HHS Privacy Impact Assessment (PIA) Summary

Question

Response

1

System:

CDC CCHIS Epidemic Information Exchange (Epi-X)

2

Is this a new PIA?

Yes

3

If this is an existing PIA, please provide a reason

for revision:

Alteration in Character of Data

4

Date of this Submission:

May 14, 2007

5

OPDIV Name:

CDC

6

Unique Project Identifier (UPI) Number:

009-20-01-02-02-0335-00 (009-20-01-21-02-1060-00)

7

Privacy Act System of Records (SOR) Number:

N/A - System does not constitute a "System of Records" under the

Privacy Act. IIF is not accessible to CDC and records are not

retrieved by IIF. See Question 30 comments.

8

OMB Information Collection Approval Number:

NA

9

Other Identifying Number(s):

NA

10

System Name:

The Epidemic Information Exchange (Epi-X)

11

System Point of Contact (POC). The System POC

is the person to whom questions about the system

and the responses to this PIA may be addressed:

Rossanne Philen

12

Provide an overview of the system:

Epi-X is CDC's secure, moderated, bi-directional method of

communicating outbreak and terrorist information to state and local

health departments, other Federal agencies and selected

international groups and organizations. It is also the preferred

method

13

Indicate if the system is new or an existing one

being modified:

Existing

14

Does/Will the system collect, maintain (store),

disseminate and/or pass through IIF within any

database(s), record(s), file(s) or website(s) hosted

by this system?

Yes

15

Is the system subject to the Privacy Act?

No

16

If the system shares or discloses IIF please specify

with whom and for what purpose(s):

System does not share or disclose IIF.

17

Describe in detail the information the agency will

collect, maintain, or disseminate and why and for

what purpose the agency will use the information:

The information is submitted by state, local and Federal health

officials using a secure, web-based reporting system. Epi-X uses

CDC Secure Data Network (SDN) to authenticate users. SDN

requires an authorized user to possess a Class II VeriSign digital

18

Describe the consent process:

The information is posted to the Epi-X website by local, state and

Federal health officials. These authorized users are required to read

and abide by the Epi-X Editorial Policy which delineates their roles

and responsibilities with regard to the use of E

19

Does the system host a website?

Yes

20

Does the website have any information or pages

directed at children under the age of thirteen?

No

21

Are there policies or guidelines in place with regard

to the retention and destruction of IIF?

Yes

22

Are there technical controls present?

Yes

23

Describe the IIF security controls:

Physical Access Controls: Guards, ID badges, key cards, CCTV .

The information is stored in a SQL database that resides behind the

firewall. The physical security where the servers reside requires

special CDC Security clearance to enter the room. Cleare

24

Sr Official of Privacy Signature:

Deborah Holtzman

25

Sr Official of Privacy Signoff Date:

August 18, 2006

PIA-HHS-Form

Report Date: 5/23/2007

Page: 2

Note on IIF: Any question about IIF seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it

is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily

or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or

other legislation. Note: If no IIF is contained in the system, please answer the remaining required questions, then promote the PIA to the Sr. Privacy

Official who will authorize the PIA. Note: If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature

and promotion.