Privacy Act of 1974

Privacy and Confidentiality
Security of Health Information

The Privacy Act of 1974 protects information about individuals, such as patients and practitioners, held by or collected by the federal government that can be retrieved by personal identifiers such as name, social security number, or other identifying number or symbol. The Privacy Act authorizes a federal agency to release individually identifiable information to identified persons or to their designees with written consent or pursuant to one of twelve exemptions for disclosure.[1] These exemptions include disclosure to federal agency employees, the Census Bureau, the National Archives and Records Administration, other government entities for civil and criminal law enforcement purposes, the Comptroller General, Congress or its committees, and a consumer reporting agency.[2] Additional exemptions include disclosures for statistical research, disclosures required by FOIA, disclosures in response to emergency circumstances, and disclosures pursuant to a court order.


The broadest of the twelve exemptions, the “Routine Use” disclosure, authorizes federal agencies to release individually identifiable information pursuant to a System of Records (SOR) and Routine Uses.[3] An SOR is a group of any records under the control of a federal agency from which information is retrieved by the name of the individual or by a particular identifier. When a federal agency establishes or substantially revises an SOR that contains individually identifiable information, the Privacy Act of 1974 requires the agency to publish a notice of a system of records (SORN or “notice”) in the Federal Register, and to submit a report about the new or amended system to OMB and Congress for approval.


The Privacy Act also governs how a federal agency collects, maintains, and uses individually identifiable information. For example, federal agencies must keep an accurate accounting of all records disclosed without an individual’s written consent, except for disclosures made to agency employees and disclosures required by the Privacy Act. The agency must note the name and address of the person or agency to whom the disclosure is made, and the date, nature, and purpose of each disclosure.[4] In addition, agencies may collect only that information needed to accomplish the purpose for its collection.[5] They must also collect information directly from the individual whenever practicable and maintain all records containing such information accurately and completely.[6] Finally, when an agency creates an SOR for collected data, it must publish a notice in the Federal Register that explains its system of records and the acceptable routine uses as described above.


Penalties for violations of the Privacy Act include both civil and criminal penalties. On the civil side, an individual may sue a federal agency whenever the agency: fails to amend an individual’s record as requested or to properly review such a request; refuses to comply with a request to access an individual’s record; fails to maintain an individual’s records adequately, resulting in an adverse determination against the individual; or fails to comply with any other provision of the Privacy Act in a way that adversely affects an individual.[7] If a court finds that an agency has violated the Privacy Act, it may order the agency to take corrective action or pay reasonable litigation costs.[8] Additionally, if a court finds that the agency intentionally or willfully violated the statute, it can impose a fine of up to $1,000.[9] On the criminal side, an agency employee is guilty of a misdemeanor, with fines up to $5,000, if the employee willfully discloses individually identifiable information to any person not entitled to receive it, knowing that the disclosure of such information is prohibited, or maintains a system of records that fails to meet the Act’s notice and comment requirements.[10] In addition, any person is guilty of a misdemeanor, with fines up to $5,000, if the person willfully and knowingly requests or obtains an individual’s record from an agency under false pretenses.[11]


  • 1. Privacy Act of 1974, Pub. L. No. 93-579, § 3, 88 Stat. 1896, 1896 (codified as amended at 5 U.S.C. § 552a (2006)).
  • 2. Id. at 5 U.S.C. § 552a(b).
  • 3. Id.
  • 4. 5 U.S.C. § 552a(c).
  • 5. Id. at § 552a(e)(1).
  • 6. Id. at § 552a(e)(2), (5).
  • 7. Id. at § 552a(g)(1).
  • 8. Id. at § 552a(g)(2)-(4).
  • 9. Id. at § 552a(g)(5).
  • 10. Id. at § 552a(i)(1).
  • 11. Id.