Federal agencies will be required to comply with both the Privacy Act of 1974 (5 U.S.C. § 552a) and the HIPAA regulation. The Privacy Act provides Federal agencies with a framework and scheme for protecting privacy, and the HIPAA regulation will not alter that scheme. Basic organizational and management features, such as the provision of safeguards to protect the privacy of health information and training for employees -- which are required by this proposed rule -- already are required by the Privacy Act.
The proposed rule has been designed so that individuals will not have fewer rights than they have now under the Privacy Act. It may require that agencies obtain individual authorization for some disclosures that they now make without authorization under routine uses.
Private-sector organizations with contracts to conduct personal data handling activities for the Federal government are subject to the Privacy Act by virtue of performing a function on behalf of a Federal agency. They too will be required to comply with both rules in the same manner as Federal agencies.