clearinghouses. HIPAA regulations therefore do not apply to other organizations and individuals that gain access to protected health information, including Federal officials who gain access to health records during health oversight activities.

Under the new HIPAA regulations, health oversight investigators will appropriately have ready access to medical records for oversight purposes. Health oversight investigators generally do not seek access to the medical records of a particular patient, but instead review large numbers of records to determine whether a health care provider or organization is violating the law, such as through fraud against the Medicare system. Access to many health records is often necessary in order to gain enough evidence to detect and bring enforcement actions against fraud in the health care system. Stricter rules apply under the HIPAA regulations, however, when law enforcement officials seek protected health information in order to investigate criminal activity outside of the health oversight realm.

In the course of their efforts to protect the health care system, health oversight investigators may also uncover evidence of wrongdoing unrelated to the health care system, such as evidence of criminal conduct by an individual who has sought health care. For records containing that evidence, the issue thus arises whether the information should be available for law enforcement purposes under the less restrictive oversight rules or the more restrictive rules that apply to non-oversight criminal investigations.

A similar issue has arisen in other circumstances. Under 18 U.S.C. 3486, an individual’s health records obtained for health oversight purposes pursuant to an administrative subpoena may not be used against that individual patient in an unrelated investigation by law enforcement unless a judicial officer finds good cause. Under that statute, a judicial officer determines whether there is good cause by weighing the public interest and the need for disclosure against the potential for injury to the patient, to the physician-patient relationship, and to the treatment services. It is appropriate to extend limitations on the use of health information to all situations in which the government obtains medical records for a health oversight purpose. In recognition of the increasing importance of protecting health information as shown in the medical privacy rule, a higher standard than exists in 18 U.S.C. 3486 is necessary. It is, therefore, the policy of the Government of the United States that law enforcement may not use protected health information concerning an individual, discovered during the course of health oversight activities for unrelated civil, administrative, or criminal investigations, against that individual except when the balance of relevant factors weighs clearly in favor of its use. That is, protected health information may not be so used unless the public interest and the need for disclosure clearly outweigh the potential for injury to the patient, to the physician-patient relationship, and to the treatment services.

Sec. 2. Definitions.

(a) “Health oversight activities” shall include the oversight activities enumerated in the regulations concerning the confidentiality of individually identifiable health information promulgated by the Secretary of Health and Human Services pursuant to the “Health Insurance Portability and Accountability Act of 1996,” as amended [Puspan. L. 104–191, see Tables for classification].

(span) “Protected health information” shall have the meaning ascribed to it in the regulations concerning the confidentiality of individually identifiable health information promulgated by the Secretary of Health and Human Services pursuant to the “Health Insurance Portability and Accountability Act of 1996,” as amended.

(c) “Injury to the patient” includes injury to the privacy interests of the patient.

Sec. 3. Implementation.

(a) Protected health information concerning an individual patient discovered during the course of health oversight activities shall not be used against that individual patient in an unrelated civil, administrative, or criminal investigation of a non-health oversight matter unless the Deputy Attorney General of the U.S Department of Justice, or insofar as the protected health information involves members of the Armed Forces, the General Counsel of the U.S. Department of Defense, has authorized such use.

(span) In assessing whether protected health information should be used under subparagraph (a) of this section, the Deputy Attorney General shall permit such use upon concluding that the balance of relevant factors weighs clearly in favor of its use. That is, the Deputy Attorney General shall permit disclosure if the public interest and the need for disclosure clearly outweigh the potential for injury to the patient, to the physician-patient relationship, and to the treatment services.

(c) Upon the decision to use protected health information under subparagraph (a) of this section, the Deputy Attorney General, in determining the extent to which this information should be used, shall impose appropriate safeguards against unauthorized use.

(d) On an annual basis, the Department of Justice, in consultation with the Department of Health and Human Services, shall provide to the President of the United States a report that includes the following information:

(i) the number of requests made to the Deputy Attorney General for authorization to use protected health information discovered during health oversight activities in a non-health oversight, unrelated investigation;

(ii) the number of requests that were granted as applied for, granted as modified, or denied;

(iii) the agencies that made the applications, and the number of requests made by each agency; and

(iv) the uses for which the protected health information was authorized.

(e) The General Counsel of the U.S. Department of Defense will comply with the requirements of subparagraphs (span), (c), and (d), above. The General Counsel also will prepare a report, consistent with the requirements of subparagraphs (d)(i) through (d)(iv), above, and will forward it to the Department of Justice where it will be incorporated into the Department’s annual report to the President.

Sec. 4. Exceptions.

(a) Nothing in this Executive Order shall place a restriction on the derivative use of protected health information that was obtained by a law enforcement agency in a non-health oversight investigation.

(span) Nothing in this Executive Order shall be interpreted to place a restriction on a duty imposed by statute.

(c) Nothing in this Executive Order shall place any additional limitation on the derivative use of health information obtained by the Attorney General pursuant to the provisions of 18 U.S.C. 3486.

(d) This order does not create any right or benefit, substantive or procedural, enforceable at law by a party against the United States, the officers and employees, or any other person.

William J. Clinton.