Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

Https

The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Law Library


A

Act to Regulate the Issue and Validity of Passports, And For Other Purposes, 1926 (as amended)

22 U.S.C. § 211a, Passports

Overview

This law provides that the U.S. Department of State is in charge of granting and issuing U.S. passports.

Americans with Disabilities Act of 1990 (ADA) & Rehabilitation Act

Americans with Disabilities Act (ADA)
Americans with Disabilities Act (ADA)
42 U.S.C. §§ 12101 et seq
42 U.S.C. § 12112(d) Discrimination
Rehabilitation Act (Rehab Act)

29 U.S.C. §§ 701 et seq (Chapter 16 Vocational Rehabilitation and Other Rehabilitation Services)

Overview

The ADA prohibits discrimination and guarantees that people with disabilities have the same opportunities as everyone else to participate in the mainstream of American life — to enjoy employment opportunities, to purchase goods and services, and to participate in State and local government programs and services. Modeled after the Civil Rights Act of 1964, which prohibits discrimination on the basis of race, color, religion, sex, or national origin – and Section 504 of the Rehabilitation Act of 1973 — the ADA is an “equal opportunity” law for people with disabilities.

The ADA, at 42 U.S.C. § 12112(d), generally prohibits medical examinations and inquiries of job applicants unless the inquiry is about the ability of the applicant to perform job related functions. The ADA does authorize medical examinations and inquiries by employers with regard to an employee’s request for reasonable accommodation for a disability. In both instances, there are confidentiality requirements that attach to the records and information gathered.

The Rehabilitation Act of 1973 (also known as the “Rehab Act”) prohibits discrimination on the basis of disability in programs run by federal agencies; programs that receive federal financial assistance; in federal employment; and in the employment practices of federal contractors. The standards for deciding if employment discrimination exists under the Rehab Act are the same as those used in Title I of the ADA.

The Rehab Act, at 29 C.F.R. § 791(f) and §793(d), provides that these sections of the ADA apply equally to those entities subject to the Rehab Act.

The Americans with Disabilities Act Amendments Act of 2008 (Public Law 110-325) (ADAAA) further amended the definition of “individual with a disability” and amended sections 12101, 12102, 12111 to 12114, 12201 and 12210 of the ADA and section 705 of the Rehab Act. The ADAAA also enacted sections 12103 and 12205a and re-designated sections 12206 to 12213.

Sources:
Introduction to the ADA
Rehabilitation Act of 1973 (disability.gov)
Titles I and V of the Americans with Disabilities Act of 1990 (ADA)
The Rehabilitation Act of 1973 (EEOC)

Aviation and Transportation Security Act of 2001

49 U.S.C. § 114 Transportation Security Administration
49 U.S.C. § 44909 Passenger Manifests
See also: Pub. Law 107-71

Overview

President Bush signed the Aviation and Transportation Security Act into law in November 2001, requiring screening conducted by federal officials, 100 percent checked baggage screening, expansion of the Federal Air Marshal Service and reinforced cockpit doors. The Transportation Security Administration (TSA) was created to oversee security in all modes of transportation.

Source:
Transportation Security Timeline

B

Bank Secrecy Act (BSA)

31 U.S.C. § 310

Overview

The Currency and Foreign Transactions Reporting Act of 1970 (which legislative framework is commonly referred to as the “Bank Secrecy Act” or “BSA”) requires U.S. financial institutions to assist U.S. government agencies to detect and prevent money laundering. Specifically, the Act requires financial institutions to keep records of cash purchases of negotiable instruments, file reports of cash transactions exceeding $10,000 (daily aggregate amount), and to report suspicious activity that might signify money laundering, tax evasion, or other criminal activities. It was passed by the Congress of the United States in 1970. The BSA is sometimes referred to as an anti-money laundering” law (“AML”) or jointly as “BSA/AML.” Several AML Acts, including provisions in Title III of the USA PATRIOT Act of 2001, have been enacted up to the present to amend the BSA. (See 31 USC 5311-5330 and 31 CFR Chapter X [formerly 31 CFR Part 103] )

Sec. 31 U.S.C. § 310 (c)(2) requires the US Department of the Treasury, Financial Crimes Enforcement Network (FinCEN) to provide appropriate standards and guidelines for determining who is to be given access to the information maintained by FinCEN; what limits are to be imposed on the use of such information; and how information about activities or relationships which involve or are closely associated with the exercise of constitutional rights is to be screened out of the data maintenance system.

When investigating potential money laundering or Bank Secrecy Act (BSA) violations, the key test (related statute test) is whether, under the facts and circumstances of the particular case, the money laundering and BSA provisions are considered related to the administration of the Internal Revenue laws.

Source:
FinCEN’s Mandate from Congress

C

Census (Title 13)

Overview

The Census Bureau is bound by Title 13 of the United States Code. These laws not only provide authority for the work it does, but also provide strong protection for the information it collects from individuals and businesses. People sworn to uphold Title 13 are legally required to maintain the confidentiality of respondent data. Every person with access to respondent data is sworn for life to protect your information and understands that the penalties for violating this law are applicable for a lifetime.

Sources:
Title 13 – Protection of Confidential Information
Oath of Non-Disclosure

Children’s Online Privacy Protection Act (COPPA)

15 U.S.C. §§ 6501-6505

Overview

COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.

Source: Federal Trade Commission “Children’s Online Privacy Protection Rule (“COPPA”)

Clinical Laboratory Improvement Amendments of 1988 (CLIA)

42 U.S.C. § 263a

Overview

The Clinical Laboratory Improvement Amendments of 1988 (CLIA) is an amendment to the Public Health Services Act in which Congress revised the federal program for certification and oversight of clinical laboratory testing. Two subsequent amendments were made after 1988. The law continues to be cited as CLIA ’88 as named in legislation. In general terms, the CLIA regulations establish quality standards for laboratory testing performed on specimens from humans, such as blood, body fluid and tissue, for the purpose of diagnosis, prevention, or treatment of disease, or assessment of health. The Centers for Medicare & Medicaid Services (CMS) regulates all laboratory testing (except research) performed on humans in the U.S. through CLIA. In total, CLIA covers approximately 254,000 laboratory entities. The Division of Laboratory Services, within the Survey and Certification Group, under the Center for Clinical Standards and Quality (CCSQ) has the responsibility for implementing the CLIA Program.

Sources:
CLIA: Laws and Regulations (CDC)
Clinical Laboratory Improvements Act (CMS)

  • CLIA regulations allow laboratories to give a patient, or a person designated by the patient, his or her “personal representative,” access to the patient’s completed test reports on the patient’s or patient’s personal representative’s request. To align with this requirement, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule also provides individuals (or their personal representatives) with the right to access test reports directly from laboratories subject to HIPAA (CLIA-certified or CLIA-exempt laboratories). While patients can also get access to their laboratory test reports from their doctors, they have the option to obtain their test reports directly from the laboratory while maintaining strong protections for patients’ privacy. The rules are issued jointly by three agencies within the U.S. Department of Health and Human Services: the Centers for Medicare & Medicaid Services (CMS), which is generally responsible for laboratory regulation under CLIA, the Centers for Disease Control and Prevention (CDC), which provides scientific and technical advice to CMS related to CLIA, and the Office for Civil Rights (OCR), which is responsible for enforcing the HIPAA Privacy Rule.

    Sources:
    HHS Strengthens Patients’ Right to Access Lab Reports
    CLIA Program and HIPAA Privacy Rule; Patients’ Access to Test Reports (79 FR 7289, February 6, 2014)

  • 42 CFR Part 493
    45 CFR Part 164

  • U.S. Department of Health and Human Services

    Centers for Medicare and Medicaid Services

Communications Assistance for Law Enforcement Act (CALEA)

47 U.S.C. §§ 1001-1010

Overview

In response to concerns that emerging technologies such as digital and wireless communications were making it increasingly difficult for law enforcement agencies to execute authorized surveillance, Congress enacted CALEA on October 25, 1994. CALEA requires a “telecommunications carrier,” as defined by the CALEA statute, to ensure that equipment, facilities, or services that allow a customer or subscriber to “originate, terminate, or direct communications,” enable law enforcement officials to conduct electronic surveillance pursuant to court order or other lawful authorization. CALEA is intended to preserve the ability of law enforcement agencies to conduct electronic surveillance by requiring that telecommunications carriers and manufacturers of telecommunications equipment design and modify their equipment, facilities, and services to ensure that they have the necessary surveillance capabilities as communications network technologies evolve. CALEA is limited to Telecommunications Carriers as defined by the Act and interpreted by the FCC. In addition, CALEA specifically exempts “Information Services”, which includes many Internet based communications service providers, electronic storage providers and electronic messaging services.

Source: Communications Assistance for Law Enforcement Act

Communications Act of 1934

TITLE 47—TELECOMMUNICATIONS

47 U.S.C. §§ et seq 47 U.S.C. § 222, Privacy of Customer Information
47 U.S.C. § 338(i), Privacy Rights of Satellite Subscribers
47 U.S.C. § 551, Protection of Subscriber Privacy
47 U.S.C. § 605, Unauthorized Publication or Use of Communications
See also, The Communications Act of 1934

Overview

The Communications Act of 1934 (the “Act”) combined and organized federal regulation of telephone, telegraph, and radio communications. The Act created the Federal Communications Commission (FCC) to oversee and regulate these industries. The Act is updated periodically to add provisions governing new communications technologies, such as broadcast, cable and satellite television. The Act, as amended, is an expansive statue regulating U.S. telephone, telegraph, television, and radio communications. Its seven subchapters regulate virtually all aspects of the communications and broadcasting industry, including assignment of frequencies, rates and fees, standards, competition, terms of subscriber access, commercials, broadcasting in the public interest, government use of communications systems. The Act also provides for more detailed regulation and oversight via the establishment of the FCC.

Source: The Communications Act of 1934

Consolidated Appropriations Act of 2005

Public Law No. 108-447 (see division H, title V, section 522)
Public Law No. 108-447

Overview

The Consolidated Appropriations Act of 2005 (the “Act”) requires that each agency, subject to the Act:

  • shall have a Chief Privacy Officer to assume primary responsibility for privacy and data protection policy. (Sec. 522(a))
  • shall establish and implement comprehensive privacy and data protection procedures governing the agency’s collection, use, sharing, disclosure, transfer, storage and security of information in an identifiable form relating to the agency employees and the public. (Sec. 522(b))
  • shall prepare a written report of its use of information in an identifiable form, along with its privacy and data protection policies and procedures and record it with the Inspector General of the agency to serve as a benchmark for the agency. (Sec. 552(c))
  • [a]t least every 2 years . . . shall have performed an independent, third party review of the use of information in identifiable form as the privacy and data protection procedures of the agency. (Sec. 522(d))
  • [u]pon completion of a review, the Inspector General of an agency shall submit to the head of that agency a detailed report on the review. (Sec. 522(e))

Confidentiality of Medical Quality Assurance Records

38 U.S.C. §§ 5701 – 5728

Overview

Records and documents created by the Department of Veterans Affairs (VA) as part of a medical quality-assurance program are confidential and privileged and may not be disclosed to any person or entity except as provided in 38 U.S.C. § 5705.

  • The VA’s National Center for Patient Safety (NCPS) has developed an internal, confidential, non-punitive system— the Patient Safety Information System. This reporting and analysis system allows users to electronically document patient safety information from across the VA so that “lessons learned” can benefit the entire system. A combined total of more than 1,000,000 root cause analysis reports and safety reports have been entered into the reporting system since it was established. Confidentiality is a key reason for the system’s success. Because the Patient Safety Information System is part of a medical quality assurance program, the information within it is protected from disclosure under 38 U.S.C. § 5705.

    Source: V.A. National Center for Patient Safety

  • Regulations Text
    38 C.F.R. § 17.500-511

Cybersecurity Information Sharing Act of 2015 (CISA)

6 U.S.C. §§ 149, 151, 1501-1510, 1521-1525, 1531-1533

Overview

On December 18, 2015, the President signed the Cybersecurity Act of 2015 (CISA) into law. Congress enacted CISA, Title I of the Cybersecurity Act, to direct the Department of Homeland Security (DHS)—in collaboration with other named agencies—to create a voluntary cybersecurity information sharing process that will protect participants from certain types of liability and encourage public and private entities to share cyber threat information in real-time while protecting the privacy and civil liberties of individuals.

Source: Privacy and Civil Liberties Final Guidelines: Cybersecurity Information Sharing Act of 2015"

D

Drug Abuse Prevention, Treatment, and Rehabilitation Act

42 U.S.C § 290dd–2

Overview

Confidentiality of substance use disorder (alcohol and drug abuse) patient records is required under 42 U.S.C § 290dd–2 and 42 C.F.R Part 2. The statute and regulation require that records related to patient treatment of substance use disorders remain confidential subject to certain specific exceptions or patient consent to disclose such information. The statute extends to cover “any program or activity relating to substance abuse education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.”

Source: Listening Session Comments on Substance Abuse Treatment Confidentiality Regulations

E

E-Government Act of 2002 (Section 208)

44 U.S.C. § 3501 note
See also, Public Law 107-347

Overview

The availability of information, from personal information to public information, is made all the easier today due to technological changes in computers, digitized networks, internet access, and the creation of new information products. The E-Government Act of 2002 recognized that these advances also have important ramifications for the protection of personal information contained in government records and systems.

Privacy Impact Assessments (“PIAs”) are required by Section 208 of the E-Government Act for all Federal government agencies that develop or procure new information technology involving the collection, maintenance, or dissemination of information in identifiable form or that make substantial changes to existing information technology that manages information in identifiable form. A PIA is an analysis of how information in identifiable form is collected, stored, protected, shared, and managed. The purpose of a PIA is to demonstrate that system owners and developers have incorporated privacy protections throughout the entire life cycle of a system. The Act requires an agency to make PIAs publicly available, except when an agency in its discretion determines publication of the PIA would raise security concerns, reveal classified (i.e., national security) information, or sensitive (e.g., potentially damaging to a nation interest, law enforcement effort or competitive business interest contained in the assessment) information.

Source: E-government Act of 2002, Department of Justice

Education Sciences Reform Act of 2002 (ESRA)

20 U.S.C. §§ 9501-9584
20 U.S.C. § 9573 Confidentiality

Overview

Institute of Education Sciences (IES). The mission of IES is to provide rigorous evidence on which to ground education practice and policy. This is accomplished through the work of its four centers: the National Center for Education Evaluation, the National Center for Education Research, the National Center for Education Statistics, and the National Center for Special Education Research.

Section 208 of the Education Sciences Reform Act of 2002 states, “All collection, maintenance, use, and wide dissemination of data by the Institute, including each office, board, committee, and center of the Institute, shall conform with the requirements of section 552a of title 5, United States Code, the confidentiality standards of subsection (c) of this section, and sections 444 and 445 of the General Education Provisions Act (20 U.S.C. §§ 1232g, 1232h).”

Further that “the Director shall ensure that all individually identifiable information about students, their academic achievements, their families, and information with respect to individual schools, shall remain confidential in accordance with section 552a of title 5, United States Code, the confidentiality standards of subsection (c) of this section, and sections 444 and 445 of the General Education Provisions Act (20 U.S.C. §§ 1232g, 1232h).”

The prohibitions of Section 9573 of Title 20 include:

  • No person may use any individually identifiable information furnished…for any purpose other than a research, statistics, or evaluation purpose.
  • No person may make any publication whereby the data furnished by any particular person…can be identified.
  • No person may permit anyone other than the individuals authorized by the Director to examine the individual reports.

Electronic Communications Privacy Act of 1986 (ECPA)

18 U.S.C. §§ 1367, 2521, 2701 – 2712,3117, 3121 – 3127
18 U.S.C. § 2510 – 2522 Wire and Electronic Communications Interception and Interception of Oral Communications (Wiretap Act)
18 U.S.C. §§ 2701-12. Stored Wire and Electronic Communications and Transactional Records Access (Stored Communications Act)
18 U.S.C. §§ 3121 – 3227 Pen Registers and Trap and Trace Devices
See also: Public Law 99-508

Overview

The Electronic Communications Privacy Act (ECPA) of 1986 created additional privacy protections for stored electronic communications and updated the Federal Wiretap Act to cover electronic communications as well as oral and wire communications. Title II of the ECPA established a comprehensive system of protections for stored communications codified at 18 U.S.C. §§ 2701-2712 which has come to be referred to as the Stored Communications Act (SCA). The ECPA, as amended, protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers. The Act applies to email, telephone conversations, and data stored electronically

Source: Justice Information Sharing, Electronic Communications Privacy Act of 1986

F

Fair Credit Reporting Act (FCRA)

15 U.S.C. § 1681

Overview

Overview The Fair Credit Reporting Act (FCRA) promotes the accuracy, fairness, and privacy of consumer information contained in the files of consumer reporting agencies. If your company meets the definition of a “consumer reporting agency” (CRA), if you furnish information to CRAs, or if you use that information for certain purposes, you may have obligations under the FCRA.

Source: Federal Trade Commission, Credit Reporting

Family Educational Rights and Privacy Act (FERPA)

20 U.S.C. § 1232g

Overview

FERPA protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level.

FERPA permits educational agencies and institutions, such as Local Education Agencies (LEA) and their constituent schools, to disclose PII from education records to State Education Agencies (SEA) and other State educational authorities without a parent’s prior consent under certain conditions. For a review of the exceptions to the general prior consent rule in FERPA, see 34 CFR § 99.31. The most common exception that relates to disclosure to a State educational authority is found in §§ 99.31(a)(3) and 99.35. The disclosure must be in connection with:

  • An audit or evaluation of Federal or State supported education programs; or
  • The enforcement of or compliance with Federal legal requirements relating to such programs.
Information collected under this provision generally must be:
  • Protected so that information is not disclosed to anyone other than the authorized representatives of the State educational authority (§ 99.35(b)(1)); and,
  • Destroyed when no longer needed for the purposes listed above (§ 99.35(b)(2))

(Note: Federal entities, entities or individuals acting as the designated authorized representatives of the Attorney General, the Comptroller General, or the Secretary of Education, as well as other third parties receiving PII from education records without consent, generally must also protect the PII from unauthorized disclosure and comply with FERPA’s recordation provisions for any authorized re-disclosure, and may only use it in accordance with FERPA and for the specific purposes for which it was disclosed.)

Sources:
Law and Guidance: Family Educational Rights and Privacy Act (FERPA)
Family Educational Rights and Privacy Act (FERPA)

Federal Agency Data Mining Reporting Act of 2007 (FADMRA)

42 U.S.C. § 2000ee-3

Overview

The Federal Agency Data Mining Reporting Act of 2007 (FADMRA) is contained in section 803 of the Implementing the Recommendations of the 9/11 Commission Act of 2007. The FADMRA provides that the head of each department or agency of the Federal Government that is engaged in any “pattern-based” data mining activity shall submit a report to Congress on all such activities of the department or agency under the jurisdiction of that official. The report shall be produced in coordination with the privacy officer of that department or agency, if applicable, and shall be made available to the public, except for an annex as described in subparagraph (c).

Federal Policy for the Protection of Human Subjects (Common Rule)

42 U.S.C. § 289

Overview

On July 12, 1974, the National Research Act (Pub. L. 93-348) was signed into law, thereby creating the National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research (the “Commission”). The current U.S. system of protection for human research subjects is heavily influenced by the Belmont Report, written in 1979 by the Commission.

In 1985, Congress enacted 42 U.S.C. § 289, providing that “The Secretary of the U.S. Department of Health and Human Services (HHS) shall by regulation require that each entity which applies for a grant, contract, or cooperative agreement under this chapter for any project or program which involves the conduct of biomedical or behavioral research involving human subjects submit in or with its application for such grant, contract, or cooperative agreement assurances satisfactory to the Secretary that it has established (in accordance with regulations which the Secretary shall prescribe) a board (to be known as an ‘Institutional Review Board’) to review biomedical and behavioral research involving human subjects conducted at or supported by such entity in order to protect the rights of the human subjects of such research.”

The Federal Policy for the Protection of Human Subjects or the “Common Rule” was published in 1991 and codified in separate regulations by 15 Federal departments and agencies. The HHS regulations, 45 CFR part 46, include four subparts: subpart A, also known as the Federal Policy or the “Common Rule”; subpart B, additional protections for pregnant women, human fetuses, and neonates; subpart C, additional protections for prisoners; and subpart D, additional protections for children. A fifth subpart, subpart E, which concerns registration of Institutional Review Boards (IRBs) was added in 2009. For all participating departments and agencies, the Common Rule outlines the basic provisions for IRBs, informed consent, and Assurances of Compliance. Human subject research conducted or supported by each Federal department/agency is governed by the regulations of that department/agency. The head of that department/agency retains final judgment as to whether a particular activity it conducts or supports is covered by the Common Rule. If an institution seeks guidance on implementation of the Common Rule and other applicable Federal regulations, the institution should contact the department/agency conducting or supporting the research.

The HHS and fifteen other Federal departments and agencies have issued final revisions to the Federal Policy for the Protection of Human Subjects (the Common Rule). The Final Rule was published in the Federal Register on January 19, 2017. It implements new steps to better protect human subjects involved in research, while facilitating valuable research and reducing burden, delay, and ambiguity for investigators.

Sources:
The Belmont Report
Federal Policy for the Protection of Human Subjects (‘Common Rule’)
HHS Historical Highlights
Final Revisions to the Common Rule

Federal Information Security Modernization Act of 2014 (FISMA)

44 U.S.C. Chapter 35 (44 U.S.C. §§ 3551-3558)

Overview

The Federal Information Security Modernization Act requires each agency to develop, document, and implement an agency-wide information security program that includes plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.

Source: OMB Circular No. A-130, Managing Information as a Strategic Resource (July 2016)

Federal Records Act of 1950 (FRA)

44 U.S.C. Chapter 31 et seq

Overview

The FRA provides that “the head of each Federal agency shall make and preserve records containing adequate and proper documentation of the organization, functions, policies, decisions, procedures, and essential transactions of the agency and designed to furnish the information necessary to protect the legal and financial rights of the Government and of persons directly affected by the agency’s activities.” [44 U.S.C. § 3101]

The implementation of the FRA is overseen by the Archivist of the United States, who heads the National Archives and Records Administration (NARA). The Archivist provides “guidance and assistance to Federal agencies with respect to ensuring adequate and proper documentation of the policies and transactions of the Federal Government and ensuring proper records disposition.” [44 U.S.C. § 2904]

Food and Drug Administration Safety and Innovation Act (FDASIA)

21 U.S.C. §§ 301 et seq
See also: Food and Drug Administration Safety and Innovation Act (Public Law No. 112-144)

Overview

FDASIA, which amended the Federal Food, Drug, and Cosmetic Act and was signed into law on July 9, 2012, expands the authorities of the U.S. Food and Drug Administration (FDA) and strengthens the agency’s ability to safeguard and advance public health by:

  • Giving the authority to collect user fees from industry to fund reviews of innovator drugs, medical devices, generic drugs, and biosimilar biological products;
  • Promoting innovation to speed patient access to safe and effective products;
  • Increasing stakeholder involvement in FDA processes; and
  • Enhancing the safety of the drug supply chain.
Section 618 of FDASIA directed the Secretary of Health and Human Services, acting through the Commissioner of the FDA, and in consultation with the Office of the National Coordinator for Health Information Technology and the Chairman of the Federal Communications Commission, to develop a report that contains a proposed strategy and recommendations on an appropriate, risk-based regulatory framework for health IT, including medical mobile applications, that promotes innovation, protects patient safety, and avoids regulatory duplication.

Sources:
Regulatory Information: Food and Drug Administration Safety and Innovation Act (FDASIA)
Health IT Legislation: FDASIA

  • Section 618 of FDASIA imposed a one-time requirement that the U.S. Department of Health and Human Services (HHS) issue “a report that contains a proposed strategy and recommendations on an appropriate, risk-based regulatory framework pertaining to health information technology, including mobile medical applications, that promotes innovation, protects patient safety, and avoids regulatory duplication.” The Office of Law Revision Counsel of the United States House of Representatives chose not to include this provision in the United States Code. The report was issued in April 2014.

    Source: Food and Drug Administration Safety and Innovation Act (Public Law No. 112-144)

  • Food and Drug Administration, Federal Communications Commission, Office of the National Coordinator for Health Information Technology

Foreign Intelligence Surveillance Act of 1978 and Amendments (FISA)

50 U.S.C. 1801 et seq
See also: Public Law 95-511

Overview

FISA authorizes electronic surveillance and other activities to obtain foreign intelligence information. FISA has been amended repeatedly since 1978, including the FISA Amendments Act (FAA) of 2008 containing Section 702 (reflected in Title VII below) and most recently by the USA FREEDOM Act of 2015 (reflected in the various titles below). The titles of FISA are:

  • Title I – Electronic Surveillance within the United States for Foreign Intelligence Purposes
  • Title II – Conforming Amendments
  • Title III – Physical Searches within the United States for Foreign Intelligence Purposes
  • Title IV – Pen Registers and Trap and Trace Surveillance Devices for Foreign Intelligence Purposes
  • Title V – Access to Certain Business Records for Foreign Intelligence Purposes
  • Title VI – Reporting Requirement
  • Title VII – Additional Procedures Regarding Certain Persons Outside the United States
  • Title VIII – Protection of Person Assisting the Government
Source:

    • Sec. 101. Definition. (50 U.S.C. § 1801)
    • Sec. 102. Electronic surveillance authorization without court order;
    • Sec. 301. Definitions. (50 U.S.C. § 1821)
    • Sec. 302. Authorization of physical searches for foreign intelligence purposes. (50 U.S.C. § 1822)
    • Sec. 303. Application for order. (50 U.S.C. § 1823)
    • Sec. 304. Issuance of order. (50 U.S.C. § 1824)
    • Sec. 305. Use of information. (50 U.S.C. § 1825)
    • Sec. 401. Definitions. (50 U.S.C. § 1841)
    • Sec. 402. Pen registers and trap and trace devices for foreign intelligence and international terrorism investigations. (50 U.S.C. § 1842)
    • Sec. 501. Access to certain business records for foreign intelligence and international terrorism investigations. (50 U.S.C. § 1861)
    • Sec. 601. Semiannual report of the Attorney General. (50 U.S.C. § 1871)
    • Sec. 602. Declassification of Signification Decisions, Orders, and Opinions. (50 U.S.C. § 1872)
    • Sec. 603. Annual Reports. (50 U.S.C. § 1873)
    • Sec. 702. Procedures for targeting certain persons outside the United States other than United States persons. (50 U.S.C. § 1881a)
    • Sec. 703. Certain acquisitions inside the United States targeting United States persons outside the United States. (50 U.S.C. § 1881b)
    • Sec. 704. Other acquisitions targeting United States persons outside the United States. (50 U.S.C. § 1881c)
    • Sec. 705. Joint applications and concurrent authorizations. (50 U.S.C. § 1881d)
    • Sec. 706. Use of information acquired under this subchapter. (50 U.S.C. § 1881e)

Freedom of Information Act (FOIA)

5 U.S.C. § 552
See also: Full Text of the FOIA Improvement Act of 2016 (Public Law No. 114-185)
See also: U.S. Department of Justice Freedom of Information Act

Overview

Since 1967, the Freedom of Information Act (FOIA) has provided the public the right to request access to records from any federal agency. It is often described as the law that keeps citizens in the know about their government. Federal agencies are required to disclose any information requested under the FOIA unless it falls under one of nine exemptions which protect interests such as personal privacy, national security, and law enforcement.

G

Genetic Information Nondiscrimination Act of 2008 (GINA)

42 U.S.C. § 1320d-9, Application of HIPAA Regulations to Genetic Information
42 U.S.C. § 12112(d)(3), Employment Entrance Examination
See also: Public Law 110-233

Overview

The Genetic Information Nondiscrimination Act (GINA) was signed into law on May 21, 2008. GINA protects individuals against discrimination based on their genetic information in health coverage and in employment. GINA is divided into two sections, or Titles.

Title I of GINA includes provisions that generally prohibit group health plans and health insurance issuers from discriminating based on genetic information. These provisions amend the Employee Retirement Income Security Act (ERISA), administered by the Department of Labor; the Public Health Service Act (PHS Act), administered by the Department of Health and Human Services (HHS); and the Internal Revenue Code (the Code), administered by the Department of Treasury (the Treasury) and the Internal Revenue Service (IRS). The Department of Labor has jurisdiction with respect to employment-based group health plans. HHS in conjunction with the States administers these provisions with respect to health insurance issuers. The Treasury and IRS administer these provisions with respect to employers. Title I of GINA also includes individual insurance market provisions under the PHS Act and privacy and confidentiality provisions under the Social Security Act, which are both within the jurisdiction of HHS.

With respect to privacy, statutory amendments were implemented under the Health Information Technology for Economic and Clinical Health Act (“the HITECH Act”) in January 2013 to modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title I of GINA. Specifically, the HIPAA Privacy Rule prohibits health plans from using or disclosing genetic information for underwriting purposes. The modifications also clarify that genetic information is health information and prohibit the use and disclosure of genetic information by covered health plans for eligibility determinations, premium computations, applications of any pre-existing condition exclusions, and any other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits.

Title II of GINA prohibits the use of genetic information in making employment decisions in any aspect of employment, including hiring, firing, pay, job assignments, promotions, layoffs, training, fringe benefits, or any other term or condition of employment. It is enforced by the Equal Employment Opportunity Commission (EEOC).

Source:
Frequently Asked Questions Regarding the Genetic Information Nondiscrimination Act
What You Should Know: Questions and Answers about the Genetic Information Nondiscrimination Act (GINA) and Employment
Health Information Privacy: Genetic Information

Sections 101(d), 102(f)(4), 103(d)(7), 104(b) and 201(4) define genetic information, with regard to any individual, as information about—

  • such individual’s genetic tests,
  • the genetic tests of family members of such an individual, and
  • the manifestation of a disease or disorder in family members of such an individual.
    • The term “genetic information” does not include information about the sex or age of any individual.

    This definition was incorporated into the Employee Retirement Income Security Act (ERISA) at 29 U.S.C. § 1191b(d)); the Public Health Service Act at 42 U.S.C. § 300gg–91(d)); the Internal Revenue Code, 26 U.S.C. § 9832; and the Social Security Act at 42 U.S.C.§ 1395ss (Certification of Medicare supplemental health insurance policies).

    Section 105 in Title I of GINA, at 42 U.S.C. § 1320d–9, provides for the privacy and confidentiality of genetic information within the context of the Social Security Act, through application of the HIPAA Privacy Rule to genetic information.

    Section 206 in Title II of GINA provides for the confidentiality of genetic information in an employment setting, through the application of standards set forth in the Americans with Disabilities Act (ADA). It states that “An employer, employment agency, labor organization, or joint labor-management committee shall be considered to be in compliance with the maintenance of information requirements of this subsection with respect to genetic information subject to this subsection that is maintained with and treated as a confidential medical record under section 102(d)(3)(B) of the Americans With Disabilities Act (42 U.S.C. § 12112(d)(3)(B)).”

    26 C.F.R. § 54.9802-1
    29 C.F.R. § 1630.14
    44 C.F.R. Parts 160 and 164

    U.S. Department of Labor

    U.S. Department of Health and Human Services (HHS)

    Office for Human Research Protections (OHRP)

    U.S. Equal Employment Opportunity Commission (EEOC)

    U.S. Congressional Research Service

    H

    Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)

    42 U.S.C. §§ 300jj et seq 42 U.S.C. §§ 17901 et seq
    See also: American Recovery and Reinvestment Act of 2009 (Public Law 111-5, §§ 13001-13424, §§ 4001 – 4201)

    Overview

    The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 provides the U.S. Department of Health and Human Services (HHS) with the authority to establish programs to improve health care quality, safety, and efficiency through the promotion of health IT, including electronic health records and private and secure electronic health information exchange. The HITECH Act amends Sections 3004 and 3005 of the Public Health Service Act to describe the processes for evaluation, adoption, and implementation of endorsed standards, implementation specifications, and certification criteria for health IT. Sections 13400-13411 of HITECH describe HHS’s work to improve privacy and security provisions for electronic exchange and use of health information, and sections 4001-4201 of HITECH establish the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs to provide incentive payments for eligible professionals, hospitals, and critical access hospitals as they adopt, implement, upgrade, or demonstrate meaningful use of certified EHR technology.

    Sources:
    Health IT Legislation and Regulations
    Select Portions of the HITECH Act and Relationship to ONC Work

    • HITECH was enacted as part of the American Recovery and Reinvestment Act of 2009 and was signed into law on February 17, 2009.

      The HHS Office for Civil Rights implemented important privacy and security provisions of HITECH, which lays out new and specific obligations for covered entities in the event of a data breach that include notifications to individual data subjects and in some instances, to the media. Please see the entry for the Health Insurance Portability and Accountability Act (HIPAA) for more complete information regarding privacy and security provisions for electronic exchange and use of health information.

      HITECH established a process for the evaluation, adoption, and implementation of endorsed standards, implementation specifications, and certification criteria for health IT, and created an Office of the National Coordinator for Health Information Technology (ONC) within HHS to oversee this process, assisted by two advisory committees. The National Institute for Standards and Technology (NIST) conducts pilot testing for new technical standards. The resulting certification criteria regulations ensure all health IT presented for certification possess the relevant privacy and security capabilities.

      HITECH also established the Medicare and Medicaid EHR Incentive Programs, which encourage health care organizations to adopt EHRs through a staged approach. Each stage contains core requirements in the final regulations that providers must meet, including privacy and security requirements.

      Sources: 45 C.F.R. Part 170, 42 C.F.R. Part 412, 42 C.F.R. Part 495 45 C.F.R. Part 160, and 45 C.F.R. Part 164.

    • 2015 Edition Health Information Technology Certification Criteria – Final Rule

      45 C.F.R. Part 170

      Medicare and Medicaid Programs; Electronic Health Record Incentive Program – Stage 3 and Modifications to Meaningful Use in 2015 through 2017; Final Rules with Comment Period

      42 C.F.R. Part 412
      42 C.F.R. Part 495

      General Administrative Requirements

      45 C.F.R. Part 160

      Security and Privacy

      45 C.F.R. Part 160

    • U.S. Department of Health and Human Services

      Office of Civil Rights

      Office of the National Coordinator for Health Information Technology

    Health Insurance Portability and Accountability Act of 1996 (HIPAA Breach Notification Rule)

    42 U.S.C. § 17932
    See also: Health Information Technology for Economic and Clinical Health (HITECH) Act (Public Law 111-5, Div. A, title XIII, § 13402)
    See also: 45 C.F.R. §§ 164.400-414 (Subpart D)

    Overview

    Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act (the “Act”) requires HIPAA covered entities to provide notification to affected individuals and to the Secretary of the U.S. Department of Health and Human Services (HHS) following the discovery of a breach of unsecured protected health information. In some cases, the Act requires covered entities also to provide notification to the media of breaches. In the case of a breach of unsecured protected health information at or by a business associate of a covered entity, the Act requires the business associate to notify the covered entity of the breach. Finally, the Act requires the Secretary to post on an HHS Web site a list of covered entities that experience breaches of unsecured protected health information involving more than 500 individuals.

    The HIPAA Breach Notification Rule, 45 C.F.R. §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of HITECH and the Genetic Information Nondiscrimination Act (GINA).

    Source: Health Information Privacy: Breach Notification Rule

    Health Insurance Portability and Accountability Act of 1996 (HIPAA Privacy Rule)

    Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191)
    45 C.F.R. Part 160
    45 C.F.R. Part 164 Subparts A and E

    Overview

    The HIPAA Privacy Rule, adopted by the U.S. Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

    Sources:
    Health Information Privacy: The HIPAA Privacy Rule
    The Health Insurance Portability and Accountability Act of 1996

    Health Insurance Portability and Accountability Act of 1996 (HIPAA Security Rule)

    Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191)
    See also: 45 C.F.R. Part 160
    See also: 45 C.F.R. §§ 164.102-106 and §§ 164.302-318

    Overview

    The HIPAA Security Rule, adopted by the U.S. Department of Health and Human Services (HHS) pursuant to the Health Insurance Portability and Accountability Act of 1996 establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

    Sources:
    Health Information Privacy, The Security Rule
    Health Information Portability and Accountability Act of 1996

    Homeland Security Act of 2002

    6 USC § 101 et seq
    See also: Pub. Law 107-296 and the Office of the Director of National Intelligence Legal Reference Book

    Overview

    The Homeland Security Act of 2002 charges the Department of Homeland Security (DHS) Chief Privacy Officer with primary responsibility for ensuring that privacy considerations and protections are integrated into all DHS programs, policies, and procedures. The Chief Privacy Officer serves as the principal advisor to the DHS Secretary on privacy policy.

    The activities of the Privacy Office serve to build privacy into departmental programs.

    Sources:
    Department of Homeland Security, Privacy Office, “Fiscal Year 2016 Semiannual Report to Congress: For the period October 1, 2015 – March 31, 2016,” July 6, 2016
    DHS, Authorities and Responsibilities of the Chief Privacy Officer

    I

    Immigration and Nationality Act of 1952 (INA)

    8 U.S.C. §§ 1101 et seq
    See also: Immigration and Nationality Act (U.S. Citizenship and Immigration Services)

    Overview

    The Immigration and Nationality Act, or INA, was created in 1952. The Act has been amended many times over the years, but is still the basic body of immigration law. The INA is divided into titles, chapters, and sections. Although it stands alone as a body of law, the Act is also contained in the United States Code (U.S.C.). When browsing the INA or other statutes you will often see reference to the U.S. Code citation. For example, Section 208 of the INA deals with asylum, and is also contained in 8 U.S.C. 1158. Although it is correct to refer to a specific section by either its INA citation or its U.S. Code citation, the INA citation is more commonly used.

    Source: Immigration and Nationality Act

    Implementing Recommendations of the 9/11 Commission Act of 2007

    6 U.S.C. 101 et seq
    See also: Pub. Law 110-153 and the Office of the Director of National Intelligence Legal Reference Guide

    Overview

    This Act amended section 1016 of Intelligence Reform and Terrorism Prevention Act (IRTPA) and amended the Homeland Security Act of 2002 to expand and further refine the scope of the Information Sharing Environment (ISE).

    Individuals with Disabilities Education Act (IDEA)

    20 U.S.C. §§ 1400 et seq
    20 U.S.C. § 1417(c), Confidentiality

    Overview

    IDEA is a law ensuring services to children with disabilities throughout the nation. IDEA governs how states and public agencies provide early intervention, special education and related services to more than 6.5 million eligible infants, toddlers, children and youth with disabilities. Infants and toddlers with disabilities (from birth through age 2) and their families receive early intervention services under IDEA Part C. Children and youth (from age 3 through age 21) receive special education and related services under IDEA Part B. Parts B & C require that the Secretary of the U.S. Department of Education shall take appropriate action, in accordance with section 444 of the General Education Provisions Act (GEPA), to ensure the confidentiality of any personally identifiable data, information, and records collected or maintained by the Secretary and by State educational agencies (SEA) and local educational agencies (LEA).

    Source:
    Building the Legacy: IDEA 2004
    IDEA and FERPA Confidentiality Provisions

    Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA)

    Pub. L. 108-458
    Office of the Director of National Intelligence Legal Reference Book

    Overview

    IRTPA addresses many different facets of information gathering and the intelligence community. IRPTA’s eight titles reflect its broad scope:

    • Title I – Reform of the Intelligence Community
    • Title II – Federal Bureau of Investigation
    • Title III – Security Clearances
    • Title IV – Transportation Security
    • Title V – Border Protection, Immigration, and Visa Matters
    • Title VI – Terrorism Prevention
    • Title VII – Implementation of 9/11 Commission Recommendations
    • Title VIII – Other Matters, including a requirement that the Department of Homeland Security ensure that the civil rights and civil liberties of persons are not diminished by efforts, activities, and programs aimed at securing the homeland.

    Internal Revenue Code (Tax Code)

    26 U.S.C. §§ et al
    26 U.S.C. § 6103 Confidentiality and disclosure of returns and return information
    26 U.S.C. § 6713 Disclosure or use of information by preparers of returns
    26 U.S.C. § 7213 Unauthorized disclosure of information
    26 U.S.C. § 7213a Unauthorized inspection of returns or return information
    See also: Internal Revenue Service Laws and Regulations

    Overview

    Taxpayers have the right to expect that any Internal Revenue System (IRS) inquiry, examination, or enforcement action will comply with the law and be no more intrusive than necessary, and will respect all due process rights, including search and seizure protections and will provide, where applicable, a collection due process hearing.

    Taxpayers have the right to expect that any information they provide to the IRS will not be disclosed unless authorized by the taxpayer or by law. Taxpayers have the right to expect appropriate action will be taken against government officers and employees, tax return preparers, and others who wrongfully use or disclose taxpayer return information.

    Source: Your Rights as a Taxpayer

    • The Internal Revenue Code § 6103(h)(1) provides that returns and return information shall, without written request, be open to inspection by or disclosure to officers and employees of the Department of the Treasury whose official duties require such inspection or disclosure for tax administration purposes. The Internal Revenue Code § 6103(b)(4) provides that the term “tax administration” means the administration, management, conduct, direction, and supervision of the execution and application of the internal revenue laws or related statutes (or equivalent laws and statutes of a state) and tax conventions to which the United States is a party.

      Internal Revenue Code § 6713 imposes a civil penalty of $250 on any person who is engaged in the business of preparing, or providing services in connection with the preparation of returns of tax, or any person who for compensation prepares a return for another person, and who “Discloses any information furnished to him for, or in connection with, the preparation of any such return, or Uses any such information for any purpose other than to prepare, or assist in preparing, any such return. Imposition of the penalty under [this section] does not require that the disclosure be knowing or reckless as it does under Internal Revenue Code § 7216.” 26 U.S.C. §7216 is a criminal provision enacted by the U.S. Congress in 1971 that prohibits preparers of tax returns from knowingly or recklessly disclosing or using tax return information. A convicted preparer may be fined not more than $1,000 or imprisoned not more than one year or both, for each violation.

      Returns and return information may be used or disclosed to initiate or conduct a money laundering investigation if the investigation is considered for tax administration purposes according to 26 U.S.C. § 6103(b)(4). When investigating potential money laundering or Bank Secrecy Act (BSA) violations, the key test (related statute test) is whether, under the facts and circumstances of the particular case, the money laundering and Bank Secrecy Act provisions are considered related to the administration of the Internal Revenue laws. Data collected by IRS personnel pursuant to their enforcement responsibilities under the BSA in a “pure” Title 31 investigation are not return information under section 6103. In a “pure” Title 31 investigation, i.e., where no Title 26 related statute determination has been made, the information is subject to the disclosure rules found at 31 U.S.C. § 5319 et seq. When Title 31 has been determined to be a statute related to tax administration for Section 6103 purposes, the entirety of the information is covered by Section 6103 because it was received by the Secretary for the purpose of determining some individual’s liability or potential liability under the Code.

      Sources:
      IRS: Bank Secrecy Act
      IRS: Bank Secrecy Act – Disclosure
      In 1997, the Taxpayer Browsing Protection Act “amend[ed] the Internal Revenue Code of 1986 to prevent the unauthorized inspection of tax returns or tax return information


    • 26 C.F.R. § 301.7216.1 See pages 556 – 558
      See also Internal Revenue Service Laws and Regulations

    • U.S. Department of Treasury

      Treasury Department Circular 230 (Revised 6-2014), Rules Governing Practice Before the Internal Revenue Service

      Internal Revenue Service (IRS)

      Internal Revenue Procedure 2007-40, Internal Revenue Bulletin: 2007-26, Rev. Proc. 2007-40, June 25, 2007

    • U.S. Department of Treasury, Internal Revenue Service (IRS)

    J

    Justice System Improvement Act of 1979

    42 U.S.C. § 3701 et seq
    42 U.S.C. § 3789(g) Confidentiality of information

    Overview

    As a Federal statistical agency that collects, analyzes, publishes, and disseminates a wide array of information on crime, criminal offenders, victims of crime, and the operation of justice systems at all levels of government, the Bureau of Justice Statistics (BJS) has taken aggressive measures to protect the privacy and confidentiality of individuals from whom they obtain information. BJS has procedures in place to ensure that information collected by BJS that is identifiable to a private person may only be used and/or revealed for the statistical or research-related purpose for which it is obtained. BJS has procedures in place to ensure that copies of such information shall not, without the consent of the person to whom the information pertains, be revealed to others who are not involved in the collection and analysis of the information.

    Source: Bureau of Justice Statistics Data Quality Guidelines

    N

    National Security Act of 1947

    50 U.S.C. § 3001 et seq
    National Security Act of 1947

    Overview

    In the aftermath of World War II, the National Security Act provided a major reorganization of the U.S. defense and intelligence agencies. As amended, the Act provides “a comprehensive program for the future security of the United States” through the integration of the policies and procedures of U.S. military, intelligence, and national security agencies, and the coordination of national security policy.

    Source: National Security Act

    P

    Paperwork Reduction Act of 1995 (PRA)

    44 U.S.C. Chapter 35 et seq

    Overview

    The Paperwork Reduction Act (PRA), signed into law in 1980 and reauthorized in 1995, provides the statutory framework for the Federal government’s collection, use, and dissemination of information. The goals of the PRA include (1) minimizing paperwork and reporting burdens on the American public and (2) ensuring the maximum possible utility from the information that is collected.

    In support of these goals, the PRA requires Federal agencies to take specific steps before requiring or requesting information from the public. These steps include (1) seeking public comment on proposed information collections and (2) submitting proposed collections for review and approval by the Office of Management and Budget (OMB). Within OMB, the Office of Information and Regulatory Affairs (OIRA) carries out the information collection review.

    One of the purposes of the Paperwork Reduction Act is to “ensure that the creation, collection, maintenance, use, dissemination, and disposition of information by or for the Federal Government is consistent with applicable laws, including laws relating to (A) privacy and confidentiality, including section 552a of title 5; (B) security of information, including section 11332 of title 40; and (C) access to information, including section 552 of title 5.” 44 U.S.C. § 3501(8).

    Source: Office of Information and Regulatory Affairs – Regulations and the Rule Making Process

    Patient Safety and Quality Improvement Act of 2005 (PSQIA)

    42 U.S.C. § 299b-21 – b-26
    Patient Safety and Quality Improvement Act of 2005 (Public Law 109-41).

    Overview

    The Patient Safety and Quality Improvement Act of 2005 (PSQIA) establishes a voluntary reporting system designed to enhance the data available to assess and resolve patient safety and health care quality issues. To encourage the reporting and analysis of medical errors, PSQIA provides Federal privilege and confidentiality protections for patient safety information, called patient safety work product. PSQIA authorizes the U.S. Department of Health and Human Services (HHS) to impose civil money penalties for violations of patient safety confidentiality. PSQIA also authorizes the Agency for Healthcare Research and Quality (AHRQ) to list patient safety organizations (PSOs). PSOs are the external experts that collect and review patient safety information.

    Source: Health Information Privacy: Patient Safety and Quality Improvement Act of 2005 Statute and Rule

    Privacy Act of 1974 (Privacy Act)

    5 U.S.C. § 552a

    Overview

    The Privacy Act of 1974, 5 U.S.C. § 552a, establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies. A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifier assigned to the individual.

    The Privacy Act requires U.S. Government agencies give public notice of their systems of records by publication in the Federal Register. The Privacy Act prohibits the disclosure of a record about an individual from a system of records absent the written consent of the individual, unless the disclosure is pursuant to one of twelve statutory exceptions. The Act also provides individuals with a means by which to seek access to and amendment of their records, and sets forth various agency record-keeping requirements.

    Source: U.S. Department of Justice – Privacy Act of 1974

    Protection of Pupil Rights Amendment (PPRA)

    20 U.S.C. § 1232h

    Overview

    The PPRA applies to the programs and activities of a State educational agency (SEA), local educational agency (LEA), or other recipient of funds under any program funded by the U.S. Department of Education. It governs the administration to students of a survey, analysis, or evaluation that concerns one or more of the following eight protected areas:

    • political affiliations or beliefs of the student or the student’s parent;
    • mental or psychological problems of the student or the student’s family;
    • sex behavior or attitudes;
    • illegal, anti-social, self-incriminating, or demeaning behavior;
    • critical appraisals of other individuals with whom respondents have close family relationships;
    • legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers;
    • religious practices, affiliations, or beliefs of the student or student’s parent; or,
    • income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program).

    PPRA also concerns marketing surveys and other areas of student privacy, parental access to information, and the administration of certain physical examinations to minors. The rights under PPRA transfer from the parents to a student who is 18 years old or an emancipated minor under State law.

    Source: Family Policy Compliance Office: Protection of Pupil Rights Amendment (PPRA)

    Public Health Service Act (Certificates of Confidentiality)

    42 U.S.C. Ch. 6A
    42 U.S.C. § 241(d) Protection of privacy of individuals who are research subjects

    Overview

    Under section 301(d) of the Public Health Service Act (42 U.S.C. § 241(d)), the Secretary of the U.S. Department of Health and Human Services may authorize persons engaged in biomedical, behavioral, clinical, or other research to protect the privacy of individuals who are the subjects of that research. This authority has been delegated to the National Institutes of Health (NIH). Persons authorized by the NIH to protect the privacy of research subjects may not be compelled in any Federal, State, or local civil, criminal, administrative, legislative, or other proceedings to identify them by name or other identifying characteristic.

    Source: Certificates of Confidentiality Background

    Public Health Service Act (Confidentiality of Health Statistics)

    42 U.S.C. Ch. 6A
    See also: 42 U.S.C. § 242m(d)
    See also: Section 308(d) of the Public Health Service Act

    Overview

    The Public Health Service Act, 42 U.S.C. Ch. 6A, provision regarding the confidentiality of health statistics prohibits the National Center for Health Statistics (NCHS) from using any personal information for any purpose other than what was described to survey participants and from sharing that information with anyone not clearly mentioned to them. This provision enables NCHS to assure respondents strict confidentiality.

    Source: How NCHS Protects Your Privacy

    U

    Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015 (USA FREEDOM Act)

    Pub.L. 114-23, 129 Stat. 268

    Overview

    The ‘‘Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015’’ or the ‘‘USA FREEDOM Act of 2015’’ was enacted “to reform the authorities of the Federal Government to require the production of certain business records [e.g., call detail records], conduct electronic surveillance, use pen registers and trap and trace devices, and use other forms of information gathering for foreign intelligence, counterterrorism, and criminal purposes, and for other purposes.”

    Source: Pub.L. 114-23, 129 Stat. 268

    Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act)

    Public Law 107-56

    Overview

    The USA PATRIOT Act was enacted in response to the attacks of September 11, 2001, and became law less than two months after those attacks. The Act comprises ten categories, called “titles.”

    • TITLE I—Enhancing Domestic Security against Terrorism
    • TITLE II—Enhanced Surveillance Procedures
    • TITLE III—International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001
    • TITLE IV— Protecting the Border
    • TITLE V— Removing Obstacles to Investigating Terrorism
    • TITLE VI— Providing for Victims of Terrorism, Public Safety Officers, and their Families
    • TITLE VII— Increased Information Sharing for Critical Infrastructure Protection
    • TITLE VIII— Strengthening the Criminal Laws against Terrorism
    • TITLE IX— Improved Intelligence
    • TITLE X— Miscellaneous
    Source: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001

    The USA PATRIOT Act modified many major U.S. intelligence, communications, and privacy laws, including: The Electronic Communications Privacy Act (EPCA ), which modifies Title III of the Omnibus Crime Control and Safe Streets Act (the Wiretap Act ); the Foreign Intelligence Surveillance Act of 1978 (FISA); and the Communications Act of 1934. The USA PATRIOT Act has been reauthorized and amended several times since its initial enactment.

      The USA PATRIOT Improvement and Reauthorization Act of 2005, Pub. L. No. 109-177 The reauthorizing legislation made permanent 14 of the 16 sunsetted USA PATRIOT Act provisions and placed four-year sunsets on the other two—the authority to conduct “roving” surveillance under the Foreign Intelligence Surveillance Act (FISA) and the authority to request production of business records under FISA (USA PATRIOT Act sections 206 and 215, respectively).

    Among the 14 USA PATRIOT Act provisions made permanent are:
    • Facilitating enhanced information-sharing and coordination between national security and law enforcement personnel.
    • Adding certain chemical weapons offenses, international terrorism, nuclear and weapons of mass destruction threats, and computer espionage offenses to the list of wiretap predicates.
    • Allowing Internet Service Providers to disclose customer records voluntarily to the government in emergencies involving an immediate risk of death or serious physical injury.
    • Permitting victims of computer trespass (hacking) crimes to request law enforcement assistance in monitoring trespassers on their computers.
    Source: Fact Sheet: USA Patriot Act Improvement And Reauthorization Act of 2005 (Department of Justice)
    • The USA PATRIOT Act Additional Reauthorization Amendments Act of 2006, Pub. L. No. 109-178, was written to clarify that individuals who receive FISA orders can challenge nondisclosure requirements; that individuals who receive national security letters are not required to disclose the name of their attorney; and that libraries are not wire or electronic communication service providers unless they provide specific services.
    Source: S. 2271, 112th Congress, Second Session
    • The PATRIOT Sunsets Extension Act of 2011, Pub. L. No. 112-14, amended the USA PATRIOT Improvement and Reauthorization Act of 2005 to extend until June 1, 2015, provisions concerning roving electronic surveillance orders, requests for the production of business records and other tangible things; and amended the Intelligence Reform and Terrorism Prevention Act of 2004 to extend until June 1, 2015, a provision revising the definition of an “agent of a foreign power” to include any non-U.S. person who engages in international terrorism or preparatory activities (the “lone wolf” provision).
    Source: Justice Information Sharing, USA PATRIOT Act
    • On June 2, 2015, Congress passed and the President signed the USA FREEDOM Act of 2015, Pub. L. No. 114-23. The Act reauthorized several important national security authorities; banned bulk collection under Section 215 of the USA PATRIOT Act, under the pen register and trap and trace provisions found in Title IV of Foreign Intelligence Surveillance Act (FISA), or pursuant to National Security Letters; adopted the new legal mechanism proposed by the President regarding the targeted production of telephony metadata; made significant modifications to proceedings before the FISC; and built on the U.S. Government’s unprecedented transparency about intelligence activities.
    Source: Transition to New Telephone Metadata Program (ODNI)