Privacy Act of 1974 and HIPAA Privacy Rules

The purpose of the Privacy Act and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rules is to provide safeguards for individuals against an invasion of privacy. Federal agencies are required to permit individuals to:

  1. Determine what records pertaining to him/her are collected, used, or disseminated by such agencies.
  2. Prevent records pertaining to him/her from being used for another purpose without his/her consent.
  3. Gain access to information pertaining to him/her in federal agency records, and to correct such records when appropriate.

Disclosure of information about a named beneficiary to anyone other than the beneficiary (or his/her legal guardian) is prohibited without the beneficiary's (or legal guardian's) explicit written authorization. This authorization may be in any form, but it must:

  • Include the beneficiary's name and Medicare ID;
  • Specify the individual, organizational unit, class of individuals, or organizational units who may make the disclosure;
  • Specify the individual, organizational unit, class of individuals or organizational units to which the information may be disclosed;
  • Specify the records, information, or types of information that may be disclosed;
  • Describe the purpose of the requested use or disclosure (if the beneficiary does not want to provide a statement of the purpose, he/she can describe the use as "at the request of the individual");
  • Indicate whether the authorization is for a one-time disclosure, or give an expiration date or event that relates to the individual or the purpose of the use or disclosure (e.g., for the duration of the beneficiary's enrollment in the health plan);
  • Be signed and dated by the beneficiary or his/her authorized representative. If signed by the representative, a description of the representative's authority to act for the individual must also be provided;
  • Contain a statement describing the individual's right to revoke the authorization along with a description of the process to revoke the authorization;
  • Contain a statement describing the inability to condition treatment, payment, enrollment or eligibility for benefits on whether or not the beneficiary signs the authorization; and
  • Contain a statement informing the beneficiary that information disclosed pursuant to the authorization may be re-disclosed by the recipient and may no longer be protected.

Blanket consents to disclose all of the beneficiary's records to unspecified individuals or organizations will not be honored. The consent must specify the item/service for which the disclosure is requested and should only include those items/services prescribed by the beneficiary's physician.


Last Updated Feb 23, 2018