Privacy Legislation and Regulations
CDC provides technical support and education to CDC employees, grantees, partners, and state and local health departments on the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, the Family Educational Rights and Privacy Act (FERPA), and other privacy laws and regulations.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was designed to facilitate health insurance reform, implement standards for the transfer of health data, and protect the privacy of healthcare consumers.
The HIPAA Privacy Rule (45 CFR Parts 160 and 164) regulates the use and disclosure of individually identifiable health information, called protected health information (PHI), by entities subject to the Privacy Rule, called covered entities. Health plans, health care clearinghouses, and providers who transmit health information in electronic form in connection with specified transactions are covered entities. The Privacy Rule protects all PHI that is transmitted or maintained in any form or medium (e.g. electronic, paper, or oral) by a covered entity or its business associate, but excludes certain educational and employment records.
The Privacy Rule generally prohibits the use or disclosure of PHI without the written authorization of the individual. There are several exceptions to this requirement including an exception for public health. Without individual authorization a covered entity may disclose PHI to a public health authority that is legally authorized to collect information for the purposes of preventing or controlling disease, injury, or disability including, but not limited to reporting of disease, injury, and vital events, and conducting public health surveillance, investigations and interventions. The Privacy Rule also permits disclosures that are required by law. It contains separate provisions for disclosure when the disclosure is for research.
The Privacy Rule gives individuals certain rights in respect to their health information including, but not limited to the right to inspect and request corrections or amendments to their PHI. The Privacy Rule requires covered entities to notify individuals or their privacy rights and how their PHI will be used and disclosed.
For more information:
The Office for Civil Rights has oversight and enforcement responsibilities for the Privacy Rule. The website contains the text of the HIPAA Privacy Rule, comprehensive guidance and answers to hundreds of questions.
CDC and the U.S. Department of Health and Human Services published guidance on the HIPAA Privacy Rule and public health.
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. §1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. Health care information is generally part of the education record. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
FERPA gives parents certain rights with respect to their child’s education record. These rights include the right to inspect and request corrections to the record. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level.
FERPA generally prohibits the disclosure of any personally identifiable information contained in an education record without the appropriate written consent. There are limited exceptions to this requirement.
For more information:
The U.S. Department of Education website contains the text of FERPA and comprehensive information on the law.
- Page last reviewed: June 29, 2017
- Page last updated: April 10, 2015
- Content source:
- Office of the Associate Director for Science