About GPO   |   Newsroom/Media   |   Congressional Relations   |   Inspector General   |   Careers   |   Contact   |   askGPO   |   Help  
 
Home   |   Customers   |   Vendors   |   Libraries  

The Electronic Code of Federal Regulations (e-CFR) is a regularly updated, unofficial editorial compilation of CFR material and Federal Register amendments produced by the National Archives and Records Administration's Office of the Federal Register (OFR) and the Government Printing Office.

Parallel Table of Authorities and Rules for the Code of Federal Regulations and the United States Code
Text | PDF

Find, review, and submit comments on Federal rules that are open for comment and published in the Federal Register using Regulations.gov.

Purchase individual CFR titles from the U.S. Government Online Bookstore.

Find issues of the CFR (including issues prior to 1996) at a local Federal depository library.

[1]
 
 

Electronic Code of Federal Regulations

e-CFR Data is current as of July 31, 2014

Title 45: Public Welfare


PART 5b—PRIVACY ACT REGULATIONS


Contents
§5b.1   Definitions.
§5b.2   Purpose and scope.
§5b.3   Policy.
§5b.4   Maintenance of records.
§5b.5   Notification of or access to records.
§5b.6   Special procedures for notification of or access to medical records.
§5b.7   Procedures for correction or amendment of records.
§5b.8   Appeals of refusals to correct or amend records.
§5b.9   Disclosure of records.
§5b.10   Parents and guardians.
§5b.11   Exempt systems.
§5b.12   Contractors.
§5b.13   Fees.
Appendix A to Part 5b—Employee Standards of Conduct
Appendix B to Part 5b—Routine Uses Applicable to More Than One System of Records Maintained by HHS
Appendix C to Part 5b—Delegations of Authority [Reserved]

Authority: 5 U.S.C. 301, 5 U.S.C. 552a.

Source: 40 FR 47409, Oct. 8, 1975, unless otherwise noted.

§5b.1   Definitions.

As used in this part:

(a) Access means availability of a record to a subject individual.

(b) Agency means the Department of Health and Human Services.

(c) Department means the Department of Health and Human Services.

(d) Disclosure means the availability or release of a record to anyone other than the subject individual.

(e) Individual means a living person who is a citizen of the United States or an alien lawfully admitted for permanent residence. It does not include persons such as sole proprietorships, partnerships, or corporations. A business firm which is identified by the name of one or more persons is not an individual within the meaning of this part.

(f) Maintain means to maintain, collect, use, or disseminate when used in connection with the term “record”; and, to have control over or responsibility for a system of records when used in connection with the term “system of records.”

(g) Notification means communication to an individual whether he is a subject individual.

(h) Record means any item, collection, or grouping of information about an individual that is maintained by the Department, including but not limited to the individual's education, financial transactions, medical history, and criminal or employment history and that contains his name, or an identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph. When used in this part, record means only a record which is in a system of records.

(i) Responsible Department official means that officer who is listed in a notice of a system of records as the system manager for a given system of records or another individual listed in the notice of a system of records to whom requests may be made, or the designee of either such officer or individual.

(j) Routine use means the disclosure of a record outside the Department, without the consent of the subject individual, for a purpose which is compatible with the purpose for which the record was collected. It includes disclosures required to be made by statute other than the Freedom of Information Act, 5 U.S.C. 552. It does not include disclosures which are permitted to be made without the consent of the subject individual which are not compatible with the purpose for which it was collected such as disclosures to the Bureau of the Census, the General Accounting Office, or to Congress.

(k) Secretary means the Secretary of Health and Human Services, or his designee.

(l) Statistical record means a record maintained for statistical research or reporting purposes only and not maintained to make determinations about a particular subject individual.

(m) Subject individual means that individual to whom a record pertains.

(n) System of records means any group of records under the control of the Department from which a record is retrieved by personal identifier such as the name of the individual, number, symbol or other unique retriever assigned to the individual. Single records or groups of records which are not retrieved by a personal identifier are not part of a system of records. Papers maintained by individual employees of the Department which are prepared, maintained, or discarded at the discretion of the employee and which are not subject to the Federal Records Act, 44 U.S.C. 2901, are not part of a system of records; Provided, That such personal papers are not used by the employee or the Department to determine any rights, benefits, or privileges of individuals.

§5b.2   Purpose and scope.

(a) This part implements section 3 of the Privacy Act of 1974, 5 U.S.C. 552a (hereinafter referred to as the Act), by establishing agency policies and procedures for the maintenance of records. This part also establishes agency policies and procedures under which a subject individual may be given notification of or access to a record pertaining to him and policies and procedures under which a subject individual may have his record corrected or amended if he believes that his record is not accurate, timely, complete, or relevant or necessary to accomplish a Department function.

(b) All components of the Department are governed by the provisions of this part. Also governed by the provisions of this part are:

(1) Certain non-Federal entities which operate as agents of the Department for purposes of carrying out Federal functions, such as intermediaries and carriers performing functions under contracts and agreements entered into pursuant to sections 1816 and 1842 of the Social Security Act, 42 U.S.C. 1395h and 1395u.

(2) Advisory committees and councils within the meaning of the Federal Advisory Committee Act which provide advice to (i) any official or component of the Department or (ii) the President and for which the Department has been delegated responsibility for providing services.

(c) Employees of the Department governed by this part include all regular and special government employees of the Department; members of the Public Health Service Commissioned Corps; experts and consultants whose temporary (not in excess of 1 year) or intermittent services have been procured by the Department by contract pursuant to 3109 of Title 5, United States Code; volunteers where acceptance of their services are authorized by law; those individuals performing gratuitous services as permitted under conditions prescribed by the Civil Service Commission; and, participants in work-study or training programs.

(d) Where other statutes mandate procedures which are inconsistent with the procedures set forth in this part, components of the Department may issue supplementary regulations containing procedures necessary to comply with such statutes. In addition, components of the Department may supplement by regulation the policies and procedures set forth in this part to meet particular needs of the programs administered by such components.

(e) This part does not:

(1) Make available to a subject individual records which are not retrieved by that individual's name or other personal identifier.

(2) Make available to the general public records which are retrieved by a subject individual's name or other personal identifier or make available to the general public records which would otherwise not be available to the general public under the Freedom of Information Act, 5 U.S.C. 552, and Part 5 of this title.

(3) Govern the maintenance or disclosure of, notification of or access to, records in the possession of the Department which are subject to regulations of another agency, such as personnel records subject to the regulations of the Civil Service Commission.

(4) Apply to grantees, including State and local governments or subdivisions thereof, administering federally funded programs.

(5) Make available records compiled by the Department in reasonable anticipation of court litigation or formal administrative proceedings. The availability of such records to the general public or to any subject individual or party to such litigation or proceedings shall be governed by applicable constitutional principles, rules of discovery, and applicable regulations of the Department and any of its components.

§5b.3   Policy.

It is the policy of the Department to protect the privacy of individuals to the fullest extent possible while nonetheless permitting the exchange of records required to fulfill the administrative and program responsibilities of the Department, and responsibilities of the Department for disclosing records which the general public is entitled to have under the Freedom of Information Act, 5 U.S.C. 552, and part 5 of this title.

§5b.4   Maintenance of records.

(a) No record will be maintained by the Department unless:

(1) It is relevant and necessary to accomplish a Department function required to be accomplished by statute or Executive Order;

(2) It is acquired to the greatest extent practicable from the subject individual when maintenance of the record may result in a determination about the subject individual's rights, benefits or privileges under Federal programs;

(3) The individual providing the record is informed of the authority for providing the record (including whether the providing of the record is mandatory or voluntary, the principal purpose for maintaining the record, the routine uses for the record, what effect his refusal to provide the record may have on him), and if the record is not required by statute or Executive Order to be provided by the individual, he agrees to provide the record.

(b) No record will be maintained by the Department which describes how an individual exercises rights guaranteed by the First Amendment unless expressly authorized (1) by statute, or (2) by the subject individual, or (3) unless pertinent to and within the scope of an authorized law enforcement activity.

§5b.5   Notification of or access to records.

(a) Times, places, and manner of requesting notification of or access to a record. (1) Subject to the provisions governing medical records in §5b.6 of this part, any individual may request notification of a record. He may at the same time request access to any record pertaining to him. An individual may be accompanied by another individual of his choice when he requests access to a record in person; Provided, That he affirmatively authorizes the presence of such other individual during any discussion of a record to which access is requested.

(2) An individual making a request for notification of or access to a record shall address his request to the responsible Department official and shall verify his identity when required in accordance with paragraph (b)(2) of this section. At the time the request is made, the individual shall specify which systems of records he wishes to have searched and the records to which he wishes to have access. He may also request that copies be made of all or any such records. An individual shall also provide the responsible Department official with sufficient particulars to enable such official to distinguish between records on subject individuals with the same name. The necessary particulars are set forth in the notices of systems of records.

(3) An individual who makes a request in person may leave with any responsible Department official a request for notification of or access to a record under the control of another responsible Department official; Provided, That the request is addressed in writing to the appropriate responsible Department official.

(b) Verification of identity—(1) When required. Unless an individual, who is making a request for notification of or access to a record in person, is personally known to the responsible Department official, he shall be required to verify his identity in accordance with paragraph (b)(2) of this section if:

(i) He makes a request for notification of a record and the responsible Department official determines that the mere disclosure of the existence of the record would be a clearly unwarranted invasion of privacy if disclosed to someone other than the subject individual; or,

(ii) He makes a request for access to a record which is not required to be disclosed to the general public under the Freedom of Information Act, 5 U.S.C. 552, and part 5 of this title.

(2) Manner of verifying identity. (i) An individual who makes a request in person shall provide to the responsible Department official at least one piece of tangible identification such as a driver's license, passport, alien or voter registration card, or union card to verify his identity. If an individual does not have identification papers to verify his identity, he shall certify in writing that he is the individual who he claims to be and that he understands that the knowing and willful request for or acquisition of a record pertaining to an individual under false pretenses is a criminal offense under the Act subject to a $5,000 fine.

(ii) Except as provided in paragraph (b)(2)(v) of this section, an individual who does not make a request in person shall submit a notarized request to the responsible Department official to verify his identity or shall certify in his request that he is the individual who he claims to be and that he understands that the knowing and willful request for or acquisition of a record pertaining to an individual under false pretenses is a criminal offense under the Act subject to a $5,000 fine.

(iii) An individual who makes a request on behalf of a minor or legal incompetent as authorized under §5b.10 of this part shall verify his relationship to the minor or legal incompetent, in addition to verifying his own identity, by providing a copy of the minor's birth certificate, a court order, or other competent evidence of guardianship to the responsible Department official; except that, an individual is not required to verify his relationship to the minor or legal incompetent when he is not required to verify his own identity or when evidence of his relationship to the minor or legal incompetent has been previously given to the responsible Department official.

(iv) An individual shall further verify his identity if he is requesting notification of or access to sensitive records such as medical records. Any further verification shall parallel the record to which notification or access is being sought. Such further verification may include such particulars as the individual's years of attendance at a particular educational institution, rank attained in the uniformed services, date or place of birth, names of parents, an occupation or the specific times the individual received medical treatment.

(v) An individual who makes a request by telephone shall verify his identity by providing to the responsible Department official identifying particulars which parallel the record to which notification or access is being sought. If the responsible Department official determines that the particulars provided by telephone are insufficient, the requester will be required to submit the request in writing or in person. Telephone requests will not be accepted where an individual is requesting notification of or access to sensitive records such as medical records.

(c) Granting notification of or access to a record. (1) Subject to the provisions governing medical records in §5b.6 of this part and the provisions governing exempt systems in §5b.11 of this part, a responsible Department official, who receives a request for notification of or access to a record and, if required, verification of an individual's identity, will review the request and grant notification or access to a record, if the individual requesting access to the record is the subject individual.

(2) If the responsible Department official determines that there will be a delay in responding to a request because of the number of requests being processed, a breakdown of equipment, shortage of personnel, storage of records in other locations, etc., he will so inform the individual and indicate when notification or access will be granted.

(3) Prior to granting notification of or access to a record, the responsible Department official may at his discretion require an individual making a request in person to reduce his request to writing if the individual has not already done so at the time the request is made.

§5b.6   Special procedures for notification of or access to medical records.

(a) General. An individual in general has a right to notification of or access to his medical records, including psychological records, as well as to other records pertaining to him maintained by the Department. This section sets forth special procedures as permitted by the Act for notification of or access to medical records, including a special procedure for notification of or access to medical records of minors. The special procedures set forth in paragraph (b) of this section may not be suitable for use by every component of the Department. Therefore, components may follow the paragraph (b) procedure for notification of or access to medical records, or may issue regulations establishing special procedures for such purposes. The special procedure set forth in paragraph (c) of this section relating to medical records of minors is mandatory.

(b) Medical records procedures—(1) Notification of or access to medical records. (i) Any individual may request notification of or access to a medical record pertaining to him. Unless the individual is a parent or guardian requesting notification of or access to a minor's medical record, an individual shall make a request for a medical record in accordance with this section and the procedures in §5b.5 of this part.

(ii) An individual who requests notification of or access to a medical record shall, at the time the request is made, designate a representative in writing. The representative may be a physician, other health professional, or other responsible individual, who would be willing to review the record and inform the subject individual of its contents at the representative's discretion.

(2) Utilization of the designated representative. A subject individual will be granted direct access to a medical record if the responsible official determines that direct access is not likely to have an adverse effect on the subject individual. If the responsible Department official believes that he is not qualified to determine, or if he does determine, that direct access to the subject individual is likely to have an adverse effect on the subject individual, the record will be sent to the designated representative. The subject individual will be informed in writing that the record has been sent.

(c) Medical records of minors—(1) Requests by minors; notification of or access to medical records to minors. A minor may request notification of or access to a medical record pertaining to him in accordance with paragraph (b) of this section.

(2) Requests on a minor's behalf; notification of or access to medical records to an individual on a minor's behalf. (i) In order to protect the privacy of a minor, a parent or guardian, authorized to act on a minor's behalf as provided in §5b.10 of this part, who makes a request for notification of or access to a minor's medical record will not be given direct notification of or access to such record.

(ii) A parent or guardian shall make all requests for notification of or access to a minor's medical record in accordance with this paragraph and the procedures in §5b.5 of this part. A parent or guardian shall at the time he makes a request designate a family physician or other health professional (other than a family member) to whom the record, if any, will be sent.

(iii) Where a medical record on the minor exists, it will be sent to the physician or health professional designated by the parent or guardian in all cases. If disclosure of the record would constitute an invasion of the minor's privacy, that fact will be brought to the attention of the physician or health professional to whom the record is sent. The physician or health professional will be asked to consider the effect that disclosure of the record to the parent or guardian would have on the minor in determining whether the minor's medical record should be made available to the parent or guardian. Response to the parent or guardian making the request will be made in substantially the following form:

We have completed processing your request for notification of or access to

____________________'s

         (Name of minor)

medical records. Please be informed that if any medical record were found pertaining to that individual, they have not been sent to your designated physician or health professional.

In each case where a minor's medical record is sent to a physician or health professional, reasonable efforts will be made to so inform the minor.

§5b.7   Procedures for correction or amendment of records.

(a) Any subject individual may request that his record be corrected or amended if he believes that the record is not accurate, timely, complete, or relevant or necessary to accomplish a Department function. A subject individual making a request to amend or correct his record shall address his request to the responsible Department official in writing; except that, the request need not be in writing if the subject individual makes his request in person and the responsible Department official corrects or amends the record at that time. The subject individual shall specify in each request:

(1) The system of records from which the record is retrieved;

(2) The particular record which he is seeking to correct or amend;

(3) Whether he is seeking an addition to or a deletion or substitution of the record; and,

(4) His reasons for requesting correction or amendment of the record.

(b) A request for correction or amendment of a record will be acknowledged within 10 working days of its receipt unless the request can be processed and the subject individual informed of the responsible Department official's decision on the request within that 10 day period.

(c) If the responsible Department official agrees that the record is not accurate, timely, or complete based on a preponderance of the evidence, the record will be corrected or amended. The record will be deleted without regard to its accuracy, if the record is not relevant or necessary to accomplish the Department function for which the record was provided or is maintained. In either case, the subject individual will be informed in writing of the correction, amendment, or deletion and, if accounting was made of prior disclosures of the record, all previous recipients of the record will be informed of the corrective action taken.

(d) If the responsible Department official does not agree that the record should be corrected or amended, the subject individual will be informed in writing of the refusal to correct or amend the record. He will also be informed that he may appeal the refusal to correct or amend his record to the appropriate appeal authority listed in §5b.8 of this part. The appropriate appeal authority will be identified to the subject individual by name, title, and business address.

(e) Requests to correct or amend a record governed by the regulation of another government agency, e.g., Civil Service Commission, Federal Bureau of Investigation, will be forwarded to such government agency for processing and the subject individual will be informed in writing of the referral.

§5b.8   Appeals of refusals to correct or amend records.

(a) Processing the appeal. (1) A subject individual who disagrees with a refusal to correct or amend his record may appeal the refusal in writing. All appeals shall be made to the following appeal authorities, or their designees, or successors in function:

(i) Assistant Secretary for Administration and Management for records of the Office of the Secretary, or where the initial refusal to correct or amend was made by another appeal authority. The appeal authority for an initial refusal by the Assistant Secretary for Administration and Management is the Under Secretary.

(ii) Assistant Secretary for Health for records of the Public Health Service including Office of Assistant Secretary for Health; Health Resources Administration; Health Services Administration; Alcohol, Drug Abuse, and Mental Health Administration; Center for Disease Control; National Institutes of Health; and Food and Drug Administration.

(iii) Assistant Secretary for Education for records of the Office of the Assistant Secretary for Education, National Center for Education Statistics, National Institute of Education, and Office of Education.

(iv) Assistant Secretary for Human Development for records of the Office of Human Development.

(v) Commissioner of Social Security for records of the Social Security Administration.

(vi) Administrator, Social and Rehabilitation Service for the records of the Social and Rehabilitation Service.

(2) An appeal will be completed within 30 working days from its receipt by the appeal authority; except that, the appeal authority may for good cause extend this period for an additional 30 days. Should the appeal period be extended, the subject individual appealing the refusal to correct or amend the record will be informed in writing of the extension and the circumstances of the delay. The subject individual's request to amend or correct the record, the responsible Department official's refusal to correct or amend, and any other pertinent material relating to the appeal will be reviewed. No hearing will be held.

(3) If the appeal authority agrees that the record subject to the appeal should be corrected or amended, the record will be amended and the subject individual will be informed in writing of the correction or amendment. Where an accounting was made of prior disclosures of the record, all previous recipients of the record will be informed of the corrective action taken.

(4) If the appeal is denied, the subject individual will be informed in writing:

(i) Of the denial and the reasons for the denial;

(ii) That he has a right to seek judicial review of the denial; and,

(iii) That he may submit to the responsible Department official a concise statement of disagreement to be associated with the disputed record and disclosed whenever the record is disclosed.

(b) Notation and disclosure of disputed records. Whenever a subject individual submits a statement of disagreement to the responsible Department official in accordance with paragraph (a)(4)(iii) of this section, the record will be noted to indicate that it is disputed. In any subsequent disclosure, a copy of the subject individual's statement of disagreement will be disclosed with the record. If the responsible Department official deems it appropriate, a concise statement of the appeal authority's reasons for denying the subject individual's appeal may also be disclosed with the record. While the subject individual will have access to this statement of reasons, such statement will not be subject to correction or amendment. Where an accounting was made of prior disclosures of the record, all previous recipients of the record will be provided a copy of the subject individual's statement of disagreement, as well as the statement, if any, of the appeal authority's reasons for denying the subject individual's appeal.

§5b.9   Disclosure of records.

(a) Consent to disclosure by a subject individual. (1) Except as provided in paragraph (b) of this section authorizing disclosures of records without consent, no disclosure of a record will be made without the consent of the subject individual. In each case the consent, whether obtained from the subject individual at the request of the Department or whether provided to the Department by the subject individual on his own initiative, shall be in writing. The consent shall specify the individual, organizational unit or class of individuals or organizational units to whom the record may be disclosed, which record may be disclosed and, where applicable, during which time frame the record may be disclosed (e.g., during the school year, while the subject individual is out of the country, whenever the subject individual is receiving specific services). A blanket consent to disclose all of a subject individual's records to unspecified individuals or organizational units will not be honored. The subject individual's identity and, where applicable (e.g., where a subject individual gives consent to disclosure of a record to a specific individual), the identity of the individual to whom the record is to be disclosed shall be verified.

(2) A parent or guardian of any minor is not authorized to give consent to a disclosure of the minor's medical record.

(b) Disclosures without the consent of the subject individual. The disclosures listed in this paragraph may be made without the consent of the subject individual. Such disclosures are:

(1) To those officers and employees of the Department who have a need for the record in the performance of their duties. The responsible Department official may upon request of any officer or employee, or on his own initiative, determine what constitutes legitimate need.

(2) Required to be disclosed under the Freedom of Information Act, 5 U.S.C. 552, and part 5 of this title.

(3) For a routine use as defined in paragraph (j) of §5b.1 of this part. Routine uses will be listed in any notice of a system of records. Routine uses published in appendix B are applicable to more than one system of records. Where applicable, notices of systems of records may contain references to the routine uses listed in appendix B. Appendix B will be published with any compendium of notices of systems of records.

(4) To the Bureau of the Census for purposes of planning or carrying out a census or survey or related activity pursuant to the provisions of Title 13 U.S.C.

(5) To a recipient who has provided the agency with advance written assurance that the record will be used solely as a statistical research or reporting record; Provided, That, the record is transferred in a form that does not identify the subject individual.

(6) To the National Archives of the United States as a record which has sufficient historical or other value to warrant its continued preservation by the United States Government, or for evaluation by the Administrator of General Services or his designee to determine whether the record has such value.

(7) To another government agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity if the activity is authorized by law, and if the head of such government agency or instrumentality has submitted a written request to the Department specifying the record desired and the law enforcement activity for which the record is sought.

(8) To an individual pursuant to a showing of compelling circumstances affecting the health or safety of any individual if a notice of the disclosure is transmitted to the last known address of the subject individual.

(9) To either House of Congress, or to the extent of matter within its jurisdiction, any committee or subcommittee thereof, any joint committee of Congress or subcommittee of any such joint committee.

(10) To the Comptroller General, or any of his authorized representatives, in the course of the performance of the duties of the General Accounting Office.

(11) Pursuant to the order of a court of competent jurisdiction.

(c) Accounting of disclosures. (1) An accounting of all disclosures of a record will be made and maintained by the Department for 5 years or for the life of the record, whichever is longer; except that, such an accounting will not be made:

(i) For disclosures under paragraphs (b) (1) and (2) of this section; and,

(ii) For disclosures made with the written consent of the subject individual.

(2) The accounting will include:

(i) The date, nature, and purpose of each disclosure; and

(ii) The name and address of the person or entity to whom the disclosure is made.

(3) Any subject individual may request access to an accounting of disclosures of a record. The subject individual shall make a request for access to an accounting in accordance with the procedures in §5b.5 of this part. A subject individual will be granted access to an accounting of the disclosures of a record in accordance with the procedures of this part which govern access to the related record. Access to an accounting of a disclosure of a record made under paragraph (b)(7) of this section may be granted at the discretion of the responsible Department official.

§5b.10   Parents and guardians.

For the purpose of this part, a parent or guardian of any minor or the legal guardian or any individual who has been declared incompetent due to physical or mental incapacity or age by a court of competent jurisdiction is authorized to act on behalf of an individual or a subject individual. Except as provided in paragraph (b)(2) of §5b.5, of this part governing procedures for verifying an individual's identity, and paragraph (c) (2) of §5b.6 of this part governing special procedures for notification of or access to a minor's medical records, an individual authorized to act on behalf of a minor or legal incompetent will be viewed as if he were the individual or subject individual.

§5b.11   Exempt systems.

(a) General policy. The Act permits certain types of specific systems of records to be exempt from some of its requirements. It is the policy of the Department to exercise authority to exempt systems of records only in compelling cases.

(b) Specific systems of records exempted. (1) Those systems of records listed in paragraph (b)(2) of this section are exempt from the following provisions of the Act and this part:

(i) 5 U.S.C. 552a(c)(3) and paragraph (c)(2) of §5b.9 of this part which require a subject individual to be granted access to an accounting of disclosures of a record.

(ii) 5 U.S.C. 552a(d) (1) through (4) and (f) and §§5b.6, 5b.7, and 5b.8 of this part relating to notification of or access to records and correction or amendment of records.

(iii) 5 U.S.C. 552a(e)(4) (G) and (H) which require inclusion of information about Department procedures for notification, access, and correction or amendment of records in the notice for the systems of records.

(iv) 5 U.S.C. 552(e)(3) and paragraph (a)(3) of §5b.4 of this part which require that an individual asked to provide a record to the Department be informed of the authority for providing the record (including whether the providing of the record is mandatory or voluntary, the principal purposes for maintaining the record, the routine uses for the record, and what effect his refusal to provide the record may have on him), and if the record is not required by statute or Executive Order to be provided by the individual, he agrees to provide the record. This exemption applies only to an investigatory record compiled by the Department for criminal law enforcement purposes in a system of records exempt under subsection (j)(2) of the Act to the extent that these requirements would prejudice the conduct of the investigation.

(2) The following systems of records are exempt from those provisions of the Act and this part listed in paragraph (b) (1) of this section.

(i) Pursuant to subsection (j)(2) of the Act:

(A) The Saint Elizabeths Hospital's Court-Ordered Forensic Investigatory Materials Files; and

(B) The Investigatory Material Compiled for Law Enforcement Purposes System, HHS.

(ii) Pursuant to subsection (k)(2) of the Act:

(A) The General Criminal Investigation Files, HHS/SSA;

(B) The Criminal Investigations File, HHS/SSA; and,

(C) The Program Integrity Case Files, HHS/SSA.

(D) Civil and Administrative Investigative Files of the Inspector General, HHS/OS/OIG.

(E) Complaint Files and Log. HHS/OS/OCR.

(F) Investigative materials compiled for law enforcement purposes for the Healthcare Integrity and Protection Data Bank (HIPDB), of the Office of Inspector General. (See §61.15 of this title for access and correction rights under the HIPDB by subjects of the Data Bank.)

(G) Investigative materials compiled for law enforcement purposes for the Program Information Management System, HHS/OS/OCR.

(H) Investigative materials compiled for law enforcement purposes from the CMS Fraud Investigation Database (FID), HHS/CMS.

(I) Investigative materials compiled for law enforcement purposes from the Automated Survey Processing Environment (ASPEN) Complaints/ Incidents Tracking System (ACTS), HHS/CMS.

(J) Investigative materials compiled for law enforcement purposes from the Health Insurance Portability and Accountability Act (HIPAA) Information Tracking System (HITS), HHS/CMS.

(K) Investigative materials compiled for law enforcement purposes from the Organ Procurement Organizations System (OPOS), HHS/CMS.

(L) Investigative materials compiled for law enforcement purposes for the National Practitioner Data Bank (NPDB). (See §60.21 of this subchapter for access and correction rights under the NPDB by subjects of the Data Bank.)

(iii) Pursuant to subsection (k)(4) of the Act:

(A) The Health and Demographic Surveys Conduct in Random Samples of the U.S. Population;

(B) The Health Manpower Inventories and Surveys;

(C) The Vital Statistics for Births, Deaths, Fetal Deaths, Marriages and Divorces Occurring in the U.S. during Each Year; and,

(D) The Maryland Psychiatric Case Register.

(E) The Health Resources Utilization Statistics, DHHS/OASH/NCHS.

(F) National Medical Expenditure Survey Records. HHS/OASH/NCHSR.

(iv) Pursuant to subsection (k)(5) of the Act:

(A) The Investigatory Material Compiled for Security and Suitability Purposes System, HHS; and,

(B) The Suitability for Employment Records, HHS.

(v) Pursuant to subsections (j)(2), (k)(2), and (k)(5) of the Act:

(A) The Clinical Investigatory Records, HHS/FDA;

(B) The Regulated Industry Employee Enforcement Records, HHS/FDA;

(C) The Employee Conduct Investigative Records, HHS/FDA; and,

(D) The Service Contractor Employee Investigative Records, HHS/FDA.

(vi) Pursuant to subsection (k)(6) of the Act:

(A) The Personnel Research and Merit Promotion Test Records, HHS/SSA/OMA.

(vii) Pursuant to subsections (k)(2) and (k)(5) of the Act:

(A) Public Health Service Records Related to Investigations of Scientific Misconduct, HHS/OASH/ORI.

(B) Administration: Investigative Records, HHS/NIH/OM/OA/OMA.

(C) FDA Records Related to Research Misconduct Proceedings, HHS/FDA/OC, 09-10-0020.

(D) NIH Records Related to Research Misconduct Proceedings, HHS/NIH, 09-25-0223.

(c) Notification of or access to records in exempt systems of records. (1) Where a system of records is exempt as provided in paragraph (b) of this section, any individual may nonetheless request notification of or access to a record in that system. An individual shall make requests for notification of or access to a record in an exempt system of records in accordance with the procedures of §§5b.5 and 5b.6 of this part.

(2) An individual will be granted notification of or access to a record in an exempt system but only to the extent such notification or access would not reveal the identity of a source who furnished the record to the Department under an express promise, and prior to September 27, 1975 an implied promise, that his identity would be held in confidence, if:

(i) The record is in a system of records which is exempt under subsection (k)(2) of the Act and the individual has been, as a result of the maintenance of the record, denied a right, privilege, or benefit to which he would otherwise be eligible; or,

(ii) The record is in a system of records which is exempt under subsection (k)(5) of the Act.

(3) If an individual is not granted notification of or access to a record in a system of records exempt under subsections (k) (2) and (5) of the Act in accordance with this paragraph, he will be informed that the identity of a confidential source would be revealed if notification of or access to the record were granted to him.

(d) Discretionary actions by the responsible Department official. Unless disclosure of a record to the general public is otherwise prohibited by law, the responsible Department official may in his discretion grant notification of or access to a record in a system of records which is exempt under paragraph (b) of this section. Discretionary notification of or access to a record in accordance with this paragraph will not be a precedent for discretionary notification of or access to a similar or related record and will not obligate the responsible Department official to exercise his discretion to grant notification of or access to any other record in a system of records which is exempt under paragraph (b) of this section.

[40 FR 47409, Oct. 8, 1975, as amended at 43 FR 40229, Sept. 11, 1978; 47 FR 57040, Dec. 22, 1982; 49 FR 14108, Apr. 10, 1984; 51 FR 41352, Nov. 14, 1986; 59 FR 36717, July 19, 1994; 65 FR 34988, June 1, 2000; 65 FR 37289, June 14, 2000; 68 FR 62751, Nov. 6, 2003; 73 FR 55775, Sept. 26, 2008; 76 FR 72327, Nov. 23, 2011; 78 FR 39186, 39188, July 1, 2013; 78 FR 47211, Aug. 5, 2013]

§5b.12   Contractors.

(a) All contracts entered into on or after September 27, 1975 which require a contractor to maintain or on behalf of the Department to maintain, a system of records to accomplish a Department function must contain a provision requiring the contractor to comply with the Act and this part.

(b) All unexpired contracts entered into prior to September 27, 1975 which require the contractor to maintain or on behalf of the Department to maintain, a system of records to accomplish a Department function will be amended as soon as practicable to include a provision requiring the contractor to comply with the Act and this part. All such contracts must be so amended by July 1, 1976 unless for good cause the appeal authority identified in §5b.8 of this part authorizes the continuation of the contract without amendment beyond that date.

(c) A contractor and any employee of such contractor shall be considered employees of the Department only for the purposes of the criminal penalties of the Act, 5 U.S.C. 552a(i), and the employee standards of conduct listed in appendix A of this part where the contract contains a provision requiring the contractor to comply with the Act and this part.

(d) This section does not apply to systems of records maintained by a contractor as a result of his management discretion, e.g., the contractor's personnel records.

§5b.13   Fees.

(a) Policy. Where applicable, fees for copying records will be charged in accordance with the schedule set forth in this section. Fees may only be charged where an individual requests that a copy be made of the record to which he is granted access. No fee may be charged for making a search of the system of records whether the search is manual, mechanical, or electronic. Where a copy of the record must be made in order to provide access to the record (e.g., computer printout where no screen reading is available), the copy will be made available to the individual without cost. Where a medical record is made available to a representative designated by the individual or to a physician or health professional designated by a parent or guardian under §5b.6 of this part, no fee will be charged.

(b) Fee schedule. The fee schedule for the Department is as follows:

(1) Copying of records susceptible to photocopying—$.10 per page.

(2) Copying records not susceptible to photocopying (e.g., punch cards or magnetic tapes)—at actual cost to be determined on a case-by-case basis.

(3) No charge will be made if the total amount of copying does not exceed $25.

Appendix A to Part 5b—Employee Standards of Conduct

(a) General. All employees are required to be aware of their responsibilities under the Privacy Act of 1974, 5 U.S.C. 552a. Regulations implementing the Act are set forth in 45 CFR 5b. Instruction on the requirements of the Act and regulation shall be provided to all new employees of the Department. In addition, supervisors shall be responsible for assuring that employees who are working with systems of records or who undertake new duties which require the use of systems of records are informed of their responsibilities. Supervisors shall also be responsible for assuring that all employees who work with such systems of records are periodically reminded of the requirements of the Act and are advised of any new provisions or interpretations of the Act.

(b) Penalties. (1) All employees must guard against improper disclosure f records which are governed by the Act. Because of the serious consequences of improper invasions of personal privacy, employees may be subject to disciplinary action and criminal prosecution for knowing and willful violations of the Act and regulation. In addition, employees may also be subject to disciplinary action for unknowing or unwillful violations, where the employee had notice of the provisions of the Act and regulations and failed to inform himself sufficiently or to conduct himself in accordance with the requirements to avoid violations.

(2) The Department may be subjected to civil liability for the following actions undertaken by its employees:

(a) Making a determination under the Act and §§5b.7 and 5b.8 of the regulation not to amend an individual's record in accordance with his request, or failing to make such review in conformity with those provisions;

(b) Refusing to comply with an individual's request for notification of or access to a record pertaining to hiem;

(c) Failing to maintain any record pertaining to any individual with such accuracy, relevance, timeliness, and completeness as is necessary to assure fairness in any determination relating to the qualifications, character, rights, or opportunities of, or benefits to the individual that may be made on the basis of such a record, and consequently a determination is made which is adverse to the individual; or

(d) Failing to comply with any other provision of the Act or any rule promulgated thereunder, in such a way as to have an adverse effect on an individual.

(3) An employee may be personally subject to criminal liability as set forth below and in 5 U.S.C. 552a (i):

(a) Any officer or employee of an agency, who by virtue of his employment or official position, has possession of, or access to, agency records which contain individually identifiable information the disclosure of which is prohibited by the Act or by rules or regulations established thereunder, and who, knowing that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.

(b) Any officer or employee of any agency who willfully maintains a system of records without meeting the notice requirements [of the Act] shall be guilty of a misdemeanor and fined not more than $5,000.

(c) Rules Governing Employees Not Working With Systems of Records. Employees whose duties do not involve working with systems of records will not generally disclose to any one, without specific authorization from their supervisors, records pertaining to employees or other individuals which by reason of their official duties are available to them. Notwithstanding the above, the following records concerning Federal employees are a matter of public record and no further authorization is necessary for disclosure:

(1) Name and title of individual.

(2) Grade classification or equivalent and annual rate of salary.

(3) Position description.

(4) Location of duty station, including room number and telephone number.

In addition, employees shall disclose records which are listed in the Department's Freedom of Information Regulation as being available to the public. Requests for other records will be referred to the responsible Department official. This does not preclude employees from discussing matters which are known to them personally, and without resort to a record, to official investigators of Federal agencies for official purposes such as suitability checks, Equal Employment Opportunity investigations, adverse action proceedings, grievance proceedings, etc.

(d) Rules governing employees whose duties require use or reference to systems of records. Employees whose official duties require that they refer to, maintain, service, or otherwise deal with systems of records (hereinafter referred to as “Systems Employees”) are governed by the general provisions. In addition, extra precautions are required and systems employees are held to higher standards of conduct.

(1) Systems Employees shall:

(a) Be informed with respect to their responsibilities under the Act;

(b) Be alert to possible misuses of the system and report to their supervisors any potential or actual use of the system which they believe is not in compliance with the Act and regulation;

(c) Make a disclosure of records within the Department only to an employee who has a legitimate need to know the record in the course of his official duties;

(d) Maintain records as accurately as practicable.

(e) Consult with a supervisor prior to taking any action where they are in doubt whether such action is in conformance with the Act and regulation.

(2) Systems Employees shall not:

(a) Disclose in any form records from a system of records except (1) with the consent or at the request of the subject individual; or (2) where its disclosure is permitted under §5b.9 of the regulation.

(b) Permit unauthorized individuals to be present in controlled areas. Any unauthorized individuals observed in controlled areas shall be reported to a supervisor or to the guard force.

(c) Knowingly or willfully take action which might subject the Department to civil liability.

(d) Make any arrangements for the design development, or operation of any system of records without making reasonable effort to provide that the system can be maintained in accordance with the Act and regulation.

(e) Contracting officers. In addition to any applicable provisions set forth above, those employees whose official duties involve entering into contracts on behalf of the Department shall also be governed by the following provisions:

(1) Contracts for design, or development of systems and equipment. No contract for the design or development of a system of records, or for equipment to store, service or maintain a system of records shall be entered into unless the contracting officer has made reasonable effort to ensure that the product to be purchased is capable of being used without violation of the Act or regulation. Special attention shall be given to provision of physical safeguards.

(2) Contracts for the operation of systems of records. A review by the Contracting Officer, in conjunction with other officials whom he feels appropriate, of all proposed contracts providing for the operation of systems of records shall be made prior to execution of the contracts to determine whether operation of the system of records is for the purpose of accomplishing a Department function. If a determination is made that the operation of the system is to accomplish a Department function, the contracting officer shall be responsible for including in the contract appropriate provisions to apply the provisions of the Act and regulation to the system, including prohibitions against improper release by the contractor, his employees, agents, or subcontractors.

(3) Other service contracts. Contracting officers entering into general service contracts shall be responsible for determining the appropriateness of including provisions in the contract to prevent potential misuse (inadvertent or otherwise) by employees, agents, or subcontractors of the contractor.

(f) Rules Governing Responsible Department Officials. In addition to the requirements for Systems Employees, responsible Department officials shall:

(1) Respond to all requests for notification of or access, disclosure, or amendment of records in a timely fashion in accordance with the Act and regulation;

(2) Make any amendment of records accurately and in a timely fashion;

(3) Inform all persons whom the accounting records show have received copies of the record prior to the amendments of the correction; and

(4) Associate any statement of disagreement with the disputed record, and

(a) Transmit a copy of the statement to all persons whom the accounting records show have received a copy of the disputed record, and

(b) Transmit that statement with any future disclosure.

Appendix B to Part 5b—Routine Uses Applicable to More Than One System of Records Maintained by HHS

(1) In the event that a system of records maintained by this agency or carry out its functions indicates a violation or potential violation of law, whether civil, criminal or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule or order issued pursuant thereto, the relevant records in the system of records may be referred, as a routine use, to the appropriate agency, whether federal, or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, or rule, regulation or order issued pursuant thereto.

(2) Referrals may be made of assignments of research investigators and project monitors to specific research projects to the Smithsonian Institution to contribute to the Smithsonian Science Information Exchange, Inc.

(3) In the event the Department deems it desirable or necessary, in determining whether particular records are required to be disclosed under the Freedom of Information Act, disclosure may be made to the Department of Justice for the purpose of obtaining its advice.

(4) A record from this system of records may be disclosed as a “routine use” to a federal, state or local agency maintaining civil, criminal or other relevant enforcement records or other pertinent records, such as current licenses, if necessary to obtain a record relevant to an agency decision concerning the hiring or retention of an employee, the issuance of a security clearance, the letting of a contract, or the issuance of a license, grant or other benefit.

A record from this system of records may be disclosed to a Federal agency, in response to its request, in connection with the hiring or retention of an employee, the issuance of a security clearance, the reporting of an investigation of an employee, the letting of a contract, or the issuance of a license, grant, or other benefit by the requesting agency, to the extent that the record is relevant and necessary to the requesting agency's decision on the matter.

(5) In the event that a system of records maintained by this agency to carry out its function indicates a violation or potential violation of law, whether civil, criminal or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule or order issued pursuant thereto, the relevant records in the system of records may be referred, as a routine use, to the appropriate agency, whether state or local charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, or rule, regulation or order issued pursuant thereto.

(6) Where Federal agencies having the power to subpoena other Federal agencies' records, such as the Internal Revenue Service or the Civil Rights Commission, issue a subpoena to the Department for records in this system of records, the Department will make such records available.

(7) Where a contract between a component of the Department and a labor organization recognized under E.O. 11491 provides that the agency will disclose personal records relevant to the organization's mission, records in this system of records may be disclosed to such organization.

(8) Where the appropriate official of the Department, pursuant to the Department's Freedom of Information Regulation determines that it is in the public interest to disclose a record which is otherwise exempt from mandatory disclosure, disclosure may be made from this system of records.

(9) The Department contemplates that it will contract with a private firm for the purpose of collating, analyzing, aggregating or otherwise refining records in this system. Relevant records will be disclosed to such a contractor. The contractor shall be required to maintain Privacy Act safeguards with respect to such records.

(10)-(99) [Reserved]

(100) To the Department of Justice or other appropriate Federal agencies in defending claims against the United States when the claim is based upon an individual's mental or physical condition and is alleged to have arisen because of activities of the Public Health Service in connection with such individual.

(101) To individuals and organizations, deemed qualified by the Secretary to carry out specific research solely for the purpose of carrying out such research.

(102) To organizations deemed qualified by the Secretary to carry out quality assessment, medical audits or utilization review.

(103) Disclosures in the course of employee discipline or competence determination proceedings.

Appendix C to Part 5b—Delegations of Authority [Reserved]



For questions or comments regarding e-CFR editorial content, features, or design, email ecfr@nara.gov.
For questions concerning e-CFR programming and delivery issues, email webteam@gpo.gov.