General Q&A
The following are general questions and answers regarding the Privacy Act 1974 (5 U.S.C. 552a). Subsequent sections will provide more detailed information regarding the Indian Health Service's (IHS) Privacy Act records and the Privacy Act of 1974. Click on the following questions to go directly to answer.
- What is the Privacy Act?
- Does the Privacy Act apply to all Government records?
- Does the Privacy Act apply to all records maintained about individuals?
- How does the Government inform the public about the record systems that are covered by the Privacy Act?
- What are an individual's basic rights and the agency employees' responsibilities under the Privacy Act?
- What can I do to meet my Privacy Act responsibilities?
- Does the Privacy Act apply to all IHS employees?
- If I have a Privacy Act question or problem, where do I go for help?
- Does the IHS have any Privacy Act systems of records?
- What does it mean to make a routine use disclosure from a Privacy Act system of records?
- Does the Privacy Act apply to contractors?
- Are there any Privacy Act compliance reviews that are required to be made?
What is the Privacy Act?
A: The Privacy Act of 1974 is a code of fair information practices which mandates how Government agencies, such as the IHS, shall maintain records about individuals. The Privacy Act requires that Government agencies:
- collect only information that is relevant and necessary to carry out an agency function;
- maintain no secret records on individuals;
- explain at the time the information is being collected, why it is needed and how it will be used;
- ensure that the records are used only for the reasons given, or seek the person's permission when another purpose for their use is considered necessary or desirable;
- provide adequate safeguards to protect the records from unauthorized access and disclosure;
- allow people to see the records kept on them and provide them with the opportunity to correct inaccuracies in their records.
Does the Privacy Act apply to all Government records?
A: No. The Privacy Act only applies to Government records that:
- contain information on individuals;
- are maintained by a Government agency or its contractors in a system of records; and
- are retrieved by a personal identifier, such as a person's name, Social Security Number, medical record number or other unique identifier.
Does the Privacy Act apply to all records maintained about individuals?
A: No. The Privacy Act only applies to U.S. citizens or lawful permanent resident aliens and only to Government records that meet the requirements outlined in item 2 above. The Privacy Act does not apply to deceased persons.
How does the Government inform the public about the record systems that are covered by the Privacy Act?
A: The Government informs the public about record systems covered by the Privacy Act by publishing notices in the Federal Register. The record systems are referred to as Privacy Act systems of records and the notices provide a description of a particular systems of records.
What are an individual's basic rights and the agency employees' responsibilities under the Privacy Act?
A: The following is a summary of an individual's rights and the IHS employee responsibilities under the Privacy Act regarding:
- Collection of Personal Information
Individual Rights: As an individual, whenever you are requested to provide personal information to a Federal agency, you are entitled to know the following: the legal authority for requesting the information, the purpose for collecting it, what related uses might be made of this information, whether your response is mandatory or voluntary, and what effect your refusal to provide the information would have.
Employee Responsibilities: As an employee, you must collect only personal information that is relevant and necessary to accomplish an authorized agency function. Whenever you request personal information from someone, you must inform him/her in writing of the legal authority, the purpose for collecting it, what related uses will be made of this information, whether a response is mandatory or voluntary, and what will be the effect if he/she refuses to respond. This information usually is provided on a form given to the person providing the information.
Whenever you ask for a Social Security Number you must tell the individual the purpose for requesting it, and whether a response is mandatory or voluntary. You should always attempt to collect personal information directly from the individual rather than from other sources. - Access to Records
Individual Rights: As an individual, you can request to see your records in writing or in person. You should describe the information you wish to see because blanket requests for "all the information the agency has on me" cannot be honored.
If you appear in person, identification will be required to verify you are the person whose record you are requesting. If you have no suitable identification, you will be asked to certify your identity in writing.
Telephone requests are usually not honored, because positive identification of the caller may be difficult to establish.
You may have another person accompany you when you review your records.
You are entitled to receive a copy of your record or an acknowledgement of your request within ten working days.
You are not required to give a reason for your request; however, the more specific your request, the faster you can expect a response.
Employee Responsibilities: As an employee, when someone requests to see his or her record, you must verify his/her identity or require written certification that he or she is the subject of the record requested.
If a patient requests another person's presence when he/she wants to inspect or discuss his/her records, you must have the patient authorize the other person's presence in writing prior to the inspection or discussion of the records.
When a request for a record is received, you should check to see whether a record exists on the person in a system of records that is subject to the Privacy Act. Depending on the procedure in your organization, the system manager or designee must either present the record or a copy of it, or acknowledge the request within ten working days.
You should not ask the person to give a reason or justify a need to see his or her own record. - Access to Health and Medical Records
Individual Rights: Special rules apply to health and medical records. As an individual, you should usually be able to see your medical record directly. However, when it appears that the medical record may contain information that could have an "adverse effect" on you, the medical record will be sent to a representative you name, such as your family doctor or other responsible person, who would be willing to review the medical record and inform you of its contents. You may designate an IHS employee as your representative.
Employee Responsibilities: As an employee, when an individual requests access to their own medical record, you must require that they designate a representative, such as a family doctor or other health professional or other responsible person, who would be willing to review the record and discuss its contents. The responsible official may determine that the medical record will not have an "adverse effect" upon the person and allow direct access to the medical record. A patient may designate an IHS employee as his/her representative. As with all records subject to the Privacy Act, the individual's identity must be verified. - Amendment of Records
Individual Rights: As an individual, if you wish to correct, delete or add information, you must identify the record and give your reasons for the desired change. In general, only factual, verifiable information is subject to amendment under the Privacy Act. Other procedures, such as personnel grievance procedures, should be followed if you wish to contest subjective opinion. You must verify your identity as described above
Employee Responsibilities: As an employee, depending on your organization's procedures, you or a designated official must acknowledge a request to amend a record within ten working days and advise the person when he or she can expect a decision on the request. A review should normally be completed within 30 days. You must verify the person's identity. Advise the person when he or she can expect a decision on the request. Under the regulations, an appeal must be decided within 30 days which may be extended an additional 30 days.
What can I do to meet my Privacy Act responsibilities?
A: If the Privacy Act is to achieve its objectives, there must be cooperation by every employee and contractor who works with records containing individually identifiable information. In the course of your work you become a steward of the information entrusted to you. In order to meet the responsibilities of this stewardship, there are certain steps you should to take:
- Learn the requirements of the Privacy Act and how they relate to your particular job. This can be accomplished through formal training, on-the-job training, discussions with your supervisor, and reading. Acquaint yourself as much as possible with the Privacy Act policies and procedures that apply to the information that you work with day-to-day.
- Consider how you handle the information you work with, and what measures, if any, you need to take to safeguard the personal information that you have about others in your possession.
- Certain IHS staff have been specially trained in the requirements of this law and they are available to assist you. Your supervisor can give the name of your nearest Privacy Act official.
- Respond promptly to requests for information by quickly referring such requests to the responsible IHS Privacy Act official. Learn the procedures used for Privacy Act requests and follow them when requests for information are received.
- Be careful that personal information is not disclosed to anyone unless that individual has received prior permission to see the information from the subject of the record, or disclosures of the record are authorized by law. The Privacy Act authorizes disclosure of an IHS Privacy Act record to HHS employees who have a legitimate need for the record in the performance of their duties.
Does the Privacy Act apply to all IHS employees?
A: Yes. As an IHS employee you "wear two hats." On the one hand you are an individual citizen who is entitled to the full protection and rights afforded by the Privacy Act. On the other hand, you are a Federal employee who works with records containing personal information and who shares some responsibility in carrying out the requirements of the law. Unless you are a Privacy Act system manager or designee, you should never disclose information subject to the Privacy Act from the records in your care or allow unauthorized persons access to such records.
The seriousness of this responsibility is evident from the penalties the Privacy Act imposes for knowing and willful violations of the law. Fines up to $5,000 can be imposed by the courts for willfully disclosing personal information that should not be released under the Privacy Act. Disciplinary actions may include reprimand, suspension, or termination of employment.
If I have a Privacy Act question or problem, where do I go for help?
A: Privacy Act staff are located throughout the IHS at the Service Unit, Area and Headquarters levels. The primary Privacy Act staff are referred to as Privacy Act System Managers, e.g., the IHS Area and Service Unit Directors are the designated Privacy Act System Managers for the IHS medical record system.
Most IHS System Managers delegate these responsibilities to other staff, commonly referred to as Area Privacy Act Coordinators and Service Unit Privacy Act Liaisons and their alternates, if any. The Coordinators and Liaisons are the primary contacts for your Privacy Act questions.
At the Service Unit level, Privacy Act questions should normally be addressed to the Privacy Act System Manger designee usually referred to as the Service Unit Privacy Act Liaison. Your supervisor can provide you with his/her name and telephone number.
At the Area level, Privacy Act questions should be addressed to the System Manager designee usually referred to as the Area Privacy Act Coordinator.
At the Headquarters level, Privacy Act questions should be addressed to the Agency Privacy Act Officer. The more complex Privacy Act questions or problems are usually referred to this level. It is recommended that you contact your Area Privacy Act Coordinator prior to consulting with the Agency Privacy Act Officer.
Does the IHS have any Privacy Act Systems of Records?
A: Yes. The IHS has the following three Privacy Act systems of records:
What does it mean to make a routine use disclosure from a Privacy Act System of Records?
A: A routine use disclosure from a Privacy Act system of records permits disclosures of information from a record to requestors outside HHS without the consent of the individual to whom the record pertains.
Routine use disclosures must be consistent with the purpose(s) for which the information was collected and must be published in the Federal Register.
Routine use disclosures are not mandatory. They are optional disclosures made at the discretion of the appropriate Privacy Act System Manager or his/her designee.
Agencies must keep an accounting of all disclosures made pursuant to a routine use on IHS 505 Disclosure Accounting Record.
Does the Privacy Act apply to contractors?
A: Yes, whenever a contractor establishes or maintains a system of records to carry out a function of IHS.
Are there any Privacy Act compliance reviews that are required to be made?
A: Yes, the Office of Management and Budget (OMB), Management of Federal Information Resources regulations requires the following:
- Contracts - Every two years review a random sample of contracts that deal with the maintenance of a Privacy Act system of records to make sure that the wording of each contract applies the provisions of the Privacy Act;
- Record keeping practices - An annual review of IHS record keeping and disposal practices
- Routine use disclosures - Every three years review the routine use disclosures to ensure that the recipient's use of such records continues to be in accordance with the purpose for which IHS collected the information.
- An annual review of each on-going matching program in which IHS has participated in the last year, either as a source or matching agency.
- Privacy Act training - An annual review of IHS training practices to ensure that personnel are familiar with the requirements of the Privacy Act, HHS Privacy Act regulations, policy and guidelines.
- Violations - An annual review of IHS agency personnel actions which resulted in either IHS being found civilly liable, or in an employee being found criminally liable. This will be done in order to determine the extent of the problem and the most effective way to prevent a recurrence.