The Privacy Act
The FOI/Privacy Acts Division is the focal point for the administration of the Privacy Act in HHS, including the HHS Systems of Records Notices (SORN).
The Privacy Act of 1974, as amended at 5 U.S.C. 552a, protects records that can be retrieved by personal identifiers such as a name, social security number, or other identifying number or symbol. An individual is entitled to access to his or her records and to request correction of these records if applicable.
The Privacy Act prohibits disclosure of these records without the written consent of the individual(s) to whom the records pertain unless one of the twelve disclosure exceptions enumerated in the Act applies. These records are held in Privacy Act systems of records. A notice of any such system is published in the Federal Register. These notices identify the legal authority for collecting and storing the records, individuals about whom records will be collected, what kinds of information will be collected, and how the records will be used.
The Privacy Act binds only Federal agencies, and covers only records in the possession and control of Federal agencies. The Department of Health and Human Services has specific Privacy Act Regulations.
If your privacy inquiry concerns a specific HHS Operating Division’s records, you may contact the appropriate HHS Privacy Act Contacts.
The Privacy Act of 1974 requires that agencies create and maintain, as necessary, System of Records Notices (SORN) as defined in the Privacy Act. A system of records consists of any item, collection, or grouping of information about an individual, where those records can be retrieved by the name of the individual or by some other type of identifier unique to the individual.
E-Government Act of 2002 requires government agencies to assess the impact on privacy for systems that collect personally identifiable information in Privacy Impact Assessments (PIAs). All HHS PIAs are available online.
The privacy provisions of the federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), apply to health information created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses. The Department of Health and Human Services (HHS) has issued the regulation, “Standards for Privacy of Individually Identifiable Health Information," applicable to entities covered by HIPAA. The Office for Civil Rights (OCR) is the Departmental component responsible for implementing and enforcing the HIPAA privacy regulation.
You can search the Office for Civil Rights (OCR) frequent questions database by searching or by selecting a category. If you didn’t find your answer, you can also call (800) 368-1019.