Font Size Print Download Reader HHS Home|HHS News|About HHS

Health Resources & Services Administration Privacy Impact Assessments

06.3 HHS PIA Summary for Posting (Form) / HRSA BL Seamon CRM

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: Feb 24, 2009

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: -

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): TBA

5. OMB Information Collection Approval Number: TBD

6. Other Identifying Number(s): TBD

7. System Name (Align with system Item name): B L Seamon - Microsoft Dynamics CRM 4.0

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Duane Howard / Philip Boroughs

10. Provide an overview of the system: Microsoft Dynamics CRM 4.0 is a fully integrated customer relationship management (CRM) system. CRM is used to manage, verify and compile the Site and scholar contract data and track all correspondence through the Scholar placement cycle for the BLS/RTSC.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): NHSC/RTSC and BLS/RTSC staff regarding the clinicians in various stages of the placement and relocation cycle along with site contact detail.

The CRM is also used to verify sites eligibility status, as well as it keeps track of Site points of contacts address, telephone numbers, email addresses, UDS #, sites HPSA scores, and HPSA ID.

The data is mandatory to the RTSC.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: While there are administrative, technical, and physical controls in place, the system is undergoing its first C&A effort and the details of these controls will be defined as in place or planned.

Access to the BL Deamon Corporation NOC is limited to 6 individuals.

Users do not have physical and/or logical access to stored data unless a need-to-know is determined, based on job tasks.

There are 2 administrators that have access to the system and their access is limited to their job responsibilitites.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Zena Clare

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Steven R. Davis

Sign-off Date: Mar 4, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / HRSA BL Seamon Web Operations GSS

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: Feb 24, 2009

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: -

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): TBD

5. OMB Information Collection Approval Number: TBD

6. Other Identifying Number(s): TBD

7. System Name (Align with system Item name): BLS Web Operation GSS; (Fedmeetings.net, SVRE/NHSC Travel. NHSCRTSC.net/Vacancy Update Request

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Duane Howard

10. Provide an overview of the system: The system is the Web Operation of B L Seamon Corporation. The system hosts various web sites and services for HRSA:

Fedmeetings.net-

Fedmeetings.net is a password protected Web-based ColdFusion/SQL Server application that was created by BLS. The system provides BLS Conference staff and clients with real time conference data and reports pertaining to conference attendance, dates, registrant travel information, and conference location.

SVRE/NHSC Travel-

The purpose of the Site Visit and Relocation Web site is to provide real time information to clinicians, NHSC staff, NHSC/RTSC and NHSC/BLS staff regarding the clinicians in various stages of the placement and relocation cycle. This includes an accurate listing of scholars and scholar information for each placement cycle. The system allows the clinicians to peruse available sites, request site visits as well as relocations. In addition, the NHSC and RTSC placement advisors can review these requests and make approvals, review and track spending, etc.

NHSCRTSC.net/Vacancy Update Request-

This program is used to review current site vacancies and post new vacancies. System provides status of changes/no changes to vacancies and point of contact information. The information for this system lists the sites Uniform Data Service number, Site Address, Telephone number, Point of Contact information and the vacancies that are posted on the Job Opportunities List.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Yes

Fedmeetings.net-

The system provides BLS Conference staff and clients with real time conference data and reports pertaining to conference attendance, dates, registrant travel information, and conference location.

SVRE/NHSC Travel-

The system provides real time information to clinicians, NHSC staff, NHSC/RTSC and NHSC/BLS staff regarding the clinicians in various stages of the placement and relocation cycle.

NHSCRTSC.net/Vacancy Update Request-

This system is used by NHSC staff, NHSC/RTSC and NHSC/BLS staff to review current site vacancies and post new vacancies to the Job Opportunities List.

Fedmeetings.net-

The system provides BLS Conference staff and clients with real time conference data and reports pertaining to conference attendance, dates, registrant travel information, and conference location.

SVRE/NHSC Travel-

The system provides real time information to clinicians, NHSC staff, NHSC/RTSC and NHSC/BLS staff regarding the clinicians in various stages of the placement and relocation cycle.

NHSCRTSC.net/Vacancy Update Request-

Yes

Fedmeetings.net-

The system provides BLS Conference staff and clients with real time conference data and reports pertaining to conference attendance, dates, registrant travel information, and conference location.

SVRE/NHSC Travel-

The system provides real time information to clinicians, NHSC staff, NHSC/RTSC and NHSC/BLS staff regarding the clinicians in various stages of the placement and relocation cycle.

NHSCRTSC.net/Vacancy Update Request-

Yes

Fedmeetings.net-

The system provides BLS Conference staff and clients with real time conference data and reports pertaining to conference attendance, dates, registrant travel information, and conference location.

SVRE/NHSC Travel-

The system provides real time information to clinicians, NHSC staff, NHSC/RTSC and NHSC/BLS staff regarding the clinicians in various stages of the placement and relocation cycle.

NHSCRTSC.net/Vacancy Update Request-

This system is used by NHSC staff, NHSC/RTSC and NHSC/BLS staff to review current site vacancies and post new vacancies to the Job Opportunities List.

There are a minimum number of required fields in the system to provide a high level service and to meet program goals.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: While there are administrative, technical, and physical controls in place the system is undergoing its first C&An effort and the details of these controls will be defined as in place or planned.

Access to the B L Seamon Corporation NOC is limited to 6 individuals

Users do not have physical and/or logical access to stored data unless a need-to-know is determined, based on job tasks.

Currently there is a firewall preventing outside access to the data stored within the database.

IIF data is encrypted within the database

There are 4 administrators (Server, DBA, and WEB/Cold Fusion) that have access to the system and their access is limited to their job responsibilities.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Zena Clare

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Steven R. Davis

Sign-off Date: Mar 4, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / HRSA Bureau of Health Profession Performance Management System (BPMS)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Nov 13, 2008

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-06-01-1060-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-15-0060

5. OMB Information Collection Approval Number: 0915-0061; 0915-0233

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): HRSA Comprehensive Performance Management System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Roger Straw

10. Provide an overview of the system: The CPMS-UPR is a web-based data collection and reporting system. CPMS-UPR web-based system provides grantees online forms through the EHB system to supply BHPr with the required data to complete the Comprehensive Performance Management System (CPMS) Report and the Uniform Progress Report (UPR). The CPMS forms are used to measure outcomes of the Bureau's Title VII and VIII health professions nursing education programs. The UPR report summarizes the grantees' progress in meeting their grant objectives.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This information is not shared.

* Actual performance achieved compared to the goals expressed in the Annual Performance Plan,

* Reasons why a goal may not have been met, and

* Describe future plans and provide a schedule for meeting the goal.

CPMS collect the Social Security numbers of individuals to track their employment. Submission of SSN is voluntary.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) We notify the grantees of major system changes, as we have User Acceptance Testing when system changes are made.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Clients access CPMS data using secured sockets layers (SSL) and are required to specify https when attempting to connect with the application. CPMS also protects its data using two-tier virus protection on email servers, web-servers and workstations. CPMS also requires password complexity for access to the application. The system is housed in a government facility with physical controls. Access to the HEAL office space is controlled with a building pass card swipe scanner. In addition to agency-level training requirements, CPMS-specific training exists. The system also tracks those users that have accessed the CPMS with the following user authentication actions are logged:

• Acceptance of Rules of Behavior

• Rejection of Rules of Behavior

• Attempted/failed logins

• User lock-outs caused by excessive failed logins

• Password changes

• Successful logins

• Log outs

• Attempted concurrent logins

• Timeout followed by requests with expired session

• Successful Registration / Unsuccessful Registration

• User account termination

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Zena Clare

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Steven R. Davis

Sign-off Date: Nov 13, 2008

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / HRSA C.W. Bill Young Cell Transplantation Program (NBMDR)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 3, 2009

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: SEE COMMENTS (240-97-0036)

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-15-0068 (In the process of preparing a New Systems of Records notification)

5. OMB Information Collection Approval Number: 0915-0212

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): HRSA C.W. Bill Young Cell Transplantation Program

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Shelley Tims

10. Provide an overview of the system: NMDP uses its proprietary Search, Tracking, and Registry (STAR®) System as the critical system to collect donor and cord blood information, to manage and facilitate all patient searches, and to track detailed post-transplant clinical status. Data retention includes: donor demographic data, Human Leukocyte Antigen (HLA) typing data, search process data, Network center management data, and clinical outcome data.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The C.W. Bill Young Cell Transplantation Program shares medical information in an attempt to find matches, but does not share the associated information about the individual, and such information can not be obtained through other sources

HRSA does not collect, maintain or disseminate IIF. The contractor for the C.W. Bill Young Cell Transplantation Program does collect IIF including name, address, and phone numbers. It is optional whether donors opt to provide their social security numbers and/or email addresses. All IIF are used to assist in locating a potential donor if they are found to be a match for a patient in need of a life saving blood stem cell transplant.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The IIF is given voluntarily from persons who register as potential donors of blood stem cells. The individual information is correlated to blood samples of that individual.

NMDP obtains consent when potential donors first register with NMDP. NMDP contacts potential donors through phone or postal mail to re-obtain consent when their information is request to be used outside of the scope of the original consent granted.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Zena Clare

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Steven R. Davis

Sign-off Date: Nov 13, 2008

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / HRSA Children's Graduate Medical Education Payment Program (CHGME PP)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Feb 24, 2009

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-06-02-1320-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: 0915-0247

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Children's Graduate Medical Education Payment Program (CHGME PP) Database System (GME DS) and Web Application System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jill Schmid

10. Provide an overview of the system: The GME DS is a system that: 1) receives initial applications from hospitals that indicate the expected volume and complexity of services provided, 2) determines the initial allocation of available funds to hospitals, 3) issues award letters to the hospitals, 4) issues invoices to PSC that lead to monthly payments being made to the hospitals, 5) receives mid year reconciliation applications from the hospitals that finalize the volume and complexity of services, 6) recalculates the allocation of funds to hospitals, 7) issues revised invoices, 8) generates reports for the various parties involved, and 9) maintains records of these activities. In the past these activities were conducted manually. The hospitals sent their applications via the mail on a disc which uploaded their applications to the system. The new modifications allow the hospitals to apply for funds via the web based application. The web system has been implemented and went live in April of 2008. The new system has decreased the application process time in half. Auditors can also access the Web system to conduct their annual audit of hospital applications.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

The information collected is not personal information, the hospitals name, address and the amount of FTE’s are included in the application only. There is no financial information included in the application. The financial information and calculations are done on the GME DS that is housed on the server in HRSA and resides only on the H drive within BHPR. There is no personal information on the FTE’s being claimed.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No PII on this system

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Zena Clare

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Caroline Lewis

Sign-off Date: Nov 16, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / HRSA CIBMTR Stem Cell Therapeutic Outcomes Database (SCTOD)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? Yes

If this is an existing PIA, please provide a reason for revision: Not Applicable

1. Date of this Submission: Feb 24, 2009

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: N/A (See comments 240-97-0036)

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-15-0068

5. OMB Information Collection Approval Number: 0915-0310

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Center for International Blood & Marrow Transplant Research Systems

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Randy Gale (HRSA), Barbara McGary (CIBMTR)

10. Provide an overview of the system: The system collects and analyzes data on outcomes of allogeneic hematopoietic stem cell transplantation (HCT). The Center for International Blood and Marrow Transplant Research at the Medical College of Wisconsin is the contractor for the Stem Cell Therapeutic Outcomes Database component of the C.W. Bill Young Cell Transplantation Program. As the Government contractor, the CIBMTR-MCW will provide aggregated public information to increase availability, safety, and effectiveness of stem cell therapies. The CIBMTR-MCW will report to the Government regarding activity of the C.W. Bill Young Cell Transplantation Program and transplant outcomes.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The Stem Cell Therapeutic Outcomes Database system at CIBMTR-MCW shares the unique system assigned ID with respective individual transplant centers submitting patient outcomes data and with the contractor for the other components of the C.W. Bill Young Cell Transplantation Program (i.e, the National Marrow Donor Program). The purpose of this sharing is to track patient follow-up.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The system collects medical information, including disease, treatment and outcome data of patients receiving stem cell therapies. The CIBMTR-MCW system will provide analyses of this data for dissemination to clinicians, government agencies and the public. This information dissemination is intended to improve access to therapies and improve outcomes. This information contains IIF. Submission of the IIF items listed in Q 17 is mandatory to fulfill the statutory charge of the legislation governing the C.W. Bill Young Cell Transplantation Program (P.L. 109-129). Per the charge of the legislation and contract, this IIF is to be submitted to the SCTOD for all allogeneic hematopoietic stem cell transplants performed in the United States and all non-U.S. stem cell transplants using hematopoietic products facilitated by the C.W. Bill Young Cell Transplantation Program.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The unique patient identifier is used for communication with other components of the C.W. Bill Young Cell Transplantation Program and with centers submitting data. It does not link to other sources of personal information. (1) In its function as a Public Health Authority, CIBMTR-MCW will not be notifying or obtaining consent from individuals when changes occur in the system. (2) In its function as a Public Health Authority, CIBMTR-MCW will not be notifying or obtaining consent from individuals regarding the CIBMTR Recipient ID used in the Stem Cell Therapuetic Outcomes Database system. (3) The Stem Cell Therapuetic Outcomes Database system at CIBMTR-MCW shares the unique system assigned ID with respective individual transplant centers submitting patient outcomes data and with the contractor for the other components of the C.W. Bill Young Cell Transplantation Program (i.e., the National Marrow Donor Program). The purpose of this sharing is to track patient follow-up.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The IIF is protected in transmission by using secure protocols. Individuals with access to the system have a user ID and password. Only very limited IIF (mentioned at # 17) is collected and maintained in the SCTOD system. The critical dates in a recipient’s treatment and outcome history are necessary for performing the outcomes analysis required by the SCTOD contract. System generated unique recipient ID numbers are necessary as a communications link with the reporting transplant center for tracking long-term follow up. CIBMTR-MCW System directors participated in a NIST Risk Assessment to evaluate the impact of risk to the confidentiality, integrity and availability of the SCTOD information. The resulting Sensitivity Score led the CIBMTR to apply the Moderate Baseline to the Management, Operational and Technical System Security Controls defined in NIST 800-53. CIBMTR policies are in place for these controls and the HRSA OIT System Test and Evaluation was performed in July 2008. Complete HRSA OIT C&A is anticipated by November 15, 2008.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Zena Clare

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Steven R. Davis

Sign-off Date: Mar 4, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / HRSA Division of Transplantation Research Information System (DTRIS)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: May 26, 2009

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-15-0055

5. OMB Information Collection Approval Number: 0915-0157

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): Division of Transplantation Research Information System (DTRIS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Mesmin Germain

10. Provide an overview of the system: The Organ Procurement and Transplantation Network was established by the National Organ Transplant Act of 1984 (NOTA), and the HRSA Division of Transplantation (DoT) has been designated by the Secretary of the Department of Health and Human Services to administer the program.

The OPTN collects pre- and post-transplant clinical information of patients on the national patient waiting lists and living organ donors, histocompatibility information on donated organs, and records of matches run between donated organs and waiting list patients. This information includes SSN, names, and state of residence for patients and included additional address and contact information for living donors. This information has been collected in various forms since the inception of the OPTN in 1988.

This information is collected as a function of the OPTN process of matching donated organs to potential transplant recipients. The OPTN is the only system in the country that serves this function for heart, liver, lung, kidney, pancreas, and intestine transplants.

HRSA, the OPTN, and HRSA contractors qualify as “public health authorities” for the purposes of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulation, “Standards for Privacy of Individual Identifiable Health Information” (Privacy Rule), 45 CFR Parts 160 and 164. Under 45 CFR 164.512, a “covered entity” may disclose an individual’s protected health information without the individual’s written consent or authorization when such a disclosure is made to a “public health authority” that is authorized by law to collect information for the purpose of preventing or controlling disease, injury, or disability. Given the legal authority and mandate of the OPTN, it has been determined that a “covered entity” may disclose certain individually identifiable health information to the OPTN without written consent or authorization of the individual, when the disclosure furthers the OPTN’s statutory purposes and functions.

Information is collected by OPTN member transplant centers and organ procurement organizations (OPO) and is then submitted to the OPTN system for matching. Submission of this information to the OPTN is mandatory for OPTN member transplant centers and OPOs. The collection of this information from individuals takes place at OPTN member transplant centers and OPOs. Concern about individual information included in the OPTN data set may be sent to the OPTN contractor, which would then contact the relevant OPTN member to make any corrections or changes that would be appropriate. The OPTN does not have direct communication with patients.

The data collected by the OPTN are also used for analysis by HRSA Division of Transplantation (DoT) and HRSA DoT contractors, such as the Scientific Registry of Transplant Recipients (SRTR), and are also shared through approved data use agreements with other Federal agencies such as the Centers for Medicare and Medicaid Services (CMS) and the National Institutes of Health (NIH). HRSA regularly reviews the data collection processes of the OPTN, including linkages of the OPTN data set with other data bases for purposes of validation and enhancement, and confirms that it meets the criteria of the Common Rule for exemption of IRB oversight under the Public Benefit and Service Program provisions of 45 CFR 46.101(b)(5).

HRSA DoT is responsible for monitoring the effectiveness of organ transplantation in the United States based on the OPTN Final Rule 42 CFR Part 121. DoT meets this responsibility by maintaining the HRSA DoT Research Information System (DTRIS). The DTRIS is a HRSA computer system that is used to perform statistical research on the effectiveness of organ transplantation in the United States. It includes all of the information collected by the OPTN in the process of matching donated organs to potential transplant recipients. Although these OPTN data are analyzed by HRSA contractors for t

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) HRSA, the OPTN, and HRSA contractors qualify as “public health authorities” for the purposes of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulation, “Standards for Privacy of Individual Identifiable Health Information” (Privacy Rule), 45 CFR Parts 160 and 164. Under 45 CFR 164.512, a “covered entity” may disclose an individual’s protected health information without the individual’s written consent or authorization when such a disclosure is made to a “public health authority” that is authorized by law to collect information for the purpose of preventing or controlling disease, injury, or disability. Given the legal authority and mandate of the OPTN, it has been determined that a “covered entity” may disclose certain individually identifiable health information to the OPTN without written consent or authorization of the individual, when the disclosure furthers the OPTN’s statutory purposes and functions.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Operational controls:

Access to the DTRIS Database is restricted to three people via a valid User-Id and password. The workstation hosting the DTRIS is not available via any network.

Physical security of the Parklawn Building, including security guards for limiting access, as well as monitoring environmental including smoke and fire alarms is provided by the Government Services Administration (GSA).

The workstation is located in a secured room with cipher lock access. Because it is not connected to any network or other computers, no firewall is needed.

Physical Controls:

The CD-ROMs and DLT tape cartridges are received via courier and are kept in a locked room. Access to the data is limited to three individuals.

The data is kept on the hard disk of one workstation, in a locked room. The workstation is not connected to the network. No data is

transmitted directly from the workstation. No IIF is printed from the DTRIS; analytical output is copied to diskette, and printed outside the secured area of the DTRIS.

The data is not backed up for contingency purposes. In the event of a disaster, the authorized user will obtain another copy of the data from the OPTN.

Technical controls:

The DTRIS use Windows 2000 Server login capabilities for User ID and Password verification.

No access controls, outside of Identification and Authentication (I & A) are being implemented by the operating system.

The DTRIS is not accessible via any network. Since the DTRIS is a stand-alone workstation, no technical Public Access Controls are in place.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Zena Clare

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Steven R. Davis

Sign-off Date: May 26, 2009

Approved for Web Publishing: -

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / HRSA Electronic Handbooks (EHB)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Nov 13, 2008

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-06-01-1060-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): HRSA Electronic Handbooks

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Nancy McGinness

10. Provide an overview of the system: HRSA EHBs serve as a tool to ensure that the grants are managed efficiently and in compliance with mandated agency-wide and federal policies, procedures and legislation. Currently it provides automated support for Planning/Solicitation, Submission, Award and Negotiation phases in the grants office, program office, financial office and external organizations. HRSA EHBs has recently been enhanced to support Review and Selection and Project Management. Additional Post Award Functions supporting Project Management and Closeout as part of the grants management lifecycle are scheduled future enhancements.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF in the system.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The entity -related information may be collected directly from the individuals making application over the Internet or by paper submissions. Applicants are told that this information becomes public knowledge upon grant award. Through the system users are made aware of changes during the grants applications process.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: There is no IIF in the EHB. However, general systems controls include the following: EHB provides data protection and integrity by determining whether the value of the field is within an acceptable range or has an acceptable format (i.e. zip code needs to be 5 digits long) and determining whether interrelated fields satisfy the corresponding constraints (i.e. a zip code should be consistent with the state). Anti-virus protections are also in place for example • Virus definition updates are performed at least bi-weekly by DNS

• Full system scans are performed automatically on a weekly bases

• Real-time file system scanning is enabled EHB also provides internal users are given a system ID when requested by their supervisor and approved by the System Owner. The internal system user establishes his/her individual password that is used for authentication. The system uses strong encryption for all communications (HTTPS) from the time the user logs on until they log off. EHB also has a complex password policy in order for users to login.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Zena Clare

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Steve R. Davis

Sign-off Date: Nov 13, 2008

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / HRSA Enhancement/Maintenance and Development of the Application Submission and Processing System (ASAPS)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Feb 24, 2009

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-02-00-02-1370-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-15-0066

5. OMB Information Collection Approval Number: Per Susan Queen - N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Enhancement/Maintenance and Development of the Application Submission and Processing System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Debra A. Hammond

10. Provide an overview of the system: To help facilitate the submission of applications and processing review, Office of Shortage Designation (OSD) has installed an electronic database designed to streamline the application process and create standards and efficiencies in the application review. There will be approximately 60 State and U.S. territory users and 20 SDB users.

The installed electronic database is known as the Application Submission and Processing System (ASAPS). It is based on Geographical Information System (GIS) software that utilizes maps, distance measurements, populations levels and sequential data to determine rated factors necessary for determining if an area, population or facility can be designated. ASAPS is a database available to State PCOs and OSD staff. It is Internet based, operates on Windows operating system and Microsoft SQL server and utilizes the Environmental Systems Research Institute (ESRI) ArcIMS (Internet Map Server) software. The server is in a secured environment at the HRSA offices in the Parklawn building in Rockville, MD.

ASAPS will serve map data dynamically via the Internet and Intranet to support business processing. For example ASAPS will:

- Clearly visualize geographic areas to be designated

- View service area or planning alternatives

- Correlate critical demographic information with specific locations

- Evaluate the location and suitability of health resources

- Access detailed information about providers and facilities

- Access data layers defined by user to allow use of dynamic data.

ASAPS allows geographically dispersed users to access geographic data stored at HRSA and use this data in a business software application. The product of the software - an application for shortage designation - is then transmitted to OSD where it can be reviewed for accuracy.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Provider data is shared with the associated State Primary Care Offices to accurately identify underserved areas of the United States and its territories.

Individual record data provides individual providers, not only to counties, but also to the subcounty service areas. Data on actual time spent providing health care to patients is utilized to estimate the actual level of services available in these areas.

It is also important to obtain name data for providers for the use in resolving conflicts between national and State or local data that may arise in designation determinations. Identifiers such as UPIN are extremely useful for use in comparing databases, such as unduplicating with lists of National Health Service Corps and Community Health Center providers.

State data provided to OSD will be a significant part of the overall database used for determining population-to-provider ratios for shortage designation purposes. The states obtain this data from the state licensure boards.

The submission of IIF to the states is voluntary.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Data Use Agreement between HRSA and State Primary Care Office specifies that the states provide IIF to the system. It does not collect IIF directly from individuals so it does not notify individuals when there are major changes to the system. It does not notify individuals how their IIF is going to be used.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Provider data is only available to the associated State Primary Care Office. Only the database administrator has privileges to update, delete, or override provider database. The system uses SSL and encryption. Also used is Data Integrity/Validation Controls, documentation, Security Awareness and Training, Identification and Authentication, logical access controls, and audit trails.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Zena Clare

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Steven R. Davis

Sign-off Date: Mar 4, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / HRSA eRoom

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Feb 24, 2009

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-09-02-1360-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): eRoom

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Alice Kroliczak

10. Provide an overview of the system: eRoom is a COTS product designed to provide secure spaces (called eRooms) to support collaboration efforts.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

No IIF on the systems covered in this assessment

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Zena Clare

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Steven R. Davis

Sign-off Date: Mar 4, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / HRSA General Support Systems (GSS)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Nov 13, 2008

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-02-00-02-1080-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): HRSA OIT General Support System (GSS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Lynn Dennie

10. Provide an overview of the system: Provides common connectivity and file and print services.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Security controls for this system include redundant Cisco firewalls; redundant intrusion monitoring systems including Securify and Proventia; 24x7 monitoring of the perimeter defenses; antivirus systems with automatic updates for both workstations and servers from McAfee and Symantec; Ad-aware anti-spyware software; and routine certification and verification activities. Access is limited to those requiring access to the system and is protected by username/password controls with enforced complexity requirements. Physical controls include card reader access to authorized individuals and cameras for monitoring and recording Data Center activity.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Zena Clare

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Steven R. Davis

Sign-off Date: Nov 13, 2008

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / HRSA Geospatial Data Warehouse

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Feb 24, 2008

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-09-02-1350-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): HRSA Geospatial Data Warehouse

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Terri Cohen

10. Provide an overview of the system: The HRSA Geospatial Data Warehouse is a publicly-available reporting tool available to all users on the Internet. It provides a single point of access to HRSA programmatic information, related health resources, and demographic data. This promotes information sharing, collaboration, and provides government-to-government, government-to-business and government-to-citizen services that have significantly improved both the efficiency and effectiveness of the agency in delivering its mission.

The result is uninterrupted global access to comprehensive, current data on HRSA programs, the majority of which focus on improving access to care for underserved people, and key health markers.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF is shared.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: We do not collect any IIF information. The HGDW disseminates information at summary and aggregated data from other sources. The data being made available consolidates and integrates data from over ten system sources, and databases (including EHB, NIS, BCHDANet, offline Excel spreadsheets, and outside Agencies and vendors) into a single repository. This eliminates the need to develop and maintain separate reporting functions for each HRSA data system, thereby reducing the overall hardware, software, and FTE burden on HRSA; makes data and information regarding HRSA's activities available to all, over the Internet without requirements for passwords and user ids, using web browsers only (no special software or skills are required); promotes information sharing and collaboration among HRSA staff, HRSA partners, state and local health planners and policy makers, and stakeholders; promotes and enhances understanding of the data by putting the information in a broad geographic and demographic context; provides both text-based and visual output (in the form of interactive maps), which facilitate greater understanding of the information and the interrelationships between data sets; provides detailed metadata about the composition, meaning, and derivation of HRSA's data.

With regard to name, dob, or SSN for question 17: NO PII is maintained on the system except for grant/grantee POC information this is stripped out during processing KTA. No personal information or privacy protection is circumvented in any way.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Any IIF received is first stripped from the data automatically is not saved in the HGDW.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: PII is stripped from the data when we receive it and it is not stored.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Zena Clare

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Steven R. Davis

Sign-off Date: Mar 4, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / HRSA Health Education Assistance Loan Program (HEAL HOPS)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Nov 13, 2008

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-06-02-1040-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-15-0044

5. OMB Information Collection Approval Number: 0915-0036 (extension date request at OMB)

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Health Education Assistance Loan Program (HEAL) Online Processing System (HOPS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Judy Rodgers

10. Provide an overview of the system: HOPS is an automated system that tracks and maintains HEAL-related loan information. HEAL information consists of: Borrowers; Loans; Claims; Litigations against defaulted loans; Lenders; and Educational Institutions receiving loan funds. Loan servicing organizations use HOPS information to update and verify the accuracy or status of loan guarantees.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Loan Servicer personnel for verification of loan data. HEAL and Division of Financial Operations staff to process claims and claim payments.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The purpose of the system is 1) to identify students participating in the HEAL program 2) to determine eligibility of loan applicants and to compute insurance premium for federal insurance 3) to monitor the loan status of HEAL recipients, which includes the collection of overdue debts owed under the HEAL program 4) to compile and generate managerial and statistical reports 5) process claims and 6) produce an annual report that contains aggregate information but no individual borrower can be identified in this report. The categories of records in the system contains name , SSN, birth date, demographic background, educational status, loan location and status, and financial information about the individual for whom the record is maintained, lender and school identification. Disclosure of the applicant’s SSN is mandatory for participation in the HEAL program as provided for by Section 4 of the Debt Collection Act of 1982. Submission of PII is mandatory Applicant Form HRSA-700 states the SSN will be used to verify the identity of the applicant and as an account number throughout the life of the loan to record necessary data accurately. Applicants are advised that failure to provide his/her SSN will result in the denial of the individual to participate in the HEAL program.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The HEAL Program obtains PII only from the HEAL Servicers and does not obtain PII directly from individuals. The PII information is used for identification when the program receives claim submissions. Section 709(c)(2) of the Act is directed that HHS may release information on borrowers excluded for Medicare and Medicaid to relevant federal agencies, schools, school associations, professional associations, state licensing board, hospitals that borrowers are associated with and other relevant organizations. We can release defaulters name, SSN, last known address, name and location of school attended and amount of debt. To find out if the system contains records about an individual the system manager is contacted by a request in person that requires at least one tangible identification card; or request by mail containing the name and address of the requester, birth date, at least one tangible identification card, and signature.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: HEAL-HOPS was recertified and accredited in June 2006. HEAL relies on network security controls provided by the HRSA GSS. The system uses strong encryption for all communications (HTTPS) from the time the user logs on until they log off. Usernames and passwords are sent encrypted as well as all data transferred during the session. This is accomplished using Secure Sockets Layer (SSL) technology. PII data fields in the HOPS system are encrypted while the data is at rest. The system is housed in a government facility with physical controls. Access to the HEAL office space is controlled with a building pass card and cipher locks. PII is transmitted to HRSA using encrypted, secure protocols. The concept of "least privilege" provides users a minimal set of system access rights based on their role. Access to additional resources or information is granted upon approval by the resource owner (supervisor). Unique UserIDs and passwords permit only authorized users to access the system. Select users are individually assigned write, create and update privileges to loan data based on their functional role. Accounts are reviewed annually to ensure that least privilege is granted, and roles and responsibilities have not changed. OIT provides connectivity to the HRSA LAN access to the HEAL-HOPS System by authorized Internal Users, and by authorized Internet Access for External Users. There is no information available for use by the general public. An "inactivity time out" capability disables unattended computers to prohibit unauthorized access to PII. All authorized system users agree to the systems "Rules of Behavior" during the log in process. PII data fields in HOPS are now encrypted while the data is at rest. The Statement of Work (SOW) provides guidance for contractors to comply with HEAL-HOPS security requirements. The contractor shall comply with existing federal and departmental laws, regulations, and requirements. All contractors and federal users are now required to sign a Rules of Behavior agreement approved by the HRSA /OIT security section.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Zena Clare

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Steven R. Davis

Sign-off Date: Nov 13, 2008

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / HRSA Integrated Clearinghouse System (ICS)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Feb 24, 2009

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-09-02-1400-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-15-0067

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): HRSA Information Center

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: David Bowman

10. Provide an overview of the system: The system is used by people requesting information to be sent to them from the HRSA Information Center. It collects information about what is being ordered and where and to whom to send it.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Designated project staff and relevant/appropriate HRSA staff. The purpose information might be shared amongst HRSA IC phone ordering staff/supervising HRSA staff is to ensure good customer service. Only the name, address, and phone number (voluntarily supplied by callers/web requesters) given at the time of order is kept for a period up to 1 year to ensure that if a person calls back with questions about their previous orders, our Information Specialists are able to identify them and assist them in getting the materials they want

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The information is collected from requestors by information specialists or requestors voluntarily entering the information on a Website for ordering materials. Requestors voluntarily provide contact information for the mutually expressed purpose of making it possible for the Information Center to send (and when appropriate, follow up on) requested materials, and for the requestor to receive them.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Policies are place which limit the retention of personal information from individuals who obtain publications at the HRSA Information Center to a one-year period, after which this information is purged from the database on which it is housed. The information is collected from requestors by information specialists or requestors voluntarily entering the information on a Website for ordering materials. Requestors voluntarily provide contact information for the mutually expressed purpose of making it possible for the Information Center to send (and when appropriate, follow up on) requested materials, and for the requestor to receive them. Note that this information is captured and kept for this period of time to better address customer issues, including previous requests for order information, and to correct customer orders (return mail, etc.) This information is kept secure by means of several technical and physical security safeguards and procedures, including: key card access is required for all employees to physically access the server on which the information is stored; employee access to the system is controlled and protected by requirements that include having a proper user id and password; while the system itself resides in a secure environment protected by firewall and an intrusion detection system. The contractors also review security logs on a regular basis.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Zena Clare

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Steven R. Davis

Sign-off Date: Mar 4, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / HRSA National Health Service Corps Information Systems/Stipend Payroll Financial System (LYCEUM)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Mar 30, 2009

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-06-02-1420-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-15-0037

5. OMB Information Collection Approval Number: 0915-0127 (exp. 10/31/10) and 0915-0278 (exp. 12/31/09)

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): National Health Service Corps Information Systems/ Payments Management System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Diane E. Culkin

10. Provide an overview of the system: The SPFS is an application whose mission is to calculate, maintain and process stipend payment data for the 1000+ scholars of HRSA. The system maintains supporting data for its stipend, tuition, accounting and tax functions, EFT banking, contact, education, financial and program information. The SPFS is located in a secure collocation facility at Verizon, Ashburn, Virginia. A redendant backup of the system is located at Verizon, Richardson, Texas. The Verizon facilitites are occupied by Verizon employees and contractor personnel, and are not open to the general public. The financial management system is crucial to HRSA's ability to pay scholars and support them throughout their time in school as part of this program.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Output data to make financial payments flows to the Treasury via an ACH file. Financial payment information flows to the DHHS Program Support Center via a Form 650 data file format for entry in the CORE, and subsequently UFMS, financial management systems.

The information collected contains IIF and the submission of personal information is mandatory in order to effect payment of the scholarship.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The Government will provide the initial data load and all data input of changes and additions to scholar and institution payment source documents such as Direct Deposit and W-4 information. When scholarship awards are made, data will be transmitted via flat file. Upon completion of a scholarship application, all prospective students are informed that their personal information shall be used in the determination of scholarship award, and subsequent payment of stipend, tuition and other reasonable costs. Individuals not consenting to such notices simply opt out of the scholarship opportunity. These individuals are not notfiied of system changes as they do not pertain to the scholars but to the administrators of the system.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: - All personnel with production access undergo a background check and will only be provided access to the production systems when it is necessary to complete their tasks.

- All data transmitted to/from the network is protected. Data is first encrypted using the triple-DES (online banking) standard, and then transmitted through secure network communication links. Data is held in its raw format on the hard drives, while passwords are encrypted.

- Data is retained through Continuation of Operations Procedures (COOP). Backup versions of data will be supported through a redundant, geographically removed, asynchronously replicated backup installation. Procedures for the activation of the backup installation will be documented and backup activation exercises will be performed semi-annually.

To implement this payroll, Lyceum designed and erected security boundaries around the payroll model, operations, data, users and interfaces using several mechanisms:

- Partition ID - the HRSA Payroll Model is partitioned to allow only HRSA registered users access to HRSA system elements. Access to the HRSA Payroll Model is eliminated for any Lyceum users operating within the Base Payroll Model. Elements within the HRSA Payroll Model will simply not appear for any non-registered users.

- Agency Role - The HRSA payroll has five (5) separate payee classes from administrator to self-service user which define the computations, views and other functionality that the user has access to. The HRSA Systems Administrator has assigned which registered users may access which policy elements within the HRSA Payroll Model.

- User ID - Within the user community, user identifications limit the access of registered users to data elements of colleagues within other departments, or tiers of the organization.

- Session ID - Each user session is identified and logged to enable tracing in the future. Transactions are captured, time-stamped and logged by user for later analysis in the event of a security breach from within the organization.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Zena Clare

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Steven R. Davis

Sign-off Date: Mar 4, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / HRSA National Practitioner Data Bank/Healthcare Integrity and Protection Data Bank (NPDB/HIPDB)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Nov 13, 2008

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-06-01-1010-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-15-0054 -- NPDB SOR 09-90-0103 -- HIPDB SOR

5. OMB Information Collection Approval Number: NPDB: 0915-0126, HIPDB: 0915-0239

6. Other Identifying Number(s): date above is for NPDB 0915-0126, HIPDB 09-90-0103 -- 10/31/2010

7. System Name (Align with system Item name): National Practitioner Data Bank (NPDB) and Healthcare Integrity and Protection Data Bank (HIPDB)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Darryl Gray

10. Provide an overview of the system: The NPDB provides a nationwide database that makes adverse information on physicians, dentists, and other health care practitioners available to health care entities, hospitals, professional societies, and State licensing boards. The HIPDB is a national database that provides information on health care related convictions and judgments, licensure actions, exclusions from government programs and other adjudicated actions. The NPDB-HIPDB co-exist as one integrated processing system

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The NPDB/HIPDB program shares information with the Registered Entities in accordance with Congressional mandate and Federal law. Federal law also mandates the disclosure of the information to specific user groups. The Data Banks uses PII to uniquely/personally identity and match a report to a specific physician, dentist, or other practitioner.

Why We Collect Your Personal Information:

-Information is vital to the existence of the Data Banks. Without collecting the information contained in the Data Banks our mission could not be fulfilled. This information facilitates the tenants of our mission, including protecting the public and providing quality health care.

-We do not use the information for any other secondary purpose.

-We only collect the information necessary to fulfill our mission. No other information is collected.

What personal information we collect:

We only collect enough information to serve the mission of the Data Banks. We collect the following personal information on subjects of NPDB and HIPDB reports and queries.

-Name

-Date of Birth

-Social Security Number

-Mailing Addresses

-Phone Numbers

-E-mail Addresses

-Education Records

The information must identify the specific practitioner and is not voluntary.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The NPDB provides a nationwide database that makes adverse information on physicians, dentists, and other health care practitioners available to health care entities, hospitals, professional societies, and State licensing boards. The HIPDB is a national database that provides information on health care related convictions and judgments, licensure actions, exclusions from government programs and other adjudicated actions. These entities are required to report information to this database, and the individual that is the subject of the report has the ability to receive a copy of the file. Data is shared only with the Registered Entities, and new entities are investigated before receiving access.

We communicate via data Bank Correspondence, quarterly Newsletter, Informational Web Site Postings, and User Review Panel meetings.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: NPDB/HIPDB was recertified and accredited in August 2007, including a Privacy Impact Assessment (PIA). NPDB/HIPDB relies on network security controls provided by the contractor managed off-site GSS. The NPDB/HIPDB implements firewalls, network and host base intrusion detection to secure its facilities. Boundary entry points are controlled by firewall rules and protected by Intrusion Detection Servers to prevent unauthorized access. All traffic to the NPDB-HIPDB web servers is encrypted using 128-bit SSL in the production environment. The NPDB-HIPDB system uses pay.gov to process credit card transactions. It is an Internet system where the NPDB-HIPDB originates Secure Hyper Text Transfer Protocol (HTTPS) requests for billing and receives HTTPS responses.

The IIF is secured through the use of a secure commercial facility, and transmission lines.

The NPDB-HIPDB system supports external (end-user) and internal user groups that are controlled by permissions, rights, and level of access.

Employees of the covered entities are advised of the legal consequences of misuse of NPDB/HIPDB information. NPDB-HIPDB personnel (internal users) are briefed on the sensitivity of NPDB-HIPDB information and the requirements for its protection. Prior to gaining access, employees are required to sign the NPDB-HIPDB Non-Disclosure Statement, acknowledging understanding of their responsibilities and consequential penalties for non-compliance. External users (customers) are required to sign registration forms before they are granted access to the system. Upon accessing the web site, users are also informed, via sign-on warnings, that unauthorized use can subject the user to fine and imprisonment under Federal Statute. The contractor shall comply with existing federal and departmental laws, regulations, and requirements.

Physical access controls such as cipher locks, man traps with biometric scanners, badges, etc. in place.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Zena Clare

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Steven R. Davis

Sign-off Date: Nov 13, 2008

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / HRSA Nursing Information System (NIS)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Nov 13, 2008

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-02-02-1070-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-15-0037; 09-15-0038

5. OMB Information Collection Approval Number: NELRP OMB 0915-0140; NSP OMB 0915-0301

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Nursing Information System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jerry Locklear

10. Provide an overview of the system: The Nursing Information System (NIS) provides automated support for the Nursing Education Loan Repayment Program (NELRP) including submission and processing of approximately 4,000 on-line applications yearly. The system is to provide a program-wide case management capability allowing the tracking of the status of NELRP applicants and participants from initial electronic application submission, associated applications evaluation, ranking and obligation of awards or disposition of unfunded applications, through completion of each participant's service contract. It is to support an electronic case file for full automation of participant requirements including submission of 6 month employment verification forms and the processing of the optional third year amendment applications. The system provides access to portions of the database to enable work required in the external environment for applicants/participants and in the internal environment for application and case management processing by NELRP staff, the HRSA Call Center, a processing support contractor, and the Legal and Compliance Branch.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): HRSA OIT for the HGDW. The original IIF is found only in NIS. Some systems share information provided by NIS, but since NIS is the source of the data the information is compelled to match. It should be mentioned that the most sensitive information is not passed on to other systems (passwords, SSNs, etc.)

The Bureau of Clinician Recruitment and Service, HRSA currently has the functionality within the NIS application to process applications for the Nursing Scholarship Program (NSP). The current process collects the application data via a web based front end provides a process for staff to edit and manage the data. The data contains mandatory personal information related to the applicant, ssn, address, and school information.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Prior to actually registering individuals are asked to read the rules or behavior, non disclosure, and Acceptable Use Policy posted on the site. They can only proceed into the system if they choose the "I ACCEPT" button on the screen which allows them to move forward. If individuals choose not to accept, then they are returned to the general information screen. This is a field that is stored in the database. Since this system is based on cycles, the data field is checked for each new cycle year and forces them to re-acknowledge/reaccept.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The NIS consists of a multi-tier architecture using the Windows 2003 Advanced Server Operating System with a web-based front end, a second tier of application servers, and a third tier of Microsoft SQL Server 2005 database to store the data.

Applicants and Vendors access the system via the Internet, and register for a login and password to ensure that responsibility for data can be attributed to an individual.

HRSA employees (and vendors/contractors) have access to NIS through the HRSA intranet and can also access the system through the Internet when working out of the office.

Communications between system components use the TCP/IP protocol. Applicants and vendors must use approved COTS web browsers (Microsoft Internet Explorer version 6.0 and Netscape version 6.2 or a high version) to communicate with the NIS system web servers via secure http (https) using web server digital certificates and strong encryption (128 bit) to protect data. Internal users are currently using Internet Explorer 6.0 or higher.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Zena Clare

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Steven R. Davis

Sign-off Date: Nov 13, 2008

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / HRSA OPAIS 340B Database

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Feb 24, 2009

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-06-02-1450-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): HRSA Office of Pharmacy Affairs Information System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jae Choi

10. Provide an overview of the system: The Office of Pharmacy Affairs Information System (OPAIS) consists of a Public Website containing databases for 340B Covered Entities, Manufacturers, and Contract Pharmacies.

The 340B Public Website is an Application that stores information on the Covered Entities, Contracted Pharmacies, and Manufacturers which are participating in the 340B Drug Discount Program. This information is for public dissemination most especially for Manufacturers and Wholesalers who reference the 340B Public Website to check if a Covered Entity or Contracted Pharmacy is participating in the 340B Drug Discount program and eligible for discounted prices. The Public Website supports approximately 12,000 public users who query the system for information, 300-400 public users who log into the system to verify their address information, and approximately 20 administrative users who log into the administrator section of the site for record entry and maintenance purposes. The Public Website is located on two servers (a database and web server) at HRSA OIT headquarters in Rockville, MD. HRSA OIT is responsible for the backup and maintenance of both servers.