Data are essential to inform public health activities. While an abundance of data are collected and used in different sectors, laws define how data can be used to promote the health of individuals and communities. Unfortunately, it can be hard to know whether there are legal barriers to a proposed data use. Different laws with different requirements can apply to data in different contexts. These legal snapshots give an overview of the basic legal requirements of different federal data protection laws to help public health professionals and researchers understand how different federal laws might apply to a proposed data activity. They also provide links to full text versions of the law and other federal resources.
This annotated resource compilation is intended to help state and local agencies access information and resources needed to better understand the federal legal protections and requirements associated with datasets collected by federal agencies or as part of a federally funded program.
Federal Law: Child and Adult Care Food Program (CACFP) Confidentiality Provisions
Citation: 42 U.S.C. § 1758(b)(6); 7 C.F.R. § 226.2; 7 C.F.R. § 226.23
CACFP confidentiality provisions protect eligibility information contained in applications for children’s free or reduced price meals.
Federal Law: Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA)
Citation: 44 U.S.C. § 3501 Note Sec. 501, et al.
CIPSEA protects identifiable information collected by federal agencies for exclusively statistical purposes.
Federal Law: Confidentiality of Drug Abuse, Alcoholism and Alcohol Abuse, Human Immunodeficiency Virus (HIV) Infection, and Sickle Cell Anemia Medical Records
Citation: 38 U.S.C. § 7332; 38 C.F.R. §§ 1.460-1.499
This law protects VA records relating to drug and alcohol abuse, HIV infection, and sickle cell anemia.
Federal Law: Family Educational Rights and Privacy Act (FERPA)
Citation: 20 U.S.C. § 1232g; 34 C.F.R. Part 99
The Family Educational Rights and Privacy Act protects identifiable student education records.
Federal Law: New Head Start Program Performance Standards
Citation: 42 U.S.C. § 9801, et seq.; 45 C.F.R. § 1303 Subpart C
Head Start regulations contain privacy protections that generally align with the protections found in the Family Educational Rights and Privacy Act.
Federal Law: Health and Human Services (HHS) Privacy Act Regulations
Citation: 5 U.S.C. § 552a; 45 C.F.R. Part 5b
The HHS Privacy Act Regulations implement the requirements of the Privacy Act of 1974 for HHS.
Federal Law: Higher Education Act (National Student Loan Data System)
Citation: 20 U.S.C. § 1092b; 34 C.F.R. Part 5b
The Higher Education Act limits who can access the National Student Loan Data System and how the data can be used.
Federal Law: Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule
Citation: 42 U.S.C. § 1320d et al.; 45 C.F.R. Parts 160 and 164
The HIPAA Privacy Rule limits uses and disclosures of identifiable health information by covered entities and business associates.
Federal Law: Homeless Management Information Systems Privacy Standards
Citation: 42 U.S.C. § 11360a; 24 C.F.R. § 578.7; 24 C.F.R. § 578.57; 24 C.F.R. § 578.103; 69 FR 45888
HMIS seeks to protect the confidentiality of personal information.
Federal Law: Individuals with Disabilities Education Act (IDEA), Part B Confidentiality Provisions
Citation: 20 U.S.C. § 1400; 34 C.F.R. Part 300
IDEA contains confidentiality provisions that apply to personally identifiable information relating to children with disabilities.