Privacy and Health Research. The Federal Privacy Act (99)


The Privacy Act of 1974 covers personally identifiable data held by the Federal government, no matter what their source or subject, that are stored in "systems of records" from which data are retrieved by personal identifiers. Thus it covers regulatory data held by the Food and Drug Administration, statistical data held by the National Center for Health Statistics, public- health surveillance data held by the Centers for Disease Control, and the like. It requires that agencies announce in the Federal Register the purposes and uses of the system of records, and that notice be provided to the data-subjects. It provides that individuals must be allowed upon request to see information about themselves. And it prohibits disclosure of data without the consent of the data-subject, except in some special circumstances set out in the Act.

However, under the Privacy Act the Federal agencies are allowed wide discretion in making disclosures pursuant to their mandates. They may designate information as being eligible for "routine use" disclosure without the consent of the data-subjects if it is "for a purpose which is compatible with the purpose for which it was collected." "Routine uses" must be announced in the Federal Register, and the conditions on use are restrictive.

The Department of Health and Human Services provides for "routine use" disclosure of specified data sets for health research, imposing conditions on disclosure and use.100

The Privacy Act has been widely noted to have serious weaknesses, among them that:101

  • It does not cover data held outside the Federal government.
  • It covers only data about U.S. citizens and aliens permanently residing in the U.S., not data about citizens of other countries.
  • Its "routine use" provision is lax.
  • Few legal avenues are provided for citizens to seek injunctive or other relief if they believe their rights are being violated.
  • Its protections do not continue after the death of the data-subject.

The Privacy Act does not negate the provisions of the Freedom of Information Act (the law that provides "transparency" in Federal records by allowing citizens access to them).102 Exemption 6 of the Freedom of Information Act states that the Act does not apply to "personal and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy." A few Freedom of Information demands for access to personally identifiable health data have succeeded, but for the most part health-research data have been defended.103

(99) 5 United States Code 552a.

(100) 5 United States Code 552a(e)(4)(D).

(101) For critique of the Privacy Act, see Schwartz and Reidenberg, as cited in endnote (83).

(102) 5 United States Code 552.

(103) See Gostin, as cited in endnote (4), pp. 501–503.