CMS Information Collection: Privacy Act Statement

The Privacy Act of 1974 provides safeguards against invasion of privacy through the misuse of records that Federal agencies maintain in a System of Records (SOR).

Last Reviewed: 6/4/2026

Contact: ISPG Privacy | Privacy@cms.hhs.gov

Introduction

The Privacy Act of 1974, as amended (5 U.S.C. § 552a), provides safeguards against invasion of privacy through the misuse of records that Federal agencies maintain in a System of Records (SOR). Under section (e)(3) of the Act, individuals must be provided a Privacy Act Statement (PAS) when personal information about them is requested to administer agency health care programs and that information is maintained in a system of records.

Scope and Applicability

These procedures apply to information collections regardless of the format or method used to obtain the information, whether paper or electronic, as well as to all CMS organizations and their contractors engaged in the design and development of forms that collect personal information.

When Is a Privacy Act Statement Needed?

If an individual is requested to furnish personal information (e.g., name, date of birth, Social Security number) that will be stored in a SOR, regardless of the method used to collect the information (e.g., forms, personal or telephonic interview), then a PAS is required. If the information requested will not be personally identifiable information (PII) and/or will not be included in a SOR (i.e., not retrievable by a personal identifier), then a PAS is not required.

Where Should the Privacy Act Statement Appear?

The placement on the form can vary based on preference. The following locations are listed in order of preference:

  1. Immediately below the title of the form;
  2. Elsewhere on the front page of the form;
  3. On the last page of the form;
  4. On the back of the form, with a notation of its location on the front; or
  5. On a separate form.

Process for Developing the Privacy Act Statement

The process for preparing and drafting a PAS includes identifying the applicable Privacy Act System of Records Notice (SORN). A list of CMS SORNs is available on the CMS website. The SORN — or specific program information — can be used to address the following four required elements:

  1. Authority: State the Federal laws or Executive Orders cited in the SORN (e.g., 5 U.S.C. § 301, Departmental Regulations and/or Section 3004(c) of the Patient Protection and Affordable Care Act of 2010, as amended). If there are additional or different authorities beyond those listed in the SORN, include those as well.
  2. Purpose: Describe the reason the information is being collected and how it will be used. This is typically similar to the "PURPOSE(S) OF THE SYSTEM" section of the applicable SORN; however, tailor this response to your specific program purpose as needed.
  3. Routine Uses: List who outside of the Centers for Medicare & Medicaid Services will have access to the information (e.g., "To the Department of Social Security to verify eligibility of benefits").
  4. Disclosure: State whether disclosure of the information is "Voluntary" or "Mandatory."
    • Mandatory is only appropriate when a Federal law or Executive Order specifically requires the individual to furnish the information and provides a criminal or civil penalty for failure to do so.
    • Voluntary applies when furnishing information is a condition for receiving a benefit or privilege that the individual is voluntarily seeking.
    • Regardless of whether disclosure is voluntary or mandatory, the statement must include the consequences of not providing the information.

Privacy Act Statement — Sample Template

The Centers for Medicare & Medicaid Services (CMS) collects information from Medicare providers to improve their customer experience with Medicare Administrative Contractors (MACs). Executive Order 12862 authorizes federal agencies, like CMS, to survey customers regarding the quality of service they want and their satisfaction with existing services.

CMS may use and disclose providers' survey responses as specified in the System of Records Notice (SORN) "HHS Correspondence, Customer Service, and Contact List Records," System No. 09-90-1901, 84 Federal Register 28823, June 20, 2019, and as permitted by the Privacy Act of 1974. Your response to this survey is voluntary. However, failure to respond may affect CMS' efforts to improve provider customer service offered by the MACs.

Additional Information & Contact

  • System of Records Notices on HHS.gov
  • Overview of the Privacy Act of 1974
  • Office of Management and Budget Memorandum A-108

 

For assistance or to finalize a draft Privacy Act Statement for your collection, please contact the CMS Privacy Office at Privacy@cms.hhs.gov.