System name: Program Information Management System (PIMS), HHS/OS/OCR.
Security classification: None.
System location: The automated portion of the system is maintained at OCR Headquarters. Paper files are maintained in headquarters and regional offices as noted in Appendix I.
Categories of individuals covered by the system: Covered individuals include persons who file complaints alleging discrimination or violation of their rights under the statutes identified below (Authority for Maintenance) and covered entities (e.g., service providers) that are individuals and not organization or institutions, investigated by OCR as a result of complaints filed or through reviews conducted by OCR. Covered individuals also include persons who submit correspondence to
OCR related to other compliance activities, (e.g., outreach and public education) and other correspondence unrelated to a complaint or review and requiring response by OCR. In addition, OCR employees who use the system to record the status of their work are covered.
Categories of records in the system: The system encompasses a variety of records having to do with complaints, reviews, and correspondence. The complaint files and log include complaint allegations, information gathered during the complaint investigation, findings and results of the investigation, and correspondence relating to the investigation, as well as status information for all
complaints. This component of PIMS is being exempted from the notification, access, correction and amendment provisions of the Privacy Act (see below: Systems Exempted From Certain Provisions of the Act). Equivalent types of information are maintained for reviews and correspondence activities--namely information gathered, findings, results, correspondence and status.
Authority for maintenance of the system: Title VI of the 1964 Civil Rights Act; sections 533, 542, 794, 855, 1947 and 1908 of the Public Health Service Act; sections 504 and 508 of the Rehabilitation Act of 1973: Title II of the Americans with Disabilities Act of 1990; the Age Discrimination Act of 1975; the Equal Employment Opportunity Provisions of the Public Telecommunications Financing Act of 1978; Title VI and Title XVI of the Public Health Service Act
(the “community services of obligation'' of facilities funded under the Act); Title IX of the 1972 Education Amendments; section 407 of the Drug Abuse Office and Treatment Act; section 321 of the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970; section 508 of the Social Security Act, the Family Violence Prevention and Services Act;
Low-Income Home Energy Assistance Act of 1981; Section 1808 of the Small Business Job Protection Act of 1996; and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
PIMS will be used by OCR staff and will consist of an electronic repository of information and documents, and supplementary paper document files. PIMS effectively combines and replaces OCR's two existing systems of records, the “Case Information Management System (CIMS), HHS/OS/OCR, 09-90-0050,'' and the ``Complaint File and Log, HHS/OS/OCR 09-09-0051,'' into a single integrated system with enhanced electronic storage, retrieval and tracking capacities. While the types of information collected and stored in PIMS will be the same as the information collected in CIMS and the Complaint File and Log, PIMS will allow OCR to manage more effectively the information that it does collect. The system is designed to allow OCR to integrate all of OCR's various business processes, including all its compliance activities, to allow for real time access and results reporting and other varied information management needs. PIMS will provide: (1) A single, central, electronic, repository of all significant OCR documents and information, including investigative files, correspondence, administrative records, policy and procedure manuals and other documents and information developed or maintained by OCR; (2) easy, robust capability to search all the information in OCR's repository; (3) better quality control at the front end with simplified data entry and stronger data validation; (4) tools to help staff work on and manage their casework, and (5) supplementary paper document files. The system will have the capacity to generate reports concerning the status of all current and closed complaints, reviews and correspondence, and will allow OCR to track outreach, training and other activities and to locate and retrieve information in order to manage more efficiently its work and report results. In addition, PIMS, consistent with its predecessor management information systems, will allow for the tracking of work assignments to employees to facilitate workload balancing, timely response to complaints and completion of review, and outreach and public education initiatives focused on organizations and individuals.
Routine uses of records maintained in the system, including categories of users and the purposes of such uses:
The routine uses proposed for this system are compatible with the stated purpose of the system. The first routine use proposed for this system, permitting disclosure to a congressional office, allows subject individuals to obtain assistance from their representatives in Congress, should they so desire. Such disclosure would be made only pursuant to the request of the individual. The second routine use allows disclosure to the Department of Justice or a court in the event of litigation. The third routine use allows referral to the appropriate agency, in the event that a System of Records maintained by this agency to carry out its functions indicates a violation or potential violation of law. The fourth routine use allows disclosure of records to contractors for the purpose of
processing or refining records in the system.
Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system:
Storage: Automated records are maintained on magnetic disc and tape back-up. Paper records are kept in file folders.
Retrievability: Records are indexed by transaction number, but may be retrieved by name, street address, and other complainant or covered entity characteristic (such as type of entity, city, state and type of service provided) by OCR staff engaged in compliance activities.
Safeguards: The PIMS system will conform to applicable law and policy governing the privacy and security of Federal automated information systems. These include but are not limited to: the Privacy Act of 1984, Computer Security Act of 1987, the Paperwork Reduction Act of 1995, the Clinger-Cohen Act of 1996, and OMB Circular A-130, Appendix III, “Security of Federal Automated Information Resources.'' OCR has prepared a system security plan as required by OMB Circular A-130, Appendix III. This plan conforms fully to guidance issued by the National Institute for Standards and Technology (NIST) in NIST Special Publication 800-18, “Guide for Developing Security Plans for Information Technology Systems.'' The plan includes conduct of a risk assessment that addresses the confidentiality and integrity of the data. Only authorized users have access to the information in the system.
Categories of users include: OCR investigators, regional and headquarters managers, team leaders, OCR budget and Government Performance and Results Act planning staff, program and policy staff, and data analysts. Specific access to structured around need and is determined by the person's role in the organization. Access is managed through the use of electronic access control lists, which regulate the ability to read, change and delete information in the system. Each OCR user has read access to designated information in the system, with the ability to modify only their own submissions or those of others within their region or group. Data identified as confidential is so designated and only specified individuals are granted access. The system maintains an audit trail of all actions against the data base.
All electronic data is stored on servers maintained in locked facilities with computerized access control allowing access to only those support personnel with a demonstrated need for access. A data base is kept of all individuals granted security cart access to the room, and all visitors are escorted while in the room. The server facility has appropriate environmental security controls, including measures to mitigate damage to automated information system resources caused by fire, electricity, water and inadequate climate controls. Access control to servers, individual computers
and databases includes a required user log-on with a password, inactivity lockout to systems based on a specified period of time, legal notices and security warnings at log-on, and remote access security that allows user access for remote users (e.g., while on government travel) under the same terms and conditions as for users within the office. System administrators have appropriate security clearance.
Printed materials are filed in secure cabinets in secure Federal buildings with access based on need as described above for the automated component of the PIMS system.
Retention and disposal: Documents related to complaints and reviews are retained at OCR for two years from the date the complaint is closed and then are archived at the National Archives and Records Administration for 15 years. Correspondence is retained for one year following the end of the fiscal year in which processed.
System manager(s) and address: PIMS Project Manager, Resource Management Division, Office for Civil Rights, 200 Independence Ave. SW., Room 509F, Washington, DC 20201.
Notification procedure: Contact System Manager (above). Include name and address of complainant, and name of the recipient against which the allegation was filed. The Department is exempting all investigative records from this provision (see below: Records Exempted).
Record access procedures: Same as notification procedures. Requesters should also reasonably specify the record contents being sought. Request should be made to the system manager (above). The Department is exempting all investigative records from this provision (see below: Records Exempted).
Contesting record Procedure: Contact the official(s) at the address specified under System Manager, and reasonably identify the record and specify the information to be contested and corrective action sought with supporting justification. (These procedures are in accordance with Department Regulations (45 CFR 5b.7) Federal Register, October 8, 1975, page 47411.) The Department is exempting all investigative records from this provision (see below: Records Exempted).
Record source categories: Information is provided by complainants and covered entities.
Record exempted from certain provisions of the act: OCR investigative records maintained in PIMS, either as paper records or electronic documents are records complied for law enforcement purposes and will be exempt under subsection (k)(2) from the notification, access, correction and amendment provisions of the Privacy Act.
Appendix Number 1--System Locations:
This system is located at HHS offices in the following cities.
Headquarters, PIMS Project Manager, Resource Management Division, Office for Civil Rights, 200 Independence Ave. SW., Room 509F, Washington, DC 20201.
Region I, Regional Manager, OCR/HHS, J.F. Kennedy Federal Building—Room 1875, Boston, Massachusetts 02203.
Region II, Regional Manager, OCR/HHS, 26 Federal Plaza--Suite 3312, New York, NY 10278.
Region III, Regional Manager, OCR/HHS, 150 S. Independence Mall West, Suite 372, Public Ledger Building, Philadelphia, PA 19106.
Region IV, Regional Manager, OCR/HHS, Atlanta Federal Center, Suite 3B70, 67 Forsyth Street, SW., Atlanta, GA 30303.
Region V, Regional Manager, OCR/HHS, 233 N. Michigan Ave, Suite 240, Chicago, IL 60601.
Region VI, Regional Manager, OCR/HHS, 1301 Young Street, Suite 1169, Dallas, TX 75202.
Region VII, Regional Manager, OCR/HHS, 601 E. 12th Street--Room 248, Kansas City, MO 64106.
Region VIII, Regional Manager, OCR/HHS, Federal Office Building, 1961 Stout Street--Room 1185, Denver, CO 80294.
Region IX, Regional Manager, OCR/HHS, 50 United Nations Plaza—Room 322, San Francisco, CA 94102.
Region X, Regional Manager, OCR/HHS, 2201 Sixth Avenue--Suite 900, Seattle, WA 98121.