Skip to main content
U.S. flag

An official website of the United States government

Here’s how you know

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

HTTPS

Secure .gov websites use HTTPS
A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

  • About HHS
  • Programs & Services
  • Grants & Contracts
  • Laws & Regulations
  • Radical Transparency
  • Big Wins
Breadcrumb
  1. Home
  2. Grants & Contracts
  3. Contracts
  4. Contract Policies & Regulations
  5. HHS Acquisition Regulations (HHSAR)
  6. Part 324—Protection of Privacy and Freedom of Information
  • HHS Acquisition Regulations
    • Part 301—HHS Acquisition Regulation System
    • Part 302—Definitions of Words and Terms
    • Part 303—Improper Business Practices and Personal Conflicts of Interest
    • Part 304—Administrative Matters
    • Part 305—Publicizing Contract Actions
    • Part 306—Competition Requirements
    • Part 307—Acquisition Planning
    • Part 308—Required Sources of Supplies and Services
    • Part 309—Contractor Qualifications
    • Part 310—Market Research
    • Part 311—Describing Agency Needs
    • Part 312—Acquisition of Commercial Items
    • Part 314—Sealed Bidding
    • Part 315—Contracting by Negotiation
    • Part 316—Types of Contracts
    • Part 317—Special Contracting Methods
    • Part 319—Small Business Programs
    • Part 322—Application of Labor Laws to Government Acquisitions
    • Part 323—Renewable Energy Technologies, Occupational Safety
    • Part 324—Protection of Privacy and Freedom of Information
    • Part 326—Other Socioeconomic Programs
    • Part 327—Patents, Data, and Copyrights
    • Part 330—Cost Accounting Standards
    • Part 331—Contract Cost Principles and Procedures
    • Part 332—Contract Financing
    • Part 333—Protests, Disputes, and Appeals
    • Part 334—Major System Acquisition
    • Part 335—Research and Development Contracting
    • Part 336—Construction and Architect-Engineer Contracts
    • Part 337—Service Contracting—General
    • Part 339—Acquisition of Information Technology
    • Part 342—Contract Administration
    • Part 352—Solicitation Provisions and Contract Clauses
    • Part 370—Special Programs Affecting Acquisition
    • Subpart 313.3—Simplified Acquisition Methods

Part 324—Protection of Privacy and Freedom of Information

(SUBCHAPTER D—SOCIOECONOMIC PROGRAMS)

Sections:

  • Subpart 324.1—Protection of Individual Privacy
    • 324.103 Procedures for the Privacy Act.
    • 324.104 Restrictions on Contractor Access to Government or Third Party Information.
    • 324.105 Contract clauses.
  • Subpart 324.70—Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    • 324.7000 Scope of subpart.
    • 324.7001 Policy on Compliance with HIPAA Business Associate Contract Requirements.

Authority: 5 U.S.C. 301; 40 U.S.C. 121(c)(2).


Subpart 324.1—Protection of Individual Privacy

324.103 Procedures for the Privacy Act.

(a) The contracting officer shall review all acquisition request documentation to determine whether the requirements of the Privacy Act of 1974 (5 U.S.C. 552a) are applicable. The Privacy Act requirements apply when a contract or order requires the contractor to design, develop, or operate any Privacy Act system of records on individuals to accomplish an agency function. When applicable, the contracting officer shall include the two Privacy Act clauses required by Federal Acquisition Regulation (FAR) 24.104 in the solicitation and contract or order. In addition, the contracting officer shall include the two FAR Privacy Act clauses, and other pertinent information specified in this subpart, in any modification which results in the Privacy Act requirements becoming applicable to a contract or order.

(b) The contracting officer shall ensure that the statement of work or performance work statement (SOW or PWS) specifies the system(s) of records or proposed system(s) of records to which the Privacy Act and the implementing regulations are applicable or may be applicable. The contracting officer shall send the contractor a copy of 45 CFR part 5b, which includes the rules of conduct and other Privacy Act requirements.

(c) The contracting officer shall ensure that the contract SOW or PWS specifies for both the Privacy Act and the Federal Records Act the disposition to be made of the system(s) of records upon completion of contract performance. The contract SOW or PWS may require the contractor to destroy the records, remove personal identifiers, or turn the records over to the contracting officer. If there is a legitimate need for a contractor to keep copies of the records after completion of a contract, the contractor must take measures, as approved by the contracting officer, to keep the records confidential and protect the individuals’ privacy.

(d) For any acquisition subject to Privacy Act requirements, the requiring activity prior to award shall prepare and have published in the Federal Register a "system notice," describing the Department of Health and Human Services’ (HHS) intent to establish a new system of records on individuals, to make modifications to an existing system, or to disclose information in regard to an existing system. The requiring activity shall attach a copy of the system notice to the acquisition plan or other acquisition request documentation. If a system notice is not attached, the contracting officer shall inquire about its status and shall obtain a copy from the requiring activity for inclusion in the contract file. If a notice for the system of records has not been published in the Federal Register, the contracting officer may proceed with the acquisition but shall not award the contract until the system notice is published and the contracting officer verifies its publication.

Back to top

324.104 Restrictions on Contractor Access to Government or Third Party Information.

The contracting officer shall establish the restrictions that govern the contractor employees’ access to Government or third party information in order to protect the information from unauthorized use or disclosure.

Back to top

324.105 Contract clauses.

(a) The contracting officer shall insert the clause at 352.224-70, Privacy Act, in solicitations, contracts, and orders that require the design, development, or operation of a system of records to notify the contractor that it and its employees are subject to criminal penalties for violations of the Privacy Act (5 U.S.C. 552a(i)) to the same extent as HHS employees. The clause also requires the contractor to ensure each of its employees knows the prescribed rules of conduct in 45 CFR part 5b and each contractor employee is aware that he or she is subject to criminal penalties for violations of the Privacy Act. These requirements also apply to all subcontracts awarded under the contract or order that require the design, development, or operation of a system of records.

(b) The contracting officer shall insert the clause at 352.224-71, Confidential Information, in solicitations, contracts, and orders that require access to Government or to third party information.

Back to top

Subpart 324.70—Health Insurance Portability and Accountability Act of 1996

324.7000 Scope of subpart.

All individually identifiable health information that is Protected Health Information (PHI), as defined in 45 CFR 160.103 shall be administered in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) implementing regulations at 45 CFR parts 160 and 164 (the HIPAA Privacy, Security, and Breach Notification Rules). The term “HIPAA” is used in this part to refer to title II, subtitle F of the HIPAA statute, at part C of title XI of the Social Security Act, 42 U.S.C. 1320d et seq., section 264 of HIPAA, subtitle D of title XIII of the American Recovery and Reinvestment Act of 2009, and regulations under such provisions.

Back to top

324.7001 Policy on Compliance with HIPAA business associate contract requirements.

(a) HHS is a HIPAA “covered entity” that is a “hybrid entity” as these terms are defined at sections 160.103 and 164.103 respectively. As such, only the portions of HHS that the Secretary has designated as “health care components” (HCC) as defined at section 164.103, are subject to HIPAA. HHS’ HCCs may utilize persons or entities known as “business associates,” as defined at section 160.103. Generally, “business associate” means a “person” as defined by section 160.103 (including contractors, and third-party vendors, etc.) if or when the person or entity:

(1) Creates, receives, maintains, or transmits “protected health information”, as the term is defined at section 160.103, on behalf of an HHS HCC to carry out HHS HIPAA “covered functions” as that term is defined at 164.103; or

(2) Provides certain services to an HHS HCC that involve PHI.

(b) Where the Department as a covered entity is required by 45 CFR 164.502(e)(1) and 164.504(e) and, if applicable, sections 164.308(b)(3) and 164.314(a), to enter into a HIPAA business associate contract, the relevant HCC contracting officer, acting on behalf of the Department, shall ensure that such contract meets the requirements at section 164.504(e)(2) and, if applicable, section 164.314(a)(2).


Other Sections of the HHSAR:

  • HHS Acquisition Regulations Table of Contents
  • Previous Part: Part 323 Environment, Energy and Water Efficiency, Renewable Energy Technologies, Occupational Safety, and Drug–Free Workplace
  • Next Part: Part 326 Other Socioeconomic Programs

Back to top

Content last reviewed December 18, 2015
Back to top

Subscribe to Email Updates

Receive the latest updates from the Secretary and Press Releases.

Subscribe
  • Contact HHS
  • Careers
  • HHS FAQs
  • Nondiscrimination Notice
  • Press Room
  • HHS Archive
  • Accessibility Statement
  • Privacy Policy
  • Budget/Performance
  • Inspector General
  • Web Site Disclaimers
  • EEO/No Fear Act
  • FOIA
  • The White House
  • USA.gov
  • Vulnerability Disclosure Policy
HHS Logo

HHS Headquarters

200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll Free Call Center: 1-877-696-6775​

Follow HHS

Follow Secretary Kennedy