HIPAA Regulations: The Privacy Act - Relationship to Other Federal Laws
As Contained in the HHS HIPAA Rules
HHS Description
The Privacy Act of 1974, 5 U.S.C. 552a, prohibits disclosures of records contained in a system of records maintained by a federal agency (or its contractors) without the written request or consent of the individual to whom the record pertains. This general rule is subject to various statutory exceptions. In addition to the disclosures explicitly permitted in the statute, the Privacy Act permits agencies to disclose information for other purposes compatible with the purpose for which the information was collected by identifying the disclosure as a “routine use” and publishing notice of it in the Federal Register. The Act applies to all federal agencies and certain federal contractors who operate Privacy Act systems of records on behalf of federal agencies.
Some federal agencies and contractors of federal agencies that are covered entities under the privacy rules are subject to the Privacy Act. These entities must comply with all applicable federal statutes and regulations. For example, if the privacy regulation permits a disclosure, but the disclosure is not permitted under the Privacy Act, the federal agency may not make the disclosure. If, however, the Privacy Act allows a federal agency the discretion to make a routine use disclosure, but the privacy regulation prohibits the disclosure, the federal agency will have to apply its discretion in a way that complies with the regulation. This means not making the particular disclosure.
HHS Response to Comments Received: Relationship to Other Federal Laws - The Privacy Act
Comment: One comment suggested that the final rule unambiguously permit the continued operation of the statutorily established or authorized discretionary routine uses permitted under the Privacy Act for both law enforcement and health oversight.
Response: We disagree. See the discussion of the Privacy Act in "Relationship to Other Federal Laws" above.