Skip to Content


State-24, Medical Records

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble


Notice is hereby given that the Department of State proposes to alter an existing system of records, Medical Records, State-24, pursuant to the provisions of the Privacy Act of 1974, as amended (5 U.S.C. 552a) and Office of Management and Budget Circular No. A-130, Appendix I. The Department's report was filed with the Office of Management and Budget on May 18, 2009.

It is proposed that the current system will retain the name “Medical Records.” It is also proposed that due to the expanded scope of the current system, the altered system description will include revisions and/or additions to the following sections: Categories of Individuals Covered by the Systems, Categories of Records in the System, Purpose, Safeguards and Retrievability.

Any persons interested in commenting on the altered system of records may do so by submitting comments in writing to Margaret P. Grafeld, Director; Office of Information Programs and Services; A/GIS/IPS; Department of State, SA-2; 515 22nd Street, Washington, DC 20522-8001. This system of records will be effective 40 days from the date of publication, unless we receive comments that will result in a contrary determination.

The altered system description, “Medical Records, State-24,” will read as set forth below.

Start Signature

Dated: May 18, 2009.

Steven J. Rodriguez,

Deputy Assistant Secretary of Operations, Bureau of Administration, Department of State.

End Signature


System name:

Medical Records.

System location:

Department of State, Office of Medical Services, 2401 E Street, NW., Washington, DC 20522, and Health Units at Overseas Posts.

Categories of individuals covered by the system:

U.S. Government employees, family members, and any other individuals Start Printed Page 24892eligible to participate in the health care program of the U.S. Department of State as authorized by either section 904 of the Foreign Service Act of 1980 (22 U.S.C. 4084) or other legal authority.

Categories of records in the system:

Includes name, social security number, date of birth, address to include email and phone number; reports of medical examinations and related documents; reports of treatments and other health services rendered to individuals; narrative summaries of hospital treatments; personal medical histories; reports of on-the-job injuries or illnesses; and reports on medical evacuation, and/or any other types of individually identifiable health information generated or used in the course of conducting “health care operations” as this term is defined at 45 CFR 164.501. This system includes records that contain “protected health information” as this term is defined at 45 CFR 164.501, and accordingly, does not include records maintained by the Department of State and/or other employers in their capacity as employers. This system also includes certain records maintained as part of the Department's Employee Assistance Program pursuant to 5 CFR Part 792.

Authority for maintenance of the system:

22 U.S.C. 4084, 42 U.S.C. 290dd-1, Public Law 99-570 §§ 7361-7362; 5 CFR Part 792.


The information contained in these records is used to administer the Department of State's medical program. These records are utilized and reviewed by medical and administrative personnel of the Office of Medical Services (MED) in providing health care to the individuals eligible to participate in the health care program.

Routine uses of records maintained in the system, including categories of users and the purposes of such uses:

Routine use of information from these files includes any use permitted by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule at 45 CFR Part 164 for which no authorization or opportunity to agree or object is required by the subject of the information. Specifically, we may disclose the information:

—To a “business associate,” as that term is defined at 45 CFR 160.103; to another health care provider; or to a group health plan or health insurance issuer or Health Maintenance Organization for purposes of carrying out treatment, payment or health care operations;

—To a parent, guardian or other person acting in loco parentis with respect to the subject of the information;

—To a health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the Department of State's medical program, or for such oversight activities as audits; civil, administrative, or criminal proceedings or actions; inspections; licensure or disciplinary actions;

—To a public health authority (domestic or foreign) that is authorized by law to collect or receive protected health information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions;

—To the U.S. Department of Health and Human Services (HHS), when required by the Secretary of HHS in order to investigate or determine compliance with the HIPAA;

—To a public health authority or other appropriate government authority (domestic or foreign) authorized by law to receive reports of child abuse or neglect;

—To a person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity;

—To a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, to the extent MED is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation;

—To a government authority (domestic or foreign), including a social service or protective services agency, authorized by law to receive reports of abuse, neglect or domestic violence, (1) To the extent such a disclosure is required by law; (2) where in the exercise of professional judgment, the disclosure is necessary to prevent serious harm to the individual or other potential victims; or (3) where, if the subject of the information is incapacitated, a law enforcement, or other public official authorized to receive the report, represents that the information sought is not intended to be used against the individual and that an immediate enforcement activity that depends upon the disclosure would be adversely affected by waiting until the individual is able to agree to the disclosure;

—In the course of any judicial or administrative proceeding in response to an order of a court or administrative tribunal;

—To a law enforcement official (1) As required by law or in compliance with a court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer, or a grand jury subpoena, or an administrative request, including an administrative subpoena or summons; (2) in response to a request for the purposes of identifying or locating a suspect, fugitive, material witness or missing person; in response to a request for such information about an individual who is or is suspected to be a victim of a crime; (3) where it is believed that in good faith that such information constitutes evidence of criminal conduct; or (4) in response to an emergency, where it is believed such disclosure is necessary to alert law enforcement to the commission and nature of a crime, the location of such crime or of the victim(s) of such crime, and the identity, description and location of the perpetrator of such crime;

—As necessary in order to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat;

—To authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act (50 U.S.C. 401, et seq.) and implementing authority (e.g., Executive Order 12333);

—To authorized federal officials for the provision of protective services to the President or other persons authorized by 18 U.S.C. 3056, or to foreign heads of state or other persons authorized by 22 U.S.C. 2709(a)(3), or for the conduct of investigations authorized by 18 U.S.C. 871 and 879.

—To make medical suitability determinations and disclose whether or not an individual is determined to be medically suitable to the officials in the Department of State who need access to such information (1) For the purposes of a national security clearance conducted pursuant to Executive Orders 10450 and 12698; (2) as necessary to determine worldwide availability, suitability for particular assignments, suitability for mandatory service abroad under sections 101(a)(4) and 504 of the Foreign Service Act; or (3) for a family to accompany a Foreign Service member Start Printed Page 24893abroad, consistent with section 101(b)(5) and 904 of the Foreign Service Act.

—To a correctional institution or a law enforcement official having lawful custody of an individual, if the correctional institution or law enforcement official represents that such information is necessary for the provision of health care to such individual, the health and safety of other individuals or others at the correctional institution, or the administration and maintenance of the safety, security, and good order of the correctional institution;

—To appropriate domestic or foreign government officials (including but not limited to the U.S. Department of Labor), as authorized by and to the extent necessary to comply with laws relating to workers' compensation or other similar programs, established by law, that provide benefits for work-related injuries or illnesses without regard to fault.

Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system:


Records are stored in hard copy and computer media.


By individual name and date of birth.


All users are given information system security awareness training, including the procedures for handling Sensitive but Unclassified and personally identifiable information. Annual refresher training is mandatory. Before being granted access to Medical Records, a user must first be granted access to the Department of State computer system.

Remote access to the Department of State network from non-Department owned systems is only authorized through a Department approved access program. Remote access to the network is configured with the Office of Management and Budget Memorandum M-07-16 security requirements of two factor authentication and time out function.

All Department of State employees and contractors with authorized access have undergone a thorough background security investigation. Access to the Department of State, its annexes and posts overseas is controlled by security guards and admission is limited to those individuals possessing a valid identification card or individuals under proper escort. All records containing Medical Records information are maintained in secured file cabinets in restricted areas, access to which is limited to authorized personnel. Access to computerized files is password-protected and under the direct supervision of the system manager. The system manager has the capability of printing audit trails of access from the computer media, thereby permitting regular and ad hoc monitoring of computer usage.

When it is determined that a user no longer needs access, the user accounted is disabled.

Retention and disposal:

Records are retired or destroyed in accordance with published schedules of the Department of State. More specific information may be obtained by writing the Director of Medical Records, Office of Medical Services, 2401 E Street, NW., Washington, DC 20522.

System manager(s) and address:

Executive Officer, Medical Services, Room 2270, Department of State, 2401 E Street, NW., Washington, DC 20522.

Notification procedure:

Individuals who have cause to believe that the Office of Medical Services might have records pertaining to them should write to Medical Records, Office of Medical Services, Department of State, 2401 E Street NW., Washington, DC 20522. The individual must include: Name; date and place of birth; current mailing address and zip code; signature; the agency served by the medical program with which the individual was or is an employee or a dependent, and the approximate dates of such employment or dependency.

Record access procedures:

Individuals who wish to gain access to or amend records pertaining to them should write to the Director of Medical Records (Address above).

Contesting record procedures:

(See Record access procedure, above).

Record source categories:

Information contained in these records comes from the individual; hospitals; clinics; private physicians; employers; and medical professionals employed by the Department of State.

System exempted from certain provisions under the Privacy Act:


End Preamble

[FR Doc. E9-12146 Filed 5-22-09; 8:45 am]