Privacy Program

Privacy Program – The NIH Privacy Program is responsible for mitigating and managing privacy breaches within NIH, and coordinates with IC Privacy Coordinators across NIH to prevent and manage situations where persons other than authorized users have access, or potential access, to personally identifiable information (PII).

Privacy Act

The Privacy Act safeguards privacy through the implementation of the Code of FAIR Information Practice Principles in operational and procedural requirements.  Government agencies must provide records pertaining to an individual upon request from that individual, if the records are maintained in a Privacy Act system of records.  In addition, the Privacy Act places restrictions on how agencies can share an individual's data with other people and agencies.

The Privacy Act requires agencies to:

  • Publish the details of all their "system of records" in the Federal Register.
  • Show an individual any records kept on them, make copies, and correct any factually incorrect information.
  • Provide members of the public with a notification statement to explain the legal authorization to collect information, the purpose of the collection, the intended use of the information, to whom it may be disclosed, and what, if any, consequences there will be if the information is not provided.
  • Set limits on how agencies can share an individual's data.
  • Follow the "fair information practices" when gathering and handling personal data.

The Privacy Act identifies key mandates for Federal agencies to protect members of the public:

  • Applies to Federal records about U.S. citizens and permanent residents.
  • Limits an agency's ability to disclose information in a "system of records".
  • Restricts the sharing of personal information between agencies.
  • Requires agencies to retain the minimum amount of information "relevant and necessary" to accomplish purposes.
  • Requires that agencies keep a correct account of when, and to whom, it discloses information.

The Privacy Act contains multiple provisions for handling systems of records:

  • Defines a record as any item, collection or group of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph (Privacy Act, 5 U.S.C. Section 552a(a)(4)).
  • Requires agencies to provide a Privacy Act Notice when collecting personal information in order to provide an explanation of the intended uses for obtaining information.
  • Requires the agency collecting the information to publish a System of Records Notice (SORN) in the Federal Register no less than 40 days prior to the collection of the information.
  • Charges the Office of Management and Budget (OMB) with developing guidelines on how agencies should interpret and implement provisions of the Privacy Act.
  • Provides "right of action" for members of the public when an agency violates the Privacy Act.
  • Provides law enforcement exemptions.
  • Requires Government agencies to disclose personally identifiable information (PII) so long as it is captured in the SORN's 'routine uses' when creating or altering the system of records.
     

Privacy Act Exceptions

The Privacy Act provides that NIH will provide access to records within our possession unless one of the exceptions or general/specific exemptions applies.  The exact language of the exemptions can be found in the Privacy Act.

Most of the NIH Privacy Act System of Records are non-exempt, meaning that there is no exemption rule claimed for the systems of records.  It means the records contained with the system are releasable to the subject of the file in their entirety.  However, there are exceptions to the rule:

  • Records that contain information about a third party.
  • Information that is not about the subject of the file, and therefore no accessible under the Privacy Act.

 

Records that are excepted from the Privacy Act access include records compiled in reasonable anticipation of a civil action or proceeding - 5 U.S.C. Section 552a(d)(5) (Litigation Protection).

Records that are exempted from Privacy Act access include the following:

  • (j)(1) – 5 U.S.C. Section 552a(j)(1) (CIA Systems of Records) – "records maintained by the Central Intelligence Agency"; and
  • (j)(2) – 5 U.S.C. Section 552a(j)(2) (Criminal Investigatory Records) – "records maintained by an agency or component thereof which performs as its principal function any activity pertaining to the enforcement of criminal laws". This requirement is usually met by such obvious law enforcement components as the FBI, DEA and BATF. In addition, Justice Department components such as the U.S. Parole Commission, the Federal Bureau of Prisons, and the Office of the Pardon Attorney, have been held to qualify as "principal function" criminal law enforcement entities.
    Specific Exemptions 5 U.S.C. Section 552a(k): 
  • (k)(1) – 5 U.S.C. Section 552a(k)(1) (Classified Records) - "subject to the provisions of section 552(b)(1) of this title"; 
  • (k)(2) – 5 U.S.C. Section 552a(k)(2) (Law Enforcement Investigative Records) - "investigatory material compiled for law enforcement purposes other than material within the scope of subsection (j)(2) of this section"; 
  • (k)(3) – 5 U.S.C. Section 552a(k)(3) (Secret Service Records) - "records maintained in connection with providing protective services to the President of the United States or other individuals pursuant to Section 3056 of Title 18"; 
  • (k)(4) – 5 U.S.C. Section 552a(k)(4) (Statistical Records) - "records required by statute to be maintained and used solely as statistical records"; 
  • (k)(5) – 5 U.S.C. Section 552a(k)(5) (Background Investigative Records) - "investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for federal civilian employment, military service, federal contracts, or access to classified information but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the government under an express promise that the identity of the source would be held in confidence, or, prior to the effective date of this section [9-27-75], under an implied promise that the identity of the source would be held in confidence"; 
  • (k)(6) – 5 U.S.C. Section 552a(k)(6) (Testing Records) - "testing or examination material used solely to determine individual qualifications for appointment or promotion in the federal service the disclosure of which would compromise the objectivity or fairness of the testing or examination process"; and 
  • (k)(7) – 5 U.S.C. Section 552a(k)(7) (Military Evaluation Records) - "evaluation material used to determine potential for promotion in the armed services, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the government under an express promise that the identity of the source would be held in confidence, or, prior to the effective date of this section [9-25-75], under an implied promise that the identity of the source would be held in confidence". 

Fair Information Practice Principles

The Code of Fair Information Practice Principles are widely accepted in the United States and internationally as a general framework for privacy.  They are reflected in various Federal and international laws and policies.  In a number of organizations, they serve as the basis for analyzing privacy risks and determining mitigation strategies.

  1. There must be no personal data record-keeping systems whose very existence is secret.
  2. There must be a way for a person to find out what information about the person is in a record and how it is used.
  3. There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the person's consent.
  4. There must be a way for a person to correct or amend a record of identifiable information about the person.
  5. Any organization creating, maintaining, using or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of the data.

How to Request Records

The Department of Health and Human Services (HHS) regulations govern the notification and access requirements for Privacy Act systems of records maintained by NIH.  In accordance with Department policy, NIH may not maintain records on individuals unless:
  1. It is relevant and necessary to accomplish an NIH or Department function required by statue or Executive Order.
  2. The information in the record is acquired to the greatest extent practicable directly from the subject individual (when maintenance of the record may result in a determination about the subject individual's rights, benefits or privileges under Federal programs).
  3. The individual providing the record, is informed at the time the record is collected of the authority NIH has for requesting the record (45CFR Section 5b.4(A)).
 
When a Privacy Act record exists in a system of records, the subject individual (the individual to whom the record pertains) may request access to his or her record.

When preparing a request for records, please follow the below instructions:
  • Submit a written request (requests sent via facsimile or electronic mail will not be accepted as the identity of the requestor cannot be verified);
  • Verify your identity by providing either a notarization of the request or a written certification that you are who you claim to be and understand that the knowing and willful request of a record pertaining to an individual under false pretenses is a criminal offense under the Act, subject to a five thousand dollar fine;
  • Provide the subject individual’s name and current mailing address. An individual requesting notification or access to sensitive records, such as medical records, may be required to further verify identity with regard to particulars in the requested record, e.g., date or place of birth, educational institution attended, social security number, etc.;
  • State that the records are requested under the Privacy Act;
  • Identify the records requested.  Be as specific as possible and include the approximate dates the information was collected, the types of information collected, or the official responsible for the collection of information where known);
  • Include a daytime telephone number in the event that additional information is needed; and
  • Mark the outside of the envelope "Privacy Act Request" and mail it to the NIH Senior Official for Privacy at the address listed in the contact box above.
 
Individuals requesting reproduction of partial or complete medical records from the NIH Clinical Center need to also provide NIH-527 "Authorization for the Release of Medical Information," which can be obtained by contacting the following:
 
NIH Clinical Center
Medical Record Department
Attention: Medicolegal Section
10 Center Drive, MSC 1192
Building 10, Room 1N216
Bethesda, Maryland 20892-1192
(301) 496-3331
The patient, or parent/guardian or legal designee of a minor or incompetent patient, may request release of medical information. The request must be made in writing and signed by the patient or patient's parent/guardian/legal designee. The parent/guardian/designee must provide adequate documentation to verify their relationship to the patient as well as their identity to prove the relationship.
 
Individuals will be granted access to their medical records unless the System Manager determines that such access is likely to have an adverse effect on the individual and potentially cause harm.
 
In such cases when the System Manager has determined that the nature of the record information requires medical interpretation, the subject of the record shall be requested to designate in writing, a responsible representative who will be willing to review the record and inform the subject individual of its contents at the representative's discretion. The representative may be a physician, health professional, or other responsible individual. In this case, the medical record will be sent to the designated representative. Individuals will be informed in writing if the record is sent to the representative. This same procedure will apply in cases where a parent/guardian/legal designee requests notification of, or access to, a minor or incompetent patient’s medical record.
 
To request Privacy Act records collected as part of a background investigation necessary to issue an NIH I.D., please visit: http://www.hhs.gov/foia.

Fees

HHS 45 CFR Section 5b.13 Fees.

(a) Policy
  • Where applicable, fees for copying records will be charged in accordance with the schedule set forth in this section:
    Fees may only be charged when an individual requests that a copy be made of the record to which he/she is granted access;
  • No fee may be charged for making a search of the system of records whether the search is manual, mechanical, or electronic;
  • Where a copy of the record must be made in order to provide access to the record (e.g., computer printout where no screen reading is available), the copy will be made available to the individual without cost; and
  • Where a medical record is made available to a representative designated by the individual or to a physician or health professional designated by a parent or guardian under section 5b.6 of this part, no fee will be charged.

(b) Fee schedule: 
  • Copying of records susceptible to photocopying - $.10 per page;
  • Copying records not susceptible to photocopying – at actual cost to be determined on a case-by-case basis; and
  • No charge will be made if the total amount of copying does not exceed $25.00.

Appeals

Records that contain information that is inaccurate, incomplete, untimely, or irrelevant may be amended.  To contest such information, individuals should contact the System Manager identified in the SORN.  The individual should reasonably identify the record, specify the information contested, the corrective actions ought, and state the reason(s) for requesting the correction, along with supporting information to show how the record is inaccurate, incomplete, untimely, or irrelevant.

Requestors who wish to appeal the refusal of NIH to correct or amend the individual's record must do so within 30 days of the receipt of a letter from NIH.  The following information should be provided:

  • Reasons why the requested information should be corrected or amended under the Act.
  • Why the denial may be in error.

Requestors wishing to submit an appeal should attach a copy of their original request and response letter tot he NIH appeal authority, clearly mark the letter and the outside envelope "Privacy Act Appeal" and mail the documents to the following address:

NIH Senior Official for Privacy
National Institutes of Health
6011 Executive Boulevard
Suite 601, MSC 7669
Bethesda, MD 20892-7669

Requestors who wish to appeal an NIH decision should attach a copy of their original request and response letter to their appeal, clearly mark the letter and the outside envelope "Privacy Act Appeal" and mail the documents to the following address:

Director, News Division
Mary E. Switzer Building
330 C Street, SW
Room 2206
Washington, DC 20201​


Privacy Act Links

IC Privacy Coordinators
IC Information Systems Security Officers
NIH Project Clearance Branch Website
NIH Records Management Website
NIH Information Security and Privacy Awareness Training Dashboard
Privacy FAQs
Privacy Glossary
Privacy Laws & References
Privacy Act (Public Law 93-579)
NIH Privacy Act Systems of Record Notices (SORNs)
​​​​​
​​

Contacting DMS

Division of Management Support

Director, Ekaterini 'Katy' Perry

National Institutes of Health,

Office of Management Assessment

6011 Executive Blvd., Suite 601, MSC 7669

Rockville, MD 20852

Phone: (301) 496-2832 or (301) 496-4606

Fax: (301) 402-0169

Want to know more about allegations?

DPI has the authority to conduct reviews using certain rules and acts.

Learn More About Allegations
​​​​​​​​​​​​
​​