Skip Navigation
  • Text Size: A A A
  • Print
  • Email
  • Facebook
  • Tweet
  • Share
  • Print
  • Email
  • Facebook
  • Tweet
  • Share

Privacy Impact Assessments

System Privacy Impact Assessments

Titles II and III of the E-Government Act of 2002 require that agencies evaluate systems that collect personally identifiable information (PII) and determine whether the privacy of that PII is adequately protected. Agencies perform this  evaluation through a privacy impact assessment (PIA). HHS policy states that operating divisions (OPDIVs) are responsible for completing and maintaining PIAs on all systems (developmental and operational). Upon completion of each assessment, agencies are required to make that PIA publicly available.

HHS recently implemented new software to manage its PIA drafting and review processes. Questions in the new form are numbered; however, for privacy and relevancy reasons, certain questions are not listed. For example, questions about a website will not be included if the system does not utilize a website.

The PDFs on this site are undergoing remediation for compliance with Section 508. The remediation will be completed by 3/6/2015. If, in the interim, you need accessibility assistance with the PDFs, please contact Matthew Olsen at Matthew.Olsen@hhs.gov or 202-260-0322.

Administration for Children and Families

Agency for Healthcare Research and Quality

Centers for Disease Control & Prevention

Centers for Medicare & Medicaid Services

Food & Drug Administration

Health Resources & Services Administration

National Institutes of Health

Office of the Secretary

Substance Abuse and Mental Health Services Administration

To view PIAs published using the prior software, click on the name of the OpDiv listed below and then scroll through the document containing their PIAs:

Third-Party Websites and Applications Privacy Impact Assessments

The Office of Management and Budget Memorandum 10-23, Guidance for Agency Use of Third-Party Websites and Applications, requires that agencies assess their uses of third-party Websites and applications to ensure that the uses protect privacy. The mechanism by which agencies perform this assessment is a privacy impact assessment (PIA). In accordance with HHS policy, operating divisions (OPDIVs) are responsible for completing and maintaining PIAs on all third-party Websites and applications in use. Upon completion of each assessment, agencies are required to make the PIAs publicly available.

To view the Third-Party Websites and Applications (TPWA) Privacy Impact Assessments for each individual OPDIV system, please refer to the links located below.


Content created by Assist. Sec./Administration - Chief Information Officer
Content last reviewed on December 15, 2014

HHS System of Record Notices

The Privacy Act of 1974 requires that agencies create and maintain, as necessary, a system of record notice for systems as defined in the Privacy Act provisions. A system is subject to the Privacy Act if it contains a system of records; any item, collection, or grouping of information about an individual that identifies an individual, and where those records are retrieved by the name of the individual or by some type of unique identifier. In accordance with the Privacy Act of 1974, OPDIVs are responsible for completing and maintaining system or records notices.