Law Library


A


Americans with Disabilities Act of 1990 (ADA) & Rehabilitation Act of 1973 (Rehab Act)
Americans with Disabilities Act (ADA)
42 U.S.C. §§ 12101 et seq
42 U.S.C. § 12112(d) Discrimination

Rehabilitation Act (Rehab Act)

29 U.S.C. §§ 701 et seq (Chapter 16 Vocational Rehabilitation and Other Rehabilitation Services)

Overview

The ADA prohibits discrimination and guarantees that people with disabilities have the same opportunities as everyone else to participate in the mainstream of American life — to enjoy employment opportunities, to purchase goods and services, and to participate in State and local government programs and services. Modeled after the Civil Rights Act of 1964, which prohibits discrimination on the basis of race, color, religion, sex, or national origin, and after Section 504 of the Rehabilitation Act of 1973, the ADA is an “equal opportunity” law for people with disabilities.

The ADA, at 42 U.S.C. § 12112(d), generally prohibits medical examinations and inquiries of job applicants unless the inquiry concerns the ability of the applicant to perform job-related functions. The ADA does authorize medical examinations and inquiries by employers in connection with an employee’s request for reasonable accommodation for a disability. In both instances, confidentiality requirements attach to the records and information gathered.

The Rehabilitation Act of 1973 (also known as the “Rehab Act”) prohibits discrimination on the basis of disability in programs run by federal agencies; programs that receive federal financial assistance; in federal employment; and in the employment practices of federal contractors. The standards for deciding if employment discrimination exists under the Rehab Act are the same as those used in Title I of the ADA.

The Rehab Act, at 29 C.F.R. § 791(f) and § 793(d), provides that these sections of the ADA apply equally to those entities subject to the Rehab Act.

The Americans with Disabilities Act Amendments Act of 2008 (Public Law 110-325) (ADAAA) further amended the definition of “individual with a disability” and amended sections 12101, 12102, 12111 to 12114, 12201 and 12210 of the ADA and section 705 of the Rehab Act. The ADAAA also enacted sections 12103 and 12205a and re-designated sections 12206 to 12213.

Sources:

Introduction to the ADA

Rehabilitation Act of 1973 (disability.gov)

Titles I and V of the Americans with Disabilities Act of 1990 (ADA)

The Rehabilitation Act of 1973 (EEOC)

Aviation and Transportation Security Act of 2001
49 U.S.C. § 114 Transportation Security Administration
49 U.S.C. § 44909 Passenger Manifests
See also: Pub. Law 107-71

 

Overview

President Bush signed the Aviation and Transportation Security Act into law in November 2001, requiring screening conducted by federal officials, 100 percent checked baggage screening, expansion of the Federal Air Marshal Service and reinforced cockpit doors. The Transportation Security Administration (TSA) was created to oversee security in all modes of transportation.

Source: Transportation Security Timeline

B


Bank Secrecy Act (BSA)
31 U.S.C. § 310

Overview

The Currency and Foreign Transactions Reporting Act of 1970 (a legislative framework commonly referred to as the “Bank Secrecy Act” or “BSA”) requires U.S. financial institutions to assist U.S. government agencies in detecting and preventing money laundering. Specifically, the Act requires financial institutions to keep records of cash purchases of negotiable instruments, to file reports of cash transactions exceeding $10,000 (daily aggregate amount), and to report suspicious activity that might signify money laundering, tax evasion, or other criminal activities. It was passed by the Congress of the United States in 1970. The BSA is sometimes referred to as an “anti-money laundering” law (“AML”) or jointly as “BSA/AML.” Several AML Acts, including provisions in Title III of the USA PATRIOT Act of 2001, have been enacted up to the present to amend the BSA. (See 31 U.S.C. §§ 5311-5330 and 31 C.F.R. Chapter X [formerly 31 C.F.R. Part 103].)

31 U.S.C. § 310(c)(2) requires the U.S. Department of the Treasury, Financial Crimes Enforcement Network (FinCEN), to provide appropriate standards and guidelines for determining who is to be given access to the information maintained by FinCEN; what limits are to be imposed on the use of such information; and how information about activities or relationships which involve or are closely associated with the exercise of constitutional rights is to be screened out of the data maintenance system.

When investigating potential money laundering or Bank Secrecy Act (BSA) violations, the key test (related statute test) is whether, under the facts and circumstances of the particular case, the money laundering and BSA provisions are considered related to the administration of the Internal Revenue laws.

Source: FinCEN’s Mandate from Congress

C


Clinical Laboratory Improvement Amendments of 1988 (CLIA)
42 U.S.C. § 263a

Overview

The Clinical Laboratory Improvement Amendments of 1988 (CLIA) is an amendment to the Public Health Services Act in which Congress revised the federal program for certification and oversight of clinical laboratory testing. Two subsequent amendments were made after 1988. The law continues to be cited as CLIA ’88 as named in legislation.

In general terms, the CLIA regulations establish quality standards for laboratory testing performed on specimens from humans, such as blood, body fluid and tissue, for the purpose of diagnosis, prevention, or treatment of disease, or assessment of health.

The Centers for Medicare & Medicaid Services (CMS) regulates all laboratory testing (except research) performed on humans in the U.S. through CLIA. In total, CLIA covers approximately 254,000 laboratory entities. The Division of Laboratory Services, within the Survey and Certification Group, under the Center for Clinical Standards and Quality (CCSQ) has the responsibility for implementing the CLIA Program.

Sources:

CLIA: Laws and Regulations (CDC)

Clinical Laboratory Improvements Act (CMS)

Communications Assistance for Law Enforcement Act (CALEA)
47 U.S.C. §§ 1001-1010

Overview

In response to concerns that emerging technologies such as digital and wireless communications were making it increasingly difficult for law enforcement agencies to execute authorized surveillance, Congress enacted CALEA on October 25, 1994. CALEA requires a “telecommunications carrier,” as defined by the CALEA statute, to ensure that equipment, facilities, or services that allow a customer or subscriber to “originate, terminate, or direct communications” enable law enforcement officials to conduct electronic surveillance pursuant to court order or other lawful authorization. CALEA is intended to preserve the ability of law enforcement agencies to conduct electronic surveillance by requiring that telecommunications carriers and manufacturers of telecommunications equipment design and modify their equipment, facilities, and services to ensure that they have the necessary surveillance capabilities as communications network technologies evolve. CALEA is limited to telecommunications carriers as defined by the Act and interpreted by the FCC. In addition, CALEA specifically exempts “Information Services,” which include many Internet-based communications service providers, electronic storage providers, and electronic messaging services.

Source: Communications Assistance for Law Enforcement Act

Confidentiality of Medical Quality-Assurance Records
38 U.S.C. §§ 5701-5728
38 U.S.C. § 5705 Confidentiality of medical quality-assurance records

Overview

Records and documents created by the Department of Veterans Affairs (VA) as part of a medical quality-assurance program are confidential and privileged and may not be disclosed to any person or entity except as provided in 38 U.S.C. § 5705.

Consolidated Appropriations Act of 2005
Public Law No. 108-447 (see division H, title V, section 522)
5 U.S.C. § 552a note

Overview

The Consolidated Appropriations Act of 2005 (the “Act”) requires that each agency, subject to the Act:

  • shall have a Chief Privacy Officer to assume primary responsibility for privacy and data protection policy.  (Sec. 522(a))
  • shall establish and implement comprehensive privacy and data protection procedures governing the agency’s collection, use, sharing, disclosure, transfer, storage and security of information in an identifiable form relating to the agency employees and the public.  (Sec. 522(b))
  • shall prepare a written report of its use of information in an identifiable form, along with its privacy and data protection policies and procedures, and record it with the Inspector General of the agency to serve as a benchmark for the agency.  (Sec. 522(c))
  • [a]t least every 2 years . . . shall have performed an independent, third party review of the use of information in identifiable form as the privacy and data protection procedures of the agency.  (Sec. 522(d))
  • [u]pon completion of a review, the Inspector General of an agency shall submit to the head of that agency a detailed report on the review.  (Sec. 522(e))

Cybersecurity Information Sharing Act of 2015 (CISA)
6 U.S.C. §§ 149, 151, 1501-1510, 1521-1525, 1531-1533

Overview

On December 18, 2015, the President signed the Cybersecurity Act of 2015 into law. Congress enacted the Cybersecurity Information Sharing Act (CISA), Title I of the Cybersecurity Act, to direct the Department of Homeland Security (DHS), in collaboration with other named agencies, to create a voluntary cybersecurity information sharing process that protects participants from certain types of liability and encourages public and private entities to share cyber threat information in real time while protecting the privacy and civil liberties of individuals.

Source: Privacy and Civil Liberties Final Guidelines: Cybersecurity Information Sharing Act of 2015

Federal Policy for the Protection of Human Subjects (Common Rule)
42 U.S.C. § 289

Overview

On July 12, 1974, the National Research Act (Pub. L. 93-348) was signed into law, thereby creating the National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research (the “Commission”). The current U.S. system of protection for human research subjects is heavily influenced by the Belmont Report, written in 1979 by the Commission.

In 1985, Congress enacted 42 U.S.C. § 289, providing that “The Secretary of the U.S. Department of Health and Human Services (HHS) shall by regulation require that each entity which applies for a grant, contract, or cooperative agreement under this chapter for any project or program which involves the conduct of biomedical or behavioral research involving human subjects submit in or with its application for such grant, contract, or cooperative agreement assurances satisfactory to the Secretary that it has established (in accordance with regulations which the Secretary shall prescribe) a board (to be known as an ‘Institutional Review Board’) to review biomedical and behavioral research involving human subjects conducted at or supported by such entity in order to protect the rights of the human subjects of such research.”

The Federal Policy for the Protection of Human Subjects, or the “Common Rule,” was published in 1991 and codified in separate regulations by 15 Federal departments and agencies. The HHS regulations, 45 CFR part 46, include four subparts: subpart A, also known as the Federal Policy or the “Common Rule”; subpart B, additional protections for pregnant women, human fetuses, and neonates; subpart C, additional protections for prisoners; and subpart D, additional protections for children. A fifth subpart, subpart E, which concerns registration of Institutional Review Boards (IRBs), was added in 2009. For all participating departments and agencies, the Common Rule outlines the basic provisions for IRBs, informed consent, and Assurances of Compliance. Human subject research conducted or supported by each Federal department/agency is governed by the regulations of that department/agency. The head of that department/agency retains final judgment as to whether a particular activity it conducts or supports is covered by the Common Rule. If an institution seeks guidance on implementation of the Common Rule and other applicable Federal regulations, the institution should contact the department/agency conducting or supporting the research.

The HHS and fifteen other Federal departments and agencies have issued final revisions to the Federal Policy for the Protection of Human Subjects (the Common Rule). The Final Rule was published in the Federal Register on January 19, 2017. It implements new steps to better protect human subjects involved in research, while facilitating valuable research and reducing burden, delay, and ambiguity for investigators.

Sources:

The Belmont Report

Federal Policy for the Protection of Human Subjects (‘Common Rule’)

HHS Historical Highlights

Final Revisions to the Common Rule

The Communications Act of 1934
47 U.S.C. §§ et seq
47 U.S.C. § 222, Privacy of Customer Information
47 U.S.C. § 338(i), Privacy Rights of Satellite Subscribers
47 U.S.C. § 551, Protection of Subscriber Privacy
47 U.S.C. § 605, Unauthorized Publication or Use of Communications
See also, The Communications Act of 1934

Overview

The Communications Act of 1934 (the “Act”) combined and organized federal regulation of telephone, telegraph, and radio communications. The Act created the Federal Communications Commission (FCC) to oversee and regulate these industries. The Act is updated periodically to add provisions governing new communications technologies, such as broadcast, cable and satellite television.

The Act, as amended, is an expansive statute regulating U.S. telephone, telegraph, television, and radio communications. Its seven subchapters regulate virtually all aspects of the communications and broadcasting industry, including assignment of frequencies, rates and fees, standards, competition, terms of subscriber access, commercials, broadcasting in the public interest, and government use of communications systems. The Act also provides for more detailed regulation and oversight through the establishment of the FCC.

Source: The Communications Act of 1934

Title 13 – Census
13 U.S.C. et seq
13 U.S.C. § 9 Information as Confidential

Overview

The Census Bureau is bound by Title 13 of the United States Code. These laws not only provide authority for the work it does, but also provide strong protection for the information it collects from individuals and businesses.

People sworn to uphold Title 13 are legally required to maintain the confidentiality of respondent data. Every person with access to respondent data is sworn for life to protect your information and understands that the penalties for violating this law are applicable for a lifetime.

Sources:

Title 13 – Protection of Confidential Information

Oath of Non-Disclosure

D


Drug Abuse Prevention, Treatment, and Rehabilitation Act (Confidentiality of Alcohol and Drug Abuse Patient Records) (Part 2)
42 U.S.C. § 290dd-2

Overview

Confidentiality of substance use disorder (alcohol and drug abuse) patient records is required under 42 U.S.C. § 290dd-2 and 42 C.F.R. Part 2. The statute and regulation require that records related to patient treatment of substance use disorders remain confidential, subject to certain specific exceptions or to patient consent to disclose such information. The statute extends to cover “any program or activity relating to substance abuse education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.”

Source: Listening Session Comments on Substance Abuse Treatment Confidentiality Regulations

E


E-Government Act of 2002 – Section 208 (E-Government Act)
44 U.S.C. § 3501 note
See also, Public Law 107-347

Overview

The availability of information, from personal information to public information, is made all the easier today due to technological changes in computers, digitized networks, internet access, and the creation of new information products. The E-Government Act of 2002 recognized that these advances also have important ramifications for the protection of personal information contained in government records and systems.

Privacy Impact Assessments (“PIAs”) are required by Section 208 of the E-Government Act for all Federal government agencies that develop or procure new information technology involving the collection, maintenance, or dissemination of information in identifiable form, or that make substantial changes to existing information technology that manages information in identifiable form. A PIA is an analysis of how information in identifiable form is collected, stored, protected, shared, and managed. The purpose of a PIA is to demonstrate that system owners and developers have incorporated privacy protections throughout the entire life cycle of a system. The Act requires an agency to make PIAs publicly available, except when the agency in its discretion determines that publication of the PIA would raise security concerns, reveal classified (i.e., national security) information, or reveal sensitive information (e.g., information contained in the assessment that is potentially damaging to a national interest, a law enforcement effort, or a competitive business interest).

Source: E-government Act of 2002, Department of Justice

Education Sciences Reform Act of 2002 (ESRA)
20 U.S.C. §§ 9501-9584
20 U.S.C. § 9573 Confidentiality

Overview

The Education Sciences Reform Act of 2002 established the Institute of Education Sciences (IES). The mission of IES is to provide rigorous evidence on which to ground education practice and policy. This is accomplished through the work of its four centers: the National Center for Education Evaluation, the National Center for Education Research, the National Center for Education Statistics, and the National Center for Special Education Research.

Section 208 of the Education Sciences Reform Act of 2002 states, “All collection, maintenance, use, and wide dissemination of data by the Institute, including each office, board, committee, and center of the Institute, shall conform with the requirements of section 552a of title 5, United States Code, the confidentiality standards of subsection (c) of this section, and sections 444 and 445 of the General Education Provisions Act (20 U.S.C. §§ 1232g, 1232h).”

Further that “the Director shall ensure that all individually identifiable information about students, their academic achievements, their families, and information with respect to individual schools, shall remain confidential in accordance with section 552a of title 5, United States Code, the confidentiality standards of subsection (c) of this section, and sections 444 and 445 of the General Education Provisions Act (20 U.S.C. §§ 1232g, 1232h).”

The prohibitions of Section 9573 of Title 20 include:

  • No person may use any individually identifiable information furnished…for any purpose other than a research, statistics, or evaluation purpose.
  • No person may make any publication whereby the data furnished by any particular person…can be identified.
  • No person may permit anyone other than the individuals authorized by the Director to examine the individual reports.

Electronic Communications Privacy Act of 1986 (ECPA)
18 U.S.C. §§ 1367, 2521, 2701-2712, 3117, 3121-3127
18 U.S.C. §§ 2510-2522 Wire and Electronic Communications Interception and Interception of Oral Communications (Wiretap Act)
18 U.S.C. §§ 2701-2712 Stored Wire and Electronic Communications and Transactional Records Access (Stored Communications Act)
18 U.S.C. §§ 3121-3127 Pen Registers and Trap and Trace Devices
See also, Public Law 99-508

Overview

The Electronic Communications Privacy Act (ECPA) of 1986 created additional privacy protections for stored electronic communications and updated the Federal Wiretap Act to cover electronic communications as well as oral and wire communications.  Title II of the ECPA established a comprehensive system of protections for stored communications codified at 18 U.S.C. §§ 2701-2712 which has come to be referred to as the Stored Communications Act (SCA).

The ECPA, as amended, protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers. The Act applies to email, telephone conversations, and data stored electronically.

Source: Justice Information Sharing, Electronic Communications Privacy Act of 1986

F


Fair Credit Reporting Act (FCRA)
15 U.S.C. § 1681

Overview

The Fair Credit Reporting Act (FCRA) promotes the accuracy, fairness, and privacy of consumer information contained in the files of consumer reporting agencies. If your company meets the definition of a “consumer reporting agency” (CRA), if you furnish information to CRAs, or if you use that information for certain purposes, you may have obligations under the FCRA.

Source: Federal Trade Commission, Credit Reporting

Family Educational Rights and Privacy Act (FERPA)
20 U.S.C. § 1232g

Overview

FERPA protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level.

FERPA permits educational agencies and institutions, such as Local Education Agencies (LEA) and their constituent schools, to disclose PII from education records to State Education Agencies (SEA) and other State educational authorities without a parent’s prior consent under certain conditions. For a review of the exceptions to the general prior consent rule in FERPA, see 34 CFR § 99.31. The most common exception that relates to disclosure to a State educational authority is found in §§ 99.31(a)(3) and 99.35. The disclosure must be in connection with:

  • An audit or evaluation of Federal or State supported education programs; or
  • The enforcement of or compliance with Federal legal requirements relating to such programs.

Information collected under this provision generally must be:

  • Protected so that information is not disclosed to anyone other than the authorized representatives of the State educational authority (§ 99.35(b)(1)); and,
  • Destroyed when no longer needed for the purposes listed above (§ 99.35(b)(2))

(Note: Federal entities, entities or individuals acting as the designated authorized representatives of the Attorney General, the Comptroller General, or the Secretary of Education, as well as other third parties receiving PII from education records without consent, generally must also protect the PII from unauthorized disclosure and comply with FERPA’s recordation provisions for any authorized re-disclosure, and may only use it in accordance with FERPA and for the specific purposes for which it was disclosed.)

Sources:

Law and Guidance: Family Educational Rights and Privacy Act (FERPA)

Family Educational Rights and Privacy Act (FERPA)

Federal Agency Data Mining Reporting Act of 2007 (FADMRA)
42 U.S.C. § 2000ee-3

Overview

The Federal Agency Data Mining Reporting Act of 2007 (FADMRA) is contained in section 803 of the Implementing the Recommendations of the 9/11 Commission Act of 2007.

The FADMRA provides that the head of each department or agency of the Federal Government that is engaged in any “pattern-based” data mining activity shall submit a report to Congress on all such activities of the department or agency under the jurisdiction of that official. The report shall be produced in coordination with the privacy officer of that department or agency, if applicable, and shall be made available to the public, except for an annex as described in subparagraph (c).

Federal Information Security Modernization Act of 2014 (FISMA)
44 U.S.C. Chapter 35 (44 U.S.C. §§ 3551-3558)

Overview

The Federal Information Security Modernization Act requires each agency to develop, document, and implement an agency-wide information security program that includes plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.

Source: OMB Circular No. A-130, Managing Information as a Strategic Resource (July 2016)

Federal Records Act of 1950 (FRA)
44 U.S.C. Chapter 31 et seq

Overview

The FRA provides that “the head of each Federal agency shall make and preserve records containing adequate and proper documentation of the organization, functions, policies, decisions, procedures, and essential transactions of the agency and designed to furnish the information necessary to protect the legal and financial rights of the Government and of persons directly affected by the agency’s activities.” [44 U.S.C. § 3101]

The implementation of the FRA is overseen by the Archivist of the United States, who heads the National Archives and Records Administration (NARA). The Archivist provides “guidance and assistance to Federal agencies with respect to ensuring adequate and proper documentation of the policies and transactions of the Federal Government and ensuring proper records disposition.” [44 U.S.C. § 2904]

Food and Drug Administration Safety and Innovation Act (FDASIA)
21 U.S.C. §§ 301 et seq
See also, Food and Drug Administration Safety and Innovation Act (Public Law No. 112-144)

Overview

FDASIA, which amended the Federal Food, Drug, and Cosmetic Act and was signed into law on July 9, 2012, expands the authorities of the U.S. Food and Drug Administration (FDA) and strengthens the agency’s ability to safeguard and advance public health by:

  • Giving the authority to collect user fees from industry to fund reviews of innovator drugs, medical devices, generic drugs, and biosimilar biological products;
  • Promoting innovation to speed patient access to safe and effective products;
  • Increasing stakeholder involvement in FDA processes; and
  • Enhancing the safety of the drug supply chain.

Section 618 of FDASIA directed the Secretary of Health and Human Services, acting through the Commissioner of the FDA, and in consultation with the Office of the National Coordinator for Health Information Technology and the Chairman of the Federal Communications Commission, to develop a report that contains a proposed strategy and recommendations on an appropriate, risk-based regulatory framework for health IT, including medical mobile applications, that promotes innovation, protects patient safety, and avoids regulatory duplication.

Sources:

Regulatory Information: Food and Drug Administration Safety and Innovation Act (FDASIA)

Health IT Legislation: FDASIA

Foreign Intelligence Surveillance Act of 1978 and Amendments (FISA)
50 U.S.C. §§ 1801 et seq
See also, Public Law 95-511

Overview

FISA authorizes electronic surveillance and other activities to obtain foreign intelligence information.  FISA has been amended repeatedly since 1978, including the FISA Amendments Act (FAA) of 2008 containing Section 702 (reflected in Title VII below) and most recently by the USA FREEDOM Act of 2015 (reflected in the various titles below).  The titles of FISA are:

  • Title I – Electronic Surveillance within the United States for Foreign Intelligence Purposes
  • Title II – Conforming Amendments
  • Title III – Physical Searches within the United States for Foreign Intelligence Purposes
  • Title IV – Pen Registers and Trap and Trace Surveillance Devices for Foreign Intelligence Purposes
  • Title V – Access to Certain Business Records for Foreign Intelligence Purposes
  • Title VI – Reporting Requirement
  • Title VII – Additional Procedures Regarding Certain Persons Outside the United States
  • Title VIII – Protection of Persons Assisting the Government

Freedom of Information Act (FOIA)
5 U.S.C. § 552
See also, Full Text of the FOIA Improvement Act of 2016 (Public Law No. 114-185)
See also, U.S. Department of Justice Freedom of Information Act

Overview

Since 1967, the Freedom of Information Act (FOIA) has provided the public the right to request access to records from any federal agency. It is often described as the law that keeps citizens in the know about their government. Federal agencies are required to disclose any information requested under the FOIA unless it falls under one of nine exemptions which protect interests such as personal privacy, national security, and law enforcement.

Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015 (USA FREEDOM Act)
Pub.L. 114-23, 129 Stat. 268

Overview

The “Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015” or the “USA FREEDOM Act of 2015” was enacted “to reform the authorities of the Federal Government to require the production of certain business records [e.g., call detail records], conduct electronic surveillance, use pen registers and trap and trace devices, and use other forms of information gathering for foreign intelligence, counterterrorism, and criminal purposes, and for other purposes.”

Source: Pub.L. 114-23, 129 Stat. 268

G


Genetic Information Nondiscrimination Act of 2008 (GINA)
42 U.S.C. § 1320d-9, Application of HIPAA Regulations to Genetic Information
42 U.S.C. § 12112(d)(3), Employment Entrance Examination
See also, Public Law 110-233

Overview

The Genetic Information Nondiscrimination Act (GINA) was signed into law on May 21, 2008.  GINA protects individuals against discrimination based on their genetic information in health coverage and in employment.  GINA is divided into two sections, or Titles.

Title I of GINA includes provisions that generally prohibit group health plans and health insurance issuers from discriminating based on genetic information. These provisions amend the Employee Retirement Income Security Act (ERISA), administered by the Department of Labor; the Public Health Service Act (PHS Act), administered by the Department of Health and Human Services (HHS); and the Internal Revenue Code (the Code), administered by the Department of Treasury (the Treasury) and the Internal Revenue Service (IRS). The Department of Labor has jurisdiction with respect to employment-based group health plans. HHS in conjunction with the States administers these provisions with respect to health insurance issuers. The Treasury and IRS administer these provisions with respect to employers. Title I of GINA also includes individual insurance market provisions under the PHS Act and privacy and confidentiality provisions under the Social Security Act, which are both within the jurisdiction of HHS.

With respect to privacy, statutory amendments were implemented under the Health Information Technology for Economic and Clinical Health Act (“the HITECH Act”) in January 2013 to modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title I of GINA. Specifically, the HIPAA Privacy Rule prohibits health plans from using or disclosing genetic information for underwriting purposes. The modifications also clarify that genetic information is health information and prohibit the use and disclosure of genetic information by covered health plans for eligibility determinations, premium computations, applications of any pre-existing condition exclusions, and any other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits.

Title II of GINA prohibits the use of genetic information in making employment decisions in any aspect of employment, including hiring, firing, pay, job assignments, promotions, layoffs, training, fringe benefits, or any other term or condition of employment.  It is enforced by the Equal Employment Opportunity Commission (EEOC).

Sources:


H


Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
42 U.S.C. §§ 300jj et seq; 42 U.S.C. §§ 17901 et seq
See also, American Recovery and Reinvestment Act of 2009 (Public Law 111-5, §§ 13001-13424, §§ 4001 – 4201)

Overview

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 provides the U.S. Department of Health and Human Services (HHS) with the authority to establish programs to improve health care quality, safety, and efficiency through the promotion of health IT, including electronic health records and private and secure electronic health information exchange. The HITECH Act amends Sections 3004 and 3005 of the Public Health Service Act to describe the processes for evaluation, adoption, and implementation of endorsed standards, implementation specifications, and certification criteria for health IT.  Sections 13400-13411 of HITECH describe HHS’s work to improve privacy and security provisions for electronic exchange and use of health information, and sections 4001-4201 of HITECH establish the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs to provide incentive payments for eligible professionals, hospitals, and critical access hospitals as they adopt, implement, upgrade, or demonstrate meaningful use of certified EHR technology.

Sources:

Health IT Legislation and Regulations

Select Portions of the HITECH Act and Relationship to ONC Work


Health Insurance Portability and Accountability Act of 1996 (HIPAA) Breach Notification Rule
42 U.S.C. § 17932

See also, Health Information Technology for Economic and Clinical Health (HITECH) Act (Public Law 111-5, Div. A, title XIII, § 13402)

See also, 45 C.F.R. §§ 164.400-414 (Subpart D)

Overview

Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act (the “Act”) requires HIPAA covered entities to provide notification to affected individuals and to the Secretary of the U.S. Department of Health and Human Services (HHS) following the discovery of a breach of unsecured protected health information. In some cases, the Act requires covered entities also to provide notification to the media of breaches. In the case of a breach of unsecured protected health information at or by a business associate of a covered entity, the Act requires the business associate to notify the covered entity of the breach. Finally, the Act requires the Secretary to post on an HHS Web site a list of covered entities that experience breaches of unsecured protected health information involving more than 500 individuals.

The HIPAA Breach Notification Rule, 45 C.F.R. §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of HITECH and the Genetic Information Nondiscrimination Act (GINA).

Source: Health Information Privacy: Breach Notification Rule

Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule
Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191)
45 C.F.R. Part 160
45 C.F.R. Part 164 Subparts A and E

Overview

The HIPAA Privacy Rule, adopted by the U.S. Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

Sources:

Health Information Privacy: The HIPAA Privacy Rule 

The Health Insurance Portability and Accountability Act of 1996

Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule
Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191)
See also, 45 C.F.R. Part 160
See also, 45 C.F.R. §§ 164.102-106 and §§ 164.302-318

Overview

The HIPAA Security Rule, adopted by the U.S. Department of Health and Human Services (HHS) pursuant to the Health Insurance Portability and Accountability Act of 1996, establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

Sources:

Health Information Privacy, The Security Rule 

Health Insurance Portability and Accountability Act of 1996

Homeland Security Act of 2002
6 U.S.C. § 101 et seq
See also, Pub. Law 107-296 and the Office of the Director of National Intelligence Legal Reference Book

Overview

The Homeland Security Act of 2002 charges the Department of Homeland Security (DHS) Chief Privacy Officer with primary responsibility for ensuring that privacy considerations and protections are integrated into all DHS programs, policies, and procedures. The Chief Privacy Officer serves as the principal advisor to the DHS Secretary on privacy policy.

The activities of the Privacy Office serve to build privacy into departmental programs.

Sources:

Department of Homeland Security, Privacy Office, “Fiscal Year 2016 Semiannual Report to Congress: For the period October 1, 2015 – March 31, 2016,” July 6, 2016

DHS, Authorities and Responsibilities of the Chief Privacy Officer


I


Immigration and Nationality Act of 1952 (INA)
8 U.S.C. §§ 1101 et seq
See also, Immigration and Nationality Act (U.S. Citizenship and Immigration Services)

Overview

The Immigration and Nationality Act, or INA, was created in 1952. The Act has been amended many times over the years, but is still the basic body of immigration law.  The INA is divided into titles, chapters, and sections. Although it stands alone as a body of law, the Act is also contained in the United States Code (U.S.C.).  When browsing the INA or other statutes you will often see reference to the U.S. Code citation. For example, Section 208 of the INA deals with asylum, and is also contained in 8 U.S.C. 1158. Although it is correct to refer to a specific section by either its INA citation or its U.S. Code citation, the INA citation is more commonly used.

Source: Immigration and Nationality Act


Implementing Recommendations of the 9/11 Commission Act of 2007
6 U.S.C. § 101 et seq
See also, Pub. Law 110-153 and the Office of the Director of National Intelligence Legal Reference Guide

Overview

This Act amended section 1016 of the Intelligence Reform and Terrorism Prevention Act (IRTPA) and amended the Homeland Security Act of 2002 to expand and further refine the scope of the Information Sharing Environment (ISE).

Individuals with Disabilities Education Act (IDEA)
20 U.S.C. §§ 1400 et seq
20 U.S.C. § 1417(c), Confidentiality

Overview

IDEA is a law ensuring services to children with disabilities throughout the nation.  IDEA governs how states and public agencies provide early intervention, special education and related services to more than 6.5 million eligible infants, toddlers, children and youth with disabilities.

Infants and toddlers with disabilities (from birth through age 2) and their families receive early intervention services under IDEA Part C.  Children and youth (from age 3 through age 21) receive special education and related services under IDEA Part B.

Parts B & C require that the Secretary of the U.S. Department of Education shall take appropriate action, in accordance with section 444 of the General Education Provisions Act (GEPA), to ensure the confidentiality of any personally identifiable data, information, and records collected or maintained by the Secretary and by State educational agencies (SEA) and local educational agencies (LEA).

Sources:

Building the Legacy: IDEA 2004

IDEA and FERPA Confidentiality Provisions

Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA)
Pub. L. 108-458
See also, Office of the Director of National Intelligence Legal Reference Book

Overview

IRTPA addresses many different facets of information gathering and the intelligence community. IRTPA’s eight titles reflect its broad scope:

  • Title I – Reform of the Intelligence Community
  • Title II – Federal Bureau of Investigation
  • Title III – Security Clearances
  • Title IV – Transportation Security
  • Title V – Border Protection, Immigration, and Visa Matters
  • Title VI – Terrorism Prevention
  • Title VII – Implementation of 9/11 Commission Recommendations
  • Title VIII – Other Matters, including a requirement that the Department of Homeland Security ensure that the civil rights and civil liberties of persons are not diminished by efforts, activities, and programs aimed at securing the homeland.

Internal Revenue Code (Tax Code)
26 U.S.C. §§ et al
26 U.S.C. § 6103 Confidentiality and disclosure of returns and return information
26 U.S.C. § 6713 Disclosure or use of information by preparers of returns
26 U.S.C. § 7213 Unauthorized disclosure of information
26 U.S.C. § 7213a Unauthorized inspection of returns or return information

See also, Internal Revenue Service Laws and Regulations

Overview

Taxpayers have the right to expect that any Internal Revenue Service (IRS) inquiry, examination, or enforcement action will comply with the law and be no more intrusive than necessary, will respect all due process rights, including search and seizure protections, and will provide, where applicable, a collection due process hearing.

Taxpayers have the right to expect that any information they provide to the IRS will not be disclosed unless authorized by the taxpayer or by law. Taxpayers have the right to expect appropriate action will be taken against government officers and employees, tax return preparers, and others who wrongfully use or disclose taxpayer return information.

Source: Your Rights as a Taxpayer


J


Judicial Redress Act of 2015 (JRA)

5 U.S.C. § 552a note

See also, Judicial Redress Act of 2015 (Public Law No. 114-126).

Overview

The Judicial Redress Act of 2015 authorizes the Department of Justice (DOJ) to designate foreign countries or regional economic integration organizations whose natural citizens may bring civil actions under the Privacy Act of 1974 against certain U.S. government agencies for purposes of accessing, amending, or redressing unlawful disclosures of records transferred from a foreign country to the United States to prevent, investigate, detect, or prosecute criminal offenses.

The citizens of such countries or organizations may bring a civil action against: (1) U.S. agencies that intentionally or willfully violate conditions for disclosing records without the consent of the individual to whom the record pertains; and (2) U.S. agencies designated by DOJ, with the concurrence of the agency, that refuse an individual’s request to review or amend his or her records.

Source: Judicial Redress Act 

Justice System Improvement Act of 1979
42 U.S.C. § 3701 et seq
42 U.S.C. § 3789(g) Confidentiality of information

Overview

As a Federal statistical agency that collects, analyzes, publishes, and disseminates a wide array of information on crime, criminal offenders, victims of crime, and the operation of justice systems at all levels of government, the Bureau of Justice Statistics (BJS) has taken aggressive measures to protect the privacy and confidentiality of the individuals from whom it obtains information. BJS has procedures in place to ensure that information collected by BJS that is identifiable to a private person may only be used and/or revealed for the statistical or research-related purpose for which it is obtained. BJS has procedures in place to ensure that copies of such information shall not, without the consent of the person to whom the information pertains, be revealed to others who are not involved in the collection and analysis of the information.

Source: Bureau of Justice Statistics Data Quality Guidelines


K


no content

L


no content

M


no content

N


National Security Act of 1947
50 U.S.C. § 3001 et seq

See also, National Security Act of 1947

Overview

In the aftermath of World War II, the National Security Act provided a major reorganization of the U.S. defense and intelligence agencies. As amended, the Act provides “a comprehensive program for the future security of the United States” through the integration of the policies and procedures of U.S. military, intelligence, and national security agencies, and the coordination of national security policy.

Source: National Security Act


O


no content

P


Act to Regulate the Issue and Validity of Passports, And For Other Purposes, 1926 (as amended)
22 U.S.C. § 211a, Passports

Overview

This law provides that the U.S. Department of State is in charge of granting and issuing U.S. passports.

Paperwork Reduction Act of 1995 (PRA)
44 U.S.C. Chapter 35 et seq

Overview

The Paperwork Reduction Act (PRA), signed into law in 1980 and reauthorized in 1995, provides the statutory framework for the Federal government’s collection, use, and dissemination of information. The goals of the PRA include (1) minimizing paperwork and reporting burdens on the American public and (2) ensuring the maximum possible utility from the information that is collected.

In support of these goals, the PRA requires Federal agencies to take specific steps before requiring or requesting information from the public. These steps include (1) seeking public comment on proposed information collections and (2) submitting proposed collections for review and approval by the Office of Management and Budget (OMB). Within OMB, the Office of Information and Regulatory Affairs (OIRA) carries out the information collection review.

One of the purposes of the Paperwork Reduction Act is to “ensure that the creation, collection, maintenance, use, dissemination, and disposition of information by or for the Federal Government is consistent with applicable laws, including laws relating to (A) privacy and confidentiality, including section 552a of title 5; (B) security of information, including section 11332 of title 40; and (C) access to information, including section 552 of title 5.” 44 U.S.C. § 3501(8).

Source:

Office of Information and Regulatory Affairs – Regulations and the Rule Making Process

Patient Safety and Quality Improvement Act of 2005 (PSQIA)
42 U.S.C. §§ 299b-21 – 299b-26
See also, Patient Safety and Quality Improvement Act of 2005 (Public Law 109-41).

Overview

The Patient Safety and Quality Improvement Act of 2005 (PSQIA) establishes a voluntary reporting system designed to enhance the data available to assess and resolve patient safety and health care quality issues.  To encourage the reporting and analysis of medical errors, PSQIA provides Federal privilege and confidentiality protections for patient safety information, called patient safety work product.  PSQIA authorizes the U.S. Department of Health and Human Services (HHS) to impose civil money penalties for violations of patient safety confidentiality.  PSQIA also authorizes the Agency for Healthcare Research and Quality (AHRQ) to list patient safety organizations (PSOs).  PSOs are the external experts that collect and review patient safety information.

Source: Health Information Privacy: Patient Safety and Quality Improvement Act of 2005 Statute and Rule

Privacy Act of 1974 (Privacy Act)
5 U.S.C. § 552a

Overview

The Privacy Act of 1974, 5 U.S.C. § 552a, establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies. A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifier assigned to the individual.

The Privacy Act requires U.S. Government agencies give public notice of their systems of records by publication in the Federal Register. The Privacy Act prohibits the disclosure of a record about an individual from a system of records absent the written consent of the individual, unless the disclosure is pursuant to one of twelve statutory exceptions. The Act also provides individuals with a means by which to seek access to and amendment of their records, and sets forth various agency record-keeping requirements.

Source: U.S. Department of Justice – Privacy Act of 1974

Protection of Pupil Rights Amendment (PPRA)
20 U.S.C. § 1232h

Overview

The PPRA applies to the programs and activities of a State educational agency (SEA), local educational agency (LEA), or other recipient of funds under any program funded by the U.S. Department of Education.  It governs the administration to students of a survey, analysis, or evaluation that concerns one or more of the following eight protected areas:

  • political affiliations or beliefs of the student or the student’s parent;
  • mental or psychological problems of the student or the student’s family;
  • sex behavior or attitudes;
  • illegal, anti-social, self-incriminating, or demeaning behavior;
  • critical appraisals of other individuals with whom respondents have close family relationships;
  • legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers;
  • religious practices, affiliations, or beliefs of the student or student’s parent; or,
  • income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program).

PPRA also concerns marketing surveys and other areas of student privacy, parental access to information, and the administration of certain physical examinations to minors.  The rights under PPRA transfer from the parents to a student who is 18 years old or an emancipated minor under State law.

Source:

Family Policy Compliance Office: Protection of Pupil Rights Amendment (PPRA)

While the Family Educational Rights and Privacy Act (FERPA) protects PII from education records maintained by a school or district, PPRA is invoked when personal information is collected from the student. The use of online educational services may give rise to situations where the school or district provides FERPA-protected data to open accounts for students, and subsequent information gathered through the student’s interaction with the online educational service may implicate PPRA. Student information collected or maintained as part of an online educational service may be protected under FERPA, under PPRA, under both statutes, or not protected by either. Which statute applies depends on the content of the information, how it is collected or disclosed, and the purposes for which it is used.

It is important to remember that even though PPRA only applies to K-12 institutions, there is no time limit on the limitations governing the use of personal information collected from students for marketing purposes. So, for example, while PPRA would not limit the use of information collected from college students for marketing, it would restrict the use of information collected from students while they were still in high school (if no notice or opportunity to opt-out was provided) even after those students graduate.

Source:

Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices


Public Health Service Act (Certificates of Confidentiality)
42 U.S.C. Ch. 6A
42 U.S.C. § 241(d) Protection of privacy of individuals who are research subjects

Overview

Under section 301(d) of the Public Health Service Act (42 U.S.C. § 241(d)), the Secretary of the U.S. Department of Health and Human Services may authorize persons engaged in biomedical, behavioral, clinical, or other research to protect the privacy of individuals who are the subjects of that research. This authority has been delegated to the National Institutes of Health (NIH). Persons authorized by the NIH to protect the privacy of research subjects may not be compelled in any Federal, State, or local civil, criminal, administrative, legislative, or other proceedings to identify them by name or other identifying characteristic.

Source: Certificates of Confidentiality Background

Public Health Service Act (Confidentiality of Health Statistics)
42 U.S.C. Ch. 6A
See also, 42 U.S.C. § 242m(d)

See also, Section 308(d) of the Public Health Service Act

Overview

The Public Health Service Act’s provision on the confidentiality of health statistics (42 U.S.C. § 242m(d)) prohibits the National Center for Health Statistics (NCHS) from using any personal information for any purpose other than the one described to survey participants and from sharing that information with anyone not clearly identified to them. This provision enables NCHS to assure respondents of strict confidentiality.

Source: How NCHS Protects Your Privacy


Q


no content

R


Protection of Patient Rights (Confidentiality of Certain Medical Records)
38 U.S.C. §§ 7331 – 7334
38 U.S.C. § 7332 Confidentiality of certain medical records

Overview

Records of the identity, diagnosis, prognosis, or treatment of any patient or subject which are maintained in connection with the performance of any program or activity relating to drug abuse, alcoholism or alcohol abuse, infection with the human immunodeficiency virus, or sickle cell anemia which is carried out by or for the Department of Veterans Affairs shall be confidential, and such records may be disclosed only for purposes and under the circumstances expressly authorized by the statute.

Source: 38 U.S.C. § 7332

Right to Financial Privacy Act of 1978 (RFPA)
12 U.S.C. §§ 3401 – 3420, 3422
12 U.S.C. § 3402 Access to financial records by Government authorities prohibited; exceptions

Overview

The Right to Financial Privacy Act of 1978 was enacted to provide the financial records of financial institution customers a reasonable amount of privacy from federal government scrutiny. The Act establishes specific procedures that government authorities must follow when requesting a customer’s financial records from a bank or other financial institution. It also imposes duties and limitations on financial institutions prior to the release of information sought by government agencies.

To obtain access to, copies of, or information contained in a customer’s financial records, a government authority, generally, must first obtain one of the following:

  • An authorization, signed and dated by the customer, that identifies the records, the reasons the records are being requested, and the customer’s rights under the act
  • An administrative subpoena or summons
  • A search warrant
  • A judicial subpoena
  • A formal written request by a government agency (to be used only if no administrative summons or subpoena authority is available)

A financial institution may not release a customer’s financial records until the government authority seeking the records certifies in writing that it has complied with the applicable provision of the act.  In addition, the institution must maintain a record of all instances in which a customer’s records are disclosed to a government authority pursuant to customer authorization.  The records should include the date, the name of the government authority, and an identification of the records disclosed.  Generally, the customer has a right to inspect the records.

A customer may collect civil penalties from any government agency or department that obtains, or any financial institution or employee of the institution who discloses, information in violation of the act.

Source:

Consumer Compliance Handbook: Right to Financial Privacy


S


Social Security Act, Section 1106, Disclosure of Information in Possession of Agency
42 U.S.C. § 1306
See also, Social Security Administration, “Compilation of the Social Security Laws”

Overview

In 1937, the original Social Security Board (the “Board”) established Regulation No. 1. This simple document guaranteed the confidentiality and privacy of all records compiled by the Board. The regulation was needed to ensure the confidentiality of records furnished by employees, employers and others so that these sources of information would not be reluctant to submit complete and accurate information.

In 1939, Section 1106 of the Social Security Act was enacted. It became the statutory basis for maintaining the confidentiality of Social Security Administration records.

Section 1106(a) of the Social Security Act authorizes the Social Security Administration to disclose only as prescribed in regulations by the head of the agency.  This applies generally to all information obtained in the administration of the Social Security Act, regardless of whether the information is personal, and regardless of how the information is obtained.  The prohibitions against disclosure apply to any person who comes into possession of the information.

Sources:

Program Operations Manual System, Development of Policy on Confidentiality and Disclosure

Program Operations Manual System, Statute and Regulations for Disclosure


T


Title V of the E-Government Act of 2002 – Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA)
44 U.S.C. § 3501 note

See also, Title V – Confidential Information Protection and Statistical Efficiency Act (CIPSEA) (Public Law No. 107-347)

Overview

The Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA) can provide strong confidentiality protections for statistical information collections, such as surveys and censuses, as well as for other statistical activities, such as data analysis, modeling, and sample design, that are sponsored or conducted by Federal agencies.


U


Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act)
Public Law 107-56

Overview

The USA PATRIOT Act was enacted in response to the attacks of September 11, 2001, and became law less than two months after those attacks.

The Act comprises ten categories, called “titles.”

  • TITLE I—Enhancing Domestic Security against Terrorism
  • TITLE II—Enhanced Surveillance Procedures
  • TITLE III—International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001
  • TITLE IV—Protecting the Border
  • TITLE V—Removing Obstacles to Investigating Terrorism
  • TITLE VI—Providing for Victims of Terrorism, Public Safety Officers, and their Families
  • TITLE VII—Increased Information Sharing for Critical Infrastructure Protection
  • TITLE VIII—Strengthening the Criminal Laws against Terrorism
  • TITLE IX—Improved Intelligence
  • TITLE X—Miscellaneous

Source: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001


V


no content

W


no content

X


no content

Y


no content

Z


no content

This topical index is provided for your convenience only; it does not constitute legal interpretation, description, or characterization of the laws in the Law Library, nor does it in any way reflect Federal Government views or opinions about the laws. The inclusion or non-inclusion of a law under a particular topic is in no way an indication of the applicability or inapplicability of other topic headings that may be relevant to the law.

  • Children and Students
  • Communications
  • Financial Privacy
  • Laws of General Application
  • Health and Medical
  • Human Services
  • Law Enforcement
  • National Security and Intelligence
  • Statistical Data Confidentiality
  • Travel and Privacy

Children and Students


Family Educational Rights and Privacy Act (FERPA)
20 U.S.C. § 1232g

Overview

FERPA protects the privacy of student education records.  The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.  FERPA gives parents certain rights with respect to their children’s education records.  These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level.

FERPA permits educational agencies and institutions, such as Local Education Agencies (LEA) and their constituent schools, to disclose PII from education records to State Education Agencies (SEA) and other State educational authorities without a parent’s prior consent under certain conditions. For a review of the exceptions to the general prior consent rule in FERPA, see 34 C.F.R. § 99.31. The most common exception that relates to disclosure to a State educational authority is found in §§ 99.31(a)(3) and 99.35. The disclosure must be in connection with:

  • An audit or evaluation of Federal or State supported education programs; or
  • The enforcement of or compliance with Federal legal requirements relating to such programs.

Information collected under this provision generally must be:

  • Protected so that information is not disclosed to anyone other than the authorized representatives of the State educational authority (§ 99.35(b)(1)); and,
  • Destroyed when no longer needed for the purposes listed above (§ 99.35(b)(2)).

(Note: Federal entities, entities or individuals acting as the designated authorized representatives of the Attorney General, the Comptroller General, or the Secretary of Education, as well as other third parties receiving PII from education records without consent, generally must also protect the PII from unauthorized disclosure and comply with FERPA’s recordation provisions for any authorized re-disclosure, and may only use it in accordance with FERPA and for the specific purposes for which it was disclosed.)

Sources:

Law and Guidance: Family Educational Rights and Privacy Act (FERPA)

Family Educational Rights and Privacy Act (FERPA)

 

Individuals with Disabilities Education Act (IDEA)
20 U.S.C. §§ 1400 et seq
20 U.S.C. § 1417(c), Confidentiality

 

Overview

IDEA is a law ensuring services to children with disabilities throughout the nation.  IDEA governs how states and public agencies provide early intervention, special education and related services to more than 6.5 million eligible infants, toddlers, children and youth with disabilities.

Infants and toddlers with disabilities (from birth through age 2) and their families receive early intervention services under IDEA Part C.  Children and youth (from age 3 through age 21) receive special education and related services under IDEA Part B.

Parts B & C require that the Secretary of the U.S. Department of Education shall take appropriate action, in accordance with section 444 of the General Education Provisions Act (GEPA), to ensure the confidentiality of any personally identifiable data, information, and records collected or maintained by the Secretary and by State educational agencies (SEA) and local educational agencies (LEA).

Sources:

Building the Legacy: IDEA 2004

IDEA and FERPA Confidentiality Provisions

 

Protection of Pupil Rights Amendment (PPRA)
20 U.S.C. § 1232h

Overview

The PPRA applies to the programs and activities of a State educational agency (SEA), local educational agency (LEA), or other recipient of funds under any program funded by the U.S. Department of Education.  It governs the administration to students of a survey, analysis, or evaluation that concerns one or more of the following eight protected areas:

  • political affiliations or beliefs of the student or the student’s parent;
  • mental or psychological problems of the student or the student’s family;
  • sex behavior or attitudes;
  • illegal, anti-social, self-incriminating, or demeaning behavior;
  • critical appraisals of other individuals with whom respondents have close family relationships;
  • legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers;
  • religious practices, affiliations, or beliefs of the student or student’s parent; or,
  • income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program).

PPRA also concerns marketing surveys and other areas of student privacy, parental access to information, and the administration of certain physical examinations to minors.  The rights under PPRA transfer from the parents to a student who is 18 years old or an emancipated minor under State law.

Source:

Family Policy Compliance Office: Protection of Pupil Rights Amendment (PPRA)

While the Family Educational Rights and Privacy Act (FERPA) protects PII from education records maintained by a school or district, PPRA is invoked when personal information is collected from the student. The use of online educational services may give rise to situations where the school or district provides FERPA-protected data to open accounts for students, and subsequent information gathered through the student’s interaction with the online educational service may implicate PPRA. Student information collected or maintained as part of an online educational service may be protected under FERPA, under PPRA, under both statutes, or not protected by either. Which statute applies depends on the content of the information, how it is collected or disclosed, and the purposes for which it is used.

It is important to remember that even though PPRA only applies to K-12 institutions, there is no time limit on the limitations governing the use of personal information collected from students for marketing purposes. So, for example, while PPRA would not limit the use of information collected from college students for marketing, it would restrict the use of information collected from students while they were still in high school (if no notice or opportunity to opt-out was provided) even after those students graduate.

Source:

Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices


 

Communications


The Communications Act of 1934
47 U.S.C. §§ et seq
47 U.S.C. § 222, Privacy of Customer Information  
47 U.S.C. § 338(i), Privacy Rights of Satellite Subscribers
47 U.S.C. § 551, Protection of Subscriber Privacy
47 U.S.C. § 605, Unauthorized Publication or Use of Communications      
See also, The Communications Act of 1934

 

Overview

The Communications Act of 1934 (the “Act”) combined and organized federal regulation of telephone, telegraph, and radio communications. The Act created the Federal Communications Commission (FCC) to oversee and regulate these industries. The Act is updated periodically to add provisions governing new communications technologies, such as broadcast, cable and satellite television.

The Act, as amended, is an expansive statute regulating U.S. telephone, telegraph, television, and radio communications. Its seven subchapters regulate virtually all aspects of the communications and broadcasting industry, including assignment of frequencies, rates and fees, standards, competition, terms of subscriber access, commercials, broadcasting in the public interest, and government use of communications systems. The Act also provides for more detailed regulation and oversight through the FCC it establishes.

Source: The Communications Act of 1934


Financial Privacy


Bank Secrecy Act (BSA)
31 U.S.C. § 310

 

Overview

The Currency and Foreign Transactions Reporting Act of 1970 (the legislative framework commonly referred to as the “Bank Secrecy Act” or “BSA”) requires U.S. financial institutions to assist U.S. government agencies in detecting and preventing money laundering. Specifically, the Act requires financial institutions to keep records of cash purchases of negotiable instruments, to file reports of cash transactions exceeding $10,000 (daily aggregate amount), and to report suspicious activity that might signify money laundering, tax evasion, or other criminal activities. It was passed by the Congress of the United States in 1970. The BSA is sometimes referred to as an “anti-money laundering” law (“AML”) or jointly as “BSA/AML.” Several AML Acts, including provisions in Title III of the USA PATRIOT Act of 2001, have been enacted up to the present to amend the BSA. (See 31 U.S.C. §§ 5311-5330 and 31 C.F.R. Chapter X [formerly 31 C.F.R. Part 103].)

31 U.S.C. § 310(c)(2) requires the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) to provide appropriate standards and guidelines for determining who is to be given access to the information maintained by FinCEN; what limits are to be imposed on the use of such information; and how information about activities or relationships which involve or are closely associated with the exercise of constitutional rights is to be screened out of the data maintenance system.

When investigating potential money laundering or Bank Secrecy Act (BSA) violations, the key test (related statute test) is whether, under the facts and circumstances of the particular case, the money laundering and BSA provisions are considered related to the administration of the Internal Revenue laws.

Source: FinCEN’s Mandate from Congress

 

Consolidated Appropriations Act of 2005
Public Law No. 108-447 (see division H, title V, section 522)
5 U.S.C. § 552a note

 

Overview

The Consolidated Appropriations Act of 2005 (the “Act”) requires that each agency, subject to the Act:

  • shall have a Chief Privacy Officer to assume primary responsibility for privacy and data protection policy.  (Sec. 522(a))
  • shall establish and implement comprehensive privacy and data protection procedures governing the agency’s collection, use, sharing, disclosure, transfer, storage and security of information in an identifiable form relating to the agency employees and the public.  (Sec. 522(b))
  • shall prepare a written report of its use of information in an identifiable form, along with its privacy and data protection policies and procedures and record it with the Inspector General of the agency to serve as a benchmark for the agency.   (Sec. 552(c))
  • [a]t least every 2 years . . . shall have performed an independent, third party review of the use of information in identifiable form as the privacy and data protection procedures of the agency.  (Sec. 522(d))
  • [u]pon completion of a review, the Inspector General of an agency shall submit to the head of that agency a detailed report on the review.  (Sec. 522(e))

Fair Credit Reporting Act (FCRA)
15 U.S.C. § 1681

 

Overview

The Fair Credit Reporting Act (FCRA) promotes the accuracy, fairness, and privacy of consumer information contained in the files of consumer reporting agencies. If your company meets the definition of a “consumer reporting agency” (CRA),  if you furnish information to CRAs, or if you use that information for certain purposes, you may have obligations under the FCRA.

Source: Federal Trade Commission, Credit Reporting

 

Internal Revenue Code (Tax Code)
26 U.S.C. §§ et al
26 U.S.C. § 6103 Confidentiality and disclosure of returns and return information
26 U.S.C. § 6713 Disclosure or use of information by preparers of returns
26 U.S.C. § 7213 Unauthorized disclosure of information
26 U.S.C. § 7213a Unauthorized inspection of returns or return information

 

See also, Internal Revenue Service Laws and Regulations

Overview

Taxpayers have the right to expect that any Internal Revenue Service (IRS) inquiry, examination, or enforcement action will comply with the law and be no more intrusive than necessary; will respect all due process rights, including search and seizure protections; and will provide, where applicable, a collection due process hearing.

Taxpayers have the right to expect that any information they provide to the IRS will not be disclosed unless authorized by the taxpayer or by law. Taxpayers have the right to expect appropriate action will be taken against government officers and employees, tax return preparers, and others who wrongfully use or disclose taxpayer return information.

Source: Your Rights as a Taxpayer

Right to Financial Privacy Act of 1978 (RFPA)
12 U.S.C. §§ 3401 – 3420, 3422
12 U.S.C. § 3402 Access to financial records by Government authorities prohibited; exceptions

 

Overview

The Right to Financial Privacy Act of 1978 was enacted to provide the financial records of financial institution customers a reasonable amount of privacy from federal government scrutiny.   The Act establishes specific procedures that government authorities must follow when requesting a customer’s financial records from a bank or other financial institution.  It also imposes duties and limitations on financial institutions prior to the release of information sought by government agencies.

To obtain access to, copies of, or information contained in a customer’s financial records, a government authority, generally, must first obtain one of the following:

  • An authorization, signed and dated by the customer, that identifies the records, the reasons the records are being requested, and the customer’s rights under the act
  • An administrative subpoena or summons
  • A search warrant
  • A judicial subpoena
  • A formal written request by a government agency (to be used only if no administrative summons or subpoena authority is available)

A financial institution may not release a customer’s financial records until the government authority seeking the records certifies in writing that it has complied with the applicable provision of the act.  In addition, the institution must maintain a record of all instances in which a customer’s records are disclosed to a government authority pursuant to customer authorization.  The records should include the date, the name of the government authority, and an identification of the records disclosed.  Generally, the customer has a right to inspect the records.

A customer may collect civil penalties from any government agency or department that obtains, or any financial institution or employee of the institution who discloses, information in violation of the act.

Source:

Consumer Compliance Handbook: Right to Financial Privacy


Laws of General Application


E-Government Act of 2002 – Section 208 (E-Government Act)
44 U.S.C. § 3501 note

 

See also, Public Law 107-347

Overview

The availability of information, from personal information to public information, is made all the easier today due to technological changes in computers, digitized networks, internet access, and the creation of new information products. The E-Government Act of 2002 recognized that these advances also have important ramifications for the protection of personal information contained in government records and systems.

Privacy Impact Assessments (“PIAs”) are required by Section 208 of the E-Government Act for all Federal government agencies that develop or procure new information technology involving the collection, maintenance, or dissemination of information in identifiable form, or that make substantial changes to existing information technology that manages information in identifiable form. A PIA is an analysis of how information in identifiable form is collected, stored, protected, shared, and managed. The purpose of a PIA is to demonstrate that system owners and developers have incorporated privacy protections throughout the entire life cycle of a system. The Act requires an agency to make PIAs publicly available, except when an agency in its discretion determines that publication of the PIA would raise security concerns, reveal classified (i.e., national security) information, or reveal sensitive information (e.g., information contained in the assessment that is potentially damaging to a national interest, a law enforcement effort, or a competitive business interest).

Source: E-government Act of 2002, Department of Justice

 

Federal Information Security Modernization Act of 2014 (FISMA)
44 U.S.C. Chapter 35 (44 U.S.C. §§ 3551-3558)

 

Overview

The Federal Information Security Modernization Act requires each agency to develop, document, and implement an agency-wide information security program that includes plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.

Source: OMB Circular No. A-130, Managing Information as a Strategic Resource (July 2016)

 

Federal Records Act of 1950 (FRA)
44 U.S.C. Chapter 31 et seq

 

Overview

The FRA provides that “the head of each Federal agency shall make and preserve records containing adequate and proper documentation of the organization, functions, policies, decisions, procedures, and essential transactions of the agency and designed to furnish the information necessary to protect the legal and financial rights of the Government and of persons directly affected by the agency’s activities.” [44 U.S.C. § 3101]

The implementation of the FRA is overseen by the Archivist of the United States, who heads the National Archives and Records Administration (NARA). The Archivist provides “guidance and assistance to Federal agencies with respect to ensuring adequate and proper documentation of the policies and transactions of the Federal Government and ensuring proper records disposition.” [44 U.S.C. § 2904]

Freedom of Information Act (FOIA)
5 U.S.C. § 552
See also, Full Text of the FOIA Improvement Act of 2016 (Public Law No. 114-185)
See also, U.S. Department of Justice Freedom of Information Act

Overview

Since 1967, the Freedom of Information Act (FOIA) has provided the public the right to request access to records from any federal agency. It is often described as the law that keeps citizens in the know about their government. Federal agencies are required to disclose any information requested under the FOIA unless it falls under one of nine exemptions which protect interests such as personal privacy, national security, and law enforcement.

 

Judicial Redress Act of 2015 (JRA)

5 U.S.C. § 552a note

See also, Judicial Redress Act of 2015 (Public Law No. 114-126).

Overview

The Judicial Redress Act of 2015 authorizes the Department of Justice (DOJ) to designate foreign countries or regional economic integration organizations whose natural citizens may bring civil actions under the Privacy Act of 1974 against certain U.S. government agencies for purposes of accessing, amending, or redressing unlawful disclosures of records transferred from a foreign country to the United States to prevent, investigate, detect, or prosecute criminal offenses.

The citizens of such countries or organizations may bring a civil action against: (1) U.S. agencies that intentionally or willfully violate conditions for disclosing records without the consent of the individual to whom the record pertains; and (2) U.S. agencies designated by DOJ, with the concurrence of the agency, that refuse an individual’s request to review or amend his or her records.

Source: Judicial Redress Act 

Paperwork Reduction Act of 1995 (PRA)
44 U.S.C. Chapter 35 et seq

 

Overview

The Paperwork Reduction Act (PRA), signed into law in 1980 and reauthorized in 1995, provides the statutory framework for the Federal government’s collection, use, and dissemination of information. The goals of the PRA include (1) minimizing paperwork and reporting burdens on the American public and (2) ensuring the maximum possible utility from the information that is collected.

In support of these goals, the PRA requires Federal agencies to take specific steps before requiring or requesting information from the public. These steps include (1) seeking public comment on proposed information collections and (2) submitting proposed collections for review and approval by the Office of Management and Budget (OMB). Within OMB, the Office of Information and Regulatory Affairs (OIRA) carries out the information collection review.

One of the purposes of the Paperwork Reduction Act is to “ensure that the creation, collection, maintenance, use, dissemination, and disposition of information by or for the Federal Government is consistent with applicable laws, including laws relating to (A) privacy and confidentiality, including section 552a of title 5; (B) security of information, including section 11332 of title 40; and (C) access to information, including section 552 of title 5.” 44 U.S.C. § 3501(8).

Source:

Office of Information and Regulatory Affairs – Regulations and the Rule Making Process

Privacy Act of 1974 (Privacy Act)
5 U.S.C. § 552a

 

Overview

The Privacy Act of 1974, 5 U.S.C. § 552a, establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies. A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifier assigned to the individual.

The Privacy Act requires U.S. Government agencies to give public notice of their systems of records by publication in the Federal Register. The Privacy Act prohibits the disclosure of a record about an individual from a system of records absent the written consent of the individual, unless the disclosure is pursuant to one of twelve statutory exceptions. The Act also provides individuals with a means by which to seek access to and amendment of their records, and sets forth various agency record-keeping requirements.

Source: U.S. Department of Justice – Privacy Act of 1974


Health and Medical


Americans with Disabilities Act of 1990 (ADA) & Rehabilitation Act of 1973 (Rehab Act)
Americans with Disabilities Act (ADA)
42 U.S.C. §§ 12101 et seq
42 U.S.C. § 12112(d) Discrimination

 

Rehabilitation Act (Rehab Act)

29 U.S.C. §§ 701 et seq (Chapter 16 Vocational Rehabilitation and Other Rehabilitation Services)

 

Overview

The ADA prohibits discrimination and guarantees that people with disabilities have the same opportunities as everyone else to participate in the mainstream of American life — to enjoy employment opportunities, to purchase goods and services, and to participate in State and local government programs and services. Modeled after the Civil Rights Act of 1964, which prohibits discrimination on the basis of race, color, religion, sex, or national origin – and Section 504 of the Rehabilitation Act of 1973 — the ADA is an “equal opportunity” law for people with disabilities.

The ADA, at 42 U.S.C. § 12112(d), generally prohibits medical examinations and inquiries of job applicants unless the inquiry is about the ability of the applicant to perform job related functions. The ADA does authorize medical examinations and inquiries by employers with regard to an employee’s request for reasonable accommodation for a disability.  In both instances, there are confidentiality requirements that attach to the records and information gathered.

The Rehabilitation Act of 1973 (also known as the “Rehab Act”) prohibits discrimination on the basis of disability in programs run by federal agencies; programs that receive federal financial assistance; in federal employment; and in the employment practices of federal contractors. The standards for deciding if employment discrimination exists under the Rehab Act are the same as those used in Title I of the ADA.

The Rehab Act, at 29 C.F.R. § 791(f) and §793(d), provides that these sections of the ADA apply equally to those entities subject to the Rehab Act.

The Americans with Disabilities Act Amendments Act of 2008 (Public Law 110-325) (ADAAA) further amended the definition of “individual with a disability” and amended sections 12101, 12102, 12111 to 12114, 12201 and 12210 of the ADA and section 705 of the Rehab Act. The ADAAA also enacted sections 12103 and 12205a and re-designated sections 12206 to 12213.

Sources:

Introduction to the ADA

Rehabilitation Act of 1973 (disability.gov)

Titles I and V of the Americans with Disabilities Act of 1990 (ADA)

The Rehabilitation Act of 1973 (EEOC)

 

Clinical Laboratory Improvement Amendments of 1988 (CLIA)
42 U.S.C. § 263a

 

Overview

The Clinical Laboratory Improvement Amendments of 1988 (CLIA) is an amendment to the Public Health Services Act in which Congress revised the federal program for certification and oversight of clinical laboratory testing. Two subsequent amendments were made after 1988. The law continues to be cited as CLIA ’88 as named in legislation.

In general terms, the CLIA regulations establish quality standards for laboratory testing performed on specimens from humans, such as blood, body fluid and tissue, for the purpose of diagnosis, prevention, or treatment of disease, or assessment of health.

The Centers for Medicare & Medicaid Services (CMS) regulates all laboratory testing (except research) performed on humans in the U.S. through CLIA. In total, CLIA covers approximately 254,000 laboratory entities. The Division of Laboratory Services, within the Survey and Certification Group, under the Center for Clinical Standards and Quality (CCSQ) has the responsibility for implementing the CLIA Program.

Sources:

CLIA: Laws and Regulations (CDC)

Clinical Laboratory Improvements Act (CMS)

 

Confidentiality of Medical Quality-Assurance Records
38 U.S.C. §§ 5701 – 5728
38 U.S.C. § 5705 Confidentiality of medical quality-assurance records

 

Overview

Records and documents created by the Department of Veterans Affairs (VA) as part of a medical quality-assurance program are confidential and privileged and may not be disclosed to any person or entity except as provided in 38 U.S.C. § 5705.


 

Drug Abuse Prevention, Treatment, and Rehabilitation Act (Confidentiality of Alcohol and Drug Abuse Patient Records) (Part 2)
42 U.S.C. § 290dd–2

 

Overview

Confidentiality of substance use disorder (alcohol and drug abuse) patient records is required under 42 U.S.C. § 290dd–2 and 42 C.F.R. Part 2. The statute and regulation require that records related to the treatment of patients for substance use disorders remain confidential, subject to certain specific exceptions or to patient consent to disclose such information. The statute extends to cover “any program or activity relating to substance abuse education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.”

Source: Listening Session Comments on Substance Abuse Treatment Confidentiality Regulations

 

Federal Policy for the Protection of Human Subjects (Common Rule)
42 U.S.C. § 289

 

Overview

On July 12, 1974, the National Research Act (Pub. L. 93-348) was signed into law, thereby creating the National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research (the “Commission”). The current U.S. system of protection for human research subjects is heavily influenced by the Belmont Report, written in 1979 by the Commission.

In 1985, Congress enacted 42 U.S.C. § 289, providing that “The Secretary of the U.S. Department of Health and Human Services (HHS) shall by regulation require that each entity which applies for a grant, contract, or cooperative agreement under this chapter for any project or program which involves the conduct of biomedical or behavioral research involving human subjects submit in or with its application for such grant, contract, or cooperative agreement assurances satisfactory to the Secretary that it has established (in accordance with regulations which the Secretary shall prescribe) a board (to be known as an ‘Institutional Review Board’) to review biomedical and behavioral research involving human subjects conducted at or supported by such entity in order to protect the rights of the human subjects of such research.”

The Federal Policy for the Protection of Human Subjects or the “Common Rule” was published in 1991 and codified in separate regulations by 15 Federal departments and agencies. The HHS regulations, 45 CFR part 46, include four subparts: subpart A, also known as the Federal Policy or the “Common Rule”; subpart B, additional protections for pregnant women, human fetuses, and neonates; subpart C, additional protections for prisoners; and subpart D, additional protections for children. A fifth subpart, subpart E, which concerns registration of Institutional Review Boards (IRBs) was added in 2009.  For all participating departments and agencies, the Common Rule outlines the basic provisions for IRBs, informed consent, and Assurances of Compliance. Human subject research conducted or supported by each Federal department/agency is governed by the regulations of that department/agency. The head of that department/agency retains final judgment as to whether a particular activity it conducts or supports is covered by the Common Rule. If an institution seeks guidance on implementation of the Common Rule and other applicable Federal regulations, the institution should contact the department/agency conducting or supporting the research.

HHS and fifteen other Federal departments and agencies have issued final revisions to the Federal Policy for the Protection of Human Subjects (the Common Rule). The Final Rule was published in the Federal Register on January 19, 2017. It implements new steps to better protect human subjects involved in research, while facilitating valuable research and reducing burden, delay, and ambiguity for investigators.

Sources:

The Belmont Report

Federal Policy for the Protection of Human Subjects (‘Common Rule’)

HHS Historical Highlights

Final Revisions to the Common Rule

 


 

Food and Drug Administration Safety and Innovation Act (FDASIA)
21 U.S.C. §§ 301 et seq

 

See also, Food and Drug Administration Safety and Innovation Act (Public Law No. 112-144)

 

Overview

FDASIA, which amended the Federal Food, Drug, and Cosmetic Act and was signed into law on July 9, 2012, expands the authorities of the U.S. Food and Drug Administration (FDA) and strengthens the agency’s ability to safeguard and advance public health by:

  • Giving FDA the authority to collect user fees from industry to fund reviews of innovator drugs, medical devices, generic drugs, and biosimilar biological products;
  • Promoting innovation to speed patient access to safe and effective products;
  • Increasing stakeholder involvement in FDA processes; and
  • Enhancing the safety of the drug supply chain.

Section 618 of FDASIA directed the Secretary of Health and Human Services, acting through the Commissioner of the FDA, and in consultation with the Office of the National Coordinator for Health Information Technology and the Chairman of the Federal Communications Commission, to develop a report that contains a proposed strategy and recommendations on an appropriate, risk-based regulatory framework for health IT, including medical mobile applications, that promotes innovation, protects patient safety, and avoids regulatory duplication.

Sources:

Regulatory Information: Food and Drug Administration Safety and Innovation Act (FDASIA)

Health IT Legislation: FDASIA

 

Genetic Information Nondiscrimination Act of 2008 (GINA)
42 U.S.C. § 1320d-9, Application of HIPAA Regulations to Genetic Information
42 U.S.C. § 12112(d)(3), Employment Entrance Examination

 

See also, Public Law 110-233

Overview

The Genetic Information Nondiscrimination Act (GINA) was signed into law on May 21, 2008.  GINA protects individuals against discrimination based on their genetic information in health coverage and in employment.  GINA is divided into two sections, or Titles.

Title I of GINA includes provisions that generally prohibit group health plans and health insurance issuers from discriminating based on genetic information. These provisions amend the Employee Retirement Income Security Act (ERISA), administered by the Department of Labor; the Public Health Service Act (PHS Act), administered by the Department of Health and Human Services (HHS); and the Internal Revenue Code (the Code), administered by the Department of Treasury (the Treasury) and the Internal Revenue Service (IRS). The Department of Labor has jurisdiction with respect to employment-based group health plans. HHS in conjunction with the States administers these provisions with respect to health insurance issuers. The Treasury and IRS administer these provisions with respect to employers. Title I of GINA also includes individual insurance market provisions under the PHS Act and privacy and confidentiality provisions under the Social Security Act, which are both within the jurisdiction of HHS.

With respect to privacy, statutory amendments were implemented under the Health Information Technology for Economic and Clinical Health Act (“the HITECH Act”) in January 2013 to modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title I of GINA. Specifically, the HIPAA Privacy Rule prohibits health plans from using or disclosing genetic information for underwriting purposes. The modifications also clarify that genetic information is health information and prohibit the use and disclosure of genetic information by covered health plans for eligibility determinations, premium computations, applications of any pre-existing condition exclusions, and any other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits.

Title II of GINA prohibits the use of genetic information in making employment decisions in any aspect of employment, including hiring, firing, pay, job assignments, promotions, layoffs, training, fringe benefits, or any other term or condition of employment.  It is enforced by the Equal Employment Opportunity Commission (EEOC).

Sources:

Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
42 U.S.C. §§ 300jj et seq; 42 U.S.C. §§ 17901 et seq
See also, American Recovery and Reinvestment Act of 2009 (Public Law 111-5, §§ 13001-13424, §§ 4001 – 4201)

Overview

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 provides the U.S. Department of Health and Human Services (HHS) with the authority to establish programs to improve health care quality, safety, and efficiency through the promotion of health IT, including electronic health records and private and secure electronic health information exchange. The HITECH Act amends Sections 3004 and 3005 of the Public Health Service Act to describe the processes for evaluation, adoption, and implementation of endorsed standards, implementation specifications, and certification criteria for health IT.  Sections 13400-13411 of HITECH describe HHS’s work to improve privacy and security provisions for electronic exchange and use of health information, and sections 4001-4201 of HITECH establish the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs to provide incentive payments for eligible professionals, hospitals, and critical access hospitals as they adopt, implement, upgrade, or demonstrate meaningful use of certified EHR technology.

Sources:

Health IT Legislation and Regulations

Select Portions of the HITECH Act and Relationship to ONC Work

Health Insurance Portability and Accountability Act of 1996 (HIPAA) Breach Notification Rule
42 U.S.C. § 17932

See also, Health Information Technology for Economic and Clinical Health (HITECH) Act (Public Law 111-5, Div. A, title XIII, § 13402)

See also, 45 C.F.R. §§ 164.400-414 (Subpart D)

Overview

Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act (the “Act”) requires HIPAA covered entities to provide notification to affected individuals and to the Secretary of the U.S. Department of Health and Human Services (HHS) following the discovery of a breach of unsecured protected health information. In some cases, the Act requires covered entities also to provide notification to the media of breaches. In the case of a breach of unsecured protected health information at or by a business associate of a covered entity, the Act requires the business associate to notify the covered entity of the breach. Finally, the Act requires the Secretary to post on an HHS Web site a list of covered entities that experience breaches of unsecured protected health information involving more than 500 individuals.

The HIPAA Breach Notification Rule, 45 C.F.R. §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions, implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third-party service providers, pursuant to section 13407 of HITECH and the Genetic Information Nondiscrimination Act (GINA).

Source: Health Information Privacy: Breach Notification Rule

Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule
Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191)
45 C.F.R. Part 160
45 C.F.R. Part 164 Subparts A and E

Overview

The HIPAA Privacy Rule, adopted by the U.S. Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.  The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

Sources:

Health Information Privacy: The HIPAA Privacy Rule

The Health Insurance Portability and Accountability Act of 1996

Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule
Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191)
See also, 45 C.F.R. Part 160
See also, 45 C.F.R. §§ 164.102-106 and §§ 164.302-318

Overview

The HIPAA Security Rule, adopted by the U.S. Department of Health and Human Services (HHS) pursuant to the Health Insurance Portability and Accountability Act of 1996, establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

Sources:

Health Information Privacy, The Security Rule

Health Insurance Portability and Accountability Act of 1996

Patient Safety and Quality Improvement Act of 2005 (PSQIA)
42 U.S.C. §§ 299b-21 – 299b-26
See also, Patient Safety and Quality Improvement Act of 2005 (Public Law 109-41).

Overview

The Patient Safety and Quality Improvement Act of 2005 (PSQIA) establishes a voluntary reporting system designed to enhance the data available to assess and resolve patient safety and health care quality issues.  To encourage the reporting and analysis of medical errors, PSQIA provides Federal privilege and confidentiality protections for patient safety information, called patient safety work product.  PSQIA authorizes the U.S. Department of Health and Human Services (HHS) to impose civil money penalties for violations of patient safety confidentiality.  PSQIA also authorizes the Agency for Healthcare Research and Quality (AHRQ) to list patient safety organizations (PSOs).  PSOs are the external experts that collect and review patient safety information.

Source: Health Information Privacy: Patient Safety and Quality Improvement Act of 2005 Statute and Rule

Protection of Patient Rights (Confidentiality of Certain Medical Records)
38 U.S.C. §§ 7331 – 7334
38 U.S.C. § 7332 Confidentiality of certain medical records

Overview

Records of the identity, diagnosis, prognosis, or treatment of any patient or subject which are maintained in connection with the performance of any program or activity relating to drug abuse, alcoholism or alcohol abuse, infection with the human immunodeficiency virus, or sickle cell anemia which is carried out by or for the Department of Veterans Affairs shall be confidential, and such records may be disclosed only for purposes and under the circumstances expressly authorized by the statute.

Source: 38 U.S.C. § 7332

Public Health Service Act (Certificates of Confidentiality)
42 U.S.C. Ch. 6A
42 U.S.C. § 241(d) Protection of privacy of individuals who are research subjects

Overview

Under section 301(d) of the Public Health Service Act (42 U.S.C. § 241(d)), the Secretary of the U.S. Department of Health and Human Services may authorize persons engaged in biomedical, behavioral, clinical, or other research to protect the privacy of individuals who are the subjects of that research. This authority has been delegated to the National Institutes of Health (NIH). Persons authorized by the NIH to protect the privacy of research subjects may not be compelled in any Federal, State, or local civil, criminal, administrative, legislative, or other proceedings to identify them by name or other identifying characteristic.

Source: Certificates of Confidentiality Background

Human Services

Social Security Act, Section 1106, Disclosure of Information in Possession of Agency
42 U.S.C. § 1306
See also, Social Security Administration, “Compilation of the Social Security Laws”

Overview

In 1937, the original Social Security Board (the “Board”) established Regulation No. 1. This simple document guaranteed the confidentiality and privacy of all records compiled by the Board. The regulation was needed to ensure the confidentiality of records furnished by employees, employers and others so that these sources of information would not be reluctant to submit complete and accurate information.

In 1939, Section 1106 of the Social Security Act was enacted. It became the statutory basis for maintaining the confidentiality of Social Security Administration records.

Section 1106(a) of the Social Security Act authorizes the Social Security Administration to disclose only as prescribed in regulations by the head of the agency.  This applies generally to all information obtained in the administration of the Social Security Act, regardless of whether the information is personal, and regardless of how the information is obtained.  The prohibitions against disclosure apply to any person who comes into possession of the information.

Sources:

Program Operations Manual System, Development of Policy on Confidentiality and Disclosure

Program Operations Manual System, Statute and Regulations for Disclosure

Law Enforcement

Communications Assistance for Law Enforcement Act (CALEA)
47 U.S.C. §§ 1001-1010

Overview

In response to concerns that emerging technologies such as digital and wireless communications were making it increasingly difficult for law enforcement agencies to execute authorized surveillance, Congress enacted CALEA on October 25, 1994. CALEA requires a “telecommunications carrier,” as defined by the CALEA statute, to ensure that equipment, facilities, or services that allow a customer or subscriber to “originate, terminate, or direct communications” enable law enforcement officials to conduct electronic surveillance pursuant to court order or other lawful authorization. CALEA is intended to preserve the ability of law enforcement agencies to conduct electronic surveillance by requiring that telecommunications carriers and manufacturers of telecommunications equipment design and modify their equipment, facilities, and services to ensure that they have the necessary surveillance capabilities as communications network technologies evolve. CALEA is limited to Telecommunications Carriers as defined by the Act and interpreted by the FCC.  In addition, CALEA specifically exempts “Information Services,” which include many Internet-based communications service providers, electronic storage providers, and electronic messaging services.

Source: Communications Assistance for Law Enforcement Act

Electronic Communications Privacy Act of 1986 (ECPA)
18 U.S.C. §§ 1367, 2521, 2701 – 2712, 3117, 3121 – 3127
18 U.S.C. §§ 2510 – 2522 Wire and Electronic Communications Interception and Interception of Oral Communications (Wiretap Act)
18 U.S.C. §§ 2701 – 2712 Stored Wire and Electronic Communications and Transactional Records Access (Stored Communications Act)
18 U.S.C. §§ 3121 – 3127 Pen Registers and Trap and Trace Devices
See also, Public Law 99-508

Overview

The Electronic Communications Privacy Act (ECPA) of 1986 created additional privacy protections for stored electronic communications and updated the Federal Wiretap Act to cover electronic communications as well as oral and wire communications.  Title II of the ECPA established a comprehensive system of protections for stored communications, codified at 18 U.S.C. §§ 2701-2712, which has come to be referred to as the Stored Communications Act (SCA).

The ECPA, as amended, protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers. The Act applies to email, telephone conversations, and data stored electronically.

Source: Justice Information Sharing, Electronic Communications Privacy Act of 1986

Federal Agency Data Mining Reporting Act of 2007 (FADMRA)
42 U.S.C. § 2000ee-3

Overview

The Federal Agency Data Mining Reporting Act of 2007 (FADMRA) is contained in section 803 of the Implementing the Recommendations of the 9/11 Commission Act of 2007.

The FADMRA provides that the head of each department or agency of the Federal Government that is engaged in any “pattern-based” data mining activity shall submit a report to Congress on all such activities of the department or agency under the jurisdiction of that official. The report shall be produced in coordination with the privacy officer of that department or agency, if applicable, and shall be made available to the public, except for an annex as described in subparagraph (c).

National Security and Intelligence

Cybersecurity Information Sharing Act of 2015 (CISA)
6 U.S.C. §§ 149, 151, 1501-1510, 1521-1525, 1531-1533

Overview

On December 18, 2015, the President signed the Cybersecurity Act of 2015 into law.  Congress enacted the Cybersecurity Information Sharing Act of 2015 (CISA), Title I of the Cybersecurity Act, to direct the Department of Homeland Security (DHS)—in collaboration with other named agencies—to create a voluntary cybersecurity information sharing process that protects participants from certain types of liability and encourages public and private entities to share cyber threat information in real time while protecting the privacy and civil liberties of individuals.

Source: Privacy and Civil Liberties Final Guidelines: Cybersecurity Information Sharing Act of 2015

Foreign Intelligence Surveillance Act of 1978 and Amendments (FISA)
50 U.S.C. § 1801 et seq
See also, Public Law 95-511

Overview

FISA authorizes electronic surveillance and other activities to obtain foreign intelligence information.  FISA has been amended repeatedly since 1978, including the FISA Amendments Act (FAA) of 2008 containing Section 702 (reflected in Title VII below) and most recently by the USA FREEDOM Act of 2015 (reflected in the various titles below).  The titles of FISA are:

  • Title I – Electronic Surveillance within the United States for Foreign Intelligence Purposes
  • Title II – Conforming Amendments
  • Title III – Physical Searches within the United States for Foreign Intelligence Purposes
  • Title IV – Pen Registers and Trap and Trace Surveillance Devices for Foreign Intelligence Purposes
  • Title V – Access to Certain Business Records for Foreign Intelligence Purposes
  • Title VI – Reporting Requirement
  • Title VII – Additional Procedures Regarding Certain Persons Outside the United States
  • Title VIII – Protection of Persons Assisting the Government

Homeland Security Act of 2002
6 U.S.C. § 101 et seq
See also, Pub. Law 107-296 and the Office of the Director of National Intelligence Legal Reference Book

Overview

The Homeland Security Act of 2002 charges the Department of Homeland Security (DHS) Chief Privacy Officer with primary responsibility for ensuring that privacy considerations and protections are integrated into all DHS programs, policies, and procedures. The Chief Privacy Officer serves as the principal advisor to the DHS Secretary on privacy policy.

The activities of the Privacy Office serve to build privacy into departmental programs.

Sources:

Department of Homeland Security, Privacy Office, “Fiscal Year 2016 Semiannual Report to Congress: For the period October 1, 2015 – March 31, 2016,” July 6, 2016

DHS, Authorities and Responsibilities of the Chief Privacy Officer

Implementing Recommendations of the 9/11 Commission Act of 2007
6 U.S.C. 101 et seq
See also, Pub. Law 110-153 and the Office of the Director of National Intelligence Legal Reference Guide

Overview

This Act amended section 1016 of the Intelligence Reform and Terrorism Prevention Act (IRTPA) and amended the Homeland Security Act of 2002 to expand and further refine the scope of the Information Sharing Environment (ISE).

Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA)
Pub. L. 108-458
See also, Office of the Director of National Intelligence Legal Reference Book

Overview

IRTPA addresses many different facets of information gathering and the intelligence community.  IRTPA’s eight titles reflect its broad scope:

  • Title I – Reform of the Intelligence Community
  • Title II – Federal Bureau of Investigation
  • Title III – Security Clearances
  • Title IV – Transportation Security
  • Title V – Border Protection, Immigration, and Visa Matters
  • Title VI – Terrorism Prevention
  • Title VII – Implementation of 9/11 Commission Recommendations
  • Title VIII – Other Matters, including a requirement that the Department of Homeland Security ensure that the civil rights and civil liberties of persons are not diminished by efforts, activities, and programs aimed at securing the homeland.

National Security Act of 1947
50 U.S.C. § 3001 et seq

See also, National Security Act of 1947

Overview

In the aftermath of World War II, the National Security Act provided a major reorganization of the U.S. defense and intelligence agencies. As amended, the Act provides “a comprehensive program for the future security of the United States” through the integration of the policies and procedures of U.S. military, intelligence, and national security agencies, and the coordination of national security policy.

Source: National Security Act

Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015 (USA FREEDOM Act)
Pub.L. 114-23, 129 Stat. 268

Overview

The “Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015” or the “USA FREEDOM Act of 2015” was enacted “to reform the authorities of the Federal Government to require the production of certain business records [e.g., call detail records], conduct electronic surveillance, use pen registers and trap and trace devices, and use other forms of information gathering for foreign intelligence, counterterrorism, and criminal purposes, and for other purposes.”

Source: Pub.L. 114-23, 129 Stat. 268

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act)
Public Law 107-56

Overview

The USA PATRIOT Act was enacted in response to the attacks of September 11, 2001, and became law less than two months after those attacks.

The Act comprises ten categories, called “titles.”

  • TITLE I—Enhancing Domestic Security against Terrorism
  • TITLE II—Enhanced Surveillance Procedures
  • TITLE III—International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001
  • TITLE IV—Protecting the Border
  • TITLE V—Removing Obstacles to Investigating Terrorism
  • TITLE VI—Providing for Victims of Terrorism, Public Safety Officers, and their Families
  • TITLE VII—Increased Information Sharing for Critical Infrastructure Protection
  • TITLE VIII—Strengthening the Criminal Laws against Terrorism
  • TITLE IX—Improved Intelligence
  • TITLE X—Miscellaneous

Source: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001

Statistical Data Confidentiality

Education Sciences Reform Act of 2002 (ESRA)
20 U.S.C. §§ 9501-9584
20 U.S.C. § 9573 Confidentiality

Overview

The Education Sciences Reform Act of 2002 (ESRA) established the Institute of Education Sciences (IES). The mission of IES is to provide rigorous evidence on which to ground education practice and policy. This is accomplished through the work of its four centers: the National Center for Education Evaluation, the National Center for Education Research, the National Center for Education Statistics, and the National Center for Special Education Research.

Section 208 of the Education Sciences Reform Act of 2002 states, “All collection, maintenance, use, and wide dissemination of data by the Institute, including each office, board, committee, and center of the Institute, shall conform with the requirements of section 552a of title 5, United States Code, the confidentiality standards of subsection (c) of this section, and sections 444 and 445 of the General Education Provisions Act (20 U.S.C. §§ 1232g, 1232h).”

The Act further provides that “the Director shall ensure that all individually identifiable information about students, their academic achievements, their families, and information with respect to individual schools, shall remain confidential in accordance with section 552a of title 5, United States Code, the confidentiality standards of subsection (c) of this section, and sections 444 and 445 of the General Education Provisions Act (20 U.S.C. §§ 1232g, 1232h).”

The prohibitions of Section 9573 of Title 20 include:

  • No person may use any individually identifiable information furnished…for any purpose other than a research, statistics, or evaluation purpose.
  • No person may make any publication whereby the data furnished by any particular person…can be identified.
  • No person may permit anyone other than the individuals authorized by the Director to examine the individual reports.

Justice System Improvement Act of 1979
42 U.S.C. § 3701 et seq
42 U.S.C. § 3789(g) Confidentiality of information

Overview

As a Federal statistical agency that collects, analyzes, publishes, and disseminates a wide array of information on crime, criminal offenders, victims of crime, and the operation of justice systems at all levels of government, the Bureau of Justice Statistics (BJS) has taken aggressive measures to protect the privacy and confidentiality of the individuals from whom it obtains information. BJS has procedures in place to ensure that information collected by BJS that is identifiable to a private person may only be used and/or revealed for the statistical or research-related purpose for which it is obtained. BJS has procedures in place to ensure that copies of such information shall not, without the consent of the person to whom the information pertains, be revealed to others who are not involved in the collection and analysis of the information.

Source: Bureau of Justice Statistics Data Quality Guidelines

Public Health Service Act (Confidentiality of Health Statistics)
42 U.S.C. Ch. 6A
See also, 42 U.S.C. § 242m(d)

See also, Section 308(d) of the Public Health Service Act

Overview

The Public Health Service Act, 42 U.S.C. Ch. 6A, contains a provision on the confidentiality of health statistics that prohibits the National Center for Health Statistics (NCHS) from using any personal information for any purpose other than the one described to survey participants and from sharing that information with anyone not clearly identified to them. This provision enables NCHS to assure respondents of strict confidentiality.

Source: How NCHS Protects Your Privacy

Title 13 – Census
13 U.S.C. et seq
13 U.S.C. § 9 Information as Confidential

Overview

The Census Bureau is bound by Title 13 of the United States Code. These laws not only provide authority for the work it does, but also provide strong protection for the information it collects from individuals and businesses.

People sworn to uphold Title 13 are legally required to maintain the confidentiality of respondent data. Every person with access to respondent data is sworn for life to protect your information and understands that the penalties for violating this law are applicable for a lifetime.

Sources:

Title 13 – Protection of Confidential Information

Oath of Non-Disclosure

Title V – Confidential Information Protection and Statistical Efficiency Act of 2002 of the E-Government Act of 2002 (CIPSEA)
44 U.S.C. § 3501 note

See also, Title V – Confidential Information Protection and Statistical Efficiency Act (CIPSEA) (Public Law No. 107-347)

Overview

The Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA) can provide strong confidentiality protections for statistical information collections, such as surveys and censuses, as well as for other statistical activities, such as data analysis, modeling, and sample design, that are sponsored or conducted by Federal agencies.

Travel and Privacy

Act to Regulate the Issue and Validity of Passports, And For Other Purposes, 1926 (as amended)
22 U.S.C. § 211a, Passports

Overview

This law provides that the U.S. Department of State is in charge of granting and issuing U.S. passports.

Aviation and Transportation Security Act of 2001
49 U.S.C. § 114 Transportation Security Administration
49 U.S.C. § 44909 Passenger Manifests
See also: Pub. Law 107-71

Overview

President Bush signed the Aviation and Transportation Security Act into law in November 2001, requiring screening conducted by federal officials, 100 percent checked baggage screening, expansion of the Federal Air Marshal Service and reinforced cockpit doors. The Transportation Security Administration (TSA) was created to oversee security in all modes of transportation.

Source: Transportation Security Timeline

Immigration and Nationality Act of 1952 (INA)
8 U.S.C. §§ 1101 et seq
See also: Immigration and Nationality Act (U.S. Citizenship and Immigration Services)

Overview

The Immigration and Nationality Act, or INA, was created in 1952. The Act has been amended many times over the years, but is still the basic body of immigration law.  The INA is divided into titles, chapters, and sections. Although it stands alone as a body of law, the Act is also contained in the United States Code (U.S.C.).  When browsing the INA or other statutes you will often see reference to the U.S. Code citation. For example, Section 208 of the INA deals with asylum, and is also contained in 8 U.S.C. 1158. Although it is correct to refer to a specific section by either its INA citation or its U.S. Code citation, the INA citation is more commonly used.

Source: Immigration and Nationality Act