In plain terms. HHSAR is the Department of Health and Human Services' supplement to the FAR, adding HHS-specific contract rules.
Who it applies to. Contractors serving HHS and its agencies (such as CMS, NIH, FDA, CDC).
What it requires. Meet the FAR baseline (including the 52.204-21 safeguards), then meet the HHSAR additions. Because HHS work frequently involves protected health information (PHI) and personal data, expect privacy, security, and breach-handling terms, with HIPAA obligations often layered in.
Why it matters. Health data is high-risk and heavily regulated, so mishandling it on an HHS contract can trigger both contractual and HIPAA consequences.
Citation. HHSAR, the Health and Human Services Acquisition Regulation supplement to the Federal Acquisition Regulation (FAR), codified in the FAR System at Title 48 of the C.F.R.