Skip to main content

Overview of the Privacy Act of 1974

Agency Rules

To implement the Act, an agency that maintains a system of records “shall promulgate rules, in accordance with [notice and comment rulemaking, see 5 U.S.C. § 553].”  For examples of the Department’s Privacy Act regulations, see 28 C.F.R. Part 16, Subpart E (2014).  For a case involving this section, see United States v. Tate, NMCCA 201200399, 2013 WL 951040, at *1 (Mar. 12, 2013) (setting aside a guilty finding of an individual who violated DOD’s Privacy Act regulations because the regulation is not punitive in nature).

The rules shall –

A. 5 U.S.C. § 552a(f)(1)

“establish procedures whereby an individual can be notified in response to his request if any system of records named by the individual contains a record pertaining to him.”


For a discussion of this provision, see OMB Guidelines, 40 Fed. Reg. 28,948, 28,967 (July 9, 1975), available at

B. 5 U.S.C. § 552a(f)(2)

“define reasonable times, places, and requirements for identifying an individual who requests his record or information pertaining to him before the agency shall make the record or information available to the individual.”


For a discussion of this provision, see OMB Guidelines, 40 Fed. Reg. 28,948, 28,967 (July 9, 1975), available at

C. 5 U.S.C. § 552a(f)(3)

“establish procedures for the disclosure to an individual upon his request of his record or information pertaining to him, including special procedure, if deemed necessary, for the disclosure to an individual of medical records, including psychological records pertaining to him.”


In the past, a typical regulation consistent with this provision would allow an agency to advise an individual requester that his medical records would be provided only to a physician, designated by the individual, who requested the records and established his identity in writing.  The designated physician would then determine which records should be provided to the individual and which should not be disclosed because of the possible harm to the individual or another person.

However, as a result of a Court of Appeals for the District of Columbia Circuit opinion, Benavides v. BOP, 995 F.2d 269 (D.C. Cir. 1993), such regulations are no longer valid.  In Benavides, the D.C. Circuit held that subsection (f)(3) is “strictly procedural . . . merely authoriz[ing] agencies to devise the manner in which they will disclose properly requested non-exempt records” and that “[a] regulation that expressly contemplates that the requesting individual may never see certain medical records [as a result of the discretion of the designated physician] is simply not a special procedure for disclosure to that person.”  Id. at 272.  The D.C. Circuit went on to state that the Justice Department’s subsection (f)(3) regulation at issue, 28 C.F.R. § 16.43(d) (1992), “in effect, create[d] another substantive exemption” to Privacy Act access, and it accordingly held the regulation to be “ultra vires.”  995 F.2d at 272-73. 

Nevertheless, the D.C. Circuit in Benavides rejected the argument that the Privacy Act requires direct disclosure of medical records to the individual.  Recognizing the “potential harm that could result from unfettered access to medical and psychological records,” the court provided that “as long as agencies guarantee the ultimate disclosure of the medical records to the requesting individual . . . they should have freedom to craft special procedures to limit the potential harm.”  Id. at 273; accord Bavido v. Apfel, 215 F.3d 743, 748-50 (7th Cir. 2000) (finding that the “Privacy Act clearly directs agencies to devise special procedures for disclosure of medical records in cases in which direct transmission could adversely affect a requesting individual,” but that “these procedures eventually must lead to disclosure of the records to the requesting individual”; further finding exhaustion “not required” because agency’s regulations “trapped” plaintiff by requiring him to “formally [designate] a representative” and “[t]o name such a representative would amount to conceding his case”); Melvin v. SSA, No. 5:09-CV-235, 2010 WL 1979880, at *5 & n.3 (E.D.N.C. May 13, 2010) (explaining that “SSA amended the regulation [at issue in Bavido] in such a way that ensures the ultimate disclosure of records” and, therefore, allowing plaintiff to proceed with her Privacy Act claims), aff’d per curiam, 442 F. App’x 870 (4th Cir. 2011); cf. Simmons v. Reno, No. 97-2167, 1998 WL 964228, at *1 (6th Cir. Dec. 29, 1998) (citing Benavides and questioning district court’s reliance on SSA regulation that required designation of medical representative for receipt of all medical records), vacating & remanding No. 4:96CV214 (W.D. Mich. Sept. 30, 1997); Waldron v. SSA, No. CS-92-334, slip op. at 9-10 (E.D. Wash. July 21, 1993) (holding claim not ripe because plaintiff had not designated a representative and had not been denied information (only direct access), but stating that portion of regulation granting representative discretion in providing access to medical records “is troubling because it could be applied in such a manner as to totally deny an individual access to his medical records”).

As a result of the Benavides decision, prior case law applying (and thus implicitly upholding) subsection (f)(3) regulations, such as the Justice Department’s former regulation on this point, is unreliable.  See, e.g., Cowsen-El v. DOJ, 826 F. Supp. 532, 535-37 (D.D.C. 1992) (recognizing although “the Privacy Act does not authorize government agencies to create new disclosure exemptions by virtue of their regulatory powers under the Privacy Act,” nevertheless upholding the DOJ regulation); Becher v. Demers, No. 91-C-99-S, 1991 WL 333708, at *4 (W.D. Wis. May 28, 1991) (denying request where plaintiff failed to designate medical representative and agency determined that direct access would have adverse effect on plaintiff); Sweatt v. Navy, 2 Gov’t Disclosure Serv. (P-H) ¶ 81,038, at 81,102 (D.D.C. Dec. 19, 1980) (finding that withholding of “raw psychological data” in accordance with regulation, on ground that disclosure would adversely affect requester’s health, deemed not denial of request), aff’d per curiam, 683 F.2d 420 (D.C. Cir. 1982).  Nevertheless, some courts, without addressing the holding in Benavides, have upheld the denial of access pursuant to agency regulations that require the designation of a representative to review medical records.  See Hill v. Blevins, No. 3-CV-92-0859, slip op. at 5-7 (M.D. Pa. Apr. 12, 1993) (finding SSA procedure requiring designation of representative other than family member for receipt and review of medical and psychological information valid), aff’d, 19 F.3d 643 (3d Cir. 1994) (unpublished table decision); Besecker v. SSA, No. 91-C-4818, 1992 WL 32243, at *2 (N.D. Ill. Feb. 18, 1992) (dismissing for failure to exhaust administrative remedies where plaintiff failed to designate representative to receive medical records), aff’d, 48 F.3d 1221 (7th Cir. 1995) (unpublished table decision); cf. Polewsky v. SSA, No. 95-6125, 1996 WL 110179, at *1-2 (2d Cir. Mar. 12, 1996) (affirming lower court decision which held that plaintiff’s access claims were moot because he had ultimately designated representative to receive medical records and had been provided with them (even though prior to filing suit, plaintiff had refused to designate representative); stating further that plaintiff decided voluntarily to designate representative and thus although issue was “capable of repetition” it had “not been shown to evade review”).

Although there is no counterpart provision qualifying a requester’s independent right of access to his medical records under the FOIA, the D.C. Circuit found it unnecessary in Benavides to confront this issue.  See 995 F.2d at 273.  In fact, only two courts have addressed the matter of separate FOIA access and the possible applicability of 5 U.S.C. § 552a(t)(2) (addressing access interplay between Privacy Act and FOIA), one of which was the lower court in a companion case to BenavidesSee Smith v. Quinlan, No. 91-1187, 1992 WL 25689, at *4 (D.D.C. Jan. 13, 1992) (stating court did “not find Section 552a(f)(3) as implemented [by 28 C.F.R. § 16.43(d)] and Section 552a(t)(2) to be incompatible”; reasoning that “if Congress had intended Section 552a(t) to disallow or narrow the scope of special procedures that agencies may deem necessary in releasing medical and psychological records, it would have so indicated by legislation”), rev’d & remanded sub nom. Benavides v. BOP, 995 F.2d 269 (D.C. Cir. 1993); Waldron v. SSA, No. CS-92-334, slip op. at 10-15 (E.D. Wash. June 1, 1993) (upholding Smith, but with regard to SSA regulation); cf. Hill, No. 3-CV-92-0859, slip op. at 7 (M.D. Pa. Apr. 12, 1993) (interpreting subsection (f)(3) incorrectly as constituting an “exempting statute” under FOIA).

For further discussion of this provision, see OMB Guidelines, 40 Fed. Reg. 28,948, 28,957, 28,967 (July 9, 1975), available at http://www.whitehouse. gov/sites/default/files/omb/assets/omb/inforeg/implementation_guidelines.pdf, and the Report of the House Committee on Government Operations, H.R. Rep. No. 1416, 93d Cong., 2d Sess., at 16-17 (1974), reprinted in Source Book at 309-10, available at

D. 5 U.S.C. § 552a(f)(4)

“establish procedures for reviewing a request from an individual concerning the amendment of any record or information pertaining to the individual, for making a determination on the request, for an appeal within the agency of an initial adverse agency determination, and for whatever additional means may be necessary for each individual to be able to exercise fully his rights under [the Act].”


For a discussion of this provision, see OMB Guidelines, 40 Fed. Reg. 28,948, 28,967 (July 9, 1975), available at

E. 5 U.S.C. § 552a(f)(5)

“establish fees to be charged, if any, to any individual for making copies of his record, excluding the cost of any search for and review of the record.”


Unlike under the FOIA, search and review costs are never chargeable under the Privacy Act.  See OMB Guidelines, 40 Fed. Reg. 28,948, 28,968 (July 9, 1975), available at

Note also that subsection (f) provides that the Office of the Federal Register shall biennially compile and publish the rules outlined above and agency notices published under subsection (e)(4) in a form available to the public at low cost. 

Previous Section Agency Requirements || Next Section Civil Remedies

Updated February 24, 2021