The Privacy Act of 1974: 5 U.S.C. Section 552a, as amended

Overview and Requirements

The Privacy Act aims to protect the privacy of personal information held by the Federal government and was created in response to concerns about how both computerized and paper-based records systems might impact an individual's right to privacy. It safeguards privacy through the implementation of the Code of Fair Information Practices into operational and procedural requirements. Government agencies must provide records pertaining to an individual upon request from that individual, if the records are maintained in a Privacy Act system of records. In addition, the Privacy Act places restrictions on how agencies can share an individual's data with other people and agencies.

The Privacy Act requires agencies to:

  • Publish the details of all of their “system of records” in the Federal Register;
  • Show an individual any records kept on them, make copies, and correct any factually incorrect information;
  • Provide members of the public with a notification statement to explain the legal authorization to collect information, the purpose of the collection, the intended use of the information, to whom it may be disclosed, and what, if any, consequences there will be if the information is not provided;
  • Set limits on how agencies can share an individual's data; and
  • Follow the "fair information practices" when gathering and handling personal data.

The Privacy Act identifies key mandates for Federal agencies to protect members of the public:

  • Applies to Federal records about U.S. citizens and permanent residents;
  • Limits an agency’s ability to disclose information in a "system of records";
  • Restricts the sharing of personal information between agencies;
  • Requires agencies to retain the minimum amount of information "relevant and necessary" to accomplish purposes; and
  • Requires that agencies keep a correct accounting of when, and to whom, they disclose information.

The Privacy Act contains multiple provisions for handling systems of records:

  • Defines a record as any item, collection, or group of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph (Privacy Act, 5 U.S.C. Section 552a(a)(4));
  • Defines a system of records as a group of any records under the control of an agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. (Privacy Act, 5 U.S.C. Section 552a(a)(5));
  • Requires agencies to provide a Privacy Act Notice when collecting personal information in order to provide an explanation of the intended uses for obtaining information;
  • Requires the agency collecting the information to publish a System of Records Notice (SORN) in the Federal Register no less than 40 days prior to collection of the information;
  • Charges the Office of Management and Budget (OMB) with developing guidelines on how agencies should interpret and implement provisions of the Privacy Act;
  • Provides "right of action" for members of the public when an agency violates the Privacy Act;
  • Provides law enforcement exemptions; and
  • Requires Government agencies to disclose personally identifiable information (PII) so long as it is captured in the SORN’s ‘routine uses’ when creating or altering the system of records.

NIH Privacy Act Exceptions & Exemptions

The Privacy Act provides that the agency will provide access to records within its possession unless one of the exceptions or general/specific exemptions applies. The exact language of the exemptions can be found in the Privacy Act.

Most of the NIH Privacy Act Systems of Records are non-exempt, meaning that no exemption rule is claimed for the system of records. This means the records contained within the system are releasable to the subject of the file in their entirety. However, there are exceptions to the rule:

  • Records that contain information about a third party; and
  • Information that is not about the subject of the file, and therefore not accessible under the Privacy Act.

Records that are excepted from Privacy Act access include:

(d)(5) – 5 U.S.C. Section 552a(d)(5) (Litigation Protection) – "records compiled in reasonable anticipation of a civil action or proceeding."

Records that are exempted from Privacy Act access include:

General Exemptions 5 U.S.C. Section 552a(j):

  • (j)(1) – 5 U.S.C. Section 552a(j)(1) (CIA Systems of Records) – "records maintained by the Central Intelligence Agency"; and
  • (j)(2) – 5 U.S.C. Section 552a(j)(2) (Criminal Investigatory Records) – "records maintained by an agency or component thereof which performs as its principal function any activity pertaining to the enforcement of criminal laws". This requirement is usually met by such obvious law enforcement components as the FBI, DEA and BATF. In addition, Justice Department components such as the U.S. Parole Commission, the Federal Bureau of Prisons, and the Office of the Pardon Attorney, have been held to qualify as "principal function" criminal law enforcement entities.

Specific Exemptions 5 U.S.C. Section 552a(k):

  • (k)(1) – 5 U.S.C. Section 552a(k)(1) (Classified Records) - "subject to the provisions of section 552(b)(1) of this title";
  • (k)(2) – 5 U.S.C. Section 552a(k)(2) (Law Enforcement Investigative Records) - "investigatory material compiled for law enforcement purposes other than material within the scope of subsection (j)(2) of this section";
  • (k)(3) – 5 U.S.C. Section 552a(k)(3) (Secret Service Records) - "records maintained in connection with providing protective services to the President of the United States or other individuals pursuant to Section 3056 of Title 18";
  • (k)(4) – 5 U.S.C. Section 552a(k)(4) (Statistical Records) - "records required by statute to be maintained and used solely as statistical records";
  • (k)(5) – 5 U.S.C. Section 552a(k)(5) (Background Investigative Records) - "investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for federal civilian employment, military service, federal contracts, or access to classified information but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the government under an express promise that the identity of the source would be held in confidence, or, prior to the effective date of this section [9-27-75], under an implied promise that the identity of the source would be held in confidence";
  • (k)(6) – 5 U.S.C. Section 552a(k)(6) (Testing Records) - "testing or examination material used solely to determine individual qualifications for appointment or promotion in the federal service the disclosure of which would compromise the objectivity or fairness of the testing or examination process"; and
  • (k)(7) – 5 U.S.C. Section 552a(k)(7) (Military Evaluation Records) - "evaluation material used to determine potential for promotion in the armed services, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the government under an express promise that the identity of the source would be held in confidence, or, prior to the effective date of this section [9-25-75], under an implied promise that the identity of the source would be held in confidence".

How Do I Submit a Privacy Act (PA) Request for Records?

The Privacy Act of 1974, 5 U.S.C. Section 552a, as amended, affects the ways in which Federal agencies and their employees collect, maintain, use, and disseminate information concerning individuals. The primary purpose of the Act is to safeguard personal privacy by requiring safeguards for personal information collected or maintained by Federal agencies, and by providing individuals access to, and the right to amend, records that agencies maintain about them.

The Department of Health and Human Services (HHS) regulations govern the notification and access requirements for Privacy Act systems of records maintained by NIH. In accordance with Department policy, NIH may not maintain records on individuals unless: (1) it is relevant and necessary to accomplish an NIH or Department function required by statute or Executive Order; (2) the information in the record is acquired to the greatest extent practicable directly from the subject individual (when maintenance of the record may result in a determination about the subject individual’s rights, benefits or privileges under Federal programs); and (3) you, as the individual providing the record, are informed at the time the record is collected of the authority NIH has for requesting the record (45CFR Section 5b.4(a)).

When a Privacy Act record exists in a system of records, the subject individual (the individual to whom the record pertains) may request access to his or her record.

However, it is the responsibility of the requestor "to specify which systems of records they wish to have searched and the records to which they wish to have access" (45CFR5b.5(a)(2)).

Because the Privacy Act requires that a Federal agency inform individuals of their rights at the time an agency collects personally identifiable information, you should be aware of instances in which NIH may have collected information from or about you. By providing NIH with the specific Institute or Center (IC) at NIH where a study may have been conducted, you will enhance our ability to find any records we may have about you in our systems, if any. Upon receipt of a written request, we will refer your letter to the appropriate NIH Institute or office for response. Should you have further questions, please contact the NIH OSOP at the address below.

In cases where an individual knows that a specific record exists and wishes to obtain access to a record contained within this system of record, they may write to the System Manager listed in the applicable SORN. For a complete list of all SORNs used at NIH, visit:
http://oma.od.nih.gov/ms/privacy/pa-files/read02systems.htm.

Individuals may also contact the appropriate IC Privacy Coordinator, found at:
http://oma.od.nih.gov/about/contact/browse.asp?fa_id=3.

The individual should reasonably specify the record contents being sought. The individual may also request an accounting of disclosure of their records, if any.

To determine if a record exists, write to the System Manager as indicated above.

When preparing your PA request, please follow these instructions:

  • Submit a written request (requests sent via facsimile or electronic mail will not be accepted as the identity of the requestor cannot be verified);
  • Verify your identity by providing either a notarization of the request or a written certification that you are who you claim to be and understand that the knowing and willful request of a record pertaining to an individual under false pretenses is a criminal offense under the Act, subject to a five thousand dollar fine;
  • Provide the subject individual’s name and current mailing address. An individual requesting notification of or access to sensitive records, such as medical records, may be required to further verify identity with regard to particulars in the requested record, e.g., date or place of birth, educational institution attended, social security number, etc.;
  • State that the records are requested under the Privacy Act of 1974, as amended;
  • Identify the records requested. It is the requester’s responsibility "to specify which systems of records he wishes to have searched and the records to which he wishes to have access" (45 CFR 5b.5(a)(2)). Be as specific as possible and include the approximate dates the information was collected, the types of information collected, and, where known, the official responsible for the collection of the information;
  • Include a daytime telephone number in the event that additional information is needed before responding to requests; and
  • Mark the outside of the envelope "Privacy Act Request" and mail it to the appropriate System Manager or IC Privacy Coordinator listed on the NIH Systems of Record Notice. You may also send it to the NIH Privacy Act Officer at the following address:
    NIH Privacy Act Officer
    National Institutes of Health
    6011 Executive Boulevard
    Suite 601, MSC 7669
    Bethesda, Maryland 20892-7669

Medical Records:

Individuals requesting reproduction of partial or complete medical records from the NIH Clinical Center need to also provide NIH-527 "Authorization for the Release of Medical Information," which can be obtained by contacting the following:

NIH Clinical Center
Medical Record Department
Attention: Medicolegal Section
10 Center Drive, MSC 1192
Building 10, Room 1N216
Bethesda, Maryland 20892-1192
(301) 496-3331

The patient, or the parent/guardian or legal designee of a minor or incompetent patient, may request release of medical information. The request must be made in writing and signed by the patient or the patient's parent/guardian/legal designee. The parent/guardian/designee must provide adequate documentation to verify both their own identity and their relationship to the patient.

Individuals will be granted access to their medical records unless the System Manager determines that such access is likely to have an adverse effect on the individual and potentially cause harm.

In cases where the System Manager has determined that the nature of the record information requires medical interpretation, the subject of the record shall be requested to designate, in writing, a responsible representative who will be willing to review the record and inform the subject individual of its contents at the representative's discretion. The representative may be a physician, health professional, or other responsible individual. In this case, the medical record will be sent to the designated representative. Individuals will be informed in writing if the record is sent to the representative. This same procedure will apply in cases where a parent/guardian/legal designee requests notification of, or access to, a minor or incompetent patient’s medical record.

Background Investigation Records:

To request Privacy Act records collected as part of a background investigation necessary to issue an NIH I.D., please visit: http://www.hhs.gov/foia/

Privacy Act Fees

45CFR Section 5b.13 Fees.
(a) Policy

Where applicable, fees for copying records will be charged in accordance with the schedule set forth in this section:

  • Fees may only be charged when an individual requests that a copy be made of the record to which he/she is granted access;
  • No fee may be charged for making a search of the system of records whether the search is manual, mechanical, or electronic;
  • Where a copy of the record must be made in order to provide access to the record (e.g., computer printout where no screen reading is available), the copy will be made available to the individual without cost; and
  • Where a medical record is made available to a representative designated by the individual or to a physician or health professional designated by a parent or guardian under section 5b.6 of this part, no fee will be charged.

(b) Fee schedule. The fee schedule for the Department is as follows:

  • Copying of records susceptible to photocopying – $0.10 per page;
  • Copying records not susceptible to photocopying – at actual cost to be determined on a case-by-case basis; and
  • No charge will be made if the total amount of copying does not exceed $25.00.

How Do I Submit a Privacy Act Appeal for Denial of Records?

Requesters who wish to appeal the denial of records must do so within 30 days of the receipt of a letter from NIH. The following information should be provided:

  • Reasons why the requested information should be released under the Act; and
  • Why the denial may be in error.

Privacy Act requesters submitting an appeal should attach a copy of their original request and response letter to their appeal, clearly mark the letter and the outside envelope "Privacy Act Appeal" and mail the documents to the following address:

Deputy Assistant Secretary for Public Affairs
U.S. Department of Health and Human Services
Parklawn Building, Room 17A-46
5600 Fishers Lane
Rockville, MD 20857

How Do I Submit a Privacy Act Appeal for Refusal to Correct or Amend a Record?

Records that contain information that is inaccurate, incomplete, untimely, or irrelevant may be amended. To contest such information, individuals should contact the System Manager. The individual should reasonably identify the record, specify the information contested, the corrective action sought, and state the reason(s) for requesting the correction, along with supporting information to show how the record is inaccurate, incomplete, untimely, or irrelevant.

Requesters who wish to appeal the refusal of NIH to correct or amend the individual’s record must do so within 30 days of the receipt of a letter from NIH. The following information should be provided:

  • Reasons why the requested information should be corrected or amended under the Act; and
  • Why the denial may be in error.

PA requesters wishing to submit an appeal should attach a copy of their original request and response letter to their appeal, clearly mark the letter and the outside envelope "Privacy Act Appeal" and mail the documents to the following address:

NIH Privacy Act Officer
National Institutes of Health
6011 Executive Boulevard
Suite 601, MSC 7669
Bethesda, Maryland 20892-7669

How Do I Know if Something is Personally Identifiable Information (PII) or Sensitive Information?

The links below provide information regarding PII and sensitive information.

OCIO Information Security - Personally Identifiable Information:
http://ocio.nih.gov/security/PIIProtection.html

Guide for Identifying Sensitive Information Including PII:
http://ocio.nih.gov/security/NIH_Sensitive_Info_Guide.doc

Encryption FAQs:
http://cit.nih.gov/Support/FAQ/EncryptionFAQ/default.htm

Suspected or Confirmed Privacy Incidents

NIH will report and take action to remediate privacy incidents involving the disclosure of personally identifiable information (PII) according to law, regulations, and applicable Office of Management and Budget (OMB), HHS, and NIH policies.

Policies and Procedures

NIH Manual Chapter 1825 – Information Collection from the Public:
http://www1.od.nih.gov/oma/manualchapters/management/1825/

NIH Manual Chapter 1745 – NIH Information Technology (IT) Privacy Program:
http://www3.od.nih.gov/oma/manualchapters/management/1745/

Paperwork Reduction Act and PRA/OMB Clearance: Policies and Procedures:
http://oma.od.nih.gov/ms/privacy/Paperwork Reduction Act and PRA_OMB Clearance.ppt

Roles and Responsibilities

NIH PRIVACY ACT OFFICER AND IC PRIVACY COORDINATORS

Education and Outreach

NIH Privacy Awareness Training:
http://irtsectraining.nih.gov

HHS Privacy Awareness Training:
http://hhsu.learning.hhs.gov/PrivacyAwareness/index.html

Frequently Asked Questions (FAQs)

1. Why have a Privacy Act?

  • We have a constitutional right to privacy. Amendment IV of the U.S. Constitution says “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated…”;
  • Individual privacy is affected by the collection, maintenance, use and dissemination of information by Federal agencies; and
  • The use of the internet, computers and other technology creates the possibility for faster and greater distribution, which could lead to greater harm.

2. What does the Privacy Act do?

  • Limits the collection of personal information;
  • Prevents secret Government record systems;
  • Prevents secret use of Government records;
  • States individuals' rights to see and correct records;
  • Requires safeguards to be implemented to protect the security and accuracy of the information; and
  • Allows for civil remedies and criminal penalties to be assessed for violations under the Privacy Act.

3. Who does the Privacy Act cover and not cover?

  • The Privacy Act covers:
    • U.S. citizens
    • Resident aliens
  • The Privacy Act does not cover:
    • Non-resident aliens
    • The deceased
    • Organizations

4. When is NIH allowed to collect my information?

  • NIH may not legally maintain records on individuals unless:
    • The information is relevant and necessary to accomplish an NIH or Department function required by statute or Executive Order;
    • The information in the record is acquired to the greatest extent practicable directly from the subject individual; and
    • The individual providing the record is informed when the record is collected under the authority NIH has for requesting the record.

5. When are supervisor notes considered agency records?

  • Supervisor notes are agency records when they are:
    • Used as the basis for an employment action; and
    • Otherwise made a part of an employee’s personnel file and treated as official agency documentation.
  • Supervisor notes are NOT agency records when they are:
    • The personal property of the supervisor only;
    • Never circulated or shared with others;
    • Never passed to replacement supervisors or those acting in the absence of the supervisor;
    • Used as memory joggers only; and
    • Not used as official agency documentation.

6. What is a Privacy Act Records System?

  • A group of records (more than one), not available in the public domain;
  • A record that contains information about an individual that is personal in nature (e.g., name, age, sex, gender, ethnicity, home address, phone, SSN, medical credentials, medical, financial and/or educational background, etc.); and
  • A record designed to be retrieved by the individual’s name, or another personal identifier such as an ID number, protocol number, photo, fingerprint, etc.

7. What is a System of Records Notice (SORN)?

  • A document posted in the Federal Register that notifies the public of what information is contained in a specific system and how that information is collected, used, maintained, and disseminated in relation to other systems; and
  • A SORN also explains how individuals may gain access to information about themselves.

8. How do I submit a records request?

  • An individual who wishes to request a specific record must submit a request in writing to the appropriate NIH Institute or Center (IC) that collected and maintains that record;
  • The written request should be as specific as possible. Please describe what type of information was collected, why it was collected, when it was collected, and, if known, who (individual or organization) collected it; and
  • For more details regarding this process, please reference the "How Do I Submit a Privacy Act (PA) Request for Records?" segment of the Privacy Act section of this website.

9. How do I amend an incorrect record?

  • An individual who notices that a record is incorrect must submit a request in writing to the appropriate NIH IC that collected and maintains that record;
  • The written notice should include the current record and provide an accurate correction of the record; and
  • For more details regarding this process, please reference the "How Do I Submit a Privacy Act (PA) Request for Records?" segment of the Privacy Act section of this website.

10. Can I appeal the denial to access or correct my information?

  • Requesters who wish to appeal NIH’s decision to deny access to, or to refuse to correct or amend, his or her record must do so within 30 days of the receipt of a decision letter from NIH. Appeals should include the following information:
    • Reasons why the requested information should be corrected or amended under the Act; and
    • Why the denial may be in error.
  • PA requesters wishing to submit an appeal should attach to their appeal a copy of their original request and response letter, clearly mark the letter and the outside envelope "Privacy Act Appeal" and mail the documents to the following address:

    NIH Privacy Act Officer
    National Institutes of Health
    6011 Executive Boulevard
    Suite 601, MSC 7669
    Bethesda, Maryland 20892-7669

11. Are there circumstances in which certain information cannot be released?

  • NIH will provide access to records within its possession unless one of the exceptions or exemptions applies:
    • The records contain information about a third party;
    • Information that is not about the subject of the file, and therefore not accessible under the Privacy Act;
    • Records were compiled in reasonable anticipation of a civil action or proceeding;
    • Records are maintained by the CIA; or
    • Records are maintained by an agency or component thereof which performs as its principal function any activity pertaining to the enforcement of criminal laws.
  • For more specific details regarding exemptions, please reference the "NIH Privacy Act Exceptions & Exemptions" segment of the Privacy Act section of this website.

12. Where can I find information regarding the Paperwork Reduction Act (PRA) / Office of Management and Budget (OMB) Clearance procedures?

  • NIH PRA/OMB Website: http://www.hhs.gov/ocio/policy/collection/infocollectfaq.html
  • The Paperwork Reduction Act (PRA) of 1995 requires agencies to obtain approval from OMB prior to soliciting and/or obtaining identical information from ten or more members of the public in multiple forms. PRA/OMB approval is required whether the Federal agency collects the information itself or uses an outside agent or contractor. OMB requires 90-120 days to approve new information collections and renew existing approvals.
  • You can click on the Office of Extramural Research (OER) Intranet website at: http://odoerdb2.od.nih.gov/oer/policies/project_clearance/pcb.htm to obtain a list of NIH PRA/OMB Project Clearance Liaisons, and get more information about whether your IT system has been approved for PRA/OMB information collection.

13. Where can I find information about the HIPAA Privacy Rule?

  • For additional information on a wide range of topics about the Privacy Rule, please visit the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Privacy Rule Web Site at: www.hhs.gov/ocr/hipaa/. You can also call the OCR Privacy toll-free phone line at (866) 627-7748. Information about OCR's civil rights authorities and responsibilities can be found on the OCR home page at: www.hhs.gov/ocr.

14. Where can I find guidance regarding the HIPAA Privacy Rule and the Electronic Exchange of Health Information?

  • The HHS OCR has published new HIPAA Privacy Rule guidance as part of the Department’s Privacy and Security Toolkit to implement The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information (Privacy and Security Framework). The Privacy and Security Framework and Toolkit is designed to establish privacy and security principles for health care stakeholders engaged in the electronic exchange of health information and includes tangible tools to facilitate implementation of these principles. The new HIPAA Privacy Rule guidance in the Toolkit discusses how the Privacy Rule supports and can facilitate electronic health information exchange in a networked environment. In addition, the guidance includes documents that address electronic access by an individual to his or her protected health information and how the Privacy Rule may apply to and supports the use of Personal Health Records. HIPAA guidance documents are available at: http://www.hhs.gov/ocr/hipaa/hit/. For more information on the Privacy and Security Framework and to view other documents in the Privacy and Security Toolkit, visit: http://www.hhs.gov/healthit/privacy/framework.html.

15. Can I subscribe to an electronic listserv in order to receive information sent directly to my email inbox?

16. Who can I contact if a person or organization covered by the Privacy Rule violates my health information privacy rights?

  • NIH does not meet the definition of a “covered entity” and is therefore not covered by HIPAA because it does not bill third parties for the health care they receive at the Clinical Center. However, if you believe that a person or organization outside of NIH who is covered by the Privacy Rule (a "covered entity") violated your health information privacy rights or otherwise violated the Privacy Rule, you may file a complaint with OCR. For additional information about how to file a complaint, see the Fact Sheet "How to File a Health Information Privacy Complaint," available at: http://www.hhs.gov/ocr/privacyhowtofile.htm.

17. Where can I find information about the Family Educational Rights and Privacy Act (FERPA) regulation and other helpful information?

  • FERPA is a Federal law that protects the privacy of students’ “education records.” (See 20 U.S.C. § 1232g; 34 CFR Part 99). The HIPAA Privacy Rule requires covered entities to protect individuals’ health records and other identifiable health information and gives patients rights over their health information. The guidance is available at: http://www.hhs.gov/ocr/hipaa. Information about the Family Policy Compliance Office (FPCO) is available at: http://www.ed.gov/policy/gen/guid/fpco/index.html.

18. Where can I find U.S. Department of Health and Human Services (HHS) and U.S. Department of Education (ED) joint guidance on the application of FERPA and HIPAA to Student Health Records?

  • The Departments of Education and Health and Human Services have jointly released guidance to explain the relationship between the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, and to address apparent confusion on the part of school administrators, health care professionals, and others as to how these two laws apply to student health records. The guidance also addresses certain disclosures that are allowed without consent or authorization under both laws, especially those disclosures related to health and safety emergency situations. The guidance was developed in response to the “Report to the President on Issues Raised by the Virginia Tech Tragedy” (June 13, 2007) as well as to address questions the respective Departments have heard generally from stakeholders regarding the intersection of the HIPAA Privacy Rule and FERPA. The Departments of Health and Human Services and Education are committed to a continuing dialogue with school officials and other professionals on these important matters affecting the safety and security of our nation’s schools. While this guidance seeks to answer many questions that school officials and others have had about the intersection of these federal laws, ongoing discussions may cause more issues to emerge. Contact information for submitting additional questions or suggestions for purposes of informing future guidance is provided at the end of the guidance document available at: http://www.hhs.gov/vtreport.html.

The Freedom of Information Act (FOIA), Public Law 104-231

Learn more about the process to request personal records on file at NIH at: http://www.nih.gov/icd/od/foia/index.htm
FOIA text: http://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htm

The Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191

Learn more about the HIPAA privacy rule and how it impacts NIH research at: http://privacyruleandresearch.nih.gov/
HIPAA text: http://www.cms.hhs.gov/HIPAAGenInfo/Downloads/HIPAALaw.pdf

HHS Office of Civil Rights - HIPAA Privacy Rule Website:
http://www.hhs.gov/ocr/hipaa/

Family Educational Rights and Privacy Act (FERPA)

Family Educational Rights and Privacy Act (FERPA):
http://www.ed.gov/policy/gen/guid/fpco/index.html

Definitions

Fair Information Practices: A general term for a set of standards that govern the collection, maintenance, use, and dissemination of personal information by Federal agencies and address issues of privacy.

Personally Identifiable Information (PII): Any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual. (Defined in OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments)

Note: The acronyms IIF and PII are often used interchangeably.

Privacy Act Information: Any type of IIF/PII collected and maintained on an individual that is in a records system designed to be retrieved by the individual's name or by some unique identifier assigned to the individual.

Privacy Act Record: "Any item, collection, or group of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph." 5 U.S.C. § 552a(a)(4)

Routine Use: Under the Privacy Act, regarding the disclosure of a record, the use of such record for a purpose that is compatible with the purpose for which it was collected. (Defined in the Privacy Act of 1974)

Sensitive Information: Any information the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs or the privacy to which individuals are entitled under [the Privacy Act] but which has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense or foreign policy. (Defined in the Computer Security Act of 1987)

System of Records Notice (SORN): All systems with Privacy Act information contained within them require publication of a “System Notice” in the Federal Register that informs the public of what information is contained in the system, how it is used, how individuals may gain access to information about themselves, and other specific aspects of the system. (Defined in HHS Cybersecurity Program Information Security Program Privacy Impact Assessment (PIA) Guide)

References

Privacy Act of 1974 (5 U.S.C. Section 552a, as amended):
http://www.justice.gov/opcl/privstat.htm
http://www.justice.gov/opcl/1974privacyact-overview.htm

Freedom of Information Act:
http://www.usdoj.gov/oip/foiastat.htm

OMB Instructions for Complying with the President’s Memorandum "Privacy and Personal Information in Federal Records":
http://www.whitehouse.gov/omb/memoranda/m99-05-b.html

Children's Online Privacy Protection Act of 1998:
http://www.ftc.gov/ogc/coppa1.htm

Circular No. A-130:
http://63.161.169.137/omb/circulars/a130/a130.html

HHS Cyber Security Privacy Website:
http://intranet.hhs.gov/infosec/privacy.html

HHS Privacy Act Regulations:
http://www.access.gpo.gov/nara/cfr/waisidx_99/45cfr5b_99.html

NIH, HHS, and Federal Privacy Act Systems of Records Notices (SORNs):
http://oma.od.nih.gov/ms/privacy/pa-files/read02systems.htm

SORN Checklist:
http://oma.od.nih.gov/ms/privacy/System of Records Notice Review Checklist.doc

NIH Privacy Act Notification - Criteria and Sample Statements to be considered for posting on NIH websites as well as paper and electronic forms used to collect information:
http://oma.od.nih.gov/ms/privacy/NSCriteria.doc

NIH Website Privacy Policy Statement:
http://www.nih.gov/about/privacy.htm


Last updated on:
March 24, 2009
