• Text Resize A A A
  • Print Print
  • Share Share on facebook Share on twitter Share

HHS Privacy Policy Notice

This privacy policy describes what information HHS collects from you when you visit our websites and how we handle that information. This policy applies to HHS.gov and a number of other HHS websites with unique domains, such as StopBullying.gov. However, some HHS websites maintain their own privacy policies. You can find links to the applicable privacy policy in the footer of every HHS website.

For HHS.gov and other HHS websites under this privacy policy:

  • We do not collect personally identifiable information (PII) about you unless you choose to provide that information to us.
  • Any personally identifiable information (PII) you choose to provide is protected by privacy and security practices.
  • We may automatically collect and temporarily store information related to your visit to our website that is not personally identifiable information (PII).
  • HHS does not disclose, give, sell, or transfer any personally identifiable information (PII) about our visitors unless required for law enforcement or by federal law.

See the topics below for detailed information on HHS privacy:

Health Information Privacy
For more information on your health information privacy and security rights, or on the HIPAA Privacy and Security Rules, visit the HHS Office for Civil Rights website.


HHS Privacy Program

It is the mission of HHS to enhance and protect the health and well-being of all Americans. HHS fulfills that mission by providing effective health and human services and fostering advances in medicine, public health, and social services. HHS recognizes the importance of protecting the personally identifiable information (PII) entrusted to us by millions of members of public and employees alike, and has built a robust privacy program to safeguard this information and ensure that HHS upholds Americans' privacy rights.

Privacy Impact Assessments (PIAs)
The list of PIAs and Third-Party Websites and Applications (TWPA) PIAs is available at HHS Privacy Impact Assessments.

Publicly Available Agency Policies on Privacy
For a list of all publicly available HHS privacy policies, including any directives, instructions, handbooks, manuals, or other guidance, visit:

Publicly Available Agency Reports on Privacy
For a list of the Department's publicly available privacy reports, see HHS Plans & Reports.

Privacy Act Information
To learn more about what is covered under the Privacy Act, please read information about the Privacy Act at HHS. If you have privacy questions or issues regarding the Privacy Act, contact an HHS Privacy Act Official. Also see the Privacy Act of 1974 (Department of Justice).

  • System of Records Notices (SORNs)
    HHS publishes SORNs to provide public notice of the records it maintains about individuals which are retrieved by personal identifier. For a list of all of the Department's systems of records see HHS SORNs.
  • Computer Matching Notices and Agreements (CMAs)
    For the complete list of the HHS matching programs currently in effect including the matching agreements and public notice describing each program, see HHS Computer Matching Agreements.
  • Exemptions to the Privacy Act
    For more information on the Department's final rules published in the Federal Register that promulgate Privacy Act exemptions claimed for HHS's systems of records, see the HHS Privacy Act.
  • Privacy Act Implementation Rules
    For a list of Privacy Act implementation rules promulgated pursuant to 5 U.S.C. § 552a(f), see the HHS Privacy Act.
  • Instructions for Submitting a Privacy Act Request
    For instructions for individuals who wish to request access to or amendment of their records pursuant to 5 U.S.C. § 552a(d), see How to Make a Privacy Request.

Contact Information for Submitting a Privacy Question or Complaint
Individuals who wish to submit a privacy question or complaint should submit it to one of these contacts:


What is Personally Identifiable Information (PII)?

PII is information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.

PII can include:

  • Sensitive data, such as medical, financial, or legal information;
  • "Neutral" information, such as name, facial photos, or work address; and
  • Contextual information, such as a file for a specific health condition that contains a list of treated patients.

HHS Privacy Officials

Contact Information for the Senior Agency Official for Privacy

The HHS Chief Information Officer (CIO) also holds the position of Senior Agency Official for Privacy (SAOP), ensuring privacy receives senior-level recognition and has visibility across the Department.

For HHS SAOP please email:

Chief Information Officer
Senior Agency Official for Privacy
Email: PrivacyProgramMailbox@hhs.gov

Contact Information for the HHS Operating Divisions Senior Officials for Privacy

Each Operating Division has, at a minimum, a Senior Official for Privacy (SOP) to oversee privacy compliance activities. The SOP contact information is included below:

Administration for Children and Families (ACF)
Anita Alford
OCIO.Privacy@acf.hhs.gov

Administration of Community Living (ACL)
Jacques Newgen
Jacques.Newgen@acl.hhs.gov

Agency for Healthcare Research and Quality (AHRQ)
Tim Erny
AHRQSecureAHRQ@ahrq.hhs.gov

Centers for Disease Control and Prevention (CDC)
Beverly Walker
BEWalker@cdc.gov

Centers for Medicare and Medicaid Services (CMS)
Michael Pagels
privacy@cms.hhs.gov

Food and Drug Administration (FDA)
Cullen Cowley
FDAPrivacyOffice@fda.hhs.gov.

Health Resources and Services Administration (HRSA)
Brent Kopp
hrsaprivacy@hrsa.gov

Indian Health Service (IHS)
Heather H. McClane
Heather.McClane@ihs.gov

National Institutes of Health (NIH)
Celeste Dade-Vinson
privacy@mail.nih.gov

Office of Inspector General (OIG)
OIG Senior Official for Privacy
SOP@oig.hhs.gov

Office of the Secretary (OS) and Program Support Center (PSC)
Vanessa Baur
OSPrivacyMailbox@hhs.gov

Substance Abuse and Mental Health Services Administration (SAMHSA)
Ammar Ahmad
Ammar.Ahmad@samhsa.hhs.gov / Info.Privacy@samhsa.hhs.gov


Information Automatically Collected and Stored

When you visit our websites, we use Google's Universal Analytics (UA) software to automatically gather and temporarily store a variety of information about your visit. The basic information we collect during your visit includes:

  • The name of the domain you use to access the Internet (for example, Verizon.com if you are using a Verizon online account or stanford.edu if you are connecting from Stanford University's domain);
  • The date and time of your visit to our website;
  • The pages and documents you viewed on our website;
  • The URL of the website you visited prior to ours;
  • The type and version of your Web browser and operating system; and
  • Your location at the time of your visit, down to the city-level.

We do not associate any of the data we automatically collect with your personally identifiable information (PII). Instead, we aggregate this data from all users' visits in order to improve our website and provide a better user experience to our visitors. The aggregate data is available only to Web managers and other designated staff who require this information to perform their duties. We retain this information only for as long as needed for proper analysis. The Google Analytics Privacy Policy is available at https://www.google.com/intl/en/policies/privacy/


Personally Identifiable Information (PII) Voluntarily Submitted to HHS

If you choose to provide HHS with your personally identifiable information (PII) —for example, by completing a "Contact Us" form, leaving a comment, sending an email, or completing a survey—we may use that information to respond to your message and/or help us get you the information or services you requested. Submitting personally identifiable information (PII) such as name, address, telephone number, email address, etc. is voluntary and is not required to access information on our website.

We retain the information only for as long as necessary to respond to your question or request, in most cases no longer than three months. We maintain and destroy information submitted electronically as required by the Federal Records Act and the National Archives and Records Administration's (NARA) records schedules. It may be subject to disclosure in certain cases (for example, if required by a Freedom of Information Act (FOIA) request, court order, or Congressional access request, or if authorized by a Privacy Act SORN). The information is subject to the Privacy Act if maintained in a Privacy Act system.

HHS also automatically receives information when you visit our websites that is not personally identifiable information (PII). For more information, see Information Automatically Collected and Stored.

For more information, see:


Interaction with Children Online

The Department will take all reasonable steps necessary to protect the privacy and safety of any child from whom we collect information, as required by the Children's Online Privacy Protection Act (COPPA). A child's parent or guardian is required to provide consent before HHS collects, uses, or shares personally identifiable information (PII) from a child under age 13.

Specific HHS websites will provide information and instructions for how we obtain consent when collecting information about a child. The website will specify exactly what how the information is used, who sees it, and how long it is kept.

If you are under 13 and visit any websites, the law says that you and your parents are in charge of what personally identifiable information (PII) the websites can know about you. Some examples of personally identifiable information (PII) are your full name, home address, email address, phone number, age, and gender.


Cookies

Websites can automatically place small text files, known as "cookies," on their visitors' computers. Cookies identify the unique browser used by the visitor unless you delete them or they expire. On each subsequent visit to the website, the visitor's browser will retrieve the cookie, allowing HHS to aggregate the number of return visitors. HHS uses "cookies" to test and optimize our websites' design and content. We use two types of cookies on HHS websites:

  • We use session cookies to gather data for technical purposes, such as improving navigation through our website and generating statistics about how the website is used. Session cookies are temporary text files that expire when you leave our website. Cookies delete automatically from your computer as soon as they expire. We do not use session cookies to collect personally identifiable information (PII), and we do not share data collected from session cookies.
  • We use multi-session cookies, or persistent cookies, to customize our website for frequent visitors and to test variations of website design and content. Multi-session cookies are cookies that are stored over more than a single session on your computer. We do not use multi-session cookies to collect personally identifiable information (PII), and we do not share data collected from multi-session cookies. Our multi-session cookies expire two years after your last visit to our website. These cookies delete automatically from your computer as soon as they expire.

You can block cookies from your computer by opting out . Blocking session cookies from your computer will not affect your access to the content and tools on our websites. Blocking multi-session or persistent cookies may affect the personalization of the information on these websites.


Demographic and Interest Data

On some portions of our website, we have enabled Google's Universal Analytics (UA) and other third-party software (listed below) to provide aggregate demographic and interest data of our visitors. While some websites use these tools to present you with advertisements, HHS only uses them to measure demographic data. HHS has no control over advertisements presented to you on other websites. This means that third-party vendors, including Google, may show you public health campaign advertisements created by HHS and its agencies on non-government websites based on your visits to HHS websites. For the software listed below, we have included links to the company's websites where you can opt-out of having these tools collect data and/or serve you interest-based advertising.

DoubleClick: HHS uses DoubleClick to understand the characteristics and demographics of the people who visit HHS websites. HHS staff only conducts analyses on the aggregated data from DoubleClick. DoubleClick does not collect personally identifiable information (PII) from HHS websites. The DoubleClick Privacy Policy is available at https://www.google.com/intl/en/policies/privacy/.

You can opt-out of receiving DoubleClick advertising at https://support.google.com/ads/answer/2662922?hl=en.

Quantcast: HHS uses Quantcast to understand the characteristics and demographics of the people who visit HHS websites. HHS staff only conducts analyses on the aggregated data from Quantcast. Quantcast does not collect personally identifiable information (PII) from HHS websites. The Quantcast Privacy Policy is available at https://www.quantcast.com/how-we-do-it/consumer-choice/privacy-policy/.

You can opt-out of Quantcast at https://www.quantcast.com/opt-out/.


Third-Party Websites and Applications Used by HHS

HHS maintains official pages or accounts on third-party websites in order to better engage and communicate with the public. Third-party websites are websites that we do not maintain or control. We have accounts on some third-party websites so we can connect with people interested in health and human services information. Examples of third-party websites that HHS uses include YouTube, Facebook, Instagram, and Twitter.

All official HHS information available on third-party websites is also available on HHS websites. The third-party website's security and privacy policies govern your activity on their website. Users of third-party websites often share information with the public, user communities, and/or the third-party organization operating the website. It is important for you to review the privacy policies of third-party websites so you understand how they use and share your information. You should also adjust the privacy settings of your account on any third-party website to match your preferences.

If you have an account or profile with a third-party website and choose to follow, like, friend, or comment on a third-party website managed by HHS, certain personally identifiable information (PII) associated with your account may be available to us based on the privacy policies of the third-party website and your privacy settings within that website. We do not share personally identifiable information available through these websites.

HHS conducts and publishes a Privacy Impact Assessment (PIA) for each use of a third-party website. Each use of a third-party website may have unique features or practices. HHS sometimes collects and uses the information made available through third-party websites.

In order to comply with the Federal Records Act, HHS archives some information that users submit or publish when engaging with the HHS through official HHS pages or accounts on third-party websites (e.g., by sending a message, posting a comment, "following," "friending," or taking similar actions). This information may contain personally identifiable information (PII), such as an individual's username, other public account information, and any information provided in a message or comment, when such information is available based on the user's privacy settings and the terms of the site. For example:

  • On Facebook, HHS may automatically archive posts, messages, replies and comments sent to or from official HHS.gov accounts in the following sections: 'About,' 'Albums,' 'Event details,' 'Event discussions,' 'Photo activity,' 'Private messages,' 'Reviews' and 'Timeline activity'.

HHS uses the following third-party websites and applications.

AddThis: HHS offers AddThis on its websites, giving visitors the option to bookmark and share HHS website content on certain social media websites. Using AddThis on HHS websites does not require registration or personally identifiable information (PII). The AddThis Privacy Policy is available at http://www.addthis.com/privacy.

ArchiveSocial: HHS uses ArchiveSocial to interface directly with each social network to capture and preserve data in its native form. The ArchiveSocial Privacy Policy is available at https://archivesocial.com/privacy/.

Bit.ly: HHS uses Bit.ly to shorten long URLs for use in email and social media messages. Bit.ly provides analytics on how many people clicked on the URLs distributed by HHS. Bit.ly analytics do not provide any personally identifiable information (PII) about the visitors who click the shortened links. The Bit.ly Privacy Policy is available at http://bit.ly/pages/privacy.

CrazyEgg: HHS uses CrazyEgg to obtain information on how visitors are interacting with specific pages on HHS.gov websites. This allows HHS to evaluate and, if necessary or beneficial, to modify its websites to improve value and usability. The data CrazyEgg collects includes information about how visitors navigate around a website and the most commonly clicked links on a specific page. CrazyEgg does not collect personally identifiable information (PII). The Crazy Egg Privacy Policy is available at http://www.crazyegg.com/privacy.

Google AdWords: HHS occasionally uses Google AdWords to provide online advertisement delivery and tracking. HHS may employ tools provided by Google AdWords to support Display Advertising, including Remarketing, Google Display Network Impression Reporting, data collection via advertising cookies and anonymous identifiers, the DoubleClick Campaign Manager integration, and Google Analytics Demographics and Interest Reporting. This means that third-party vendors, including Google, may show you public health campaign advertisements created by HHS and its agencies on non-government websites based on your visits to HHS websites. To implement these tools, HHS and third-party vendors, including Google, use first-party cookies and third-party cookies together to inform, optimize, and serve ads based on past visits to HHS websites. These cookies collect information about visits to HHS websites, but do not collect personally identifiable information (PII). The Google AdWords Privacy Policy is available at https://www.google.com/intl/en/policies/privacy/.

Google Analytics: HHS may employ tools provided by Google Analytics to support Display Advertising, including Remarketing, Google Display Network Impression Reporting, data collection via advertising cookies and anonymous identifiers, the DoubleClick Campaign Manager integration and/or Google Analytics Demographics and Interest Reporting. This means that third-party vendors, including Google, may show you public health campaign advertisements created by HHS and its agencies on non-government websites based on your visits to HHS websites. To implement these tools, HHS and third-party vendors, including Google, use first-party cookies and third-party cookies together to inform, optimize, and serve ads based on past visits to HHS websites. These cookies collect information about visits to HHS websites, but do not collect personally identifiable information (PII). The Google Analytics Privacy Policy is available at https://www.google.com/intl/en/policies/privacy/.

Pagefreezer: HHS uses Pagefreezer archiving software to archive content from the HHS.gov website and five topical websites. This software does not require users to submit personally identifiable information (PII), nor does HHS ask for this information. Pagefreezer Privacy Policy is available at https://www.pagefreezer.com/privacy-policy/.

Qualtrics: HHS uses Qualtrics survey software approved by the Federal Risk and Authorization Management Program (FEDRamp) to collect feedback from HHS website visitors. Qualtrics is implemented on HHS websites both as on-page and pop-up surveys. HHS uses survey results to measure visitor satisfaction with HHS websites. This survey software does not require users to submit personally identifiable information (PII), nor does HHS ask for this information in its surveys. The survey reports are available only to HHS managers, members of the HHS Communications and Web Teams, and other designated HHS staff who require this information to perform their job duties. The Qualtrics Privacy Policy is available at https://www.qualtrics.com/privacy-statement/.

Salesforce: HHS uses Salesforce to email newsletters and other messages to visitors who subscribe to them on HHS websites. Only HHS staff and managers who email newsletters using Salesforce or monitor the results of email initiatives have access to the subscriber lists. Salesforce never allows access to the subscriber lists to anyone outside of HHS for any purpose. Salesforce also provides aggregate data, such as email open rates and total clicks on links. The Salesforce Privacy Policy is available at https://www.salesforce.com/company/privacy/full_privacy/.

Widgets: HHS offers widgets that provide specific HHS site content to any website that includes the widget code. You can install an HHS widget on any website simply by adding the HHS-provided code to a website's source HTML code. If you choose to install HHS widgets, they will not collect any type of personally identifiable information (PII) from your websites visitors.


Website Security

In order to maintain website security and ensure HHS websites are available to the public, we use software programs to monitor traffic and identify unauthorized attempts to upload or change information or otherwise cause damage to HHS websites. Law enforcement may use information from these tools to help identify an individual in the event of investigations and as part of any required legal process.

The U.S. Government maintains this website and there are federal laws that protect it. The government can arrest and prosecute individuals for illegal activity if they violate these laws.

Content created by Assistant Secretary for Public Affairs (ASPA)
Content last reviewed