
The Privacy Act

The FOI/Privacy Acts Division is the focal point for the HHS Privacy Act administration, including the HHS Systems of Records Notices (SORN).


The Privacy Act of 1974, as amended at 5 U.S.C. 552a,

  • Protects records that can be retrieved by personal identifiers such as a name, social security number, or other identifying number or symbol. An individual is entitled to access to his or her records and request correction of these records, if applicable.
  • Prohibits disclosure of records without the written consent of the individual(s) to whom the records pertain, unless one of the twelve disclosure exceptions enumerated in the Act applies.
  • Requires an agency to publish in the Federal Register a system of records notice for every collection of records from which information can be retrieved by a personal identifier.
  • Binds only federal agencies and covers only records in the possession and control of federal agencies. The Department of Health and Human Services has specific Privacy Act Regulations.

If your privacy inquiry concerns a specific HHS Operating Division’s records, you may contact the appropriate HHS Privacy Act Contacts.

System of Records Notices (SORNs)

The Privacy Act of 1974 requires agencies to create and maintain a System of Records Notices (SORNs).

A system of records consists of any item, collection, or grouping of information about an individual from which records can be retrieved by searching by name or other identifier unique to the individual. SORNs identify the legal authority for collecting and storing the records, the individuals about whom the records will be collected, the kinds of information that are collected, and how the records will be used.

Privacy Impact Assessments (PIAs)

The E-Government Act of 2002 requires government agencies to assess the impact on privacy of systems that contain personally identifiable information in Privacy Impact Assessments (PIAs). All HHS PIAs are available online.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains privacy protection provisions that apply to health information created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses.

The HHS regulation that implements the HIPAA privacy provisions, Standards for Privacy of Individually Identifiable Health Information, applies to entities covered by HIPAA. The Office for Civil Rights (OCR) is the Departmental component responsible for implementing and enforcing the HIPAA privacy regulation.

For questions, visit the OCR FAQ database or call (800) 368-1019.

Content created by Freedom of Information Act (FOIA) Division
Content last reviewed on August 28, 2015