Skip to main content


Law Library
A    B    C    D    E    F    G    H    I    J    K    L    M    N    O    P    Q    R    S    T    U    V    W    X    Y    Z   

A


Americans with Disabilities Act of 1990 (ADA) & Rehabilitation Act of 1973
(Rehab Act)

Americans with Disabilities Act (ADA)
Americans with Disabilities Act (ADA)
42 U.S.C. §§ 12101 et seq
42 U.S.C. § 12112(d) Discrimination

 

Rehabilitation Act (Rehab Act)

29 U.S.C. §§ 701 et seq (Chapter 16 Vocational Rehabilitation and Other Rehabilitation Services)

 

Overview

The ADA prohibits discrimination and guarantees that people with disabilities have the same opportunities as everyone else to participate in the mainstream of American life — to enjoy employment opportunities, to purchase goods and services, and to participate in State and local government programs and services. Modeled after the Civil Rights Act of 1964, which prohibits discrimination on the basis of race, color, religion, sex, or national origin – and Section 504 of the Rehabilitation Act of 1973 — the ADA is an “equal opportunity” law for people with disabilities.

The ADA, at 42 U.S.C. § 12112(d), generally prohibits medical examinations and inquiries of job applicants unless the inquiry is about the ability of the applicant to perform job related functions. The ADA does authorize medical examinations and inquiries by employers with regard to an employee’s request for reasonable accommodation for a disability. In both instances, there are confidentiality requirements that attach to the records and information gathered.

The Rehabilitation Act of 1973 (also known as the “Rehab Act”) prohibits discrimination on the basis of disability in programs run by federal agencies; programs that receive federal financial assistance; in federal employment; and in the employment practices of federal contractors. The standards for deciding if employment discrimination exists under the Rehab Act are the same as those used in Title I of the ADA.

The Rehab Act, at 29 C.F.R. § 791(f) and §793(d), provides that these sections of the ADA apply equally to those entities subject to the Rehab Act.

The Americans with Disabilities Act Amendments Act of 2008 (Public Law 110-325) (ADAAA) further amended the definition of “individual with a disability” and amended sections 12101, 12102, 12111 to 12114, 12201 and 12210 of the ADA and section 705 of the Rehab Act. The ADAAA also enacted sections 12103 and 12205a and re-designated sections 12206 to 12213.

Sources:

Introduction to the ADA

Rehabilitation Act of 1973 (disability.gov)

Titles I and V of the Americans with Disabilities Act of 1990 (ADA)

The Rehabilitation Act of 1973 (EEOC)

 

Aviation and Transportation Security Act of 2001

49 U.S.C. § 114 Transportation Security Administration
49 U.S.C. § 44909 Passenger Manifests
See also: Pub. Law 107-71

 

Overview

President Bush signed the Aviation and Transportation Security Act into law in November 2001, requiring screening conducted by federal officials, 100 percent checked baggage screening, expansion of the Federal Air Marshal Service and reinforced cockpit doors. The Transportation Security Administration (TSA) was created to oversee security in all modes of transportation.

Source: Transportation Security Timeline


Back to top

B


Bank Secrecy Act (BSA)

31 U.S.C. § 310

 

Overview

The Currency and Foreign Transactions Reporting Act of 1970 (which legislative framework is commonly referred to as the “Bank Secrecy Act” or “BSA”) requires U.S. financial institutions to assist U.S. government agencies to detect and prevent money laundering. Specifically, the Act requires financial institutions to keep records of cash purchases of negotiable instruments, file reports of cash transactions exceeding $10,000 (daily aggregate amount), and to report suspicious activity that might signify money laundering, tax evasion, or other criminal activities. It was passed by the Congress of the United States in 1970. The BSA is sometimes referred to as an anti-money laundering” law (“AML”) or jointly as “BSA/AML.” Several AML Acts, including provisions in Title III of the USA PATRIOT Act of 2001, have been enacted up to the present to amend the BSA. (See 31 USC 5311-5330 and 31 CFR Chapter X [formerly 31 CFR Part 103] )

Sec. 31 U.S.C. § 310 (c)(2) requires the US Department of the Treasury, Financial Crimes Enforcement Network (FinCEN) to provide appropriate standards and guidelines for determining who is to be given access to the information maintained by FinCEN; what limits are to be imposed on the use of such information; and how information about activities or relationships which involve or are closely associated with the exercise of constitutional rights is to be screened out of the data maintenance system.

When investigating potential money laundering or Bank Secrecy Act (BSA) violations, the key test (related statute test) is whether, under the facts and circumstances of the particular case, the money laundering and BSA provisions are considered related to the administration of the Internal Revenue laws.

Source: FinCEN’s Mandate from Congress


Back to top

C


Children’s Online Privacy Protection Act (COPPA)

15 U.S.C. §§ 6501-6505

 

Overview

COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.

Source: Federal Trade Commission “Children’s Online Privacy Protection Rule (“COPPA”)

Clinical Laboratory Improvement Amendments of 1988 (CLIA)(BSA)

42 U.S.C. § 263a

 

Overview

The Clinical Laboratory Improvement Amendments of 1988 (CLIA) is an amendment to the Public Health Services Act in which Congress revised the federal program for certification and oversight of clinical laboratory testing. Two subsequent amendments were made after 1988. The law continues to be cited as CLIA ’88 as named in legislation. In general terms, the CLIA regulations establish quality standards for laboratory testing performed on specimens from humans, such as blood, body fluid and tissue, for the purpose of diagnosis, prevention, or treatment of disease, or assessment of health. The Centers for Medicare & Medicaid Services (CMS) regulates all laboratory testing (except research) performed on humans in the U.S. through CLIA. In total, CLIA covers approximately 254,000 laboratory entities. The Division of Laboratory Services, within the Survey and Certification Group, under the Center for Clinical Standards and Quality (CCSQ) has the responsibility for implementing the CLIA Program.

Sources:
CLIA: Laws and Regulations (CDC)
Clinical Laboratory Improvements Act (CMS)


Communications Assistance for Law Enforcement Act (CALEA)

47 U.S.C. §§ 1001-1010

 

Overview

In response to concerns that emerging technologies such as digital and wireless communications were making it increasingly difficult for law enforcement agencies to execute authorized surveillance, Congress enacted CALEA on October 25, 1994. CALEA requires a “telecommunications carrier,” as defined by the CALEA statute, to ensure that equipment, facilities, or services that allow a customer or subscriber to “originate, terminate, or direct communications,” enable law enforcement officials to conduct electronic surveillance pursuant to court order or other lawful authorization. CALEA is intended to preserve the ability of law enforcement agencies to conduct electronic surveillance by requiring that telecommunications carriers and manufacturers of telecommunications equipment design and modify their equipment, facilities, and services to ensure that they have the necessary surveillance capabilities as communications network technologies evolve. CALEA is limited to Telecommunications Carriers as defined by the Act and interpreted by the FCC. In addition, CALEA specifically exempts “Information Services”, which includes many Internet based communications service providers, electronic storage providers and electronic messaging services.



Source: Communications Assistance for Law Enforcement Act


Consolidated Appropriations Act of 2005

Public Law No. 108-447 (see division H, title V, section 522)
Public Law No. 108-447

 

Overview

The Consolidated Appropriations Act of 2005 (the “Act”) requires that each agency, subject to the Act:

  • shall have a Chief Privacy Officer to assume primary responsibility for privacy and data protection policy. (Sec. 522(a))
  • shall establish and implement comprehensive privacy and data protection procedures governing the agency’s collection, use, sharing, disclosure, transfer, storage and security of information in an identifiable form relating to the agency employees and the public. (Sec. 522(b))
  • shall prepare a written report of its use of information in an identifiable form, along with its privacy and data protection policies and procedures and record it with the Inspector General of the agency to serve as a benchmark for the agency. (Sec. 552(c))
  • [a]t least every 2 years . . . shall have performed an independent, third party review of the use of information in identifiable form as the privacy and data protection procedures of the agency. (Sec. 522(d))
  • [u]pon completion of a review, the Inspector General of an agency shall submit to the head of that agency a detailed report on the review. (Sec. 522(e))


Confidentiality of Medical Quality Assurance Records

38 U.S.C. §§ 5701 – 5728

 

Overview

Records and documents created by the Department of Veterans Affairs (VA) as part of a medical quality-assurance program are confidential and privileged and may not be disclosed to any person or entity except as provided in 38 U.S.C. § 5705.


Cybersecurity Information Sharing Act of 2015 (CISA)

6 U.S.C. §§ 149, 151, 1501-1510, 1521-1525, 1531-1533

 

Overview

On December 18, 2015, the President signed the Cybersecurity Act of 2015 (CISA) into law. Congress enacted CISA, Title I of the Cybersecurity Act, to direct the Department of Homeland Security (DHS)—in collaboration with other named agencies—to create a voluntary cybersecurity information sharing process that will protect participants from certain types of liability and encourage public and private entities to share cyber threat information in real-time while protecting the privacy and civil liberties of individuals.

Source: Privacy and Civil Liberties Final Guidelines: Cybersecurity Information Sharing Act of 2015"


Federal Policy for the Protection of Human Subjects (Common Rule)

42 U.S.C. § 289

 

Overview

On July 12, 1974, the National Research Act (Pub. L. 93-348) was signed into law, thereby creating the National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research (the “Commission”). The current U.S. system of protection for human research subjects is heavily influenced by the Belmont Report, written in 1979 by the Commission.

In 1985, Congress enacted 42 U.S.C. § 289, providing that “The Secretary of the U.S. Department of Health and Human Services (HHS) shall by regulation require that each entity which applies for a grant, contract, or cooperative agreement under this chapter for any project or program which involves the conduct of biomedical or behavioral research involving human subjects submit in or with its application for such grant, contract, or cooperative agreement assurances satisfactory to the Secretary that it has established (in accordance with regulations which the Secretary shall prescribe) a board (to be known as an ‘Institutional Review Board’) to review biomedical and behavioral research involving human subjects conducted at or supported by such entity in order to protect the rights of the human subjects of such research.”

The Federal Policy for the Protection of Human Subjects or the “Common Rule” was published in 1991 and codified in separate regulations by 15 Federal departments and agencies. The HHS regulations, 45 CFR part 46, include four subparts: subpart A, also known as the Federal Policy or the “Common Rule”; subpart B, additional protections for pregnant women, human fetuses, and neonates; subpart C, additional protections for prisoners; and subpart D, additional protections for children. A fifth subpart, subpart E, which concerns registration of Institutional Review Boards (IRBs) was added in 2009. For all participating departments and agencies, the Common Rule outlines the basic provisions for IRBs, informed consent, and Assurances of Compliance. Human subject research conducted or supported by each Federal department/agency is governed by the regulations of that department/agency. The head of that department/agency retains final judgment as to whether a particular activity it conducts or supports is covered by the Common Rule. If an institution seeks guidance on implementation of the Common Rule and other applicable Federal regulations, the institution should contact the department/agency conducting or supporting the research.

The HHS and fifteen other Federal departments and agencies have issued final revisions to the Federal Policy for the Protection of Human Subjects (the Common Rule). The Final Rule was published in the Federal Register on January 19, 2017. It implements new steps to better protect human subjects involved in research, while facilitating valuable research and reducing burden, delay, and ambiguity for investigators.

Sources:
The Belmont Report
Federal Policy for the Protection of Human Subjects (‘Common Rule’)
HHS Historical Highlights
Final Revisions to the Common Rule


The Communications Act of 1934


47 U.S.C. §§ et seq 47 U.S.C. § 222, Privacy of Customer Information
47 U.S.C. § 338(i), Privacy Rights of Satellite Subscribers
47 U.S.C. § 551, Protection of Subscriber Privacy
47 U.S.C. § 605, Unauthorized Publication or Use of Communications
See also, The Communications Act of 1934

 

Overview

The Communications Act of 1934 (the “Act”) combined and organized federal regulation of telephone, telegraph, and radio communications. The Act created the Federal Communications Commission (FCC) to oversee and regulate these industries. The Act is updated periodically to add provisions governing new communications technologies, such as broadcast, cable and satellite television. The Act, as amended, is an expansive statue regulating U.S. telephone, telegraph, television, and radio communications. Its seven subchapters regulate virtually all aspects of the communications and broadcasting industry, including assignment of frequencies, rates and fees, standards, competition, terms of subscriber access, commercials, broadcasting in the public interest, government use of communications systems. The Act also provides for more detailed regulation and oversight via the establishment of the FCC.

Source: The Communications Act of 1934


Title 13 – Census

 

Overview

The Census Bureau is bound by Title 13 of the United States Code. These laws not only provide authority for the work it does, but also provide strong protection for the information it collects from individuals and businesses. People sworn to uphold Title 13 are legally required to maintain the confidentiality of respondent data. Every person with access to respondent data is sworn for life to protect your information and understands that the penalties for violating this law are applicable for a lifetime.

Sources:
Title 13 – Protection of Confidential Information
Oath of Non-Disclosure



Back to top

D



Drug Abuse Prevention, Treatment, and Rehabilitation Act (Confidentiality of Alcohol and Drug Abuse Patient Records) (Part 2)

42 U.S.C § 290dd–2

 

Overview

Confidentiality of substance use disorder (alcohol and drug abuse) patient records is required under 42 U.S.C § 290dd–2 and 42 C.F.R Part 2. The statute and regulation require that records related to patient treatment of substance use disorders remain confidential subject to certain specific exceptions or patient consent to disclose such information. The statute extends to cover “any program or activity relating to substance abuse education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.”T

Source: Listening Session Comments on Substance Abuse Treatment Confidentiality Regulations



Back to top

E



E-Government Act of 2002 – Section 208 (E-Government Act)

44 U.S.C. § 3501 note

See also, Public Law 107-347

 

Overview

The availability of information, from personal information to public information, is made all the easier today due to technological changes in computers, digitized networks, internet access, and the creation of new information products. The E-Government Act of 2002 recognized that these advances also have important ramifications for the protection of personal information contained in government records and systems.

Privacy Impact Assessments (“PIAs”) are required by Section 208 of the E-Government Act for all Federal government agencies that develop or procure new information technology involving the collection, maintenance, or dissemination of information in identifiable form or that make substantial changes to existing information technology that manages information in identifiable form. A PIA is an analysis of how information in identifiable form is collected, stored, protected, shared, and managed. The purpose of a PIA is to demonstrate that system owners and developers have incorporated privacy protections throughout the entire life cycle of a system. The Act requires an agency to make PIAs publicly available, except when an agency in its discretion determines publication of the PIA would raise security concerns, reveal classified (i.e., national security) information, or sensitive (e.g., potentially damaging to a nation interest, law enforcement effort or competitive business interest contained in the assessment) information.

Source: E-government Act of 2002, Department of Justice


Education Sciences Reform Act of 2002 (ESRA)

20 U.S.C. §§ 9501-9584

20 U.S.C. § 9573 Confidentiality

 

Overview

Institute of Education Sciences (IES). The mission of IES is to provide rigorous evidence on which to ground education practice and policy. This is accomplished through the work of its four centers: the National Center for Education Evaluation, the National Center for Education Research, the National Center for Education Statistics, and the National Center for Special Education Research.

Section 208 of the Education Sciences Reform Act of 2002 states, “All collection, maintenance, use, and wide dissemination of data by the Institute, including each office, board, committee, and center of the Institute, shall conform with the requirements of section 552a of title 5, United States Code, the confidentiality standards of subsection (c) of this section, and sections 444 and 445 of the General Education Provisions Act (20 U.S.C. §§ 1232g, 1232h).”

Further that “the Director shall ensure that all individually identifiable information about students, their academic achievements, their families, and information with respect to individual schools, shall remain confidential in accordance with section 552a of title 5, United States Code, the confidentiality standards of subsection (c) of this section, and sections 444 and 445 of the General Education Provisions Act (20 U.S.C. §§ 1232g, 1232h).”

The prohibitions of Section 9573 of Title 20 include:

  • No person may use any individually identifiable information furnished…for any purpose other than a research, statistics, or evaluation purpose.
  • No person may make any publication whereby the data furnished by any particular person…can be identified.
  • No person may permit anyone other than the individuals authorized by the Director to examine the individual reports.


Electronic Communications Privacy Act of 1986 (ECPA)

18 U.S.C. §§ 1367, 2521, 2701 – 2712,3117, 3121 – 3127

18 U.S.C. § 2510 – 2522 Wire and Electronic Communications Interception and Interception of Oral Communications (Wiretap Act)
18 U.S.C. §§ 2701-12. Stored Wire and Electronic Communications and Transactional Records Access (Stored Communications Act)
18 U.S.C. §§ 3121 – 3227 Pen Registers and Trap and Trace Devices
See also: Public Law 99-508

 

Overview

The Electronic Communications Privacy Act (ECPA) of 1986 created additional privacy protections for stored electronic communications and updated the Federal Wiretap Act to cover electronic communications as well as oral and wire communications. Title II of the ECPA established a comprehensive system of protections for stored communications codified at 18 U.S.C. §§ 2701-2712 which has come to be referred to as the Stored Communications Act (SCA). The ECPA, as amended, protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers. The Act applies to email, telephone conversations, and data stored electronically

Source: Justice Information Sharing, Electronic Communications Privacy Act of 1986



Back to top

F



Fair Credit Reporting Act (FCRA)

15 U.S.C. § 1681

 

Overview

Overview The Fair Credit Reporting Act (FCRA) promotes the accuracy, fairness, and privacy of consumer information contained in the files of consumer reporting agencies. If your company meets the definition of a “consumer reporting agency” (CRA), if you furnish information to CRAs, or if you use that information for certain purposes, you may have obligations under the FCRA.

Source: Federal Trade Commission, Credit Reporting


Family Educational Rights and Privacy Act (FERPA)

20 U.S.C. § 1232g

 

Overview

FERPA protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level.

FERPA permits educational agencies and institutions, such as Local Education Agencies (LEA) and their constituent schools, to disclose PII from education records to State Education Agencies (SEA) and other State educational authorities without a parent’s prior consent under certain conditions. For a review of the exceptions to the general prior consent rule in FERPA, see 34 CFR § 99.31. The most common exception that relates to disclosure to a State educational authority is found in §§ 99.31(a)(3) and 99.35. The disclosure must be in connection with:

  • An audit or evaluation of Federal or State supported education programs; or
  • The enforcement of or compliance with Federal legal requirements relating to such programs.
Information collected under this provision generally must be:
  • Protected so that information is not disclosed to anyone other than the authorized representatives of the State educational authority (§ 99.35(b)(1)); and,
  • Destroyed when no longer needed for the purposes listed above (§ 99.35(b)(2))

(Note: Federal entities, entities or individuals acting as the designated authorized representatives of the Attorney General, the Comptroller General, or the Secretary of Education, as well as other third parties receiving PII from education records without consent, generally must also protect the PII from unauthorized disclosure and comply with FERPA’s recordation provisions for any authorized re-disclosure, and may only use it in accordance with FERPA and for the specific purposes for which it was disclosed.)

Sources:
Law and Guidance: Family Educational Rights and Privacy Act (FERPA)
Family Educational Rights and Privacy Act (FERPA)


Federal Agency Data Mining Reporting Act of 2007 (FADMRA)

42 U.S.C. § 2000ee-3

 

Overview

The Federal Agency Data Mining Reporting Act of 2007 (FADMRA) is contained in section 803 of the Implementing the Recommendations of the 9/11 Commission Act of 2007. The FADMRA provides that the head of each department or agency of the Federal Government that is engaged in any “pattern-based” data mining activity shall submit a report to Congress on all such activities of the department or agency under the jurisdiction of that official. The report shall be produced in coordination with the privacy officer of that department or agency, if applicable, and shall be made available to the public, except for an annex as described in subparagraph (c).


Federal Information Security Modernization Act of 2014 (FISMA)

44 U.S.C. Chapter 35 (44 U.S.C. §§ 3551-3558)

 

Overview

The Federal Information Security Modernization Act requires each agency to develop, document, and implement an agency-wide information security program that includes plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.

Source: OMB Circular No. A-130, Managing Information as a Strategic Resource (July 2016)


Federal Records Act of 1950 (FRA)

44 U.S.C. Chapter 31 et seq

 

Overview

The FRA provides that “the head of each Federal agency shall make and preserve records containing adequate and proper documentation of the organization, functions, policies, decisions, procedures, and essential transactions of the agency and designed to furnish the information necessary to protect the legal and financial rights of the Government and of persons directly affected by the agency’s activities.” [44 U.S.C. § 3101]

The implementation of the FRA is overseen by the Archivist of the United States, who heads the National Archives and Records Administration (NARA). The Archivist provides “guidance and assistance to Federal agencies with respect to ensuring adequate and proper documentation of the policies and transactions of the Federal Government and ensuring proper records disposition.” [44 U.S.C. § 2904]


Food and Drug Administration Safety and Innovation Act (FDASIA)

21 U.S.C. §§ 301 et seq

See also:Food and Drug Administration Safety and Innovation Act (Public Law No. 112-144)

 

Overview

FDASIA, which amended the Federal Food, Drug, and Cosmetic Act and was signed into law on July 9, 2012, expands the authorities of the U.S. Food and Drug Administration (FDA) and strengthens the agency’s ability to safeguard and advance public health by:

  • Giving the authority to collect user fees from industry to fund reviews of innovator drugs, medical devices, generic drugs, and biosimilar biological products;
  • Promoting innovation to speed patient access to safe and effective products;
  • Increasing stakeholder involvement in FDA processes; and
  • Enhancing the safety of the drug supply chain.
Section 618 of FDASIA directed the Secretary of Health and Human Services, acting through the Commissioner of the FDA, and in consultation with the Office of the National Coordinator for Health Information Technology and the Chairman of the Federal Communications Commission, to develop a report that contains a proposed strategy and recommendations on an appropriate, risk-based regulatory framework for health IT, including medical mobile applications, that promotes innovation, protects patient safety, and avoids regulatory duplication.

Sources:
Regulatory Information: Food and Drug Administration Safety and Innovation Act (FDASIA)
Health IT Legislation: FDASIA


Foreign Intelligence Surveillance Act of 1978 and Amendments (FISA)

50 U.S.C. 1801 et seq

See also: Public Law 95-511

 

Overview

FISA authorizes electronic surveillance and other activities to obtain foreign intelligence information. FISA has been amended repeatedly since 1978, including the FISA Amendments Act (FAA) of 2008 containing Section 702 (reflected in Title VII below) and most recently by the USA FREEDOM Act of 2015 (reflected in the various titles below). The titles of FISA are:

  • Title I – Electronic Surveillance within the United States for Foreign Intelligence Purposes
  • Title II – Conforming Amendments
  • Title III – Physical Searches within the United States for Foreign Intelligence Purposes
  • Title IV – Pen Registers and Trap and Trace Surveillance Devices for Foreign Intelligence Purposes
  • Title V – Access to Certain Business Records for Foreign Intelligence Purposes
  • Title VI – Reporting Requirement
  • Title VII – Additional Procedures Regarding Certain Persons Outside the United States
  • Title VIII – Protection of Person Assisting the Government


Source:



Freedom of Information Act (FOIA)

5 U.S.C. § 552

See also:Full Text of the FOIA Improvement Act of 2016 (Public Law No. 114-185)
See also:U.S. Department of Justice Freedom of Information Act

 

Overview

Since 1967, the Freedom of Information Act (FOIA) has provided the public the right to request access to records from any federal agency. It is often described as the law that keeps citizens in the know about their government. Federal agencies are required to disclose any information requested under the FOIA unless it falls under one of nine exemptions which protect interests such as personal privacy, national security, and law enforcement.


Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015 (USA FREEDOM Act)

Pub.L. 114-23, 129 Stat. 268


 

Overview

The ‘‘Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015’’ or the ‘‘USA FREEDOM Act of 2015’’ was enacted “to reform the authorities of the Federal Government to require the production of certain business records [e.g., call detail records], conduct electronic surveillance, use pen registers and trap and trace devices, and use other forms of information gathering for foreign intelligence, counterterrorism, and criminal purposes, and for other purposes.”

Source: Pub.L. 114-23, 129 Stat. 268



Back to top

H


Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)

42 U.S.C. §§ 300jj et seq 42 U.S.C. §§ 17901 et seq

See also:American Recovery and Reinvestment Act of 2009 (Public Law 111-5, §§ 13001-13424, §§ 4001 – 4201)

 

Overview

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 provides the U.S. Department of Health and Human Services (HHS) with the authority to establish programs to improve health care quality, safety, and efficiency through the promotion of health IT, including electronic health records and private and secure electronic health information exchange. The HITECH Act amends Sections 3004 and 3005 of the Public Health Service Act to describe the processes for evaluation, adoption, and implementation of endorsed standards, implementation specifications, and certification criteria for health IT. Sections 13400-13411 of HITECH describe HHS’s work to improve privacy and security provisions for electronic exchange and use of health information, and sections 4001-4201 of HITECH establish the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs to provide incentive payments for eligible professionals, hospitals, and critical access hospitals as they adopt, implement, upgrade, or demonstrate meaningful use of certified EHR technology.

Sources:
Health IT Legislation and Regulations
Select Portions of the HITECH Act and Relationship to ONC Work


Health Insurance Portability and Accountability Act of 1996 (HIPAA) Breach Notification Rule

42 U.S.C. § 17932

See also:Health Information Technology for Economic and Clinical Health (HITECH) Act (Public Law 111-5, Div. A, title XIII, § 13402)
See also:45 C.F.R. §§ 164.400-414 (Subpart D)

 

Overview

Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act (the “Act”) requires HIPAA covered entities to provide notification to affected individuals and to the Secretary of the U.S. Department of Health and Human Services (HHS) following the discovery of a breach of unsecured protected health information. In some cases, the Act requires covered entities also to provide notification to the media of breaches. In the case of a breach of unsecured protected health information at or by a business associate of a covered entity, the Act requires the business associate to notify the covered entity of the breach. Finally, the Act requires the Secretary to post on an HHS Web site a list of covered entities that experience breaches of unsecured protected health information involving more than 500 individuals.

The HIPAA Breach Notification Rule, 45 C.F.R. §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of HITECH and the Genetic Information Nondiscrimination Act (GINA).

Source: Health Information Privacy: Breach Notification Rule


Health Insurance Portability and Accountability Act of 1996 Privacy Rule

Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191)

45 C.F.R. Part 160
45 C.F.R. Part 164 Subparts A and E

 

Overview

The HIPAA Privacy Rule, adopted by the U.S. Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

Sources:
Health Information Privacy: The HIPAA Privacy Rule
The Health Insurance Portability and Accountability Act of 1996


Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule

Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191)

See also:45 C.F.R. Part 160
See also:45 C.F.R. §§ 164.102-106 and §§ 164.302-318

 

Overview

The HIPAA Security Rule, adopted by the U.S. Department of Health and Human Services (HHS) pursuant to the Health Insurance Portability and Accountability Act of 1996 establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

Sources:
Health Information Privacy, The Security Rule
Health Information Portability and Accountability Act of 1996


Homeland Security Act of 2002

6 USC § 101 et seq

See also: Pub. Law 107-296 and the Office of the Director of National Intelligence Legal Reference Book

 

Overview

The Homeland Security Act of 2002 charges the Department of Homeland Security (DHS) Chief Privacy Officer with primary responsibility for ensuring that privacy considerations and protections are integrated into all DHS programs, policies, and procedures. The Chief Privacy Officer serves as the principal advisor to the DHS Secretary on privacy policy.

The activities of the Privacy Office serve to build privacy into departmental programs.

Sources:
Department of Homeland Security, Privacy Office, “Fiscal Year 2016 Semiannual Report to Congress: For the period October 1, 2015 – March 31, 2016,” July 6, 2016
DHS, Authorities and Responsibilities of the Chief Privacy Officer


Back to top

I


Immigration and Nationality Act of 1952 (INA)

8 U.S.C. §§ 1101 et seq

See AlsoImmigration and Nationality Act (U.S. Citizenship and Immigration Services)

 

Overview

The Immigration and Nationality Act, or INA, was created in 1952. The Act has been amended many times over the years, but is still the basic body of immigration law. The INA is divided into titles, chapters, and sections. Although it stands alone as a body of law, the Act is also contained in the United States Code (U.S.C.). When browsing the INA or other statutes you will often see reference to the U.S. Code citation. For example, Section 208 of the INA deals with asylum, and is also contained in 8 U.S.C. 1158. Although it is correct to refer to a specific section by either its INA citation or its U.S. Code citation, the INA citation is more commonly used.

Source: Immigration and Nationality Act


Implementing Recommendations of the 9/11 Commission Act of 2007

6 U.S.C. 101 et seq

See also: Pub. Law 110-153 and the Office of the Director of National Intelligence Legal Reference Guide

 

Overview

This Act amended section 1016 of Intelligence Reform and Terrorism Prevention Act (IRTPA) and amended the Homeland Security Act of 2002 to expand and further refine the scope of the Information Sharing Environment (ISE).


Individuals with Disabilities Education Act (IDEA)

20 U.S.C. §§ 1400 et seq

20 U.S.C. § 1417(c), Confidentiality

 

Overview

IDEA is a law ensuring services to children with disabilities throughout the nation. IDEA governs how states and public agencies provide early intervention, special education and related services to more than 6.5 million eligible infants, toddlers, children and youth with disabilities. Infants and toddlers with disabilities (from birth through age 2) and their families receive early intervention services under IDEA Part C. Children and youth (from age 3 through age 21) receive special education and related services under IDEA Part B. Parts B & C require that the Secretary of the U.S. Department of Education shall take appropriate action, in accordance with section 444 of the General Education Provisions Act (GEPA), to ensure the confidentiality of any personally identifiable data, information, and records collected or maintained by the Secretary and by State educational agencies (SEA) and local educational agencies (LEA).

Source:
Building the Legacy: IDEA 2004
IDEA and FERPA Confidentiality Provisions


Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA)

Pub. L. 108-458

Office of the Director of National Intelligence Legal Reference Book

 

Overview

IRTPA addresses many different facets of information gathering and the intelligence community. IRPTA’s eight titles reflect its broad scope:

  • Title I – Reform of the Intelligence Community
  • Title II – Federal Bureau of Investigation
  • Title III – Security Clearances
  • Title IV – Transportation Security
  • Title V – Border Protection, Immigration, and Visa Matters
  • Title VI – Terrorism Prevention
  • Title VII – Implementation of 9/11 Commission Recommendations
  • Title VIII – Other Matters, including a requirement that the Department of Homeland Security ensure that the civil rights and civil liberties of persons are not diminished by efforts, activities, and programs aimed at securing the homeland.


Internal Revenue Code (Tax Code)

26 U.S.C. §§ et al

26 U.S.C. § 6103 Confidentiality and disclosure of returns and return information
26 U.S.C. § 6713 Disclosure or use of information by preparers of returns
26 U.S.C. § 7213 Unauthorized disclosure of information
26 U.S.C. § 7213a Unauthorized inspection of returns or return information
See also:Internal Revenue Service Laws and Regulations

 

Overview

Taxpayers have the right to expect that any Internal Revenue System (IRS) inquiry, examination, or enforcement action will comply with the law and be no more intrusive than necessary, and will respect all due process rights, including search and seizure protections and will provide, where applicable, a collection due process hearing.

Taxpayers have the right to expect that any information they provide to the IRS will not be disclosed unless authorized by the taxpayer or by law. Taxpayers have the right to expect appropriate action will be taken against government officers and employees, tax return preparers, and others who wrongfully use or disclose taxpayer return information.

Source: Your Rights as a Taxpayer



Back to top

J


Justice System Improvement Act of 1979

42 U.S.C. § 3701 et seq

42 U.S.C. § 3789(g) Confidentiality of information

 

Overview

As a Federal statistical agency that collects, analyzes, publishes, and disseminates a wide array of information on crime, criminal offenders, victims of crime, and the operation of justice systems at all levels of government, the Bureau of Justice Statistics (BJS) has taken aggressive measures to protect the privacy and confidentiality of individuals from whom they obtain information. BJS has procedures in place to ensure that information collected by BJS that is identifiable to a private person may only be used and/or revealed for the statistical or research-related purpose for which it is obtained. BJS has procedures in place to ensure that copies of such information shall not, without the consent of the person to whom the information pertains, be revealed to others who are not involved in the collection and analysis of the information.

Source: Bureau of Justice Statistics Data Quality Guidelines



Back to top

K


No Content

Back to top

L


No Content

Back to top

M


No Content

Back to top

N


National Security Act of 1947

50 U.S.C. § 3001 et seq

National Security Act of 1947

 

Overview

In the aftermath of World War II, the National Security Act provided a major reorganization of the U.S. defense and intelligence agencies. As amended, the Act provides “a comprehensive program for the future security of the United States” through the integration of the policies and procedures of U.S. military, intelligence, and national security agencies, and the coordination of national security policy.

Source: National Security Act



Back to top

O


No Content

Back to top

P


Act to Regulate the Issue and Validity of Passports, And For Other Purposes, 1926 (as amended)

22 U.S.C. § 211a, Passports

 

Overview

This law provides that the U.S. Department of State is in charge of granting and issuing U.S. passports.


Paperwork Reduction Act of 1995 (PRA)

44 U.S.C. Chapter 35 et seq


 

Overview

The Paperwork Reduction Act (PRA), signed into law in 1980 and reauthorized in 1995, provides the statutory framework for the Federal government’s collection, use, and dissemination of information. The goals of the PRA include (1) minimizing paperwork and reporting burdens on the American public and (2) ensuring the maximum possible utility from the information that is collected.

In support of these goals, the PRA requires Federal agencies to take specific steps before requiring or requesting information from the public. These steps include (1) seeking public comment on proposed information collections and (2) submitting proposed collections for review and approval by the Office of Management and Budget (OMB). Within OMB, the Office of Information and Regulatory Affairs (OIRA) carries out the information collection review.

One of the purposes of the Paperwork Reduction Act is to “ensure that the creation, collection, maintenance, use, dissemination, and disposition of information by or for the Federal Government is consistent with applicable laws, including laws relating to (A) privacy and confidentiality, including section 552a of title 5; (B) security of information, including section 11332 of title 40; and (C) access to information, including section 552 of title 5.” 44 U.S.C. § 3501(8).

Source: Office of Information and Regulatory Affairs – Regulations and the Rule Making Process


Patient Safety and Quality Improvement Act of 2005 (PSQIA)

42 U.S.C. § 299b-21 – b-26

Patient Safety and Quality Improvement Act of 2005 (Public Law 109-41).

 

Overview

The Patient Safety and Quality Improvement Act of 2005 (PSQIA) establishes a voluntary reporting system designed to enhance the data available to assess and resolve patient safety and health care quality issues. To encourage the reporting and analysis of medical errors, PSQIA provides Federal privilege and confidentiality protections for patient safety information, called patient safety work product. PSQIA authorizes the U.S. Department of Health and Human Services (HHS) to impose civil money penalties for violations of patient safety confidentiality. PSQIA also authorizes the Agency for Healthcare Research and Quality (AHRQ) to list patient safety organizations (PSOs). PSOs are the external experts that collect and review patient safety information.

Source: Health Information Privacy: Patient Safety and Quality Improvement Act of 2005 Statute and Rule


Privacy Act of 1974 (Privacy Act)

5 U.S.C. § 552a


 

Overview

The Privacy Act of 1974, 5 U.S.C. § 552a, establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies. A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifier assigned to the individual.

The Privacy Act requires U.S. Government agencies give public notice of their systems of records by publication in the Federal Register. The Privacy Act prohibits the disclosure of a record about an individual from a system of records absent the written consent of the individual, unless the disclosure is pursuant to one of twelve statutory exceptions. The Act also provides individuals with a means by which to seek access to and amendment of their records, and sets forth various agency record-keeping requirements.

Source: U.S. Department of Justice – Privacy Act of 1974


Protection of Pupil Rights Amendment (PPRA)

20 U.S.C. § 1232h


 

Overview

The PPRA applies to the programs and activities of a State educational agency (SEA), local educational agency (LEA), or other recipient of funds under any program funded by the U.S. Department of Education. It governs the administration to students of a survey, analysis, or evaluation that concerns one or more of the following eight protected areas:

  • political affiliations or beliefs of the student or the student’s parent;
  • mental or psychological problems of the student or the student’s family;
  • sex behavior or attitudes;
  • illegal, anti-social, self-incriminating, or demeaning behavior;
  • critical appraisals of other individuals with whom respondents have close family relationships;
  • legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers;
  • religious practices, affiliations, or beliefs of the student or student’s parent; or,
  • income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program).

PPRA also concerns marketing surveys and other areas of student privacy, parental access to information, and the administration of certain physical examinations to minors. The rights under PPRA transfer from the parents to a student who is 18 years old or an emancipated minor under State law.

Source: Family Policy Compliance Office: Protection of Pupil Rights Amendment (PPRA)


Public Health Service Act (Certificates of Confidentiality)

42 U.S.C. Ch. 6A

42 U.S.C. § 241(d) Protection of privacy of individuals who are research subjects

 

Overview

Under section 301(d) of the Public Health Service Act (42 U.S.C. § 241(d)), the Secretary of the U.S. Department of Health and Human Services may authorize persons engaged in biomedical, behavioral, clinical, or other research to protect the privacy of individuals who are the subjects of that research. This authority has been delegated to the National Institutes of Health (NIH). Persons authorized by the NIH to protect the privacy of research subjects may not be compelled in any Federal, State, or local civil, criminal, administrative, legislative, or other proceedings to identify them by name or other identifying characteristic.

Source: Certificates of Confidentiality Background


Public Health Service Act (Confidentiality of Health Statistics)

42 U.S.C. Ch. 6A

See also: 42 U.S.C. § 242m(d)
See also: Section 308(d) of the Public Health Service Act

 

Overview

The Public Health Service Act, 42 U.S.C. Ch. 6A, provision regarding the confidentiality of health statistics prohibits the National Center for Health Statistics (NCHS) from using any personal information for any purpose other than what was described to survey participants and from sharing that information with anyone not clearly mentioned to them. This provision enables NCHS to assure respondents strict confidentiality.

Source: How NCHS Protects Your Privacy



Back to top

Q


No Content

Back to top

R


No Content

Back to top

S



Title V – Confidential Information Protection and Statistical Efficiency Act of 2002 of the E-Government Act of 2002 (CIPSEA)

44 U.S.C. § 3501 note

See also:Title V – Confidential Information Protection and Statistical Efficiency Act (CIPSEA) (Public Law No. 107-347)

 

Overview

The Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA) can provide strong confidentiality protections for statistical information collections, such as surveys and censuses, as well as for other statistical activities, such as data analysis, modeling, and sample design, that are sponsored or conducted by Federal agencies.

Source: Implementation Guidance for Title V of the E-Government Act, Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA)


  • Back to top

    T


    No Content

    Back to top

    U




    Back to top

    V


    No Content

    Back to top

    W


    No Content

    Back to top

    X


    No Content

    Back to top

    Y


    No Content

    Back to top

    Z


    No Content

    Law Enforcement


    Communications Assistance for Law Enforcement Act (CALEA)
    47 U.S.C. §§ 1001-1010

     

    Overview

    In response to concerns that emerging technologies such as digital and wireless communications were making it increasingly difficult for law enforcement agencies to execute authorized surveillance, Congress enacted CALEA on October 25, 1994. CALEA requires a “telecommunications carrier,” as defined by the CALEA statute, to ensure that equipment, facilities, or services that allow a customer or subscriber to “originate, terminate, or direct communications,” enable law enforcement officials to conduct electronic surveillance pursuant to court order or other lawful authorization. CALEA is intended to preserve the ability of law enforcement agencies to conduct electronic surveillance by requiring that telecommunications carriers and manufacturers of telecommunications equipment design and modify their equipment, facilities, and services to ensure that they have the necessary surveillance capabilities as communications network technologies evolve. CALEA is limited to Telecommunications Carriers as defined by the Act and interpreted by the FCC.  In addition, CALEA specifically exempts “Information Services”, which includes many Internet based communications service providers, electronic storage providers and electronic messaging services.

    Source: Communications Assistance for Law Enforcement Act

    gRegulations gSupplemental Material
    Electronic Communications Privacy Act of 1986 (ECPA)
    18 U.S.C. §§ 1367, 2521, 2701 – 2712, 3117, 3121 – 3127
    18 U.S.C. § 2510 – 2522 Wire and Electronic Communications Interception and Interception of Oral Communications (Wiretap Act)
    18 U.S.C. §§ 2701-12. Stored Wire and Electronic Communications and Transactional Records Access (Stored Communications Act)
    18 U.S.C. §§ 3121 – 3227 Pen Registers and Trap and Trace Devices
    See also, Public Law 99-508

     

    Overview

    The Electronic Communications Privacy Act (ECPA) of 1986 created additional privacy protections for stored electronic communications and updated the Federal Wiretap Act to cover electronic communications as well as oral and wire communications.  Title II of the ECPA established a comprehensive system of protections for stored communications codified at 18 U.S.C. §§ 2701-2712 which has come to be referred to as the Stored Communications Act (SCA).

    The ECPA, as amended, protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers. The Act applies to email, telephone conversations, and data stored electronically.

    Source: Justice Information Sharing, Electronic Communications Privacy Act of 1986

    gHelpful Tips gSupplemental Material
    Federal Agency Data Mining Reporting Act of 2007 (FADMRA)
    42 U.S.C. § 2000ee-3

     

    Overview

    The Federal Agency Data Mining Reporting Act of 2007 (FADMRA) is contained in section 803 of the Implementing the Recommendations of the 9/11 Commission Act of 2007.

    The FADMRA provides that the head of each department or agency of the Federal Government that is engaged in any “pattern-based” data mining activity shall submit a report to Congress on all such activities of the department or agency under the jurisdiction of that official. The report shall be produced in coordination with the privacy officer of that department or agency, if applicable, and shall be made available to the public, except for an annex as described in subparagraph (c).

    gHelpful Tips gSupplemental Material