Billing Code: 4410-36
DEPARTMENT OF JUSTICE
[CPCLO Order No. 003-2024]
Privacy Act of 1974; Systems of Records
AGENCY: Federal Bureau of Prisons, United States Department of Justice.
ACTION: Notice of a modified system of records.
SUMMARY: Pursuant to the Privacy Act of 1974 and Office of Management and
Budget (OMB) Circular No. A-108, notice is hereby given that the Federal Bureau of
Prisons (hereinafter the Bureau or FBOP), a component within the United States
Department of Justice (DOJ or Department), proposes to modify a system of records
notice titled, “Inmate Physical and Mental Health Record System,” JUSTICE/BOP-007,
last modified on May 25, 2017, in order to consolidate previously published
modifications of the system of records into one document to promote transparency. The
modifications also incorporate OMB guidance, technological advancements, and changes
to four (4) routine uses.
DATES: In accordance with 5 U.S.C. 552a(e)(4) and (11), this notice is applicable upon
publication, subject to a 30-day period in which to comment on the routine uses,
described below. Therefore, please submit any comments by [INSERT DATE 30 DAYS
AFTER DATE OF PUBLICATION IN THE FEDERAL REGISTER].
ADDRESSES: The public, OMB, and Congress are invited to submit any comments: by
mail to the United States Department of Justice, Office of Privacy and Civil Liberties,
ATTN: Privacy Analyst, Two Constitution Square (2CON), 145 N Street, NE, Suite
8W.300, Washington, DC 20002; by facsimile at 202-307-0693; or by email at
privacy.compliance@usdoj.gov. To ensure proper handling, please reference the above
CPCLO Order No. on your correspondence.

FOR FURTHER INFORMATION CONTACT: Eugene Baime, Supervisory
Attorney, Freedom of Information Act and Privacy Act Section, Office of General
Counsel, Federal Bureau of Prisons, 320 First Street NW, Suite 924A, Washington, DC
20534, BOP-OGC-EFOIA-S@BOP.GOV, 202-616-7750.
SUPPLEMENTARY INFORMATION: FBOP is modifying this system of records to
consolidate earlier modifications of the system of records into one document to promote
transparency. For a detailed list of previously published modifications, please review the
“History” section below. Additionally, modifications to the system of records have been
made to incorporate OMB guidance, technological advancements, and the modification
of four (4) routine uses. Pursuant to OMB Circular No. A-108, various sections were
rearranged, and various section titles were edited.
FBOP also has changed the “System Location” section by adding to the list of
locations where records may be maintained contractor-operated correctional facilities,
National Archive Centers, secure cloud computing environments, and contracted storage
facilities. FBOP has updated the “Addresses” section to reflect administrative changes.
FBOP has made a slight change to the Purpose(s) of the System to add the Attorney
General as one of the parties that this system assists. FBOP has updated the “Categories
of Individuals Covered by the System” to clarify that it includes those individuals under
custody for criminal and civil commitments. FBOP has updated the “Categories of
Records” in the system to include additional identifying particulars and information
regarding specific health conditions.
FBOP has added modified routine uses that: allow medical health care
professionals to access former inmates’ medical records for continuity of care purposes,
and eliminating the requirement the records only be provided for pre-existing condition
(see RU b); include specific mention of the United States Probation Office (see RU c);
permit Members of Congress to request and receive records at the bequest of the

authorized next-of-kin for inmates who are mentally or physically incapacitated (see RU
g); and account for authorized disclosures related to Coronavirus-19 (SARS-CoV-2) and
other unknown infectious diseases (see RU j). Additionally, previously published routine
uses on breach procedures have been consolidated here to make them easier to find.
FBOP also has made a slight change in the “Policies and Practices for Storage of
Records” section by adding a federally-authorized secure cloud as a location where files
may be stored. FBOP has updated the “Policies and Practices for Retrieval of Records”
section to include additional identifying particulars. FBOP had made an update to the
“Administrative, Technical, and Physical Safeguards” section to clarify that access to
data is facilitated via strong authentication and data is segregated to limit staff’s ability to
update data absent authorization.
FBOP has updated the “Record Access Procedures,” “Contesting Record
Procedures,” and “Notification Procedures” to include more detail on how one may
access, contest, or receive notifications about records. Specifically, the “Records Access
Procedures” section recognizes updated methods of record access for authorized next-ofkin, former inmates, and attorneys representing current and former inmates in criminal or
civil matters.
FBOP continues to assert the same Privacy Act exemptions as previously
published in the Federal Register. See 28 CFR 16.97(a) and (n).
In accordance with 5 U.S.C. 552a(r), the Department has provided a report to
OMB and Congress on this notice of a modified system of records.
Dated: May 28, 2024.
Peter A. Winn,
Acting Chief Privacy and Civil Liberties Officer,
United States Department of Justice.

JUSTICE/BOP–007
SYSTEM NAME AND NUMBER: Inmate Physical and Mental Health Record
System, JUSTICE/BOP–007
SYSTEM LOCATION:
Records may be retained at any Department of Justice authorized location,
including the Central Office of FBOP, its Regional Offices, and any correctional facilities
operated by FBOP or its contractors, and FBOP’s National Archive Centers. A list of
Bureau system locations may be found at 28 CFR part 503 and on the Internet at
https://www.bop.gov. Records within this system of records may be transferred to a
Department-authorized cloud service provider, in which records would be limited to
locations within the United States.
SYSTEM MANAGER(S):
Assistant Director, Health Services Division, Federal Bureau of Prisons; 320
First Street NW., Washington, DC 20534
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
This system is established and maintained under the authority of 18 U.S.C.
3621, 4014, 4042, 4082, 4241 et seq., 5003, and section 11201 of chapter 1 of subtitle C
of title XI of the National Capital Revitalization and Self- Government Improvement
Act of 1997.
PURPOSE(S) OF THE SYSTEM:
This system assists the Attorney General and the Bureau in providing
appropriate health care to persons in the custody of the Bureau. It provides for the
maintenance and release of records concerning the medical, mental, and dental health
of persons in the Bureau’s custody.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Individuals currently or formerly under the custody of the Attorney General
and/or the Director of the Bureau, including those individuals under custody for criminal
and civil commitments.
CATEGORIES OF RECORDS IN THE SYSTEM:
Records in this system include: (1) identification data, including name, inmate
register number, date of birth, Social Security number, FBI number, alien registration
number, system-generated identification number, miscellaneous identification numbers,
drug testing data and DNA samples and analysis; (2) medical and dental history and
examinations (past and present), including diagnosis and treatment notes, records, and
pharmaceutical information; (3) medical information concerning deaths of inmates; (4)
offense information, including Pre-Sentence Reports; (5) designations of inmates from
parent facilities to medical facilities, including date and type of referral; (6) precertifications authorizing inmates to receive care at local medical facilities, including
authorized and actual length of stay, and all associated cost information; (7) mental
health and drug abuse information, including interview summaries or reports with health
care professionals, testing data, and progress or observation notes, generated and
maintained by Bureau staff; (8) mental health and drug abuse information generated
outside the Bureau by other corrections agencies and health care providers such as
surgical clinics, mental hospitals, private therapists, etc.; (9) urine surveillance reports of
drug program participants; (10) automated data, including Electronic Signatures,
Sensitive Medical Data (SMD), Medical Duty Status (MDS), and Diagnosis Group
(DGN); and (11) information concerning individuals with a specific health condition or
status such as cancer, diabetes, infectious/communicable disease(s), HIV, Coronavirus19, Tuberculosis, immunizations, suicidal behavior, or disabilities.
RECORD SOURCE CATEGORIES:
Records are generated by: (1) individuals currently or formerly under Bureau

custody; (2) Bureau staff; (3) community health care providers, including individuals,
hospitals, and/or other professionals involved in the medical, mental, and dental care of
inmates and/or former inmates; and (4) other Federal and/or State, local or Tribal
agencies, including those preparing or providing information on Pre-Sentence Reports.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING
CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:
Relevant data from this system will be disclosed as follows:
(a) To contractors, grantees, experts, consultants, students, and others performing or
working on a contract, service, grant, cooperative agreement, or other assignment for
the Federal Government, when necessary to accomplish an agency function related to
providing appropriate health care to persons in the custody of the Bureau;
(b) To community health care professionals, including physicians, psychiatrists,
psychologists, and State and Federal medical facility personnel who are providing
treatment to former Federal inmates for continuity of care purposes;
(c) To Federal, State, local, foreign and international law enforcement agencies and
officials, including the United States Probation Office, for law enforcement purposes
such as investigations, possible criminal prosecutions, civil court actions, or
regulatory proceedings;
(d) To a court or adjudicative body before which the Department of Justice or the
Bureau is authorized to appear when any of the following is a party to litigation or has
an interest in litigation and such records are determined by the Bureau to be arguably
relevant to the litigation: (1) the Bureau, or any subdivision thereof, or (2) any
Department or Bureau employee in his or her official capacity, or (3) any Department
or Bureau employee in his or her individual capacity where the Department has
agreed to provide representation for the employee, or (4) the United States, where the
Bureau determines that the litigation is likely to affect it or any of its subdivisions;

(e) In an appropriate proceeding before a court or administrative or regulatory body
when records are determined by the Department to be arguably relevant to the
proceeding, including Federal, State, and local licensing agencies or associations
which require information concerning the suitability or eligibility of an individual for
a license or permit;
(f) To the news media and the public pursuant to 28 CFR 50.2, unless it is
determined that release of the specific information in the context of a particular case
would constitute an unwarranted invasion of personal privacy;
(g) To a Member of Congress or staff acting upon the Member’s behalf when the
Member or staff requests the information on behalf of and at the request of the
individual who is the subject of the record or the individual’s authorized next-of-kin
if the individual is mentally or physically incapacitated;
(h) To the National Archives and Records Administration and General Services
Administration in records management inspections conducted under the authority of
44 U.S.C. 2904 and 2906;
(i) To any person or entity to the extent necessary to prevent immediate loss of life
or serious bodily injury; and
(j) For information relating to infectious diseases, as follows: (1) To State health
departments and/ or the Center for Disease Control, pursuant to State and/or Federal
laws requiring notice of cases of reportable infectious diseases or immunization status
regarding certain infectious diseases; (2) To the United States Probation Office in the
district where an inmate is being released from Bureau custody on parole, placement in
a community-based program, furlough, or full-term release, when the inmate is known
to be HIV positive, under treatment for exposure to or active Tuberculosis (TB), tested
positive for the Coronavirus-19, and is required to be quarantined with local, State, or
Federal guidance, or immunization status regarding certain infectious diseases required

by law; (3) To the Director of a Residential Reentry Center (halfway house) receiving
an inmate from Bureau custody when the inmate is known to be HIV positive, under
treatment for exposure to or active TB, tested positive for the Coronavirus-19 and is
required to be quarantined with local, State, or Federal guidance, or immunization
status regarding certain infectious diseases required by law; (4) To the
physician/provider of a Bureau or non-Bureau staff, or other person exposed to a bloodborne pathogen while lawfully present in a Bureau facility, for the purpose of providing
prophylaxis or other treatment and counseling;
(k) The Department may disclose relevant and necessary information to a former
employee of the Department for purposes of: responding to an official inquiry by a
Federal, State, or local government entity or professional licensing authority, in
accordance with applicable Department regulations; or facilitating communications
with a former employee that may be necessary for personnel-related or other official
purposes where the Department requires information and/or consultation assistance
from the former employee regarding a matter within that person’s former area of
responsibility;
(l) To appropriate agencies, entities, and persons when: (1) the Department suspects
or has confirmed that there has been a breach of the system of records; (2) the
Department has determined that as a result of the suspected or confirmed breach there
is a risk of harm to individuals, the Department (including its information systems,
programs, and operations), the Federal Government, or national security; and (3) the
disclosure made to such agencies, entities, and persons is reasonably necessary to assist
in connection with the Department’s efforts to respond to the suspected or confirmed
breach or to prevent, minimize, or remedy such harm; and
(m) To another Federal agency or Federal entity, when the Department determines that
information from this system of records is reasonably necessary to assist the recipient

agency or entity in (1) responding to a suspected or confirmed breach, or (2)
preventing, minimizing, or remedying the risk of harm to individuals, the recipient
agency or entity (including its information systems, programs, and operations), the
Federal Government, or national security, resulting from a suspected or confirmed
breach.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
Information maintained in the system is stored in electronic media in Bureau
facilities via a configuration of personal computer, client/server, and mainframe systems,
and/or federally-authorized cloud architecture and may be accessed by only those staff
with a need-to-know at all Bureau and contractor facilities. Some information may be
stored on computerized media, e.g., hard disk, magnetic tape, digital recordings, and/or
Compact or Digital Video Discs (CD/DVDs). Documentary (paper) records are
maintained in manual file folders.
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
Records are retrieved by identifying data of the persons covered by this system,
including name, inmate register number, FBI number, Social Security number, alien
registration number, system-generated identification number, or miscellaneous
identification number. Records are also retrievable by institution, date, or type of
incident (e.g. inmate misconduct investigation).
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF
RECORDS:
Records in this system are retained for a period of thirty (30) years after the
expiration of the sentence. Records of an unsentenced inmate are retained for a period of
thirty (30) years after the inmate’s release from confinement. Documentary records are
destroyed by shredding; computer records are destroyed by degaussing and/or shredding.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
Information is safeguarded in accordance with Federal IT security requirements
and Bureau rules and policy governing automated information systems security,
including physical security and access controls. These safeguards include the
maintenance of records and technical equipment in restricted areas, the use of encryption
to protect data, and the required use of strong user authentication to access the system.
Only those authorized personnel who require access to perform their official duties may
access the system equipment and the information in the system. The data is also
segregated and encrypted, and staff’s ability to update inmate data is restricted absent
authorization. Documentary records are maintained in secure areas in locked fireproof
cabinets in guarded buildings and accessed only by authorized personnel.
RECORD ACCESS PROCEDURES:
The Attorney General has exempted this system of records from the notification,
access, amendment, and contest procedures of the Privacy Act. These exemptions apply
only to the extent that the information in this system is subject to exemption pursuant to
5 U.S.C. 552a(j). Where compliance would not appear to interfere with or adversely
affect the purposes of the system, or the overall law enforcement/intelligence process,
the applicable exemption (in whole or in part) may be waived by the BOP in its sole
discretion.
All requests for records may be made by writing to the Director, Federal Bureau
of Prisons, 320 First Street NW, Washington, DC 20534, and should be clearly marked
“Privacy Act Request.” In addition, the requester must provide a notarized statement or
an unsworn declaration made in accordance with 28 U.S.C. 1746, in the following
format: If executed outside the United States: “I declare (or certify, verify, or state)
under penalty of perjury under the laws of the United States of America that the
foregoing is true and correct. Executed on [date]. [Signature].” If executed within the

United States, its territories, possessions, or commonwealths: “I declare (or certify,
verify, or state) under penalty of perjury that the foregoing is true and correct. Executed
on [date]. [Signature].”
While no specific form is required, requesters may obtain a form (Form DOJ–
361) for use in certification of identity, available at
https://www.justice.gov/oip/page/file/1280011/download. In the initial request, the
requester may also include any other identifying data that the requester may wish to
furnish to assist the BOP in making a reasonable search. The request should include a
return address for use by the BOP in responding; requesters are also encouraged to
include a telephone number to facilitate BOP contacts related to processing the request.
A determination of whether a record may be accessed will be made after a request is
received.
The authorized next-of-kin must provide legal support of his/her status. A
statement may be substituted if it is notarized or sworn under penalty of perjury. To
obtain records for former inmates, the medical professional’s statement must be
notarized or sworn under penalty of perjury. To obtain records for current inmates, a
notation in the inmate’s medical records from the treating medical professional stating
the inmate is mentally incapable of making decision on his/her own behalf is required.
Former inmates’ requesting their own records must include the former inmate’s
full name, current address, date and place of birth. The signature on the request must be
notarized or sworn under penalty of perjury. A DOJ-Form 361 may be used to satisfy the
signature requirements.
Attorneys’ requests for medical records of their clients in civil or criminal matters
must include the current or former inmate’s full name, current address, date and place of
birth. The inmate’s written authorization to provide the medical records to an attorney
must be notarized or sworn under penalty of perjury. A DOJ-Form 361 may be used to

satisfy the authorization requirements. An attorney may complete and sign the DOJ-361
or submit a statement either notarized or sworn under penalty of perjury on behalf of the
inmate if: (1) the attorney submits a statement either notarized or sworn under penalty of
perjury s/he represents the inmate; and (2) The attorney proffers the medical records are
necessary to adequately represent his/her client.
CONTESTING RECORD PROCEDURES:
Individuals seeking to contest or amend records maintained in this system of
records must direct their requests to the address indicated in the “RECORD ACCESS
PROCEDURES” section, above. All requests to contest or amend records must be in
writing and the envelope and letter should be clearly marked “Privacy Act Amendment
Request.” All requests must state clearly and concisely what record is being contested,
the reasons for contesting it, and the proposed amendment to the record. Some
information may be exempt from the amendment provisions as described in the
“EXEMPTIONS PROMULGATED FOR THE SYSTEM” section below. An individual
who is the subject of a record in this system of records may contest or amend those
records that are not exempt. A determination of whether a record is exempt from the
amendment provisions will be made after a request is received.
More information regarding the Department’s procedures for amending or
contesting records in accordance with the Privacy Act can be found at 28 CFR 16.46,
“Requests for Amendment or Correction of Records.”
NOTIFICATION PROCEDURES:
Individuals may be notified if a record in this system of records pertains to them
when the individuals request information utilizing the same procedures as those identified
in the “RECORD ACCESS PROCEDURES” section, above.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
The Attorney General has exempted this system from subsections (c)(3) and (4),

(d), (e)(1), (e)(2), (e)(3), (e)(4) (H), (e)(5), (e)(8); (f); and (g) of the Privacy Act
pursuant to 5 U.S.C. 552a(j). See 28 CFR 16.97(a) and (n). Rules have been
promulgated in accordance with the requirements of 5 U.S.C., 553(b), (c) and (e), and
have been published in the Federal Register.
HISTORY:
67 FR 11712 (March 15, 2002): Last published in full;
72 FR 3410 (January 25, 2007): Added routine use;
82 FR 24147 (May 25, 2017): Rescinded 72 FR 3410 and added routine uses.
Billing Code 4410-36

[FR Doc. 2024-12221 Filed: 6/11/2024 8:45 am; Publication Date: 6/12/2024]