NRPM: Standards for Privacy of Individually Identifiable Health Information. a. The Privacy Act.


The Privacy Act of 1974, 5 U.S.C. 552a, is not preempted or amended by part C of title XI. The Privacy Act applies to all federal agencies, and to certain federal contractors who operate Privacy Act protected systems of records on behalf of federal agencies. It does not, however, apply to non-federal entities that are reached by part C. While the proposed rules are applicable to federal and non-federal entities, they are not intended to create any conflict with Privacy Act requirements. In any situation where compliance with the proposed rules would lead a federal entity to a result contrary to the Privacy Act, the Privacy Act controls. In sections of the proposed rules which might otherwise create the appearance of a conflict with Privacy Act requirements, entities subject to the Privacy Act are directed to continue to comply with Privacy Act requirements.

Because the Privacy Act gives federal agencies the authority to promulgate agency-specific implementing regulations, and because the Privacy Act also allows agencies to publish routine uses that have the status of exceptions to the Privacy Act’s general rule prohibiting disclosure of Privacy Act protected information to third parties, the issue of possible conflicts between the proposed Administrative Simplification rules and existing Privacy Act rules and routine uses must be addressed. Where the federal program at issue is one of the ones that Congress explicitly intended to have the Administrative Simplification standards and implementation specifications apply to, by including them in the definition of “health plan” in section 1171, we think that there is evidence that the Administrative Simplification standards and implementation specifications should prevail over contrary exercises of discretion under those programs. That is, to the extent that a routine use is truly discretionary to an agency which is also a covered entity under section 1172(a), the agency would not have discretion to ignore the Administrative Simplification regulations. It is possible, however, that in some cases there might be underlying federal statutes that call for disclosure of certain types of information, and routine uses could be promulgated as the only way to implement those statutes and still comply with the Privacy Act. If this were to happen or be the case, the routine use should prevail.