﻿"prompt","response"
"Date Signed:","05/29/2024"
"OPDIV:","NIH"
"Name:","Nutrition - Pronutra"
"PIA Unique Identifier:","P-7293307-389209"
"The subject of this PIA is which of the following?","Minor Application (stand-alone)"
"Identify the Enterprise Performance Lifecycle Phase of the system.","Operations and Maintenance"
"Is this a FISMA-Reportable system?","No"
"Does the system include a Website or online application available to and for the use of the general public?","No"
"Identify the operator.","Agency"
"Is this a new or existing system?","Existing"
"Does the system have Security Authorization (SA)?","Yes"
"Indicate the following reason(s) for updating this PIA.","PIA Validation"
"Describe in further detail any changes to the system that have occurred since the last PIA.","This validation is intended to refresh content and update the security authorization date.   There have been no substantial changes since the last assessment."
"Describe the purpose of the system.","The NIH Clinical Center (CC) Pronutra system is used to identify patients in the food preparation system and for delivery of meals. Pronutra is part of the CC Nutrition system."
"Describe the type of information the system will collect, maintain (store), or share.","CC Nutrition Department registered dieticians pull patient name, date of birth (DOB), medical records number (MRN), protocol number and protocol name from the Clinical Research Information System (CRIS) and manually enter it into the CC Metabolic Kitchen Nutrition System.  This information is used to identify patients in the system for delivery of meals, and for research purposes, such as a metabolic study. CRIS maintains it's own privacy impact assessment (PIA) with all legal authorities documented.Those requiring access to this system log in using the NIH Identity, Credential, and Access Management (IAM) Services which maintains its own unique privacy impact assessment (PIA) on record, with all legal authorities documented.  The purpose of IAM Services is to authenticate and authorize all users and computers in a Windows domain type network assigning and enforcing information security policies for all computers and installing or updating software. The IAM Services collects unique user credentials and stores them in an encrypted format.  The IAM Service is an essential service which facilitates and governs network access to various resources."
"Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.","The NIH CC Pronutra system is used to identify patients in the food preparation system and delivery of meals. Pronutra is part of the CC Nutrition system.CC Nutrition Department registered dieticians pull patient name, DOB, MRN, protocol number and name from CRIS and manually enter it into the CC Metabolic Kitchen Nutrition System.  This information is used to identify patients for delivery of meals, and for research purposes, such as a metabolic study. Those requiring access to this system log in using the NIH IAM Services.  NIH IAM and CRIS maintain their own unique PIAs on record, with all legal authorities documented. "
"Does the system collect, maintain, use or share PII?","Yes"
"Indicate the type of PII that the system will collect or maintain.","Date of Birth; Name; Medical Records Number; Protocol Number and Protocol Name"
"Indicate the categories of individuals about whom PII is collected, maintained or shared.","Public Citizens; Patients"
"How many individuals' PII is in the system?","5,000-9,999"
"For what primary purpose is the PII used?","To identify patients in the food preparation system and delivery of meals. "
"Describe the secondary uses for which the PII will be used.","For research purposes, such as a metabolic study. "
"Identify legal authorities governing information use and disclosure specific to the system and program.","The legal authority to operate and maintain this Privacy Act records system is 42 U.S.C. §§ 241, 248, 282 and 284"
"Are records on the system retrieved by one or more PII data elements?","Yes"
"Identify the number and title of the Privacy Act System of Records Notice (SORN) that is being use to cover the system or identify if a SORN is being developed.","09-25-0099, Clinical Research: Patient Medical Records"
"Identify the sources of PII in the system.","Government Sources - Within OpDiv"
"Identify the OMB information collection approval number and expiration date","Public Law 114-255, Section 2035, exempts research conducted by NIH from Paperwork Reduction Act (PRA) requirements."
"Is the PII shared with other organizations?","No"
"Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.","Every patient must voluntarily execute a protocol consent and authorization prior to entry onto an intramural research protocol and treatment at the Clinical Center. In addition, each patient is provided a formal notification of Information Practices at the Clinical Center and must certify that they have been so advised.  "
"Is the submission of PII by individuals voluntary or mandatory?","Voluntary"
"Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.","General admission and protocol consent forms are signed by each patient. Additionally, an information practices notification form is reviewed and acknowledged in writing by each patient at the time of initial admission to the CC. Enrollment in a clinical research trial is voluntary and the collection of personally identifiable information (PII) and medical notes is necessary to conduct research and provide clinical care. Therefore, a patient may not opt out of the collection or use of their PII while participating in research at the CC."
"Process to notify and obtain consent from individuals whose PII is in the system when major changes occur to the system.","All patients are notified of information practices upon admission.  Each patient would be advised at the time of the next admission about major system changes and the CC Information Practices Notice would be revised and provided to each patient again."
"Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate.","A Privacy Rights Complaint Form is available to individuals when they believe that their PII has been inappropriately used or disclosed. The Clinical Center's Privacy Office will review the complaint and respond to the concern within 30 business days. Complaints could also be submitted to the System Manager, who would investigate and share findings with CC Information Systems Security Officer (ISSO) and CC Privacy Officer. "
"Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy.","Information, including PII, is reviewed when queries are performed and data is provided to the clinical research team. Modifications to patient PII are sent from CRIS to the system to keep the patient PII in sync across the ancillary clinical information systems."
"Identify who will have access to the PII in the system and the reason why they require access.","Users: Data entry and report generation; Administrators: Data retrieval for nutrition research; Contractors: Direct contractors may be users or administrators."
"Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.","Determinations are made based on role-based access controls and least privilege.  User rights are provisioned based on controls within the system, allowing users only access to the minimum amount of PII necessary to perform their job."
"Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.","Access to PII is assigned to personnel based upon current job responsibilities. An IAM account login is required to gain access to the stored PII data."
"Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.","According to NIH policy, all personnel who use NIH applications must successfully complete security awareness training annually.  There are five categories of mandatory information technology (IT) training (Information Security, Counterintelligence, Privacy Awareness, Records Management and Emergency Preparedness).  "
"Describe training system users receive (above and beyond general security and privacy awareness training).","Application specific ""sit next to me while I show you"" peer training."
"Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?","Yes"
"Describe the process and guidelines in place with regard to the retention and destruction of PII.","Records are retained and disposed of under the authority of the NIH Intramural Records Retention Schedule. Item 03-005: Patient Medical Records.  These records document admissions and medical treatment for a patient accepted in a research project. Disposition:  Cut off patient case file annually after 5 years of inactivity. Destroy when case fileis no longer needed for scientific reference.  DAA-0443-2012-0007-0010  "
"Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.","Physical Controls: The IT hardware used to host protected information is located in a secured data center facility. The facility is only open to authorized personnel whose access is monitored by locking doors with badge readers for both ingress and egress. Each discrete ingress and egress event is logged. The facility is under 24-hour surveillance by facilities security for security and environmental hazards.Technical Controls: IT hardware and software is segregated from default commodity public networks to prevent unauthorized or malicious access. Access controls lists and event logs are maintained and monitored to detect unauthorized, suspicious or malicious activity. Access lists are restricted to approved IT technical personnel. Two factor authentication must be used for access. File integrity and auditing software are employed on hardware.Administrative Controls: All technical personnel who access IT systems which contain protected information have met background investigation criteria for Public Trust positions. All personnel have taken mandatory security and privacy training classes and annual refreshers. Administrative personnel accessing these systems use privileged and separate accounts for administrative access."
