
National Institutes of Health Privacy Impact Assessments - Page 1


 

06.3 HHS PIA Summary for Posting (Form) / NIH CC 4D Mac Platform [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/25/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  Not Applicable
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  NIH CC 4D Mac Platform
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin, 301-496-4240
10. Provide an overview of the system:  CC 4D Mac Platform is comprised of multiple separate applications using a software suite called 4D.  4D is an integrated development platform - a single product comprised of the components needed to create and distribute professional applications. The CC has 3 systems developed on the 4D Mac  Platform that are included in the boundary of this GSS.  The CC systems are NIH CC Protocol Tracking (PROTRAK), NIH CC Medicolegal Request Tracking System (MRT) and NIH CC Medical Staff Credentialing Processes (SACRED.)  The systems support administrative functions of the Clinical Center.  Details about the individual systems listed are available in the system's Privacy Impact Assessment.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  This is a GSS for the 4D Mac Platform and does not collect, maintain or disseminate PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Not Applicable - No PII is collected, stored or processed.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  No PII is collected, stored or processed.  Details on the administrative, technical, and physical controls are not required for the CC 4D Mac Platform GSS.  The controls for applications that do collect, store or process PII within the boundaries of the 4D Mac Platform are covered by separate system Privacy Impact Assessments (PIA).
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin: CC Privacy Officer, 301-496-4240, smartin@cc.nih.gov
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC Admissions and Travel Voucher Application [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/28/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0099
5. OMB Information Collection Approval Number:  Not Applicable
6. Other Identifying Number(s):  None
7. System Name (Align with system Item name):  Admissions and Travel Voucher Application (ATV)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin
10. Provide an overview of the system:  This is an ancillary application which works with the CRIS system allowing research teams to register new patients, submit admission requests, update patient demographics and submit travel requisitions and payments.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Shares reports containing patient names, demographics and travel dates with Omega travel agents so that travel arrangements can be made.  Additionally shares reports containing patient names, demographics and travel requests with Chief of Ambulatory Care Services  to approve reimbursement of travel expenses.  Information sharing is in accordance with SORN 09-25-0200.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Legislation authority is the Public Health Service Act. (42 U.S.C. 241, 242, 248, 281, 282, 284, 285a, 285b, 285c, 285d, 285e, 285f, 285g, 285h, 285i, 285j, 285l, 285m, 285n, 285o, 285p, 285q, 287, 287b, 287c, 289a, 289c, and 44 U.S.C. 3101.)  The information collected is name, date of birth, social security number, mailing address, phone number and medical record number.  This information is used to register individuals as participants in clinical trials and to assist in providing travel arrangements for those individuals and provide reimbursement.  Information is disclosed to travel agents to assist in making the necessary travel arrangements.  Information submission is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  The CC Information Practices Notice is provided to each patient when initially registered and admitted to the Clinical Center.  Each patient would be advised at the time of admission about major system changes and the CC Information Practices Notice would be revised and provided to each patient.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The system and all contained data are protected using administrative, technical and physical security controls.  The system is physically  located behind locked doors, monitored by CC TV and Systems Monitoring staff in attendance around the clock. Additionally, the system is behind the NIH, CC and CRIS firewalls.  Access to PII and privileges are based on user's assigned roles.  Authentication with NIH PIVcard will occur at the time of login to the CC network via CC CASPER for remote users.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin, CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC Automated Medication Dispensing (Omnicell)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  8/2/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  009-25-01-05-02-3097-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0099
5. OMB Information Collection Approval Number:  Not Applicable
6. Other Identifying Number(s):  None
7. System Name (Align with system Item name):  CC Automated Medication Dispensing (Omnicell)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin
10. Provide an overview of the system:  The system automates the Pharmacy Dept's ability to manage and dispense medications at the point of use, increasing patient safety with the use of medication profiles, improving workflow efficiency and enhancing medication security.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The system captures and maintains information on registered CC patients including patient name, Date of Birth, MRN, gender, allergies, medication order number, visit number  and administration instructions.  The system captures and maintains information on CC caregivers including staff name, user role and fingerprint biometric identifier.  The information is shared with Omnicell administrators in Pharmacy, CC Nurse Managers responsible for the investigation of dispensing cabinet diversion reports.  The collection of PII is voluntary since admission to the CC and specific research protocol(s) is completely voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Admission to the Clinical Center (CC) is completely voluntary and requires consent of each patient.  Additionally, each patient is provided a full written accounting of established information practices at the CC, including the capture and use of PII, and has the opportunity to ask questions.  Each patient must acknowledge receipt of same through manual signature on the CC Information Practices Notice Form.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  PII will reside on a server in the CC DataCenter protected by restricted access and video closed circuit TV.  The server will be behind the NIH and CC clinical firewall.  The Omnicell SecureVault PC and stand alone PC in the Pharmacy Dept are protected by restricted access and video monitoring.  The Omnicell automated medication dispensing cabinets are on the medical VLAN and located in the Nursing Units behind locked doors with access restricted by Staff ID badge or key.  Access to the dispensing cabinets is granted by user type and is set by the Pharmacy Dept Omnicell Administrator in accordance with Pharmacy policies.  Access to the dispensing cabinets will require password or fingerprint identification and inclusion in specific user types based on the user role.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin:  CC Privacy Officer, 301-496-4240
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC Automated Nurse Staff Office Schedule [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  8/1/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  009-25-01-26-02-3008-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-90-0018
5. OMB Information Collection Approval Number:  None
6. Other Identifying Number(s):  None
7. System Name (Align with system Item name):  CC ANSOS:  Automated Nurse Staff Office Schedule
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Barbara Quinn
10. Provide an overview of the system:  The ANSOS System is used to arrange schedules and project staffing needs for nurses caring for patients at the Clinical Center and is authorized by Section 301 of the Public Health Service Act.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Includes basic identification data including name, date of birth, address, phone numbers and related information (CC training attendance records) necessary to develop schedules for nurses.   Submission is mandatory if the individual wishes to be employed as a nurse at the Clinical Center.  In addition, inpatient census data by patient care unit and outpatient census data by outpatient clinic and day hospital is collected to project utilization and staffing needs across the Clinical Center.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Each individual is informed of information practices at the time of job application and subsequently when individual schedules are developed.  In addition, the CC Nursing Department is responsible for notifying each nurse of major system changes related to PII, which may be done electronically or in written form.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Only authorized persons may have access to the ANSOS System and the system is protected through door locks and other physical controls, as well as technical controls including user identification and password protection.  Authentication with NIH PIVcard will occur at time of login to CC Network via CC CASPER for remote application users.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin:  CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/30/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC Barcode Enabled Automated Point of Care Technology (BEAPOCT)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/21/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0099
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  None
7. System Name (Align with system Item name):  NIH CC Barcode Enabled Automated Point of Care Technology (BEAPOCT)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin
10. Provide an overview of the system:  BEAPOCT consists of 2 applications with interfaces to existing hospital and lab systems.  SMARTworks Patient Linkup Enterprise (PLUE) system provides printed barcoded patient wristbands, picture wallet ID cards and labels.  CareFusion utilizes the barcode technology and wireless scanning to identify patients, staff, lab tests, specimens and blood products while capturing data that is pertinent for safe, accurate and timely documentation.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  NA
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Information collected includes individual patient demographics, medical notes, vital signs at time of transfusion, Donor ID, photographic images, staff name, role and NED ID.  Patient name, DOB, MRN and photographs enhance positive patient identification processes, thus safety, throughout the NIH Clinical Center.  Donor ID, medical notes and vital signs are collected to document care and satisfy reporting requirements for blood administration.  Staff name, role and NED ID associate resources with critical clinical tasks performed such as labeling of laboratory specimens and verification of blood transfusion products.  Patient and staff information does contain PII.  The information is submitted voluntarily based on an individual's consent to become a registered patient at NIH or be employed in the clinical care of CC patients.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Information is obtained from interfaces to existing CC clinical systems, including the admission, discharge and transfer (ADT) system, Clinical Research Information System (CRIS) and laboratory information system (LIS),  including SoftBank.  Admission and protocol consent forms are signed by each patient and an information practices notification form is provided to each patient at the time of initial admission.  Each patient would be advised at the time of admission about major system changes and the CC Information Practices Notice would be revised and provided to each patient.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The system and all contained data are protected using administrative, technical, physical security and privacy controls.  The system is located on servers in the CC Data Center protected by restricted access and video monitoring.  Access to the application is granted by scanning an authorized user's NED ID.  Authorized user's access and privileges are restricted by assigned user roles.  Authentication with NIH PIVcards will occur at the time of login to the CC network via CC CASPER for remote application users.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin, CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC Biomedical Translational Research Information System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/27/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  009-25-01-05-02-3009-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0200
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  NIH Biomedical Translational Research Information System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Elaine Ayres
10. Provide an overview of the system:  BTRIS will provide longitudinal data, text and images from NIH intramural clinical care and research systems to facilitate data analysis, hypothesis generation and patient recruitment in support of the NIH intramural research mission. Principal investigators and designees (e.g. associate investigators), IC Data Extractors and Administrative Users will be allowed to access identified data only as permitted by their active protocol(s). Other users with appropriate IRB or OHSR clearances will be able to access and query only data in a de-identified manner.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  PII data in BTRIS will only be shared with authorized principal investigators for patients enrolled in their active protocols or others authorized by the appropriate IRB or OHSR e.g. associate investigators, IC Data Extractors and Administrative Users.  All others will only be granted access to de-identified data. Data will be used for statistical analysis, hypothesis development & testing, quality assurance, clinical comparison and subject recruitment.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Clinical and research data including diagnostic, therapeutic, imaging, and research testing results will be stored in BTRIS.  PII will be collected and will include names, medical record numbers and diagnosis. PII data in BTRIS will only be shared with authorized principal investigators for patients enrolled in their active protocols or others authorized by the appropriate IRB or OHSR e.g. associate investigators, IC Data Extractors, Administrative Users.  All others will only be granted access to de-identified data. Data will be used for statistical analysis, hypothesis development & testing, clinical comparison, quality assurance purposes, and subject recruitment.  The collection of all data is voluntary.  Every patient must voluntarily execute a protocol consent and admission consent prior to entry onto an intramural research protocol and treatment at the Clinical Center.  In addition, each patient is provided a formal notification of Information Practices at the Clinical Center and must certify that they have been so advised.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Every patient must voluntarily execute a protocol consent and admission consent prior to entry onto an intramural research protocol and treatment at the Clinical Center.  In addition, each patient is provided a formal notification of Information Practices at the Clinical Center and must certify that they have been so advised.  BTRIS will contain longitudinal data, text and images from NIH intramural clinical care and research systems to facilitate data analysis, hypothesis generation and patient recruitment in support of the NIH intramural research mission. Principal investigators and designees (e.g. associate investigators) will be allowed to access identified data only as permitted by their active protocol(s). Other users with appropriate IRB or OHSR clearances will be able to access and query only data in a de-identified manner. If a major change occurs, a revised Information Practices Form will be developed and presented to each patient.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The BTRIS system and all data contained therein are protected using administrative, technical and physical security and privacy controls. The system is behind locked doors and monitored by closed circuit TV. Access to the physical system is limited to authorized staff with common access cards.  In addition, only principal investigators or others authorized by an appropriate IRB or OHSR have access to PII in the application, while all others only have access to de-identified data. Application access is also restricted based on user roles and password authentication. Authentication with NIH PIVcards using SiteMinder will occur for remote application users.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin, CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC Blood Bank Control System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/29/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  009-25-01-26-02-3007-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0011
5. OMB Information Collection Approval Number:  None
6. Other Identifying Number(s):  None
7. System Name (Align with system Item name):  Blood Bank Control System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Boyd Conley
10. Provide an overview of the system:  The system contains data regarding donors at the Department of Transfusion Medicine used to conduct clinical care and research at the Clinical Center as authorized by Section 301 of the Public Health Service Act.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Information, including past donations, blood types, phenotypes, lab results, serologic reactions and related information, is collected from donors of blood and blood components to be used for clinical care and research at the Clinical Center. Submission is mandatory since donations must be directly attributable to each individual donor.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Each individual donor is informed of required information collection and uses before donation.  Major systems changes would be sent directly to each donor and new consents obtained upon new donations.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Only authorized persons may have access and the system is protected through door locks and other physical controls, as well as technical controls including user identification and password protection.  Fingerprint recognition access controls are in place at the alternate location site in Bldg 12.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin:  CC Privacy Officer,  (301) 496-4240, smartin@cc.nih.gov
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC CC 3M Medical Record Processing System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/22/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0099
5. OMB Information Collection Approval Number:  None
6. Other Identifying Number(s):  None
7. System Name (Align with system Item name):  Automated Medical Record Processing and Tracking Applications
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin
10. Provide an overview of the system:  Automated medical record processing and tracking applications containing demographic and tracking information are maintained on registered Clinical Center patients in order to route documents for creation, recording, retention, signature and location.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  None
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Information is collected to identify and route clinical documentation electronically for user review and confirmation. The information includes patient and clinician demographic information, along with clinical documentation identifiers and location information.  The information is voluntarily provided at the time of dictation or authorship and each patient is informed of CC information practices before admission as a patient at the Clinical Center.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  The automated medical record processing and tracking applications are a part of the medical record system which is an approved Privacy Act System.  As such, each individual is informed of all information practices and any major system changes are published under a revised SORN.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  All information is protected by applying user ID, hierarchical passwords and administrative controls including supervisor limiting employee access on a need-to-know and minimum amount basis.  Authentication with NIH PIVcards will occur at time of login to CC Network via CC CASPER for remote application users.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin:  CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC CC Clinical Research Volunteer Program [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  8/3/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  009-25-01-05-02-3099-00-110-031
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0012
5. OMB Information Collection Approval Number:  None
6. Other Identifying Number(s):  None
7. System Name (Align with system Item name):  CC Clinical Research Volunteer Program
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin
10. Provide an overview of the system:  System is used to contain information about potential candidates for participation as volunteers or research subjects participating in clinical research protocols at the Clinical Center.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  This information is addressed in the NIH Privacy Act Systems of Record Notice 09-25-0012, published in the Federal Register, Volume 67, No. 187, September 26, 2002.  Clinical research volunteer data is made available to approved or collaborating intramural researchers.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Demographics and health information are collected from program applications, health questionnaires and records of prior participation to provide appropriate persons as volunteers or research subjects in approved research protocols conducted at the Clinical Center. Submission is voluntary if applicant wants to be referred as a potential research subject. Information is also used to process requests for compensation and authorization of payments to research volunteers.  Checks are issued by the Treasury Department.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Each person is verbally informed of information uses and verbal consent is obtained from each person who wishes to be evaluated as a potential research subject.  Each individual is informed of information collection and uses prior to referral as a volunteer or patient.  Each applicant would be notified directly by phone of any major system changes and new consent would be obtained.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  As per standard CIT procedures for the collection, maintenance and destruction of computer files, as well as specified in the PA Systems Notice.  Authentication will occur at time of login to CC Network via CC CASPER for remote application users.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin:  CC Privacy Officer, (301) 496-4240 - smartin@cc.nih.gov
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC CC Executive Information System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  8/1/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  009-25-01-09-02-3099-00-403-131
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0099
5. OMB Information Collection Approval Number:  No
6. Other Identifying Number(s):  No
7. System Name (Align with system Item name):  CC Executive Information System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin
10. Provide an overview of the system:  The Executive Information System (EIS) is an application designed to provide real time reporting of key hospital performance indicators.  The EIS provides query and reporting capabilities for executive decision makers, and allows staff to view daily, monthly, annual patient census information and key hospital performance metrics. Census data can be reported by hospital unit and protocol, IC, branch, and Principal Investigator name associated with protocol activity.
EIS reports (does not collect) census statistics and resource utilization.  Metrics include admissions, inpatient days, outpatient visits, average length of stay, discharges, patient counts and volume and cost of services provided.  The information is used by nursing staff, clinical departments and institutes to manage operations and by executive leadership to track trends in hospital census activity and resource utilization.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  EIS reports (does not collect) census statistics.  Metrics include admissions, inpatient days, outpatient visits, average length of stay, discharges, and patient counts.   The information is used by nursing and clinical departments to manage operations and is used by executive leadership to track trends in hospital census activity.  Principal investigator name (federal employee PII) associated with protocol activity is reported.  CC social worker names collected from the scheduling system are also reported in the EIS system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Principal investigators provide their names at the time they apply for protocol approval from their IRB, which is required for protocol review and administrative approval.  If any information other than principal investigator names is collected, then notification will be sent out from OMAR to each individual.   CC social workers provide their names when they confirm the outpatient appointment in the scheduling.com application.  If any information other than CC social worker names is collected, then notification will be sent out from OMAR to each individual.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  PII is secured using user names/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access to NIH campus and background investigations.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin, CC Privacy Officer, 301-496-4240
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC CC IT Infrastructure [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/21/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  Not Applicable
5. OMB Information Collection Approval Number:  Not Applicable
6. Other Identifying Number(s):  Not Applicable
7. System Name (Align with system Item name):  CC IT Infrastructure
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin
10. Provide an overview of the system:  The CC IT Infrastructure (CC ITI) is a GSS that supports approximately 4,500 users within the NIH Clinical Center, and is located in Bldg 10-CRC on the NIH campus in Bethesda, Maryland.  The CC ITI hosts a myriad of servers, components, workstations, network and infrastructure devices used to manage the NIH information.  The Department of Clinical Research Informatics (DCRI) is responsible for the management of the CC ITI.  The CC ITI comprises a variety of servers including network servers, application servers, Web and Internet Servers.  While many applications with PII reside on servers in the CC ITI, the CC ITI provides the infrastructure to support those applications.  The collection, storage and processing of PII for those applications will be covered by separate system Privacy Impact Assessments (PIA), not by the CC ITI PIA.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  PII collected, stored or processed by applications in the CC ITI are covered by separate Privacy Impact Assessments; not by the CC ITI PIA.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  This is a GSS for the IT infrastructure and does not collect, maintain or disseminate PII.  No PII is collected, stored or processed.  Private shares on the CC ITI file servers are used by CC personnel for storage of working documents to facilitate performance of their assigned duties.  The information in working documents does not contain PII per NIH and CC policies.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Not Applicable - No PII is collected, stored or processed.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  No PII is collected, stored or processed.  Details on the administrative, technical, and physical controls are not required for the CC ITI GSS but have been provided where relevant for server and network access.  The controls for applications that do collect, store or process PII residing in the CC ITI will be covered by separate system Privacy Impact Assessments (PIA), not the CC ITI PIA.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin: CC Privacy Officer, 301-496-4240, smartin@cc.nih.gov
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC CC Protocol Tracking [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  8/4/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  009-25-01-26-02-3099-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0200
5. OMB Information Collection Approval Number:  None
6. Other Identifying Number(s):  None
7. System Name (Align with system Item name):  CC Patient & Research Services:  Protocol Tracking
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin
10. Provide an overview of the system:  The Protocol Tracking System is used to collect, maintain and report administrative data about intramural research protocols under authority of Section 301 of the Public Health Service Act.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  NIH Employees for protocol approval, control and reporting.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The only PII contained in the Protocol Tracking System are the names of the investigators related to each protocol, including NIH employees, contractors and other collaborators. The submission of all names is mandatory when the protocol is submitted to the IRB for approval.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Employees provide names as a part of the protocol approval process and the names of Government employees are a matter of public record.  There are no plans to add additional PII at the current time, but the Office of Protocol Services would provide notification to each investigator if additions were made in the future.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Only authorized persons may have access to the Protocol Tracking System and the system is protected through door locks and other physical controls, as well as technical controls including user identification and password protection.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin:  CC Privacy Officer,  (301) 496-4240, smartin@cc.nih.gov
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC CC Prototype [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/14/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0200
5. OMB Information Collection Approval Number:  Not Applicable
6. Other Identifying Number(s):  Not Applicable
7. System Name (Align with system Item name):  CC Prototype
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin
10. Provide an overview of the system:  Custom application providing a Web-based protocol authoring tool that utilizes a systematic framework to develop and maintain research protocols throughout their lifecycle.  The application utilizes templates and language specified by the IC Institutional Review Board (IRB).  Users include Primary Investigators (PI), Associate Investigators (AI) and IC reviewers.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Information collected includes protocol documents, protocol workflows, status of protocol review, user's name, user's contact information and user's IC.  The information is utilized to support authoring, reviewing and management of a protocol from cradle to grave.  The system includes PII about the Primary Investigator and Associate Investigator.  The submission of federal contact information is voluntary for IC staff who choose to use the protocol authorizing system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Release Notes describing system changes are electronically distributed to the registered users accessing the CC Prototype system with each version upgrade.  The Release Notes provide notice of changes made during upgrades to add/modify data fields and add/modify data flow and add new features and functionality.  The PII collected about users is limited, i.e., name, federal contact address, federal contact phone number, personal email and organization.  The PII is collected from the user at the time a new account is created.  The user may update the address, phone number and email at any time.  The information is used to identify the authors and reviewers associated with protocols during the protocol development and approval phase.  The information is not shared with other systems.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The system and all contained data are protected using administrative, technical, physical security and privacy controls.  The system is located behind locked doors, monitored on CC TV and requires key card access for admission to the CC Data Center.  In addition, only authorized users may access the system based on user roles and passwords.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin, CC Privacy Officer, (301) 496-4240
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC CC Visual Supply Catalog [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/14/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0099
5. OMB Information Collection Approval Number:  none
6. Other Identifying Number(s):  none
7. System Name (Align with system Item name):  NIH:CC:Visual Supply Catalog
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin, CC Privacy Officer
10. Provide an overview of the system:  The Visual Supply Catalog is a web-based application that displays photographs of individual medical-surgical items, along with pertinent ordering information.  The VSC was formulated using the electronic "shopping cart" concept typically used for on-line ordering and supports ordering by medical staff members of supplies for use by Clinical Center patients.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The PII collected will include patient name, medical record number, address and phone number.  These data are necessary to assure that medical-surgical supplies ordered are accurately filled and mailed to the proper patient. Admission to the Clinical Center is entirely voluntary and each patient is advised of the Clinical Center information management practices in writing at the time of admission.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Admission to the Clinical Center is entirely voluntary and each patient is advised of the Clinical Center information management practices in writing at the time of admission.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Access to the system is controlled through the use of user IDs, passwords and access levels.  Authentication with NIH PIVcards will occur at the time of login to the CC network via CC CASPER for remote application users.  The servers are located in a controlled environment of the DCRI Data Center and physical controls include locked doors, key card access, cameras, etc.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin, CC Privacy Officer, 301-496-4240, smartin@cc.nih.gov
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC Citrix Netscaler
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  8/4/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  Not Applicable
5. OMB Information Collection Approval Number:  Not Applicable
6. Other Identifying Number(s):  Not Applicable
7. System Name (Align with system Item name):  NIH CC CITRIX Netscaler
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin
10. Provide an overview of the system:  The Clinical Center (CC) CITRIX Netscaler system is used as a FIPS compliant secure authentication portal for the CC CITRIX published applications.  It is a hardened appliance that requires LDAP or Smartcard authentication in order to access applications published in the CC CITRIX farm.  It is a high availability network load balancer and is used to limit outages due to server maintenance and problem resolution.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  No PII is collected, stored or processed.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Not Applicable - No PII is collected, stored or processed.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  No PII is collected, stored or processed by the CC CITRIX Netscaler system.  The CITRIX farm servers are protected using administrative, technical and physical security controls.  The system is located behind locked doors, monitored by closed circuit TV and requires key card access for admission to the CC Data Center.  Biometric authentication is required for admission to the high availability location in Bldg. 12 Customer Service Area.  The system will enforce two factor authentication at the time of login to the CC network via CC CASPER for remote users accessing applications published in the CC CITRIX farm.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin:  CC Privacy Officer, 301-496-4240, smartin@cc.nih.gov
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/29/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC Clinical Research Information System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/29/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  009-25-01-06-01-3006-00-110-219
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0099
5. OMB Information Collection Approval Number:  NO
6. Other Identifying Number(s):  CC-1
7. System Name (Align with system Item name):  Clinical Research Information System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Dr. Jon McKeeby
10. Provide an overview of the system:  Core system and component applications to document clinical care and research for registered patients at the Clinical Research Center: NIH.  This activity is authorized by Section 301 of the Public Health and Safety Act.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  The Mayo Clinic for contracted lab tests not performed by the Department Of Laboratory Medicine at the CC.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Information collected includes individual patient demographics, confirmed appointments, clinical research data and those related to diagnosis and treatment at the Clinical Center.  These may include results of laboratory tests, imaging studies, blood product utilization, social work encounters, medical & ethical consults, surgery and other related clinical interactions while a patient at the Clinical Center.   Patient information collected by the NIH as described in the NIH System of Records 09-25-0099 is utilized as the official clinical research record for each research participant.  The information contains PII and the submission is voluntary based on an individual's consent to become a registered patient at NIH.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Information is obtained from patient interviews, referring physicians, a datafeed from the hospital scheduling system, a multi-disciplinary care team, and diagnostic, therapeutic, and research results.  Admission and protocol consent forms are signed by each patient and an information practices notification form is provided to each patient at the time of initial admission.  Each patient would be advised at the time of admission about major system changes and the CC Information Practices Notice would be revised and provided to each patient.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The system and all contained data are protected using administrative, technical, and physical security controls. System components are located behind locked doors, monitored by CC TV and Systems Monitoring staff in attendance around the clock.  Additionally, the system is behind the NIH, CC and CRIS firewalls.  Access to PII and privileges are based on user's assigned roles.   Authentication with NIH PIVcards will occur at time of login to the CC Network via CC CASPER for remote application users.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin, CC Privacy Officer, (301) 496-4240
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC Clinical Research Student Records System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/22/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0014
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  NIH CC Clinical Research Student Records System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Bob Lembo (301)-496-2636
10. Provide an overview of the system:  This system tracks applications from healthcare researchers, providers and administrators in training to the NIH Clinical Center Office of Clinical Research Training and Medical Education's undergraduate and graduate medical education programs, including the Clinical Electives Program (CEP), the Resident Electives Program (REP), Clinical Research Training Program (CRTP), Sabbatical Program and to selected Graduate Medical Education (GME) programs sponsored by various Institutes and Centers within the NIH.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The PII information collected includes name, personal mailing address, personal phone number, personal email address and educational records.  The information is not disseminated and is used to process applicants for training programs sponsored by various Institutes and Centers within the NIH.  The information is submitted voluntarily by medical/dental students or physicians and is collected to determine the suitability of applicants for NIH clinical research training programs.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  There is no current process to notify individuals when a major change occurs.  Individuals are notified by email communications and electronic notice that submission of information is voluntary and how it will be used.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The electronic versions are password protected.  Access to hard copies has physical controls in place and requires administrative requests and access.  The system resides in the CC Data Center where it is protected by locks, video monitoring and controlled access.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin, NIH/CC/DCRI, 301-496-4240
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC DTM SQL System Applications
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/29/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0011
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  CC DTM Applications Non-COTS (DANC)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Boyd Conley
10. Provide an overview of the system:  The DTM Applications Non-Cots (DANC) provides the Department of Transfusion Medicine (DTM) with administrative reporting functionality for donors and research management.  The system provides DTM staff with tools to make decisions about the collection, use and distribution of donated blood.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The DANC system will collect demographic information, medical notes, travel history and laboratory results on donors and NIH research participants.  The information is used by DTM staff to perform routine tasks required by the American Association of Blood Banks and the FDA and support CC research protocols.  The system will collect PII on donors and NIH research participants.  The submission is mandatory since donations must be directly attributable to each individual donor.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Each individual donor is informed of required information collection and uses before donation.  Major systems changes would be sent directly to each donor and new consents obtained upon new donations.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Only authorized persons with assigned roles may have access to the system.  The DANC system is protected in the CC Data Center through door locks and other physical controls.  Access to DANC is secured by technical controls, including user identification and password protection.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin:  CC Privacy Officer, 301-496-4240
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC EKG System
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  8/2/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0099
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  NIH CC EKG System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Dennis Brown
10. Provide an overview of the system:  The TraceMasterVue ECG management system automates ECG data acquired from EKG machines and provides viewing, editing, resulting and report management functionality to the EKG technician and cardiologist users working in the EKG Dept.  ORDERLINK is a bi-directional interface for ADT/orders that come from the hospital clinical information system known as Clinical Research Information System (CRIS Sunrise).  After verification by the cardiologists, test results and reports from TraceMasterVue are sent to CRIS Sunrise.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The system collects, maintains and disseminates electrocardiogram (ECG) tracings and reports on CC patients for the purpose of diagnosis and treatment of underlying heart conditions while enrolled in NIH intramural protocols.  The ECG reports contain PII, which includes patient name, date of birth, medical record number, medical notes, Order ID and name of cardiologist reviewing transmitted ECG tracings.  The submission is voluntary based on an individual's consent to become a registered patient at NIH.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Information is obtained from patient interviews, medical orders, and EKG machines when the diagnostic ECG test is performed at the CC.  Admission and protocol consent forms are signed by each patient.  CC Information Practices Notification is provided to each patient at the time of initial admission to the CC.  If there is a major system change, each patient would be advised at the time of subsequent admissions and a revised CC Information Practices Notification would be provided to each patient.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The EKG system hardware and software employ administrative, technical and physical controls to protect patients' PII and sensitive data.  The TraceMasterVue and ORDERLINK servers are located in locked areas of the CC.  System administrators must have physical keys and/or cardkeys to work on servers in these secure locations.  Data is backed up nightly and stored offsite.  Application access requires a user ID and password.  All PII is logically located behind multiple firewalls for increased protection.  Authentication with NIH PIVcard will occur at time of login to CC Network via CC CASPER for remote application users.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin, CC Privacy Officer, (301)-496-4240
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC eSphere System
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/27/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0099
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  NIH CC eSphere System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin
10. Provide an overview of the system:  The CC eSphere System is used by the CC Pain and Palliative Care department clinical staff to document and report the results of pain consults performed on CC patients.  The eSphere application receives Admissions, Discharge and Transfer (ADT), consult orders, medication orders and allergy information from CRIS Sunrise via interface.  Additionally, the eSphere application sends the completed consult report to CRIS Sunrise via interface so it becomes part of the patient's electronic medical record.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The information collected, maintained and disseminated  to CRIS Sunrise by the eSphere application does include PII.  The information includes  name, date of birth, medical record and medical notes such as medications and allergies on CC patients.  Information is collected for the purpose of diagnosis and treatment by the CC Pain and Palliative Care department clinical staff.  The information is submitted voluntarily based on the individual's consent to become a registered patient at NIH.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Information is obtained from patient interviews, referring physicians and CRIS Sunrise, the electronic medical record for CC patients.  Admission and protocol consent forms are signed by each patient and the CC Information Practices Notice form is signed by each patient at the time of their initial admission.  Each patient would be advised at the time of admission about major system changes and the CC Information Practices Notice would be revised and provided to each patient.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The system and all contained data are protected using administrative, technical and physical controls.  The servers and application are physically located in the CC Data Center  with access limited to authorized CC IT staff.  The information is logically located behind multiple firewalls. User access and privileges in the application are based on their assigned roles in the application.  Access to the application is controlled by Citrix technology and encryption is employed.   Authentication with NIH PIVcards will occur at the time of login to the CC network via CC CASPER for remote application users.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin, CC Privacy Officer, (301) 496-4240
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC Histotrac
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  8/11/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0099
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  NIH CC Histotrac
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin
10. Provide an overview of the system:  CC Histotrac is a laboratory software application that tracks the results of human leukocyte antigen (HLA) performed on blood samples from CC patients and potential donors.  The Histotrac system provides a single database to track the status of samples received and tested at the CC, query results for CC patients and donors, and provides a reporting functionality for the Department of Transfusion Medicine (DTM) clinicians and leadership team.  The system is utilized by DTM staff to support the intramural transplant programs operated by NHLBI and NCI.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Limited PII is shared with the NIH intramural research  transplant program staff from NHLBI and NCI for the purposes of clinical care and research.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  (1) The system collects, maintains and disseminates blood types, HLA testing results, and related medical information collected from donors and potential transplant recipients.  (2) The information is required by the DTM staff  and intramural research team to make clinical decisions regarding potential transplantation. (3) The information contains PII, including name, date of birth, medical record number and medical notes. (4) Submission is mandatory since donations must be directly attributable to each donor.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Each individual donor is informed of required information collection and uses before donation.  Major system changes would be sent directly to each donor and new consents obtained upon new donations.  The information will be used to make clinical decisions regarding potential transplantation of CC patients.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Only authorized persons with assigned roles may have access to the system.  The Histotrac system is protected in the CC Data Center through door locks and other physical controls.  Access to Histotrac is secured by technical controls, including user identification and password protection.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin, Clinical Center, Privacy Officer
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/29/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC Hospital Materials Management System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/28/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  009-25-01-05-02-3099-00-110-031
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  CC Hospital Materials Management System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin
10. Provide an overview of the system:  CC Hospital Materials Management System, also known as Lawson, is an Inventory Management System.  Everything that is bought, received, stored, transferred, issued, or disposed of is recorded and controlled. The program is a live inventory instantaneously recording any supply activity that is entered in the system.  It makes daily recommendations for replenishing the Central Hospital Supply shelves from the Storage & Distribution Warehouse, as well as providing reorder for supplies that have fallen below their "par levels". It is the database that is linked to the Visual Supply Catalogue to provide the users the best "picture" and information on medical supplies. Finally, it is a tracking system for receiving supply orders that is used by Materials Management Dept staff.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  CC Hospital Materials Management System also known as Lawson is a supply/inventory software that stores CC customer (patient care unit names, Clinic names, ancillary dept. names, not PII) and product information. The information stored is a history of purchases, receipts, issues, transfers etc. of supplies purchased and equipment purchased by the Materials Management Department and consumed by the CC customer locations.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  This is an inventory management system - No PII is collected or maintained
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  This is an inventory management system - no PII is collected or maintained.  Authentication with NIH PIVcards will occur at the time of login to the CC network via CC CASPER for remote application users.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  smartin@cc.nih.gov
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC Investigational Drug Management System
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  8/2/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0099
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  CC Investigational Drug Management System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin
10. Provide an overview of the system:  The CC Investigational Drug Management System (IDMS) is used by the Pharmacy Dept. to create, manage and store data related to investigational drugs used in the Clinical Center.  The Pharmaceutical Development Section (PDS)  provides investigational drug services for IRB approved intramural research protocols.  IDMS provides PDS with the ability to track the inventory of the investigational drugs and the raw materials used to make the drugs.  The system also provides the ability to fill prescriptions from the inventory of investigational drugs tracked by IDMS.  Additionally, it provides Protocol/Study tracking capability.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  The IDMS system receives patient and prescription order data from CRIS Sunrise, the CC hospital information system.  There are no external systems that share or disclose data with IDMS.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The system collects, maintains and disseminates IDMS data about CC patients for the purpose of filling prescriptions and tracking the use of investigational drug administration on IRB approved protocols.  The IDMS reports contain PII, which includes patient name, medical record number, patient study number, prescribing physician name, protocol name, and protocol number.  The submission is voluntary based on an individual's consent to become a registered patient at NIH and enroll in an intramural research protocol.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  PII information is collected in CRIS Sunrise.  Admission and protocol consent forms are signed by each patient.  CC Information Practices Notification is provided to each patient at the time of initial admission to the CC.  If there is a major system change, each patient would be advised at the time of subsequent admissions and a revised CC Information Practices Notification would be provided to each patient.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The IDMS system employs administrative, technical and physical controls to protect PII and sensitive data.  The servers are located in the CC Data Center, behind locked doors and monitored 24/7 by DCRI Systems Operations team.  Data is backed up nightly and stored offsite.  User authentication is based on NIH Active Directory.  Access and privileges in IDMS are determined by the user's assigned role.  All PII is logically located behind multiple firewalls for increased protection.  Authentication with NIH PIVcard will occur at time of login to CC Network via CC CASPER for remote application users.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin, CC Privacy Officer, (301) 496-4240
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC Laboratory Information System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  8/9/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0099
5. OMB Information Collection Approval Number:  None
6. Other Identifying Number(s):  None
7. System Name (Align with system Item name):  Laboratory Information System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin
10. Provide an overview of the system:  The LIS is an automated system designed to track, report and maintain results for laboratory tests performed on Clinical Center patients.  Results comprise part of the official patient medical record.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  The LIS captures laboratory results for specific Clinical Center patients and shares those results along with identifying PII with caregivers and scientists at the Clinical Center.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The LIS contains information regarding the entry of specific orders to complete various lab tests ordered on Clinical Center patients, along with the results of those tests and the PII required to identify the specific patients to which those orders, tests and results apply.  PII collected includes names, identifying numbers, and other demographics.  Information is shared with caregivers and scientists with authorized access in order to provide clinical care or conduct approved medical research. Admission to the Clinical Center is completely voluntary and each patient is advised of Clinical Center information practices at the time of admission.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Admission to the Clinical Center is completely voluntary and each patient is advised of Clinical Center information practices at the time of admission. In addition, each patient signs an informed consent at the time of each admission. All notifications and consents are done in hard copy.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  All data is maintained in digital form and can only be accessed by NIH employees who have been authorized to do so by virtue of their need to know, need to deliver clinical care or conduct biomedical research.  Access is controlled by role and password.  The system servers, etc., are maintained in a controlled-access data center.  Authentication with the NIH PIVcard will occur at the time of login to CC Network via CC CASPER for remote application users.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin, Clinical Center, Privacy Officer
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC Medical Staff Credentialing System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  8/2/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  009-25-01-26-02-3099-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0169
5. OMB Information Collection Approval Number:  Not Applicable
6. Other Identifying Number(s):  None
7. System Name (Align with system Item name):  Medical Staff Credentialing Processes
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin
10. Provide an overview of the system:  Information is collected from individual members of the Clinical Center Medical Staff and is used to document their credentialing and privileging under authority of Section 301 of the Public Health Service Act.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Private medical facilities, state medical boards and accrediting bodies as part of the credentialing process.  A read-only view of the Credentialing Process application is available on defined workstations in Special Procedures Dept, Surgical Services Dept and Admissions Dept, allowing the call team to view the medical privileges of medical consultants at night, weekends and holidays when Credentialing Offices are closed.  Names and email addresses of medical staff applying for privileges to practice at the CC are sent by nightly feed to the Prescriber Training database to support remote on-line CRIS training.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Names, addresses, phone numbers, medical licenses, college information and related data as part of the individual's application for membership on the Clinical Center Medical Staff.  Information does contain PII.  Submission is voluntary since application for membership is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Information is obtained directly from each applicant and each is informed about information collection procedures and rules when each applicant signs the consent authorizing the collection.  Major systems changes would be sent electronically to each member of the medical staff and new consents obtained at the time of reappointment to the staff.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The system and all contained data are protected using administrative, technical and physical security controls.  System is located behind locked doors, monitored by CC TV and Systems Monitoring staff in attendance around the clock.  Additionally, the system is behind the NIH, CC and CRIS firewalls.  Access to PII and privileges are based on user's assigned role.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin:  CC Privacy Officer, (301) 496-4240,  smartin@cc.nih.gov
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC Medicolegal Request Tracking [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/22/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  009-25-01-05-02-3099-00-110-031
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0099
5. OMB Information Collection Approval Number:  None
6. Other Identifying Number(s):  None
7. System Name (Align with system Item name):  Medicolegal Request Tracking System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin
10. Provide an overview of the system:  The Medicolegal Request Tracking System is used to receive requests for and track copies of medical record documentation sent out by the Medical Record Department to Clinical Center patients and the third parties they authorize to receive such information.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  This information is addressed in the NIH Privacy Act Systems of Record Notice 09-25-0099, published in the Federal Register, Volume 67, No 187, September 26, 2002.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The system collects patient names, addresses, type of documentation requested for release, as well as the name and addresses of the person/organization to which the documentation is to be sent and the dates of receipt and release. Information is voluntary since release requests are also voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Each individual patient is informed of CC information practices before they are accepted as patients.  In addition, each patient must provide a written release before information is sent out for any other purpose. The Medical Record Department would be responsible for revising release request authorization and information practices forms if any major system changes take place.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The system is maintained under controlled physical access and user identification as well as passwords are in effect for all users.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin:  CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC Metabolic Kitchen Nutrition System
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/21/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0099
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  None
7. System Name (Align with system Item name):  NIH CC Metabolic Kitchen Nutrition System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin
10. Provide an overview of the system:  The NIH CC Metabolic Kitchen Nutrition System (also known as ProNutra application) is used within the CC Nutrition Department to maintain a database of nutrient information on foods used in research diets, to calculate research diets for patients on specific protocols, and to produce food labels and menus for these research diets.  Records are stored linking patient name to research protocol and date that meals were served to the patient.  These records contain information on what foods were eaten, and quantities consumed.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  The system does not automatically disclose PII, but manual queries containing patient name, DOB and protocol number are provided to the research team.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Patient name and date of birth are the only PII collected.  This information is used to identify patients in the system and for delivery of meals for research purposes.  This information is retrieved from CRIS, the clinical research information system, by CC Nutrition Dept registered dieticians and manually entered into the CC Metabolic Kitchen Nutrition System.  The submission of personal information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Patients are advised about the information collection practices and uses of their data for purposes of clinical research at the time of admission to the CC.  Patients agree to the collection of PII in clinical research systems and acknowledge their consent by signing the CC Information Practices Notice.  Patients would be advised about major system changes affecting PII by a revision to the CC Information Practices Notice that would be presented for review and acknowledgement at the time of their next admission to the hospital.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The CC Nutrition Dept staff with access to the CC Metabolic Kitchen Nutrition System are required to complete NIH Computer Security and Privacy Awareness Training.  Access to the system is controlled by user ID and password.  The system is located in the CC Data Center behind locked doors.  Individual workstations from which the CC Metabolic Kitchen Nutrition System may be accessed are located in the CC Nutrition Dept.  Access to the CC Nutrition Dept is protected by card key readers. Authentication with NIH PIVcards will occur at the time of login to the CC network via CC CASPER for remote application users.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin, CC Privacy Office, 301-496-4240
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC NMD Server Room
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/18/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  Not Applicable
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  NIH CC NMD Server Room
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Charles Fraser
10. Provide an overview of the system:  The Positron Emission Tomography (PET) IT Infrastructure (formerly NIH CC Nuclear Medicine Server Room) is a GSS located in Bldg 10 in the CC PET Department.  The PET IT Infrastructure hosts a myriad of servers, components, imaging workstations, network and infrastructure devices used to support the PET imaging studies at the Clinical Center.  The PET IT staff is responsible for the management of the PET IT Infrastructure.  While some applications with PII reside on servers and workstations in the PET IT Infrastructure, details regarding the collection, storage and processing of PII for those applications will be covered by separate system Privacy Impact Assessments (PIA).
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  PII collected, stored or processed by applications in the CC NMD Server Room are covered by separate Privacy Impact Assessments; not by the PET IT Infrastructure PIA
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  This is a GSS for the IT infrastructure and does not collect, maintain or disseminate PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Not Applicable - No PII is collected, stored or processed.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  No PII is collected, stored or processed. Details on the administrative, technical, and physical controls are not required for the PET IT Infrastructure GSS.  The controls for applications that do collect, store or process PII residing in the PET IT Infrastructure will be covered by separate system Privacy Impact Assessments (PIA), not the PET IT Infrastructure.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin:  CC Privacy Officer, (301)-496-4240, smartin@cc.nih.gov
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC Nutrition Department Research System (NDRS)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/21/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0099
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  NIH CC Nutrition Department Research System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin
10. Provide an overview of the system:  The CC Nutrition Department Research System (also known as Nutrition Department System for Research (NDSR)) is a dietary analysis program designed for the collection and analyses of 24-hour dietary recalls and the analysis of food records, menus, and recipes.  Calculation of nutrients occurs immediately, providing data by ingredient, food, meal and day in both report and analysis file formats.  The application includes a dietary supplement assessment module so that nutrient intake from both food and supplement sources may be captured and quantified for patients enrolled in intramural clinical research protocols.

NDSR is used to analyze 3-day and 7-day food records from patients enrolled in 8 protocols (NIDDK, NICHD, NIAID, NHGRI and NCI) coding approximately 150-200 days of food records each month.  The food records are coded by CC Dept of Nutrition Health Technicians and reviewed by CC Dept of Nutrition registered dieticians.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The information collected includes PII, specifically name, date of birth, and medical record number.  The information is used to track dietary intake of patients enrolled in intramural clinical research protocols from several Institutes within the NIH.  The submission of information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Patients are advised about information collection practices and uses of their data for purposes of clinical research at the time of admission to the CC.  Patients agree to the collection of PII in clinical research and acknowledge their consent by signing the CC Information Practices Notice.  Patients would be advised about major system changes affecting PII by a revision to the CC Information Practices Notice that would be presented for review and acknowledgment at the time of their next admission to the hospital.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  All staff are required to take NIH Information Security and NIH Privacy Awareness training.  All application hardware is located in the CC Data Center behind locked doors. Individual workstations where data input occurs are located behind key card controlled locked doors in the CC Dept of Nutrition.  Authentication with NIH PIVcards will occur at the time of login to the CC network via CC CASPER for remote application users.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin, NIH/CC/DCRI, 301-496-4240
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC Nutrition System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/21/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  None
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0099
5. OMB Information Collection Approval Number:  Not Applicable
6. Other Identifying Number(s):  None
7. System Name (Align with system Item name):  CC Nutrition System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin
10. Provide an overview of the system:  The CC Nutrition System consists of two major components; the Food Service Suite (FSS) and the Nutrition Service Suite (NSS).  FSS is used to track information regarding recipes, nutritional values, stock inventory, and vendor information.  NSS uses the recipe and nutrition information to determine which foods are appropriate for patients based upon their diets as entered into the CRIS.  This determination is then used by employees in the room service call center to assist patients in selecting appropriate food items.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  The Nutrition System receives PII from CRIS through a unidirectional interface.  The Nutrition System doesn't share or disclose PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Demographic and clinical information is provided through an interface with CRIS to identify the patient, caregivers, clinical information, etc. No additional PII is collected other than that provided by CRIS.  The information is used to screen out menu items not appropriate for patients based on physician orders and to identify appropriate items. Patients sign consents when admitted to the CC and admission is entirely voluntary. In addition, each patient is advised of the specific uses of information at the CC and signs an acknowledgement thereof.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  PII is collected from CRIS.  Each patient would be advised at the time of admission about major system changes and the CC Information Practices Notice would be revised and provided to each patient upon the next admission.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The system and all contained data are protected using administrative, technical, physical and privacy controls. All staff with access are required to take Computer Security and Privacy Awareness Training.  Access and privileges utilize role-based security and NIH  credentials.  All hardware is located in the CC Data Center behind locked doors and individual workstations are also kept behind locked doors.  Authentication with NIH PIVcards will occur at the time of login to the CC network via CC CASPER for remote application users.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin:CC Privacy Office, 301-496-4240
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC OPUS Respiratory Information System (OPUS)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  8/3/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0099
5. OMB Information Collection Approval Number:  None
6. Other Identifying Number(s):  None
7. System Name (Align with system Item name):  CC OPUS Respiratory Information System (OPUS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Dennis Brown
10. Provide an overview of the system:  The OPUS Respiratory Information System is used by Critical Care Medicine Dept (CCMD) Respiratory Therapists to document clinical care activities performed on CC patients.  The system provides functionality for clinical documentation, patient charges, workload productivity reporting and evaluation of the patient's respiratory status.  The system receives patient demographics and medical orders from CRIS Sunrise.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  PII collected in OPUS from CRIS Sunrise includes patient name, date of birth, medical record number, medical orders, and protocol number.  The information is required to support workflow and documentation by respiratory therapists on CC patients.  The submission is voluntary based on an individual's consent to become a registered patient at the CC.  Additional PII entered in OPUS by the CCMD Respiratory Therapists includes employment status data such as dates of hire, personnel data and training records.  The information is collected to support quality assurance programs and tracking of staff activities.  The submission is mandatory based on a respiratory therapist's acceptance of employment at the CC.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  CC Information Practices Notification is provided to each patient at the time of initial admission to the CC.  If there is a major system change, each patient would be advised at the time of subsequent admissions and a revised CC Information Practices Notification would be provided to each patient.  Respiratory Therapists are notified of the requirement to collect employment information during department orientation.  If there is a major system change, staff would be advised of the changes through department communications.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The OPUS system application hardware and software employ administrative, technical and physical controls to protect patient and staff PII.  The servers are located in locked areas of the CC.  The PC Tablets used by Respiratory Therapists at the bedside utilize VPN technology to secure data on the CC wireless network.  Data is backed up nightly and stored offsite.  Application access requires user ID and password.  All PII is logically located behind multiple firewalls for increased protection.  Authentication with NIH PIVcard will occur at time of login to CC Network via CC CASPER for remote application users.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin, CC Privacy Officer, (301) 496-4240
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC PeriOperative Information System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/13/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0099
5. OMB Information Collection Approval Number:  Not Applicable
6. Other Identifying Number(s):  None
7. System Name (Align with system Item name):  NIH CC Perioperative Information System (POIS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin
10. Provide an overview of the system:  COTS application providing OR and Anesthesia specific functions to  the Department of Perioperative Medicine (DPM).  The functions include:  Scheduling the OR, Anesthesia, IC human resources and material resources for surgical and anesthesia procedures  at the Clinical Center, documentation of clinical and research care provided to registered patients, inventory management, tracking patients across the perioperative continuum, integration with CC Clinical Research Information Systems (CRIS) for receipt of patient demographics, allergies and laboratory test results, integration with patient care monitors for automated collection of specific vital signs, and reporting to DPM and CC Leadership.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Clinical documentation of perioperative care provided to CC patients which is created in POIS is shared with CRIS system for storage in the specific patient's official medical record.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Information collected includes individual patient demographics, scheduling of procedures and associated resources, clinical research data related to surgical and anesthetic care provided at the Clinical Center.  Patient and staff information becomes part of the official medical record.  Information about medical supplies, devices and medications collected during procedures supports inventory management for the Department of Perioperative Medicine.  The patient information contains PII and the submission is voluntary based on an individual's consent to become a registered patient at the NIH.  The staff information contains PII and the submission is mandatory based on their credentialed status as care providers at the Clinical Center.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Information is obtained from patient interviews, a multi-disciplinary care team in the Department of Perioperative Medicine and patient observations.  Admission and protocol consent forms are signed by each patient and a CC information practices notification form is provided to each patient at the time of initial admission.  Consent to Invasive Procedure forms are signed by the patient before each procedure.  Each patient would be advised at the time of admission about major system changes and the CC Information Practices Notice would be revised and provided to each patient.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The system and all contained data are protected using administrative, technical, physical security and privacy controls.  The system is located behind locked doors, monitored by CC TV and requires key card access for admission to both the CC Data Center and the Department of Perioperative Medicine. In addition, only authorized users may access the system based on user roles and hierarchical passwords.  User authentication with NIH PIVcards will occur at the time of login to the NIH network from CC desktops for local application users.  Authentication with NIH PIVcards will occur at the time of login to the CC network via CC CASPER for remote application users.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin, CC Privacy Officer, (301) 496-4240
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC Picker: Clinical Center Survey Results
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/25/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  Not Required
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0156
5. OMB Information Collection Approval Number:  None
6. Other Identifying Number(s):  None
7. System Name (Align with system Item name):  NIH-CC Picker: Clinical Center Survey Results
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin
10. Provide an overview of the system:  Information resulting from various surveys and questionnaires conducted by the Clinical Center from patients and staff regarding quality of care and hospital operations. The categories of evaluative information vary according to the service being surveyed and may include data related to the research experience, the clinical services received, the respondent's level of satisfaction, time of delivery and future plans.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  No identified data is shared. Only de-identified aggregate data is shared with CC Administration. Once individual responses are aggregated, individuals are no longer able to be retrieved by name.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Data is abstracted from various survey responses and questionnaires, including demographics and is primarily related to the quality and performance of various selected hospital services. The CC provides NRC with visit status, unit location, MRN, name, address, DOB, visit and discharge date, protocol number, Institute and Branch to identify a pool of CC patients who may receive the survey questionnaire in the mail.   The information collected in the questionnaires returned to NRC is used to target areas for improvement to satisfy patient and staff expectations.  Participation is entirely voluntary and CC Administration is provided with de-identified aggregate data only. Submission is completely voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Consent is not obtained because participation is entirely voluntary and because the data derived from the surveys and questionnaire is only provided in a de-identified aggregate manner to the CC reviewers.  Any individual can opt not to participate by not responding to the survey mailed to them.   Each participant is provided a written introduction and explanation of the survey in a cover letter.  There have never been any major changes to the system and none are anticipated at this time.  If such changes do occur, each participant will be notified directly.  There are no other notification procedures in place.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The information is kept in a physically secure location utilizing access controls that include security badges and key cards.  Data is protected by technical controls that include User ID, passwords, firewalls, VPNs, and card key readers.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin, CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC Picture Archive Communications System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/18/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  None
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0099
5. OMB Information Collection Approval Number:  Not Applicable
6. Other Identifying Number(s):  None
7. System Name (Align with system Item name):  CC Picture Archive Communications System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin
10. Provide an overview of the system:  The PACS collects, disseminates and stores radiological images pertaining to Clinical Center patients and provides those images to authorized caregivers involved in the delivery of clinical care or to scientists conducting approved biomedical research. The information collected includes PII to identify specific patients by name, medical record number and other identifiers.  Admission to the Clinical Center is entirely voluntary and each individual is informed of Clinical Center information practices and gives informed consent before providing PII.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  The PACS provides radiological images, and PII identifying those images with specific Clinical Center patients, to authorized caregivers and scientists.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The PACS collects, disseminates and stores radiological images pertaining to Clinical Center patients and provides those images to authorized caregivers involved in the delivery of clinical care or to scientists conducting approved biomedical research. The information collected includes PII to identify specific patients by name, medical record number and other identifiers.  Admission to the Clinical Center is entirely voluntary and each individual is informed of Clinical Center information practices and gives informed consent before providing PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Admission to the Clinical Center is entirely voluntary and each individual is informed of Clinical Center information practices and gives informed consent before providing PII. The process may be completed again if major changes occur.  All notifications are done in hard copy or using secure email.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Access is restricted only to authorized users with a need to know and is secured using passwords and role based security.  Servers are located in the CC data center behind locked doors, monitored by CCTV and supported by redundant power and cooling.  Authentication with NIH PIVcard will occur at time of login to the CC Network using CC CASPER for remote application users.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin, Clinical Center, Privacy Officer
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC ProVation
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/14/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0099
5. OMB Information Collection Approval Number:  Not Applicable
6. Other Identifying Number(s):  No
7. System Name (Align with system Item name):  CC Provation
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin
10. Provide an overview of the system:  CC Provation is a Major Application whose mission is to digitally report findings from gastroenterological endoscopic exams of the upper and lower gastrointestinal tract, including the ability to record digital pictures. It is part of modern clinical practice in gastroenterology and considered a part of routine clinical care. Procedures are recorded as they are done and the information for each procedure is collected from a particular patient for a particular procedure.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Hard copy reports of endoscopic procedures are printed from the system and stored in the patient's medical record.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  CC Provation is a Major Application whose mission is to digitally report findings from gastroenterological endoscopic exams of the upper and lower gastrointestinal tract, including the ability to record digital pictures. It is part of modern clinical practice in gastroenterology and considered a part of routine clinical care. Procedures are recorded as they are done and the information for each procedure is collected from a particular patient for a particular procedure.

The submission of the personal information is voluntary.  The CC Provation system collects and stores PII; specifically, medical record number and name.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Protocol consent forms are signed by each patient and an information practices notification form is provided to each patient at the time of initial admission. Data is retained on servers maintained by DCRI in the CC Data Center and a hard copy is printed which is inserted into the patient’s medical chart. This is kept in medical records.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Technical, Physical and administrative controls are in place to ensure the security of the information. These include a Contingency Plan, regular offsite backup of the data, and yearly security awareness training for all personnel.

The information is secured through multiple levels of security and access controls which have been established to identify permitted users and to determine if the user has the authorization to perform actions requested. The access controls are supplemented with a secure network at both NIH and the CC.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin, CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC Pyxis Supply Station System
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/14/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0099
5. OMB Information Collection Approval Number:  None
6. Other Identifying Number(s):  None
7. System Name (Align with system Item name):  NIH CC Pyxis Supply Station System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin, CC Privacy Officer
10. Provide an overview of the system:  The Pyxis Supply Station System is an advanced point-of-use system that automates the distribution, management and control of medical supplies ordered by medical staff for Clinical Center patients.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Pyxis Supply System collects inventory data and PII data that includes unique identifiers such as patient name and medical record number to assure that the right patient gets the right medical supplies.  The submission is voluntary based on an individual's consent to become a registered patient at the CC.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Patient demographics, including patient name, medical record number and current hospital location are collected in CRIS Sunrise and shared with the Pyxis Supply Station System.  CC Information Practices Notification is provided to each patient at the time of initial admission to the CC.  If there is a major system change, each patient would be advised at the time of subsequent admissions and a revised CC Information Practices Notification would be provided to each patient.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The Pyxis Supply Station System and all contained data are protected using administrative, technical and physical security controls.  Pyxis Supply Station dispensing units are located in controlled access areas of the CC nursing units.  Access to PII and privileges are based on user's assigned roles.  The Pyxis Supply Station application/database servers are located in the CC Data Center behind locked doors, monitored by CCTV and Systems Monitoring staff in attendance around the clock.  Additionally, the system is logically located behind the NIH, CC and CRIS firewalls.  Remote access to the Pyxis Supply Station requires use of the NIH VPN.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin, Privacy Officer, Clinical Center
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________


 

06.3 HHS PIA Summary for Posting (Form) / NIH CC Quadramed Nursing Acuity System
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  8/5/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-90-0018
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  None
7. System Name (Align with system Item name):  NIH CC Quadramed Nursing Acuity System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin
10. Provide an overview of the system:  Quadramed Nursing Acuity System provides the Nursing and Patient Care Services (NPCS) department with the functional ability to document patient acuity on CC inpatients and outpatients.  The Quadramed system utilizes the QuadraMed Acuity-Plus application to collect staffing, acuity and visit data by way of input from CC Nurses and the Automated Nurse Staff Office Schedule (ANSOS) system.  The application then provides recommended staffing levels to NPCS leadership.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The Quadramed system collects patient name, medical record number, acuity assessments, admission, discharge and transfer data derived from CRIS Sunrise.  Additionally, the Quadramed system collects NPCS staff names and roles.  The information is analyzed to project staffing requirements for the CC patient care locations.  Patient information includes PII, i.e., name, medical record number and medical notes; submission is voluntary. Staff information includes PII, i.e., name and role, which is publicly available in NED.  Staff information submission is a mandatory condition of employment.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Patients would be advised at the time of admission if major system changes occur, data uses or disclosures change.  The CC Information Practices Notice would be revised and provided to each patient at the subsequent admission to the CC.  NPCS staff would be advised of major system changes related to PII by the CC Nursing Department.  Notification may be done electronically or in written form.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  PII is secured using administrative controls that include backup files, user manuals, and user training.  Access and privileges in the Quadramed Nursing Acuity System are based on the user's assigned roles.  PII is additionally protected by technical controls that require entry of a User ID and Password to open the application.  The application is logically located behind the CRIS firewall and requires the NIH VPN for remote access.  Only authorized DCRI IT staff have access to the Quadramed Nursing Acuity System servers in the CC Data Center.  The system hardware is protected by door locks, CCTV, NIH security guards and Identification Badges.  Authentication with NIH PIVcards will occur at time of login to the CC Network via CC CASPER for remote application users.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin, CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC Rehabilitation-Social Security Administration Data Sharing System
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/29/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  None
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0200
5. OMB Information Collection Approval Number:  Not Applicable
6. Other Identifying Number(s):  None
7. System Name (Align with system Item name):  CC: Rehabilitation Medicine Dept - Social Security Administration Data Sharing System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin
10. Provide an overview of the system:  The Clinical Center Rehabilitation Medicine Department (CC-RMD) at the National Institutes of Health (NIH) has agreed to assist the Social Security Administration (SSA) to explore innovative methods for augmenting and improving the current disability evaluation process. The first major line of work requires analysis of data from longitudinal research files maintained by the Social Security Administration and assessing the feasibility of developing Computer Adaptive Testing (CAT) instruments that can be integrated into the SSA data collection and determination processes.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  The research data set is only shared between the SSA and the specific RMD staff authorized to perform statistical and other related analyses of the information.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Analysis of data from longitudinal research files maintained by the Social Security Administration Office of Disability Program Information and Studies (ODPIS). These files house extensive administrative data, including application data and decisional data.  Each record represents one disability claim.  Past efforts to improve the quality and utility of the files were challenged by resource constraints. Users of the data files will need to creatively problem-solve and formulate solutions to data-related issues as they arise. The data includes limited personal identifiers including a pseudo social security number, medical notes, and birth month and year.  Data is submitted as part of an application for a disability determination.  The submission of data by applicants is required as part of the process when applying for benefits.  Sharing of the data with the RMD is entirely voluntary on the part of the SSA.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  All individuals are notified of use at the time of disability filing and consent is written and maintained by SSA.  Major changes will be communicated by the CC CIO to the SSA Project Director. A limited data set, aka, research data is shared between the SSA and the specific RMD staff authorized to perform statistical and other related analyses of the information.  In the event a change to the CC system would include a new use or disclosure, the SSA Project Director would make a determination to notify individuals whose data is contained in the CC system.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  A limited data set, aka, research data is shared between the SSA and the specific RMD staff authorized to perform statistical and other related analyses of the information. Access is password protected and role based security is also used.  All data resides on a server and SAN solely dedicated to that purpose and is located within the secure CC Data Center which uses state of the art backup and physical security measures.  Individual files include a scrambled social security number (aka pseudo SSN).  The key to unscramble the pseudo SSN is stored at the SSA to ensure protection of sensitive PII.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin, CC Privacy Officer
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC Scheduling System
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/27/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  None
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0099
5. OMB Information Collection Approval Number:  None
6. Other Identifying Number(s):  None
7. System Name (Align with system Item name):  NIH CC Scheduling System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin
10. Provide an overview of the system:  An ASP web-based application used for scheduling patient appointments in the Clinical Center.  Schedules for physicians, nurses, ancillary care givers, resources and locations are built so that specific schedules can be created and viewed.  A third-party contractor sends individualized appointment reminder letters to patients.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  PII is required for patient identification at the point of scheduling, as well as for contacting patients and mailing them reminder letters regarding their scheduled appointments.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Information is provided from CRIS to support the scheduling functionality, including patient and clinician demographics, which are used to create the specific appointments for each patient within the application.  Admission to the Clinical Center is entirely voluntary and each patient is advised of the specific information practices at the Clinical Center at the time of admission.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Each patient signs a consent to be admitted to the Clinical Center and is advised as to each of the specific information practices at the Clinical Center including how information about them will be stored and shared and for what purposes.  Major changes will be updated in the current information practices and patients will be informed at the time of admission.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  CC users and contractors have completed information security and privacy training.  Access to data is based on user role.  SCI Solutions security policy includes review of all incidents and action plans to mitigate, repair and prevent damage.  Access is restricted by firewalls, use of virtual IP and physical separation of database servers from systems serving HTTP pages.  Production systems access is limited to specific need-to-know employees. Physical access is limited by locked doors, pass-coded ID, cameras, etc.  Authentication with NIH PIVcard will occur at time of login to the CC Network via CC CASPER for remote users.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin, Privacy Officer, Clinical Center, Department of Clinical Research Informatics
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC StemLab
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/29/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0011
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  NIH CC StemLab
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Boyd Conley
10. Provide an overview of the system:  StemLab is a clinical and administrative management system.  It manages and streamlines the unique work flow followed in the CC Dept of Transfusion Medicine's stem cell blood laboratory.  StemLab also supports stem cell processing operations for bone marrow and apheresis products.  The system also provides functionality to meet quality assurance practices and regulatory compliance for cell therapy transplant services at NIH.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Information related to donation and receipt of blood products for patients on IRB approved protocols is shared with intramural clinical research team.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The StemLab system will collect demographic information, medical notes and laboratory results on donors and NIH research participants.  The information is used by DTM staff to perform routine tasks required by the American Association of Blood Banks and the FDA and support CC research protocols.  The system will collect PII on donors and NIH research participants. The submission is mandatory since donations must be directly attributable to each individual donor.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Each individual donor is informed of required information collection and uses before donation.  Major systems changes would be sent directly to each donor and new consents obtained upon new donations.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Only authorized persons with assigned roles may have access to the system.  The StemLab system is protected in the CC Data Center through door locks and other physical controls.  Access to StemLab is secured by technical controls, including user identification and password protection.  Authentication with NIH PIVcard will occur at the time of login to CC Network via CC CASPER for remote users.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin, CC Privacy Officer, 301-496-4240, smartin@cc.nih.gov
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC Teramedica IS PACS
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  8/12/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0200
5. OMB Information Collection Approval Number:  Not Applicable
6. Other Identifying Number(s):  Not Applicable
7. System Name (Align with system Item name):  NIH CC Teramedica IS PACS
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Ron Levin
10. Provide an overview of the system:  Teramedica IS PACS stores Digital Imaging and Communications in Medicine (DICOM) formatted image data acquired from imaging devices on the NIH network and images acquired from external research partners.  The DICOM image data from external research partners includes limited data in the MRI image headers per the approved HIPAA release.  The DICOM data from intramural research partners includes PII in the image headers.  The system is operated by CC Diagnostic Radiology Department (DRD) and CC (Radiology and Imaging Sciences) RAD IS staff.  Users include CC Radiology and Imaging Sciences staff and NIH intramural research staff whose DICOM images are stored in the system.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  The Teramedica IS PAC system shares and/or discloses PII with Johns Hopkins Medical Institutes.  The PII data is incorporated in reports by Dr. Bluemke's research team following their analysis of JHMI  MRI images.  The disclosure is pursuant to a JHMI IRB approved protocol and an NIH IRB approved protocol.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  (1) The Teramedica system collects DICOM images, names, dates of birth, medical record numbers, medical notes, gender  on NIH intramural research subjects for clinical research and analysis.  (2) This information is collected for the purposes of analysis of MRI images by members of the IRB approved research study between Johns Hopkins Medical Institutes and the CC.  (3) The information contains PII.  (4) Submission of PII is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  NIH intramural research subjects are advised of data uses at the time of admission to the Clinical Center  in the CC Information Practices Notice.  Major changes in the use of their DICOM images in the Teramedica system would be incorporated in an amended CC Information Practices Notice and provided to the CC patients at the time of next admission.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  PII in the application is protected by technical controls that include user ID and password, firewalls and NIH VPN with authentication using NIH PIVcard for remote application users.  The system hardware is located in Bldg 10 Data Center and Bldg 12 Data Center.  The infrastructure is protected by guards, the use of identification badges, key cards and retinal scan for access to Bldg 12.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin, CC Privacy Officer, 301-496-4240, smartin@cc.nih.gov
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/29/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CC TheraDoc Epidemiology System
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/28/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  None
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0099
5. OMB Information Collection Approval Number:  None
6. Other Identifying Number(s):  None
7. System Name (Align with system Item name):  CC TheraDoc Epidemiology System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sue Martin
10. Provide an overview of the system:  The system provides the Hospital Epidemiology Service with continuous infection surveillance, alerts, and analysis to help promote better and more timely infection control practices.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Hard copy reports with PII are faxed as needed to Maryland, Virginia and District of Columbia Public Health Depts in compliance with public health reporting requirements for infectious diseases.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The system captures and maintains PII on registered Clinical Center patients, including demographics, lab results, radiology results, admission/discharge/transfer information, vital signs, medications and selected surgical information. PII is shared with staff epidemiologists and other care givers involved with the treatment of patients at the Clinical Center.  The collection of PII is voluntary since admission to the Clinical Center and specific research protocol(s) is completely voluntary.  Additionally, the Clinical Center is required to collect infectious disease surveillance information for JCAHO and the Public Health Service.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Admission to the Clinical Center is completely voluntary and requires consent of each patient.  In addition, each patient is provided a full written accounting of established information practices at the Clinical Center, including the capture and use of PII, and has the opportunity to ask questions and must acknowledge receipt of same through their signature on the CC Information Practices Notices form.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  PII resides on a server in the CC Datacenter protected by restricted access and video monitoring.  The server is behind the NIH & CC firewalls.  Access is granted by the application administrator to each individual on a need-to-know basis.  Access will require password and specific security group inclusion.  Passwords at the NIH and application level require updates as required by NIH policy and users are automatically logged off the system after inactivity.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Sue Martin, CC Privacy Officer, 301-496-4240
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/27/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CIT CIT Billing System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  8/2/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  CIT Billing System (CBS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  John Burke
10. Provide an overview of the system:  The CIT Billing System (CBS) provides comprehensive job accounting and chargeback reporting. CBS is integrated with CIMS to identify the billable services that each organization uses and creates invoices that are presented to Customer Accounts for payment.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The information collected is account usage and costs associated with use.  This data is used to create invoices and summary reporting files for the central accounting system.  The CIT Billing System is integrated with CIMS to support fee for service and flat fee standard rates. The CIT Billing System collects no sensitive information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Michele Mulholland France, NIH/CIT/PECO
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CIT CIT Democracy II Server Room [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  8/2/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  009-25-02-00-01-3109-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  There is no PII  - this is for a server room
5. OMB Information Collection Approval Number:  There is no OMB ICA Number  - this is for a server room
6. Other Identifying Number(s):  There are no unique identifying numbers
7. System Name (Align with system Item name):  Democracy II Server Room
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Chris Santos
10. Provide an overview of the system:  This is a development and test environment used by CIT's Division of Enterprise and Custom Applications.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Not applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  There is no PII  - this is for a server room
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  There is no PII  - this is for a server room
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  There is no PII  - this is for a server room
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Michele France, NIH/CIT/PECO
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CIT CIT Division of Computational Bioscience Systems [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  8/2/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  009-25-01-26-02-3103-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0200
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  Division of Computational Bioscience Systems
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Anthony Fletcher NIH/CIT/DCB
10. Provide an overview of the system:  This system (“DCB Systems”) is used to provide CIT support for the Institutes and Centers (IC) at NIH.  DCB collaborates with the NIH intramural research program to provide expertise and develop software on computational research problems of significance to the ICs.  DCB Systems host this software which includes development and pre-production versions.  The application areas include molecular modeling, protein structure prediction, biomedical imaging, mathematical modeling, and biomedical informatics.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  SOR 09-25-0200 This information is addressed in the NIH Privacy Act Systems of Record Notice 09-25-0200, published in the Federal Register, Volume 67, No. 187, September 26, 2002.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  CIT/DCB does not collect any of the data it uses in its research and collaborations with the Institutes. DCB develops tools for principal investigators to use in collecting data.  DCB merely keeps a copy of the data, which depends on the protocol but may include IIF such as name, date of birth, phone number, medical records, medical notes, and gender.  The principal investigators with whom DCB collaborates determine which data will be collected. All data are provided voluntarily.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Any IIF data in the system are obtained from the ICs with which DCB collaborates, particularly NINDS.  The processes by which the IIF data are collected are determined by the principal investigators in charge of the protocols.  The clinical staff at NINDS handle all consent forms and notifications.  DCB has no processes in place in addition to those processes provided by NINDS.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Restricted physical and logical access; no project personnel will be allowed to see project data.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Michele Mulholland France NIH/CIT/PECO
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CIT CIT Status of Funds Internet Edition [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  8/2/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  009-25-02-00-01-3109-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  There is no PII.
5. OMB Information Collection Approval Number:  There is no PII.
6. Other Identifying Number(s):  There are no additional identifying numbers.
7. System Name (Align with system Item name):  Status of Funds Internet Explorer (SOFie)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Robin Lyons
10. Provide an overview of the system:  SOFie is a Web-based application employing Microsoft’s IIS and SQL server software. The SOFie application supports the efforts of several offices and branches within CIT, allowing budget offices to track expenditures of direct, reimbursable, and non-appropriated funds in a fiscal year. Additionally, SOFie is used to reflect budget allocations and projected expenditures at the operating level. The program also contains a tracking mechanism to track prior year funds. The application downloads this information from the NIH Data Warehouse weekly. SOFie is not a source database for other information systems.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  There is no PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  SOFie is a commercial-off-the-shelf web-based application tool for providing advanced financial reporting and analysis.  The application supports an Excel interface that allows for the development of spreadsheets using custom functions that extract real-time expenditure, budget, and planning data from the SOFiE database.

The CIT/FMO uses SOFie to track expenditures of direct, reimbursable, and non-appropriated funds in the fiscal year.  Additionally, SOFie is used to reflect budget allocations and projected expenditures at the operating level.  The program also contains a tracking mechanism to track prior year funds.  The data used by SOFie is downloaded from the NIH Data Warehouse weekly.  SOFie is not a source database for other information systems. SOFie does not contain PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  There is no PII.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  There is no PII.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Michele France, NIH/CIT/PECO
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________


 

06.3 HHS PIA Summary for Posting (Form) / NIH CIT Consolidated Colocation Site [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  8/2/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  009-25-02-00-01-3109-00-109-026
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  This is not applicable; there is no PII.
5. OMB Information Collection Approval Number:  009-25-02-00-01-3109-00
6. Other Identifying Number(s):  There are no additional identifying numbers.
7. System Name (Align with system Item name):  NIH Consolidated Co-Location Site
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Adriane Burton
10. Provide an overview of the system:  The NIH Consolidated Co-Location Site (NCCS) is an off-campus site used to house IC servers, including CIT servers.  The NCCS is a secure, environmentally controlled facility located approximately 30 miles from the NIH campus in Northern Virginia.  Multiple telecommunications links between NIH and the NCCS provide extremely high bandwidth.  These links are part of NIHnet, which is managed and operated by the CIT Division of Network Systems and Telecommunications (DNST).
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  This system does not share or disclose PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  This C&A is for a facility only; this does not include any data.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  This C&A is for a facility only; this does not include any data.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  This C&A is for a facility only; this does not include any data.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Michele Mulholland France, NIH/CIT
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CIT Data Center Collaborative Technology
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  8/2/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  009-25-02-00-01-3109-00-109-026
6. Other Identifying Number(s):  There are no other identifying numbers.
7. System Name (Align with system Item name):  NIH CIT Data Center Collaborative Technology
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Adrienne Yang
10. Provide an overview of the system:  The NIH Data Center provides video casting and web collaboration services to the NIH and HHS communities.  Video casting allows customers to broadcast lectures, seminars, conferences, or meetings live to a broad audience over the internet as a real-time streaming video.  Web collaboration provides web conferencing and online collaboration for real-time information sharing and document collaboration.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The only information collected from individuals is their name and work-related information solely for the purpose of establishing user accounts for using the web collaboration service.  This information is only collected from NIH/federal staff.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Michele Mulholland France, CIT/OD/EO/PECO
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CIT Data Center Scientific Computing
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  8/2/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  009-25-02-00-01-3109-00-109-026
7. System Name (Align with system Item name):  NIH CIT Data Center Scientific Computing
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Adrienne Yang
10. Provide an overview of the system:  The NIH Data Center scientific computing services provide high-performance scientific processing services to the NIH intramural research community.  A wide range of scientific applications and web-based tools are provided to ease and enhance scientific research.  Two processing platforms support the scientific applications: Helix is a multiprocessor shared-memory system for interactive use and Biowulf is a 6300+ processor cluster for large computational processing.  Users are responsible for the protection of their data; Helix and Biowulf provide the tools for doing so.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The only information collected from individuals is their names and work-related information such as office locations, phone numbers, etc., solely for the purpose of establishing user accounts on the scientific computing services hosts.  No personally-identifying information is collected, maintained, or disseminated as part of the scientific services.  This information is collected from NIH employees and contractors only.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Michele Mulholland France
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CIT Data Center Unix Hosting
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  8/4/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  009-25-02-00-01-3109-00-109-026
7. System Name (Align with system Item name):  NIH CIT Data Center Unix Hosting
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Adrienne Yang
10. Provide an overview of the system:  The NIH Data Center provides Unix application hosting services to NIH Institutes and Centers (ICs), the U.S. Department of Health and Human Services (HHS), and other federal agencies.  The NIH Center for Information Technology (CIT) is responsible for the management and administration of the Unix general support system - the operating system and Oracle relational database management system.  Data and applications are the sole responsibility of the application owners.  CIT provides the environment and utilities that enable customers to effectively manage the security of their applications and data.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The only information collected from individuals is their names and work-related information such as office locations, phone numbers, etc., solely for the purpose of establishing user accounts on the Unix hosts.  No personally-identifying information is collected, maintained, or disseminated as part of customer support for Unix services.  This information is collected from government employees and contractors only.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Michele Mulholland France, CIT/NIH
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________
