Office of the Assistant Secretary
for Planning and Evaluation
HHS Privacy Committee
To ensure attention to privacy as a fundamental consideration in
collection and use of personally-identifiable information.
In carrying out its mission, HHS collects and uses information about
individuals, and funds and stimulates collection and use of such information by
State and local governments, universities, health care providers, and many
other public and private entities. As HHS works to make more effective use of
this data, it is committed to protecting the privacy of individuals. The
Privacy Committee was formed to help in carrying out the Data Council's
- Committee membership and contact information
Disclaimer: References or links from these pages to
other pages outside the U.S. Department of Health and Human Services (HHS) do
not constitute any endorsement or recommendation by the Department or any of
its agencies or employees. HHS is also not responsible for the contents of any
pages outside our control. HHS does not endorse any product or service provided
by any other organization.
U.S. Federal Government, including Privacy Act of
- The Privacy Act of 1974,
5 U.S.C. § 552a, As Amended
- The Relationship between Citizen and Government:
The Privacy Act of 1974. Chapter 13 of the Report of The Privacy Protection
Study Commission [July 1977]
- The Privacy Act of 1974: An Assessment.
Appendix 4 to the report of the U.S. Privacy Protection Study Commission.
of Management and Budget Information and Regulatory Policy Privacy
- Overview of the Privacy
Act of 1974 From Office of Information and Privacy, U.S. Department of
Justice [May 2004]
- Privacy Act
Issuances - 2001 Compilation. Agency Privacy Act system notices as of
date of compilation. From National Archives and Records Administration [March
Privacy Act Guidance [July 9, 1975, PDF - 4.8MB]
OMB Guidance [December 4, 1975, PDF - 218K]
OMB Guidance Interpreting the Provisions of Public Law 100-503, the Computer
Matching and Privacy Protection Act of 1988 [June 19, 1989, PDF - 1.5MB]
Circular A-130 [November 30, 2000]
Privacy Act Regulations, 45 CFR Part 5b
- HHS Privacy Act Contacts
- Centers for Medicare and Medicaid
Services (CMS) Privacy Act Site
Privacy Act Regulations, 21 CFR Part 21
- National Institutes of Health
(NIH) Privacy Act Site
- Indian Health
Service (IHS) Privacy Act Site
- HHS Privacy Impact Assessments
- Department of Defense Privacy
- Social Security
Administration Privacy Act System Notices
- Internal Revenue Service
- Department of Homeland Security Chief
of Education Privacy Act Issuances [February 2002]
- Office of Personnel
Management Privacy Act Site. Includes systems of records maintained on
Computer System Security and Privacy Advisory Board (CSSPAB), on management
of privacy responsibilities of Federal agencies. [September 2002]
Note: PDF (Portable Document Format) files can be read
using Adobe's Acrobat(TM)
Reader. This program, which you must install once on your computer, allows
you to view, navigate, and print the documents as originally published. Please
contact Adobe for assistance installing and
using Adobe's Acrobat(TM) Reader.
Government Data Protection Officials:
Data protection officials in many countries of the world have developed
valuable reference materials on privacy. The sites listed below have at least
some material in English.
International Conference of Privacy and Data Protection Commissioners, Ottawa,
Ontario, Canada, Sept 18-20, 1996 some papers.
Conference on Privacy and Personal Data Protection, Hong Kong, Sept. 13-14,
1999- Meeting of world data protection officials papers and presentations.
Conference on Privacy and Personal Data Protection, Venice, Sept. 28-30, 2000-
Meeting of world data protection officials papers and presentations
Conference on Privacy and Personal Data Protection, Paris, France, Sept. 23-26,
2001- Meeting of the world data protection officials - papers and presentations
24th International Conference on Privacy and Personal Data Protection, Cardiff,
Wales, Sept. 9-11, 2002 - papers and presentations
Conference of Data Protection and Privacy Commissioners, Sydney, Australia,
September 10-12, 2003 - papers and presentations
26th International Conference
of Data Protection and Privacy Commissioners, Wrocaw, Poland, September 14-16,
European Union (EU):
Many organizations are working on privacy and confidentiality issues at
different levels, from policy to implementation guides. The following are some
of these organizations. Inclusion of these organizations does not imply any
endorsement of the organizations or the positions they propound.
Policy Documents and Inquiries:
Privacy in the Information
Age - Project of the Computer Science and Telecommunications Board (CSTB)
of The National Academies. "... comprehensive assessment that will evaluate
causes for concern about privacy in the information age and tools and
strategies for responding." [in progress, September 2001]
Goes There? Authentication Through the Lens of Privacy. Report of the Committee
on Authentication Technologies and Their Privacy Implications of the Computer
Science and Telecommunications Board of the National Academies. Explores authentication
technologies (including passwords, PKI, biometrics, etc.) and their implications
for the privacy of the individuals being authenticated. [April 2003]
Not That Easy: Questions About Nationwide Identity Systems. - Report
of the Committee on Authentication Technologies and Their Privacy Implications
of the Computer Science and Telecommunications Board of the National Academy of
Sciences. Discusses policy, procedural, and technological issues presented by
nationwide identity systems [April 2002]
Privacy and Data-Sharing:
The Way Forward for Public Services. Report from United Kingdom Cabinet
Office, Performance and Innovation Unit, on " how public services should look
to balance the individual right to privacy with the wider social benefits that
data-sharing can deliver." [April 2002]
Options for Promoting Privacy on the National
Information Infrastructure Draft for Public Comment. From Information
Policy Committee, National Information Infrastructure Task Force [April 1997]
Communicating Privacy Policies:
Privacy Impact Assessment Policy:
- OMB Guidance
for Implementing the Privacy Provisions of the E-Government Act of 2002.
Includes Privacy Impact Assessment guidance. [September 2003]
- Internal Revenue
Service, Model Information Technology, Privacy Impact Assessment - offered
by the U.S. Federal Chief Information Officer's Council
- Privacy Impact Assessment
Policy, Department of the Interior
- Privacy Impact Assessment Model -
Alberta Information and Privacy Commissioner
- Privacy Impact Assessment Tool
- British Columbia Information and Privacy Commissioner
- Privacy Impact Assessment
Guidelines- Ontario Government Management Board Secretariat [June 2001]
- Privacy Impact Assessment - An Essential Tool
for Data Protection. Presentation by David H. Flaherty at the 22nd Annual
Meeting of Privacy and Data Protection Officials, Venice, Italy. [September
- Working Paper,
Privacy Impact Assessment for Justice Information Systems, From Office
of Justice Programs, U.S. Department of Justice. [February 2001]
- Privacy Impact Assessment:
Some Approaches, Issues and Examples, by Blair Stewart, Assistant Commissioner,
Office of the Privacy Commissioner, New Zealand
- Privacy Impact Assessment
Handbook, From Office of the Privacy Commissioner, New Zealand [March
Impact Assessment Policy, from Chief Information Officer Branch, Treasury
Board Secretariat, Government of Canada [April 2002]
- Standards for Privacy of Individually Identifiable Health Information.
The Department has published , under authority in the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) a privacy regulation applicable
to health information created or maintained by health care providers who engage
in certain electronic transactions, health plans, and health care clearinghouses.
The text of the regulation and other information can be found on web site
of the Office for Civil Rights.
- Health Insurance Portability and Accountability Act of 1996. The Department
is developing other regulations to implement HIPAA. The text of the act, recommendations
for confidentiality legislation, proposed and final regulations, and other
information can be reached through our Administrative
Simplification web site.
- For the Record: Protecting Electronic
Health Information - Produced by the Committee on Maintaining Privacy
and Security in Health Care Applications of the National Information Infrastructure.
National Academy Press, Washington, 1997. General overview of the nature of
concerns with the privacy and confidentiality of health care information in
the electronic age, as well as specific recommendations, with special attention
- Substance Abuse Patient Confidentiality Requirements
Public Health Service Act, section 543 (42 U.S.C. 290dd-2)
42 CFR part 2
- Model State Public
Health Privacy Act, prepared by Model State Public Heath Privacy Project,
Georgetown University Law School 
- The Domain
of Health Care Information Privacy - Protecting Identifiable Health Care Informational
Privacy: A Consensus Report on Eight Content Areas for Performance Measure
Development. From Ethical Force Program of the American Medical Association.
- Health Records: Social Needs
and Personal Privacy. Proceedings of a Conference sponsored by the U.S.
Department of Health and Human Services. [February 1993]
Privacy in Computerized Medical Information. Report of Office of Technology
Assessment [September 1993]. From Woodrow Wilson School of Public and International
Affairs OTA archive.
- Personal Privacy in an Information Society,
Chapter 7, Record-keeping in the Medical-Care Relationship Portion of
the report of the Privacy Protection Study Commission addressing health records.
- Protecting Patient Confidentiality:
Final Report. Confidentiality and Security Advisory Group for Scotland (CSAGS),
Scottish Executive Health Department [April 2002]
- Genetic Information
Privacy, Discrimination and Legal Issues. From National Human Genome
Research Institute, NIH.
- Protecting Privacy When Using Telehealth Technology in Healthcare, Volume
1 & Volume
2. Reports with guidance for protecting patient information when using
information and communications technologies to deliver care across a distance.
From Telehealth Deployment Research Testbed (TDRT), sponsored by Office for
the Advancement of Telehealth, Health Resources and Services Administration.
- Privacy Issues in Mental Health
and Substance Abuse Treatment: Information Sharing Between Providers and Managed
Care Organizations. Study of privacy issues with regard to what personal
information should be shared for patients receiving mental health or substance
abuse treatment. By Mathematica Policy Research, Inc., for the Office of the
Assistant Secretary for Planning and Evaluation, January 17, 2003.
- Confidentiality Certificates to Protect Personally-Identifiable Research
- Protecting Data Privacy
in Health Services Research. Report of the Institute of Medicine with
recommendations on protection of privacy and the role of Institutional Review
Boards in health services research, funded by the Agency for Health Care Research
and Quality and the Office of the Assistant Secretary for Planning and Evaluation.
- The National Cancer Institute conducted an inquiry into confidentiality
issues surrounding research, with two documents:
- Privacy and Health Research - Report to the Secretary
of HHS by William W. Lowrance, Ph.D. on privacy and health research. [May
- Improving Access to
and Confidentiality of Research Data: Report of a Workshop. Proceedings
of workshop conducted by Committee on National Statistics, National Research
Council, on effective use of microdata and preservation of confidentiality,
particularly with use of longitudinal data linked to administrative records.
Medical Research Council (MRC) of the United Kingdom. Includes:
- Personal Information in Medical Research [October 2000]
- Human Tissue and Biological Samples for Use in Research - Operational
and Ethical Guidelines [April 2001]
- MRC Interim Guidance on Ethics of Research Involving Human Material
Derived from the Nervous System [June 2003]
Institute for Health Information (CIHI). Privacy and Data Protection.
Includes "Privacy and Confidentiality of Health Information at CIHI:
Principles and policies for the protection of health information" [April
- Personal Privacy in an Information Society,
Chapter 15, The Relationship Between Citizen and Government: The Citizen as
Participant in Research and Statistical Studies. Portion of the report
of the Privacy Protection Study Commission addressing research and statistical
uses of personal information.[July 1977]
on Institutional Review Boards, Surveys, and Social Science Research, Committee
on National Statistics. Panel is reviewing current and proposed methods
of human subjects' protection in social science data collection. Protecting
Participants and Facilitating Social and Behavioral Sciences Research (2003)
- Office for Human Research Protections
of the Department of Health and Human Services.
- Archive of National
Human Research Protections Advisory Committee (NHRPAC).
- Analyses and recommendations and draft documents of the Social
and Behavioral Science Working Group of the National Human Research Protections
Advisory Committee. On web site of American Sociological Association.
- National Bioethics Advisory Commission, Ethical and Policy Issues in Research
Involving Human Participants, Volume
II: Commissioned Papers, [August 2001]:(B-1) Privacy and Confidentiality:
As Related to Human Research in Social and Behavioral Science, by Joan E.
Sieber; and (C-1) Privacy and Confidentiality in Health Research, by Janlori
Goldman and Angela Choy.
- Summary of
Human Subjects Protection Issues Related to Large Sample Surveys, by Joan
E. Sieber. Study prepared for Bureau of Justice Statistics, U. S. Department
of Justice [June 2001]
- Canadian Institutes
for Health Research. Includes:
Issues in Biomedical and Clinical Research. Board on Biology, National
Academy of Sciences. Proceedings of a forum. Addresses genetic information
- Administrative Data for Policy-Relevant
Research: Assessment of Current Utility and Recommendations for Development.
Chapter 3 discusses safeguards to ensure that information on individuals and
households contained in administrative databases and used for research remains
confidential and that privacy interests of individuals are maintained. From
Advisory Panel on Research Uses of Administrative Data, under auspices of
the Joint Center for Poverty Research, funded by Office of Assistant Secretary
for Planning and Evaluation. [January 1998].
from Experience : Privacy and the Secondary Use of Data In Health Research.
Study from Nuffield Trust, by Dr. William W. Lowrance, of use of personal
health information in research, in United Kingdom context [November 2002].
- Secretary's Advisory Committee
on Human Research Protections (SACHRP)
- Social and
Behavioral Sciences Working Group on Human Research Protections
Comments/suggestions about the HHS Data Council Privacy Committee
web pages should be directed to the webmaster.
Last updated 7/19/04.