﻿"prompt","response"
"Date Signed:","03/06/2025"
"OPDIV:","NIH"
"Name:","CC CRSS Laboratory Information System"
"PIA Unique Identifier:","P-4903215-626085"
"The subject of this PIA is which of the following?","Minor Application (stand-alone)"
"Identify the Enterprise Performance Lifecycle Phase of the system.","Operations and Maintenance"
"Is this a FISMA-Reportable system?","No"
"Does the system include a Website or online application available to and for the use of the general public?","No"
"Identify the operator.","Agency"
"Is this a new or existing system?","Existing"
"Does the system have Security Authorization (SA)?","Yes"
"Indicate the following reason(s) for updating this PIA.","PIA Validation"
"Describe in further detail any changes to the system that have occurred since the last PIA.","The PIA has been updated to meet the requirements of Executive Order - Defending Women From Gender Ideology Extremism And Restoring Biological Truth To The Federal Government."
"Describe the purpose of the system.","The NIH Clinical Center (CC) Laboratory Information System (LIS) maintains information regarding the entry of specific Clinical Research Information System (CRIS) lab tests ordered on CC patients, along with the results of those tests and the personally identifiable information (PII) required to identify the patients to which those orders, tests and results apply. The following Soft Computer Corporation (SCC) commercial off the shelf (COTS) modules compose the LIS system:SoftBI (Business Intelligence) module provides management reports to the Department of Laboratory Medicine (DLM) leadership team. The reports include critical operational data, analytical and statistical data, laboratory efficiency data, various productivity analyses and other reports involving data from all of SCC's core software products installed at the CC.SoftBank is a transfusion service management module used by Department of Transfusion (DTM) blood bank that streamlines the routine, manual, time-consuming tasks associated with transfusion and blood center processes and procedures.SoftFlowCytometry is a module that adds immunology/hematology capability, used to analyze the chemical characteristics of a population of cells.SoftID is a specimen collection system adopting positive patient identification at patients' bedside to ensure patient safety.  SoftID module provides barcode scanning function to ensure positive patient identification with collection of specimens from CC patients.SoftIDTx is a blood administration module used by DTM for patient and blood unit matching prior to blood transfusion and nursing data entry during transfusion administration. SoftIDTx module provides barcode scanning function to ensure positive patient identification by nursing staff before administering blood components to patients.SoftLab (Laboratory) is the general laboratory module of that includes general laboratory and management reporting functions. SoftLab interfaces with the lab instruments processing CC specimens and collects the results.SoftMedia module allows for enhancing clinical services with document and image storage capabilities. SoftMic (Microbiology) module automates the processing of microbiology specimens through all stages from order entry, processing, and workup to final reporting.SoftPathDX (Pathology) is the anatomic pathology, cytology, and autopsy module of LIS that imports images and lab results into final reports that contribute to diagnostic interpretation.SoftReport is the report writing module that enhances LIS reports with color, a variety of report fonts, images, graphs and charts.SoftTotalQC (Total Quality Control) is used for managing Quality Control (QC) values through interfaced instruments or by manual entry.  SoftTotalQC module also enables DLM to manage QC material and reagents inventory.SoftWebPlus module allows authorized NIH users to remotely order laboratory tests & access laboratory results for patient and animal specimens submitted to the CC Department of Laboratory Medicine (DLM).SecurityManagement is the module that can create users, roles and monitor each users' activity.  The system automatically inactivates any users with more than 120 days of inactivity."
"Describe the type of information the system will collect, maintain (store), or share.","PII collected includes patient name, date of birth, CRIS Order identification (ID), medical record number (MRN), test results, and demographics, including age, race and sex. Specific laboratory (lab) notes collected includes lab test name, description of specimen (blood, urine, tissue, bone, bodily fluids, volume, weight and anatomical source), description of blood components transfused to patients, Lab Order identification (ID), date/time of collection and processing, medical instrument device name, test results, date/time of final result sent to CRIS.The name of NIH staff clinicians collecting specimens, administering blood and ordering tests in CRIS is also collected.Information is shared with caregivers and research clinicians in order to provide clinical care or to conduct approved medical research at other institutions, specifically Centers for Disease Control (CDC) and Walter Reed National Military Medical Center.Users log in to this system using the NIH Identity, Credential, and Access Management (IAM) Services which maintains its own unique privacy impact assessment (PIA) on record, including all legal authorities documented.  The purpose of IAM Services is to authenticate and authorize all users and computers in a Windows domain type network; assigning and enforcing information security policies for all computers and installing or updating software. The IAM Services collect unique usernames and passwords (user credentials) and stores them in an encrypted format.  The IAM Services are an essential service which facilitates and governs network access to various resources.CRIS maintains its own unique privacy impact assessment, with all legal authorities documented."
"Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.","The NIH CC LIS maintains information regarding the entry of specific CRIS lab tests ordered on CC patients, along with the results of those tests and the PII required to identify the patients to which those orders, tests and results apply. The following SCC COTS modules compose the LIS system:SoftBI SoftBank iSoftFlowCytometry SoftID SoftIDTx iSoftLab SoftMedia SoftMic SoftPathDXSoftReport SoftTotalQC SoftWebPlus SecurityManagement PII collected includes patient name, date of birth, CRIS ID, MRN, test results, and demographics, including age, race and sex. Specific medical notes collected includes lab test name, description of specimen (blood, urine, tissue, bone, bodily fluids, volume, weight and anatomical source), description of blood components transfused to patients, Lab Order ID, date/time of collection and processing, medical instrument device name, test results, date/time of final result sent to CRIS.The name of NIH staff clinicians collecting specimens, administering blood and ordering tests in CRIS is also collected.Information is shared with caregivers and research clinicians in order to provide clinical care or conduct approved medical research at other institutions, specifically CDC and Walter Reed National Military Medical Center.Users log in to this system using the NIH IAM Services which maintains its own unique on record, including all legal authorities documented.  CRIS maintains its own unique privacy impact assessment, with all legal authorities documented."
"Does the system collect, maintain, use or share PII?","Yes"
"Indicate the type of PII that the system will collect or maintain.","Date of Birth; Name; Medical Records Number; Medical Notes; Lab Order ID, CRIS Order ID, test results, test name; Age, race and sex, Lab test notes"
"Indicate the categories of individuals about whom PII is collected, maintained or shared.","Employees; Public Citizens; Patients; None"
"How many individuals' PII is in the system?","100,000-999,999"
"For what primary purpose is the PII used?","The PII is used primarily for clinical and research care of CC patients.  The primary purpose of the NIH staff PII is to identify the clinicians associated with orders and actions performed in the LIS system."
"Describe the secondary uses for which the PII will be used.","There are no secondary uses specified by the system owner.  "
"Identify legal authorities governing information use and disclosure specific to the system and program.","The legal authority to operate and maintain this Privacy Act records system is 42 U.S.C. §§ 241, 248, 282 and 284."
"Are records on the system retrieved by one or more PII data elements?","Yes"
"Identify the number and title of the Privacy Act System of Records Notice (SORN) that is being use to cover the system or identify if a SORN is being developed.","09-25-0099, Clinical Research: Patient Medical Records"
"Identify the sources of PII in the system.","Directly from an individual about whom the information pertains - In-Person; Government Sources - Within OpDiv; Government Sources - Other Federal Entities; Non-Governmental Sources - Public"
"Identify the OMB information collection approval number and expiration date","Public Law 114-255, Section 2035, exempts research conducted by NIH from Paperwork Reduction Act (PRA) requirements."
"Is the PII shared with other organizations?","Yes"
"Identify with whom the PII is shared or disclosed and for what purpose. Within HHS:","LIS is owned and operated by CC.  Some LIS reports are shared with intramural research teams from other NIH Institutes/Centers for research purposes. "
"Identify with whom the PII is shared or disclosed and for what purpose. Other Federal Agencies:","The CC permits two contracted Interpflow staff access to flow cytometry case files (FCS) generated by LIS.  The LIS patient flow cytometry data exchange takes place via a secured network connection to a National Cancer Institute (NCI) file share. (Interpflow is a flow cytometry analysis company under contract to the CC DLM providing subject matter expertise to the CC Hematology Section staff.)The CC permits access by Mayo Collaborative Services Limited Liability Company (LLC) contractors as part of an agreement for outside laboratory testing.The CC permits access by Soft Computer Corporation contractors as part of an agreement for vendor support to troubleshoot and investigate reported issues.DLM mails specimens to the commercial labs listed below for processing.  The tests results are securely sent back to DLM.1. GeneDx2. Athena3. Quest4. Beacon Diagnostics5. MiraVista6. National Jewish7. Oxford Immunotec8. UC Davis9. U. Texas Fungus Testing Lab10. U. Texas Tyler11. U. Washington12. Viracor13. Karius"
"Identify with whom the PII is shared or disclosed and for what purpose. State or Local Agencies:","Centers for Disease Control (CDC) for mandatory disease reporting.Walter Reed National Military Medical Center when NIH is asked to confirm pathology test results of patients at that institution."
"Identify with whom the PII is shared or disclosed and for what purpose. Private Sector:","The CC permits two contracted Interpflow staff access to flow cytometry case files (FCS) generated by LIS.   Interpflow is a flow cytometry analysis company, under contract to the CC DLM, providing subject matter expertise to the CC Hematology Section staff.The CC permits access by Mayo Collaborative Services LLC contractors as part of an agreement for outside laboratory testing.The CC permits access by Soft Computer Corporation contractors as part of an agreement for vendor support to troubleshoot and investigate reported issues.DLM mails specimens to the commercial labs listed below for processing.  The tests results are returned to DLM via secure fax or the commercial lab's secure portal.1. GeneDx2. Athena3. Quest4. Beacon Diagnostics5. MiraVista6. National Jewish7. Oxford Immunotec8. University of California (UC) Davis9. University of (U.) Texas Fungus Testing Lab10. U. Texas Tyler11. U. Washington12. Viracor14. Karius"
"Describe any agreements in place that authorizes the information sharing or disclosure.","Two agreements exist with Interpflow.A memorandum of understanding (MOU) establishing a management agreement between the Interpflow Corporation and the NIH regarding the development, management, operation, and security of a connection between systems owned by Interpflow and systems owned by the NIH.A MOU formalizing an agreement reached between National Cancer Institute (NCI), and the Department of Clinical Research Informatics (DCRI), CC, NIH for the sending of data from the CC to the NCI.Other MOUs:An MOU between the NIH CC and Mayo Collaborative Services LLC (Mayo) documents the management and operation of a secure connection between the NIH CC LIS and Mayo Collaborative Services.An MOU between the NIH CC and Soft Computer Corporation (SCC) documents the management and operation of a secure connection between the NIH CC LIS and Soft for technical support."
"Describe the procedures for accounting for disclosures.","If a request for an accounting is received, there are audit logs to allow the system owner to provide that information. Individual components of LIS track functions of logged in users. LIS is an aggregation of Soft Computer Corporation modules establishing a boundary for Security Assessment & Authorization (SA&A) purposes."
"Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.","Every patient voluntarily signs a protocol consent and a general admission consent prior to enrollment into an intramural research protocol and treatment at the Clinical Center.  In addition, each patient is provided a formal notification of Information Practices at the Clinical Center and must certify that they have been so advised."
"Is the submission of PII by individuals voluntary or mandatory?","Voluntary"
"Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.","Enrollment in a clinical research trial is voluntary and the collection of PII and medical notes is necessary to conduct research and provide clinical care.  Therefore, a patient may not opt out of the collection or use of their PII while participating in research at the CC.  "
"Process to notify and obtain consent from individuals whose PII is in the system when major changes occur to the system.","All patients are notified of information practices upon admission.  Each patient would be advised at the time of the next admission about major system changes and the CC Information Practices Notice would be revised and provided to each patient again."
"Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate.","A Privacy Rights Complaint Form is available to individuals when they believe that their PII has been inappropriately used or disclosed. The CC DCRI Privacy Office will review the complaint and coordinate with the NIH Office of the Senior Official for Privacy (OSOP) to respond to the concern. Complaints could also be submitted to the System Manager, who would investigate and share findings with CC Information Systems Security Officer (ISSO) and CC DCRI Privacy Office."
"Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy.","Per LIS Operating Policy and Procedure, periodic checks are made to assess the accuracy of data transmitted by manual testing or automated system to the LIS, CRIS, and Clinical Data Warehouse (CDW) for displayed and printed data integrity, and the safe handling of confidential patient information.The DLM is accredited by College of American Pathologists (CAP) every 2 years and all elements are reviewed by the DLM Lab Director."
"Identify who will have access to the PII in the system and the reason why they require access.","Users: Users require access to PII to perform tests and provide results; Administrators: Administrators have access to PII to maintain system and controls; Developers: Developers require access to PII to prepare reports.; Contractors: NIH direct contractors may be users, administrators and/or developers.Mayo Clinic Laboratories direct contractors have access to PII in order to prepare samples and perform data entry in LIS.Interpflow direct contractors have access to PII to provide flow cytometry analysis services.Soft Computer Corporation (SCC) staff have incidental access to PII to troubleshoot reported system errors and assist in upgrades per contractual obligations"
"Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.","Access to PII is assigned based upon job roles/responsibilities. Users access LIS using NIH IAM, which combines the identity and authentication tools and capabilities used throughout the NIH enterprise."
"Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.","Appropriate access is granted to the system based on predefined roles and job descriptions, and administrative access is limited to authorized employees based on current roles.  Dual factor authentication with NIH Personal Identity Verification (PIV) card and NIH IAM will occur at time of login to the NIH Network. System owners are responsible for creating the proper security groups within their systems with the applicable permissions for group members to enforce least privilege."
"Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.","According to NIH policy, all personnel who manage or operate NIH applications must successfully complete annual security awareness training.  Training is completed on the http://irtsectraining.nih.gov site with valid NIH credentials.Administrators and Privileged Users require additional training specific to their roles and responsibilities."
"Describe training system users receive (above and beyond general security and privacy awareness training).","DLM and DTM staff receive application specific training from the SCC vendor.  CC Nursing Department Education team conducts SoftID and SoftTX training for CC nurses and DLM phlebotomists using these modules."
"Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?","Yes"
"Describe the process and guidelines in place with regard to the retention and destruction of PII.","Records are retained and disposed of under the authority of the NIH Intramural Records Retention Schedule. Item I-0006: Clinical Care Services Records(DAA-0443-2012-0007-0006)These records consist of clinical care services and clinical care department operational records that are consolidated under this one common temporary retention item. Exclusions and exceptions are noted and cross referenced to their appropriate item numbers within this schedule. Disposition: TEMPORARY. Cut off annually at end of fiscal year. Destroy 7 years after cutoff."
"Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.","Physical Controls: The IT hardware used to host protected information is located in a secured datacenter facility. The facility is only open to authorized personnel whose access is monitored by locking doors with badge readers for both ingress and egress. Each discrete ingress and egress event is logged. The facility is under 24-hour surveillance by facilities security for security and environmental hazards.Technical Controls: IT hardware and software is segregated from default commodity public networks to prevent unauthorized or malicious access. Access controls lists and event logs are maintained and monitored to detect unauthorized, suspicious or malicious activity. Access lists are restricted to approved IT technical personnel. Two factor authentication must be used for access. File integrity and auditing software are employed on hardware.Administrative Controls: All technical personnel who access IT systems which contain protected information have met background investigation criteria for Public Trust positions. All personnel have taken mandatory security and privacy training classes and annual refreshers. Administrative personnel accessing these systems use privileged and separate accounts for administrative access."
