Skip Navigation

Restrictions on Government Access to Health Information

45 CFR Part 160, Subpart C; 164.512(f)  (Download a copy in PDF)

Under the HIPAA Privacy Rule, government-operated health plans and health care providers must meet substantially the same requirements as private ones for protecting the privacy of individual identifiable health information. For instance, government-run health plans, such as Medicare and Medicaid plans, must take virtually the same steps to protect the claims and health information that they receive from beneficiaries as private insurance plans or health maintenance organizations (HMO). In addition, all Federal agencies must also meet the requirements of the Privacy Act of 1974, which restricts what information about individual citizens – including any personal health information – can be shared with other agencies and with the public.
The only new authority for government involves enforcement of the protections in the Privacy Rule itself. To ensure that covered entities protect patients’ privacy as required, the Rule requires that health plans, hospitals, and other covered entities cooperate with efforts by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to investigate complaints or otherwise ensure compliance.

For more information, please review our Frequently Asked Questions about the Privacy Rule.

December 3, 2002 Revised April 3, 2003