Skip Navigation
  • Text Size: A A A
  • Print
  • Email
  • Facebook
  • Tweet
  • Share
  • Print
  • Email
  • Facebook
  • Tweet
  • Share

Agency for Healthcare Research and Quality Privacy Impact Assessments

06.3 HHS PIA Summary for Posting (Form) / AHRQ Application Network [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  Not Applicable 
1. Date of this Submission:  12/16/2011
2. OPDIV Name:  AHRQ
3. Unique Project Identifier (UPI) Number:  009-33-01-06-02-0034-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  AHRQ Application Network
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Tim Erny
10. Provide an overview of the system:  The purpose of the AHRQ Application Network System is to provide the infrastructure for development and testing of new AHRQ applications.  The system does not directly support the AHRQ user environment; rather it is utilized by application developers and testers as a secure environment to design, develop, and test AHRQ systems.  The Storage Area Network (SAN) is within the perimeter of the Application Network.  All data for the entire organization is stored on the SAN, therefore PII from other systems are stored within the scope of the Application Network.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  1) The AHRQ Network stores a variety of different types of information, to include the following:

- AHRQ publications
- Grants information
- Backup metadata
- Anonymized research data

It also contains PII collected by the AHRQ Frontend System that is collected on a voluntary basis.

2) This information is used to by AHRQ to maintain and operate the Management group system, provide services to other systems, and operate the AHRQ security program.

3) The information contains PII.

4) The information is collected on a voluntary basis.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Via the Frontend System, users are notified of potential uses of PII through a machine readable privacy policy which states the following:

1) Users are not required to provide personal information to visit any of our Web resources.
2) Users are not required to provide personal information to visit any of our Web resources.
3) If users choose to provide AHRQ with additional information about themselves through an e-mail message, form, survey, etc., AHRQ only uses that information to respond to their message or to fulfill the stated purpose of the communication. The information provided is handled on a confidential basis within the Agency.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The system data and PII specifically, is protected by management, operational and technical controls commensurate with the security categorization of the system and in accordance with NIST SP 800-53.  Only authorized personnel have access to the data.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Ben Rollin
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Tim Erny
Sign-off Date:  12/19/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / AHRQ BackEnd System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  Not Applicable 
1. Date of this Submission:  2/15/2012
2. OPDIV Name:  AHRQ
3. Unique Project Identifier (UPI) Number:  009-33-01-06-02-0053-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  AHRQ BackEnd System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Tim Erny
10. Provide an overview of the system:  The purpose of the Backend System is to support the applications and services AHRQ provides.  In most cases, the Backend System serves simply as the database for AHRQ systems.  It is not directly accessed by AHRQ users, but is accessed indirectly through data requests via the front end AHRQ applications.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The AHRQ Backend System stores a variety of different types of information, to include the following:

- AHRQ publications
- Grants information
- Backup metadata
- Anonymous research data

The system utilizes a website which allows registered users to download or order copies of AHRQ publications.

It also contains PII collected by the AHRQ Frontend System that is collected on a voluntary basis. The following PII may be collected:

-Web Uniform Resource Locator(s) (URL)
-Mailing Address
-Phone Numbers
-Name
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Users are notified of potential uses of PII through a machine readable privacy policy which states the following:
-       Users are not required to provide personal information to visit any of our Web resources;
-       If users choose to provide AHRQ with additional information about themselves through an e-mail message, form, survey, etc., AHRQ only uses that information to respond to their message or to fulfill the stated purpose of the communication. The information provided is handled on a confidential basis within the Agency.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The system data, and PII specifically, is protected by management, operational and technical controls commensurate with the security categorization of the system and in accordance with NIST SP 800-53.  Only authorized personnel have access to the data.  All PII will be secured on the system at all times using controls prescribed by NIST SP 800-53, and implemented commensurate with the security categorization of the system.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Ben Rollin
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Tim Erny
Sign-off Date:  2/17/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / AHRQ Consumer Assessment of Healthcare Providers and Systems/Survey on Patient Safety [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  9/7/2011
2. OPDIV Name:  AHRQ
3. Unique Project Identifier (UPI) Number:  009-33-01-02-02-0013-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  Contract HHSA 290200710024C
7. System Name (Align with system Item name):  Consumer Assessment of Healthcare Providers and Systems / Survey on Patient Safety (CAHPS/SOPS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Christine Crofton
10. Provide an overview of the system:  The system includes applications and information management processes developed for both the CAHPS and SOPS programs, and those that support the merged CAHPS/SOPS program.  It includes a number of web-based data submission applications supporting a public web site.  Data collected through and managed by the CAHPS/SOPS submission applications contain survey data that are collected using standard CAHPS/SOPS survey instruments. These survey data are collected at the person level but do not contain any information in identifiable form. Only a unique record level identifier along with survey responses to individual survey items is provided in the survey data files. In addition to survey data, the applications also collect administrative and characteristic data such as measurement year, health care organization name, sample size, frame size, survey methodology and response rate.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Data collected through and managed by the CAHPS/SOPS submission applications contain survey data that are collected using standard CAHPS/SOPS survey instruments. These survey data are collected at the person level but do not contain any information in identifiable form. Only a unique record level identifier along with survey responses to individual survey items is provided in the survey data files. In addition to survey data, the applications also collect administrative and characteristic data such as measurement year, health care organization name, sample size, frame size, survey methodology and response rate.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A - the system does not contain PII.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Michael Violante
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Tim Erny
Sign-off Date:  9/8/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / AHRQ Data Application Support System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  9/7/2011
2. OPDIV Name:  AHRQ
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  009-33-01-06-02-0025-00
7. System Name (Align with system Item name):  AHRQ Data Application Support System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Laurie MacCallum
10. Provide an overview of the system:  The AHRQ Data Application Support System is comprised of a set of servers used to support data applications for CFACT, CDOM, and CQuiPS.  The data applications are Web sites that provide data, statistics, publications, and analysis related to health care data.  The user community consists of health economists, policy makers, media representatives, and the general public.

The support system is considered to be a General Support System with each of the Web sites hosted on the servers considered to be Minor Applications.

Currently, four Web sites are supported on this system: the MEPS Web Site, the HCUPnet Web Site, the State Snapshots, and the QRDRnet Web Site. 

The Medical Expenditure Panel Survey (MEPS) is a set of large-scale surveys of families and individuals, their medical providers, and employers across the United States. The MEPS Web Site allows users to access the results of these surveys. The site provides detailed information on health care utilization and expenditures, health insurance, and health status, as well as a variety of demographic, social, and economic characteristics of a representative sample of Americans. Users can review and download public use micro data files, access MEPS data presented in a tabular format, analyze MEPS data using online tools, and read and download a variety of analytic publications.

HCUPnet is part of the Healthcare Cost and Utilization Project (HCUP) at AHRQ. HCUPnet generates statistics using data from HCUP's Nationwide Inpatient Sample (NIS), the Kids' Inpatient Database (KID), and the State Inpatient Databases (SID). HCUPnet is an on-line query system that provides instant access to the largest set of all-payer health care databases that are publicly available. HCUPnet provides a means to generate tables and graphs on national and regional statistics and trends for community hospitals in the U.S. In addition, community hospital data are available for those States that have agreed to participate in HCUPnet. The HCUPnet Web site can generate statistics for emergency room data. 

The State Snapshots Web site provides State-specific health care quality information, including strengths, weaknesses, and opportunities for improvement. The goal is to help State officials and their public- and private-sector partners better understand health care quality and disparities in their State.  State-level information used to create the State Snapshots is based on data collected for the National Healthcare Quality Report (NHQR).

QRDRnet is an online tool which allows users to access data contained in the Tables Appendices of the National Healthcare Quality and Disparities Reports (NHQR, NHDR).  The Tables Appendices contain both national- and state-level data.  Users may access full tables for each NHQR or NHDR measure, or access subsets of the tables.  For many measures the site also allows users to access multiple years of data to investigate trends over time.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A, no PII is shared or disclosed.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The system receives non-IIF data from data collection systems which remove potential IIF and compile the data for summary purposes. The system publishes the data for public consumption.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  There are no processes in place to obtain consent from individuals because no IIF is utilized by this system.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A, there is no IIF.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Michael Violante
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Tim Erny
Sign-off Date:  9/8/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / AHRQ Disaster Recovery Site [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  4/2/2012
2. OPDIV Name:  AHRQ
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  TBD
6. Other Identifying Number(s):  TBD
7. System Name (Align with system Item name):  AHRQ Disaster Recovery Site
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Eric Colombel
10. Provide an overview of the system:  Disaster Recovery Site for all internally hosted AHRQ systems.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  This system is a backup of the AHRQ Application Network, AHRQ Management Group, AHRQ MEPS System, AHRQ Front End System, and the AHRQ Back End System.  Therefore this system does not process any IFF data, it is only stored as a means of backing up the internal AHRQ systems.  Please refer to the respective system PIA’s for more information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  This system is a backup of the AHRQ Application Network, AHRQ Management Group, AHRQ MEPS System, AHRQ Front End System, and the AHRQ Back End System.  Therefore this system does not process any IFF data, it is only stored as a means of backing up the internal AHRQ systems.  Please refer to the respective system PIA’s for more information.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  All IIF will be secured on the system at all times using controls prescribed by NIST SP 800-53 rev. 3, and implemented commensurate with the security categorization of the system.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Ben Rollin
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Tim Erny
Sign-off Date:  5/21/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / AHRQ Effective Healthcare [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  3/22/2012
2. OPDIV Name:  AHRQ
3. Unique Project Identifier (UPI) Number:  009-33-01-06-02-0050-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  AHRQ Effective Healthcare
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Marian James
10. Provide an overview of the system:  Effective Healthcare represents the collaboration between HHS Agency for Healthcare Research and Quality (AHRQ), clinicians and patients to help determine which drugs and other medical treatments work best for certain health conditions. Effective Healthcare builds on existing network of 13 Evidence-based Practice Centers (EPC). Each EPC will focus especially on comparing the relative effectiveness of different treatments, including drugs, as well as identifying gaps in knowledge where new research is need. The ECPs carry out carry out accelerated studies, including research aimed at filling knowledge gaps about treatment effectiveness.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Ben Rollin
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Tim Erny
Sign-off Date:  3/26/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / AHRQ FrontEnd System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  Not Applicable 
1. Date of this Submission:  2/15/2012
2. OPDIV Name:  AHRQ
3. Unique Project Identifier (UPI) Number:  009-33-01-06-02-0050-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  AHRQ FrontEnd System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Tim Erny
10. Provide an overview of the system:  The Frontend System refers to a cluster of fourteen modules currently residing amongst three servers physically located at AHRQ headquarters in Rockville, MD. Each of these modules is unique in nature with different system administrators and content managers.

The modules associated with the Frontend System include the following: 

Electronic Preventive Service Selector
Research Reporting System
Publications Clearinghouse
PDA Applications and Downloads
Preventive Services
Talking Quality
Patient Safety Organizations
President's Commission on Health Care Quality
Centers for Education & Research on Therapeutics
Web Development
Council on Private Sector Initiatives
Team STEPPS
Quality Interagency Coordination Task Force
AHRQ's Internet

These modules, utilized by both internal and external AHRQ stakeholders, all serve the common goal of communicating various messages relating to the AHRQ mission. Administration of these modules takes place via web interfaces on internal application servers accessible only from the internal AHRQ network. All administrative activity requires identification and authentication.  This is handled through the AHRQ domain and is outside of the scope of this system boundary.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The Frontend System is comprised of several modules.  These modules all serve similar functions in promoting the AHRQ mission through web communication.

Administration of these modules takes place via web interfaces on internal application servers accessible only from the internal AHRQ network. All administrative activity requires identification and authentication. 

 PII, in the form of name, email address, phone number, and mailing address is collected on a voluntary basis to enable communication.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Users are notified of potential uses of PII through a machine readable privacy policy which states the following:
-       Users are not required to provide personal information to visit any of our Web resources;
-       If users choose to provide AHRQ with additional information about themselves through an e-mail message, form, survey, etc., AHRQ only uses that information to respond to their message or to fulfill the stated purpose of the communication. The information provided is handled on a confidential basis within the Agency.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The system data, and PII specifically, is protected by management, operational and technical controls commensurate with the security categorization of the system and in accordance with NIST SP 800-53.  Only authorized personnel have access to the data.  All PII will be secured on the system at all times using controls prescribed by NIST SP 800-53, and implemented commensurate with the security categorization of the system.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Ben Rollin
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Tim Erny
Sign-off Date:  2/17/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / AHRQ Guidelines, Measures, Innovations System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  Not Applicable 
1. Date of this Submission:  6/26/2012
2. OPDIV Name:  AHRQ
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  AHRQ Guidelines, Measures, and Innovations System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Mary P. Nix
10. Provide an overview of the system:  The GMI enclave consists of the following:

The National Guideline Clearinghouse (NGC) is a public resource for evidence-based clinical practical guidelines.  NGC is an initiative of the Agency for Healthcare Research and Quality (AHRQ).  The NGC Web site is a public Web site hosted by the contractor ECRI.  No sensitive information is collected.  The Quality Measures Clearinghouse (NQMC) is a public repository for evidence-based quality measures and measure sets.  The Web sites are hosted by ECRI Institute (contractor).

The AHRQ Health Care Innovations Exchange (HCIE) is a database and Web site of innovations and tools used to improve health care quality.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  HCIE: The Web site portion of the system displays PII of innovators to the public audience to facilitate communication between potential adopters and the innovators.

NGC/NQMC: N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  HCIE: The information the agency will collect, maintain, and disseminate consists of details describing innovative activities and tools used in health care quality improvement initiatives around the country. The details of innovations (not of tools) could include PII, voluntarily submitted, if the innovator would like his/her contact information provided for potential adopters to contact him/her with questions about the innovation.

NGC/NQMC:  The agency will collect email and name from those individuals who voluntarily participate in creating a profile for tailoring their interactions with the sites and creating tailored email alerts

NGC/NQMC wil employ Web measurement and/or customization technology (WMCT). The purpose of WMCT is to provide NGC and NQMC Web site users with a personalized Web experience utilizing session cookies and site registration methodologies.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  HCIE: Individuals that desire PII information to be placed on the Web Site must first certify their consent prior to the information being published.  The certification contains an understanding of what and how the information is to be used.  Display of this PII is completely voluntary.

The HCIE Web site portion of the system displays PII of innovators to the public audience to facilitate communication between potential adopters and the innovators.  The information the agency will collect, maintain, and disseminate consists of details describing innovative activities and tools used in health care quality improvement initiatives around the country.

NGC/NQMC:  The FAQs will include a description of how the IIF is being used for tailored alerts, homepage and dashboards.  Should major system changes take place email will be sent to all subscribers.

NGC/NQMC wil employ Web measurement and/or customization technology (WMCT). The purpose of WMCT is to provide NGC and NQMC Web site users with a personalized Web experience utilizing session cookies and site registration methodologies.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  HCIE: Individuals that desire PII information to be placed on the Web Site must first certify their consent prior to the information being published.  This information will remain (retention) on the web site until the individual contacts Westat and requests that the PII be removed (destruction).  The information or Web content will then be promptly removed.  In addition annual recertification will be required.  Technical and physical controls are in place including review and approval of content that may contain voluntary PII information.  Physical controls include the content media for publication which is physically delivered and only employees with proper credentials for access (passwords, badges, least privilege rights etc.) can publish the certified and approved content to the site.

NGC/NQMC: Technical and physical controls are in place including review and approval of content that may contain voluntary IIF information.  Physical controls include the content media for publication which is physically delivered and only employees with proper credentials for access (passwords, badges, least privilege rights etc.) can publish the certified and approved content to the site.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Ben Rollin
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Tim Erny
Sign-off Date:  6/26/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

Back to top

 

06.3 HHS PIA Summary for Posting (Form) / AHRQ Healthcare Cost and Utilization Project Web Services [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  8/22/2011
2. OPDIV Name:  AHRQ
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  Healthcare Utilization Project (HCUP) Web Services
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Carol Stocks
10. Provide an overview of the system:  The Healthcare Cost and Utilization Project (HCUP) is a Federal-State-
Industry Partnership sponsored by the Agency for Healthcare Research
and Quality (AHRQ). Thomson Reuters is the prime contractor to AHRQ
on this project. HCUP Web Services are a collection of Websites
developed and hosted by Thomson Reuters on behalf of AHRQ that
include the HCUP-US (http://www.hcup-us.ahrq.gov/), MONAHRQ
(http://monahrq.ahrq.gov/), and Halfreski (http://www.halfreski.net/)
Websites.
The HCUP Web Services are a separate subsystem of HCUP. No
person-level data is stored or made available on any of the three sites
that comprise the HCUP Web Services.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Ben Rollin
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Tim Erny
Sign-off Date:  5/21/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / AHRQ Healthcare Innovations Exchange [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  12/13/2010
2. OPDIV Name:  AHRQ
3. Unique Project Identifier (UPI) Number:  009-33-01-02-02-0010-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  AHRQ Healthcare Innovations Exchange (HCIE)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Mary Nix
10. Provide an overview of the system:  A database and web site of innovations and tools used to improve health care quality.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  The web site portion of the system displays IIF of innovators to the public audience to facilitate communication between potential adopters and the innovators.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The information the agency will collect, maintain, and disseminate consists of details describing innovative activities and tools used in health care quality improvement initiatives around the country. The details of innovations (not of tools) could include IIF, voluntarily submitted, if the innovator would like his/her contact information provided for potential adopters to contact him/her with questions about the innovation.  PII such as; Name, Mailing Address, Phone Number, and Email Address is collected, maintained, or disseminated by the system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Individuals that desire IIF information to be placed on the web site, must first certify their consent prior to the information being published.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Individuals that desire IIF information to be placed on the web site must first certify their consent prior to the information being published.  This information will remain (retention) on the web site until the individual contacts Westat and requests that the IIF be removed (destruction).  The information or Web content will then be promptly removed.  In addition annual recertification will be required.  Technical and physical controls are in place including review and approval of content that may contain voluntary IIF information.  Physical controls include the content media for publication which is physically delivered and only employees with proper credentials for access (passwords, badges, least privilege rights etc.) can publish the certified and approved content to the site.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Michael Violante
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Tim Erny
Sign-off Date:  12/13/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / AHRQ Management Group System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  Not Applicable 
1. Date of this Submission:  12/16/2011
2. OPDIV Name:  AHRQ
3. Unique Project Identifier (UPI) Number:  009-33-01-06-02-0052-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  AHRQ Management Group System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Tim Erny
10. Provide an overview of the system:  The purpose of the AHRQ Management Group system is to provide back-office and operational management functions to the agency, support application development and provide the tools needed to operate AHRQ development systems.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  1) The AHRQ Management Group System collects, maintains and disseminates a variety of different types of information, to include the following:

- Project timelines, goals, and milestones
- System performance and configuration information
- Development code and documentation
- System security information and documentation including C&A packages, vulnerabilities, and compliance reports
- System backup and encryption configurations
- VPN remote access encryption information

2) This information is used to by AHRQ to maintain and operate the Management group system, provide services to other systems, and operate the AHRQ security program.

3) None of this information contains PII.

4) No PII is collected.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Ben Rollin
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Tim Erny
Sign-off Date:  12/19/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / AHRQ Medical Expenditure Panel Survey - Medical Provider Component [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  3/22/2012
2. OPDIV Name:  AHRQ
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  Medical Expenditure Panel Survey - Medical Provider Component (MEPS-MPC)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Katherine M. Mason
10. Provide an overview of the system:  The Medical Expenditure Panel Survey Medical Provider Component (MEPS-MPC) is a major application that collects data about medical costs reported in the MEPS Household Component (MEPS-HC), a nationally representative subsample of households that participated in the previous year’s National Health Interview Survey (NHIS). Beginning in Panel 14, data collection for the MEPS-MPC will be conducted by RTI and SSS; data collection for the HC will continue to be conducted by Westat, Inc., the contractor for previous panels of the MPC. Data requested in the MPC may draw from several record systems (medical records, billing, laboratory) and often requires contacting several individuals at the provider organization. Because much of the data are derived from records maintained for other purposes, information obtained across providers must be comparable. In addition, the MPC design offers alternatives to supplying the requested information—including telephone interviews or providing copies of medical and other records. The MPC data collection system and procedures must be flexible in accepting and processing data securely and monitoring survey production from these multiple streams. The objective of the MPC is to match provider data with household data collected in the HC. Because neither source is error-free, the matching process requires a carefully designed statistical process specifying matching variables and criteria for accepting or rejecting possible matches. The matching process will require collaboration among AHRQ, the HC contractor, and the MPC contractor.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The MEPS Medical Provider Component (MPC) collects data from all hospitals, emergency rooms, home health care agencies, outpatient departments, long term health care facilities and pharmacies reported by MEPS Household Component (HC) respondents as well as all physicians who provide services for patients in hospitals but bill separately from the hospital. Submission of PII by the HC respondents is completely voluntary. The data elements that are passed to RTI from the HC contractor include only the minimum necessary to identify these patients to the providers. These include patient name, patient address, patient phone number and patient DOB. For the providers, we collect and store provider name, provider address, provider phone number and one or more contact names and phone numbers.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  1) Not applicable.  Disclosures are obtained earlier in the project by Westat.

2) There is an informed consent process for both patients and providers, with patients signing an authorization form and providers giving verbal consent.

 

3) Data collected in the MEPS-MPC are used to impute estimates of medical expenditures not captured in the MEPS-HC. Data from the MPC are used in tandem with data from the HC and are critical to developing expenditure estimates that can withstand intense public scrutiny. The MPC also provides information about physician charges associated with hospital care but not billed by hospitals, and is a primary source of expenditure information for Medicaid recipients.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The MEPS-MPC Information System will be in place on RTI’s Enhanced Security Network’s (ESN’s) dedicated hardware, which is a completely isolated computing network physically located on RTI’s Research Triangle Park campus in North Carolina. The campus and buildings are protected by a set of physical controls described in the SSP.

The ESN forms a dedicated network segment within the RTI corporate network and employs a highly restrictive set of security controls, allowing it to host project systems requiring protection at the NIST moderate level. All data collected will be stored in the ESN. RTI will provide real time ESN access to qualified project employees of our subcontractors. The ESN was recertified with an Authority to Operate (ATO) on 10/22/08.

Access to the MEPS-MPC Information System is controlled through an SSL VPN portal that securely encrypts all network traffic and data in transit. User credentials within the ESN are separate from the RTI public and private networks and include two-factor authentication (explained in the identification and authentication (IA) controls section of the SSP). MEPS-MPC project staff move files into and out of the system via secure file transfer protocol (sFTP). There is no other Internet access to the MEPS-MPC Information System. MEPS-MPC project staff are not allowed to transfer data to local hard drives, flash drives, or other removable media.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Ben Rollin
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Tim Erny
Sign-off Date:  3/23/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / AHRQ Medical Expenditure Panel Survey [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  10/20/2011
2. OPDIV Name:  AHRQ
3. Unique Project Identifier (UPI) Number:  009-33-01-02-01-0011-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-35-0002
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  Medical Expenditure Panel Survey (MEPS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Doris Lefkowitz
10. Provide an overview of the system:  MEPS is used to provide national data on health care expenses of the civilian population living in the United States.  Specifically, MEPS captures detailed statistics on the type of medical services used, how frequently they are used, the cost of those services, and how they are paid for, as well as health conditions and health insurance availability and coverage.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  The agency does not share the IIF.  Only non-IIF information is shared.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  (1) The information collected is: the age, race, and sex of each family member; Health conditions; Current Health Status; Visits to health care providers (doctors, dentists, hospitals, etc.); Charges and Payments for Health Care; Medications; Employment; Health Insurance.
(2) The information is used to generate statistical data that is used to spot trends in health care spending.
(3) Yes.
(4) It is collected through a team of interviewers and the information submission is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  The information is gathered through an interview process with the selected participants and is provided on an voluntary basis.  Prior to the interview process, it is explained to the participants what data is being collected, why, and how the data is shared and protected. No data containing PII is shared.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The IIF information is secured on a protected network that only accessible from specific terminals.  This network has no access to the Internet or any other network.  For COOP purposes the data is mirrored to an off-site host and is only accessible via VPN or at recovery facility.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Michael Violante
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Tim Erny
Sign-off Date:  10/25/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / AHRQ Medical Expenditure Panel Survey Enclave [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  10/20/2011
2. OPDIV Name:  AHRQ
3. Unique Project Identifier (UPI) Number:  009-33-01-02-01-0011-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  MEPS Enclave
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Doris Lefkowitz
10. Provide an overview of the system:  The MEPS Enclave collects demographic information, healthcare use data, health care expenses, health insurance coverage data and the quality of medical care and preventive services received by the households data.  In addition, as part of the survey, the system acquires and processes case information from medical providers.  Participating households authorize the project (in writing) to request information from those doctors, hospitals, pharmacies, and other medical providers from which they receive service.  Data, collected through MEPS Enclave, is used for the construction of analytical variables and files which are delivered to AHRQ for publication.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  AHRQ processes public use files to provide nationally representative estimates for the US civilian non-institutional population.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Respondent data includes demographic information, healthcare use, cost of services, sources of payment and insurance coverage, containing IIF. The MEPS Enclave provides data to create nationally representative estimates for the US civilian non-institutionalized population.  Submission of personal information is voluntary except for name and address.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  1) Changes in disclosure and/ or data uses not anticipated.
2) Contact via letter or phone call
3) AHRQ. Public use files provide nationally representative estimatse for the US civilian non-institutional population. RTI. Files are delivered to RTI, the MCP contractor, for the data collection from the Medical Providers, and matching those records to the household component medical events.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Only authorized personnel have access to the data.  The data is encrypted when stored and transmitted.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Michael Violante
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Tim Erny
Sign-off Date:  10/25/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / AHRQ National Guidelines Quality Measures Clearinghouse [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  6/14/2012
2. OPDIV Name:  AHRQ
3. Unique Project Identifier (UPI) Number:  009-33-01-02-02-0010-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  AHRQ National Guidelines and Quality Measures Clearinghouse (NGC/NQMC)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Mary P. Nix
10. Provide an overview of the system:  AHRQ National Guidelines Quality Measures Clearinghouse is composed of the AHRQ National Guidelines Clearinghouse and the AHRQ National Quality Measures Clearinghouse.  AHRQ National Guidelines Clearinghouse (NGC) is a public resource for evidence-based clinical practical guidelines.  NGC is an initiative of the Agency for Healthcare Research and Quality (AHRQ).  The NGC Website is a public website hosted by  ECRI at Voicenet.  No sensitive information is collected.  AHRQ National Quality Measures Clearinghouse (NQMC) is a public repository for evidence-based quality measures and measure sets.  The AHRQ National Quality Measures Clearinghouse (NQMC) Website is also hosted by ECRI at Voicenet.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  NA
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  NGQMC consists of databases and web servers that collect evidence-based clinical practice guidelines and information on specific evidence-based health care quality measures and measure sets.  The system mission is to provide physicians, nurses, and other health professionals, health care providers, health plans, integrated delivery systems, purchasers, and others an accessible mechanism for obtaining objective, detailed information on clinical practice guidelines and quality meastures to further their dissemination, implementation, and use.   The system does not contain PII.

 

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A - the system does not contain PII.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  NA The system does not collect IIF.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Tim Erny
Sign-off Date:  9/29/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / AHRQ Patient Safety Organization Privacy Protection Center [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  Internal Flow or Collection 
1. Date of this Submission:  12/16/2011
2. OPDIV Name:  AHRQ
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  Pending
5. OMB Information Collection Approval Number:  0935-0143
6. Other Identifying Number(s):  Contract # HHSA-290-2007-10032-C, AHRQ-07-10032
7. System Name (Align with system Item name):  AHRQ Patient Safety Organization Privacy Protection Center (PPC)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Dr. Amy Helwig
10. Provide an overview of the system:  To support the Patient Safety and Quality Improvement Act (PL 109-41), the Patient Safety Organization (PSO) Privacy Protection Center (PPC) provides PSOs information on PPC services, submission formats and the ability to submit patient safety event information.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Name and address of PSO personnel seeking to submit data to the PSOPPC are submitted to an Identity Verification Provider for identity proofing.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Name and mailing address are collected and maintained for the purpose of identity proofing PSO personnel that will submit patient safety events to the PSOPPC.  PII is disseminated to an Identity Verification Provider.  Identity Verification Provider maintains PII for 14 days and then deletes.  Submission of the information is voluntary.

Information about patient safety events is collected and maintained to ensure the information has been contextually de-identified before submission to the Network of Patient Safety Databases.  Patient safety events may contain birth dates, gender, ethnicity, and medical notes.  PII is not disseminated and submission of the information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Registered Patient Safety Organizations must have a PSO Agreement on file before their personnel may register for an account on the PSOPPC Website.  These documents contain language which advises how PII will be used.  Should the need arise to change the usage or sharing of PII, the PSO Agreement will be updated and new agreements will be delivered to affected parties.

Individuals are given written notice.

Should the need arise to change the usage or sharing of PII, individuals will receive electronic notice on the PSOPPC Website as well as written notice.

Usage of PII submitted in patient safety events is governed by Patient Safety and Quality Improvement Act (PL 109-41).  Updates to the act would follow normal legislative notification processes.

Specific data collected is designated in the Common Formats and Technical Specifications.  Updates to the formats and specifications are posted on the PSOPPC web site.  PSOs are provided notification through a posting on the PSOPPC web site and via email notification.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  1.             Technical controls include but are not limited to:
a.             Authorized users: User passwords and a hard token-One Time Password Device for access to the secured areas of the website.
b.             Separation of duties, filters and parameters are set up in accordance with an approved configuration to enforce the security policy,
c.             Data back up on a daily and weekly basis, with the weekly tapes going off-site for storage.
d.             Destruction of electronic information, as appropriate, via sanitization of the systems holding the information.
e.             Audit of events initiated by each individual user, i.e., entry of UserID and password, program initiation, file creation, file deletion, file open, file close, and other user related actions,
f.              Audit trails identify the individual user initiating the event, date, and time the event occurred, success, or failure of each event, and location where the event was initiated,

2.             Physical controls include but are not limited to:
a.             Building access cards and ID badges are required in the main facility and only authorized personnel have access to the locked data center where the hardware used to process this system data is located.
b.             Security guards are present during working hours and off-hour visits are made by security personnel.
c.             CCTV is used for monitoring of the facility. 
d.             Back up media is stored offsite in a secure, climate controlled storage facility.
e.             Visitor process includes signing in and out, visitor badges and escorting of all visitors.
f.              Uninterruptible Power System (UPS) with a diesel generator back up to ensure ongoing system operation and an orderly shutdown when necessary.
g.             Power to the data center is separated from the power to the rest of the facility and additional HVAC with humidity controls is in place.
h.             Locked shred bins are utilized for document and media destruction and certificates of destruction are received from the bonded destruction company upon completion.

3.             Administrative Controls
a.             Procedural safeguards: Users must comply with terms of use on reinforce the confidentiality protection requirements, and the confidentiality policy is reviewed and signed on an annual basis.
b.             Security training and ongoing awareness programs, such as posters and newsletters
c.             Access controls, including termination procedures to ensure only authorized personnel have access to facilities and systems, commensurate with their job duties
d.             Review of system activity logs to monitor for issues, Risk Management plans to include Risk assessments, Security Plans, Continuity of Operations/Disaster Recovery plans
e.             Background and reference checks are performed on all IFMC personnel.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Ben Rollin
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Tim Erny
Sign-off Date:  12/19/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / AHRQ Portal System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  11/16/2011
2. OPDIV Name:  AHRQ
3. Unique Project Identifier (UPI) Number:  009-33-01-02-02-0030-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  AHRQ Portal System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Steve Bernstein
10. Provide an overview of the system:  The portal system is comprised the Extranet Website, the Public Website and a Search function that are all available from the internet.  The Extranet requires a username and password to logon.  The Public website and the Search function are available to anyone on the web.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Does not share IIF
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  1) Is only disseminated to peers working on the same content, and is not used for any other purpose.
2) Content management and system administration
3) Yes
4) Submission of this information is voluntary,

 

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  1) N/A
2) N/A
3) Information is never shared.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The system is hosted by Terremark’s Federal Group. Each datacenter operated by Terremark is a secure bunker, designed to provide public sector clients colocation space that meets standards for sensitive compartmented information facilities (SCIFs).
Inside each datacenter, a professional security staff maintains and operates sophisticated surveillance systems,
biometric scanners and secured areas for processing of staff, customers and visitors. Built to a power capacity of 160 watts per square foot, the NAP of the Capital Region accommodates today’s power requirements for high-density computing environments with 100% service level agreements on power and environmentals.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Michael Violante
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Tim Erny
Sign-off Date:  11/17/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / AHRQ SQI2 [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  5/9/2012
2. OPDIV Name:  AHRQ
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  AHRQ Support for Quality Indicators II
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Mamatha Pancholi
10. Provide an overview of the system:  The AHRQ SQI-II system at Battelle consists of five components: a public web site, documentation and software (SAS and Windows) posted on the website for download, a user listserv, user support via e-mail and telephone voicemail, and HCUP data. The web site contains no identifiable data. The web site contains documentation and software tools that users may apply to their own data.  The documentation and software implement specifications and risk-adjustment for the AHRQ Quality Indicators (AHRQ QI). Users with questions about the AHRQ QI specifications or software submit the queries and receive responses via the user support e-mail or telephone. Users may also sign-up for the listserv to receive notices of updates. All data elements that directly identify an individual have been removed in the HCUP data.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  The help desk support team includes staff at AHRQ and other contractors on this project
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The user support system and website are maintained as a public service to provide support to individuals interested in use of the AHRQ Quality Indicators and information on healthcare research and quality from our Agency. No personal information is collected by this Web site. Users of the Web site may subscribe to a mailing list (listserv) to receive official announcements regarding QI updates and software releases. Users of the system may seek individualized assistance through contact to the user support e-mail address or telephone support. Information is collected only by either subscribing to the listserv which collects name and email address or by requesting support. Support requests are made by sending an E-mail message requesting assistance from the AHRQ help system to the Web site mailbox or by calling the help desk voice mail. The information is used only to respond to the users request message or to fulfill the stated purpose of the communication. (ie. Listserv subscription or help desk support)
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  No processes are in place. The information is not to be shared now or in the future. For additional information please consult the privacy notice at http://www.ahrq.gov/news/privacy.htm.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Battelle has an AHRQ System Security Plan that addresses the NIST SP800-53 administrative, technical, and physical controls that are applied to this system. The system resides in a VLAN environment in an isolated segment that has been configured for compliance with FISMA controls.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Ben Rollin
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Tim Erny
Sign-off Date:  5/11/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

Back to top