The Privacy Act

The FOI/Privacy Acts Division is the focal point for HHS Privacy Act administration, including the HHS System of Records Notices (SORN).

The Privacy Act of 1974, as amended to present (5 U.S.C. 552a),

  • Protects records about individuals that are retrieved by a personal identifier such as a name, Social Security number, or other identifying number or symbol. An individual has the right under the Privacy Act to seek access to any such records maintained about him or her, to request correction of them where applicable, and to obtain an accounting of disclosures made from them.
  • Prohibits disclosure of such records without the prior, written consent of the individual(s) to whom the records pertain, unless one of the twelve disclosure exceptions enumerated in subsection (b) of the Act applies.
  • Requires such records to be described in System of Records Notices (SORNs) published in the Federal Register and posted to the Internet.
  • Binds only federal agencies and covers only records under the control of federal agencies (and, by contract, also applies to contractor personnel and systems used by a federal agency to maintain such records).

The Act is implemented within the Department by the following regulations:

  • HHS Privacy Act regulations (45 CFR Part 5b)
  • FDA Privacy Act regulations (21 CFR Part 21)

For assistance with a Privacy Act question or complaint involving a specific HHS Operating Division’s records, you may contact the appropriate HHS Privacy Act Contacts.

To submit a Privacy Act request to HHS, please follow these instructions: How to Make a Privacy Act Request

Privacy Impact Assessments (PIAs)

The E-Government Act of 2002 requires federal agencies to conduct Privacy Impact Assessments (PIAs) for systems that contain personally identifiable information. All HHS PIAs are available online.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules contain privacy, security, and breach notification requirements that apply to individually identifiable health information created, received, maintained, or transmitted by covered entities (health care providers who conduct certain health care transactions electronically, health plans, and health care clearinghouses) and their business associates.

The Office for Civil Rights (OCR) is the Departmental component responsible for implementing and enforcing the HIPAA Rules.

For questions about HIPAA or to file a HIPAA complaint, visit the OCR website or call (800) 368-1019.

Content created by Freedom of Information Act (FOIA) Division