Skip to Main Content

Privacy Act of 1974

The Privacy Act of 1974, as amended at 5 United States Code (U.S.C.) 552a, protects records that can be retrieved by personal identifiers such as a name, social security number, or other identifying number or symbol. An individual is entitled access to his or her records and to request correction of these records as applicable.

The Privacy Act prohibits disclosure of these records without an individual's written consent unless one of the twelve disclosure exceptions enumerated in the Act applies. These records are held in Privacy Act Systems of Records (SOR). A notice of any such system is published in the Federal Register. These notices identify the legal authority for collecting and storing the records, individuals about whom records will be collected, what kinds of information will be collected, and the routine uses for the records.

As with the Freedom of Information Act (FOIA), the Privacy Act binds only Federal agencies, and covers only records in the possession and control of Federal agencies.

In addition to the Privacy Act, the Centers for Medicare & Medicaid Services (CMS) is required to follow the Department of Health and Human Services (DHHS) Privacy Act Regulations at 45 Code of Federal Regulations (C.F.R.) Part 5b.

Inquiries concerning the Privacy Act should be directed to the CMS Privacy Officer at (410)786-5357.

How to Make a Privacy Act Request

Requests for Privacy Act records should be directed to the appropriate System Manager of the system where the records are stored.  This System Manager is identified in the System of Records (SOR) notice. The notice also contains access and notification procedures. See the link below for "CMS Systems of Records (SOR).