The Privacy Act

The FOIA/Privacy Act Division, in the Office of the Assistant Secretary for Public Affairs (ASPA), is the focal point for HHS Privacy Act administration, including the HHS System of Records Notices (SORNs) and Computer Matching Agreements (CMAs).

The Privacy Act of 1974, as amended to present, including Statutory Notes (5 U.S.C. 552a),

• Protects records about individuals retrieved by personal identifiers such as a name, social security number, or other identifying number or symbol. An individual has rights under the Privacy Act to seek access to and request correction (if applicable) or an accounting of disclosures of any such records maintained about him or her.
• Prohibits disclosure of such records without the prior, written consent of the individual(s) to whom the records pertain, unless one of the twelve disclosure exceptions enumerated in subsection (b) of the Act applies.
• Requires such records to be described in System of Records Notices (SORNs) published in the Federal Register and posted to the Internet.
• Includes rules (in Statutory Notes) governing collection of the Social Security Number (SSN), which apply regardless of whether the SSN will be included in records retrieved by personal identifier.
• With limited exceptions, prohibits maintenance of records describing how an individual exercises First Amendment rights.
• Binds only federal agencies and covers only records under the control of federal agencies (and, by contract, also applies to contractor personnel and systems used by a federal agency to maintain the records).
• HHS Privacy Act regulations (45 CFR Part 5b)
• FDA Privacy Act regulations (21 CFR Part 21)

For assistance with a Privacy Act question or complaint involving a specific HHS Operating Division’s records, you may contact the appropriate HHS Privacy Act Contacts.

To submit a Privacy Act request to HHS, please follow these instructions: How to Make a Privacy Act Request

Privacy Impact Assessments (PIAs)

E-Government Act of 2002 requires government agencies to assess the impact on privacy for systems that contain personally identifiable information in Privacy Impact Assessments (PIAs). All HHS PIAs are available online.

The Office of the Chief Information Officer (OCIO) within the Office of the Assistant Secretary for Administration (ASA) is the Departmental component responsible for compliance with the E-Government Act of 2002 and other Acts codified at 44 U.S.C. Chapter 35.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules contain privacy, security, and breach notification requirements that apply to individually identifiable health information created, received, maintained, or transmitted by health care providers who engage in certain electronic transactions, health transactions, health plans, health care clearinghouses, and their business associates.

The Office for Civil Rights (OCR) is the Departmental component responsible for implementing and enforcing the HIPAA Rules.

For questions about HIPAA or to file a HIPAA complaint, visit the OCR website (/hipaa), or call (800) 368-1019.