Primavera ProSight Form Report

Font Size Print Download Reader HHS Home|HHS News|About HHS

06.3 HHS PIA Summary for Posting (Form) / Center for International Blood & Marrow Transplant Research Systems (CIBMTR) (Item)

PIA SUMMARY AND APPROVAL COMBINED

1	PIA Summary

Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Oct 11, 2007

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: N/A (See comments 240-97-0036)

4. Privacy Act System of Records (SOR) Number: 09-15-0068

5. OMB Information Collection Approval Number: 0915-0310

6. Other Identifying Number(s): N/A

7. System Name: Stem Cell Therapeutic Outcomes Database (SCTOD)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Randy Gale

10. Provide an overview of the system: The system collects and analyzes data on outcomes of allogeneic hematopoietic stem cell transplantation (HCT). The Center for International Blood and Marrow Transplant Research at the Medical College of Wisconsin is the contractor for the Stem Cell Therapeutic Outcomes Database component of the C.W. Bill Young Cell Transplantation Program. As the Government contractor, the CIBMTR-MCW will provide aggregated public information to increase availability, safety, and effectiveness of stem cell therapies. The CIBMTR-MCW will report to the Government regarding activity of the C.W. Bill Young Cell Transplantation Program and transplant outcomes.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The Stem Cell Therapeutic Outcomes Database system at CIBMTR-MCW shares this identifier with respective individual transplant centers submitting patient outcomes data and with the contractor for the other components of the C.W. Bill Young Cell Transplantation Program (i.e, the National Marrow Donor Program). The purpose of this sharing is to track patient follow-up.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The IIF is protected in transmission by using secure protocols. Individuals with access to the system have a user ID and password. Only very limited IIF (mentioned at # 17) is collected and maintained in the SCTOD system. The critical dates in a recipient’s treatment and outcome history are necessary for performing the outcomes analysis required by the SCTOD contract. System generated unique recipient ID numbers are necessary as a communications link with the reporting transplant center for tracking long-term follow up. CIBMTR-MCW System directors participated in a NIST Risk Assessment to evaluate the impact of risk to the confidentiality, integrity and availability of the SCTOD information. The resulting Sensitivity Score led the CIBMTR to apply the Moderate Baseline to the Management, Operational and Technical System Security Controls defined in NIST 800-53. CIBMTR policies are in place for these controls and the HRSA OIT System Test and Evaluation will determine the extent to which procedures implemented for these controls are met.

PIA Reviewer Approval: Promote

Comments:

PIA Reviewer Name: Rodney Washington

Sr. Official for Privacy Approval: Promote

Comments:

Sr. Official for Privacy Name: Caroline Lewis

Sign-off Date: Nov 16, 2007

Date Published: Jun 26, 2008

06.3 HHS PIA Summary for Posting (Form) / Children's Graduate Medical Education Payment Program (Item)

PIA SUMMARY AND APPROVAL COMBINED

1	PIA Summary

Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Oct 10, 2007

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-06-02-1320-00

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: 0915-0247

6. Other Identifying Number(s): N/A

7. System Name: Children's Graduate Medical Education Payment Program (CHGME PP) Database System (GME DS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jill Schmid

10. Provide an overview of the system: The GME DS is a system that: 1) receives initial applications from hospitals that indicate the expected volume and complexity of services provided, 2) determine the initial allocation of available funds to hospitals, 3) issue award letters to the hospitals, 4) issue invoices to PSC that lead to monthly payments being made to the hospitals, 5)recieve mid year reconciliation applications from the hospitals that finalize the volume and complexity of services, 6) recalculate the allocation of funds to hospitals, 7)issue revised invoices, 8) generate reports for the various parties involved, and 9) maintain records of these activities. In the past this has been done manually, with the hospitals sending the applications via the mail with a disc to upload their applications to our system, with the modification the hospitals will be able to apply for funds via a web based application. the auditors will be able to access the system to do their annual audit of the applications. The web system has been implemented and has been going through various testing stages. The CHGME is holding a workshop Nov 1, 2007, where all the hospitals will get to view this system and provide feedback. Once we incorporate any suggestions we will then have our selected 10 hospitals begin a vigorous test and provide comments for more upgrades performed by the contractor. The system will be live for the next application cycle.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF on this system

PIA Reviewer Approval: Promote

Comments:

PIA Reviewer Name: Rodney Washington

Sr. Official for Privacy Approval: Promote

Comments:

Sr. Official for Privacy Name: Caroline Lewis

Sign-off Date: Nov 16, 2007

Date Published: Jun 26, 2008

06.3 HHS PIA Summary for Posting (Form) / Data Warehouse (Item)

PIA SUMMARY AND APPROVAL COMBINED

1	PIA Summary

Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Oct 15, 2007

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-09-02-1350-00

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: HRSA Geospatial Data Warehouse

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Terri Cohen

10. Provide an overview of the system: The HRSA Geospatial Data Warehouse is a publicly-available reporting tool available to all users on the Internet. It provides a single point of access to HRSA programmatic information, related health resources, and demographic data. This promotes information sharing, collaboration, and provides government-to-government, government-to-business and government-to-citizen services that have significantly improved both the efficiency and effectiveness of the agency in delivering its mission.

The result is uninterrupted global access to comprehensive, current data on HRSA programs, the majority of which focus on improving access to care for underserved people, and key health markers.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Does not apply since we have no IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: We do not collect any IIF information. The HGDW disseminates information at summary and aggregated data from other sources. The data being made available consolidate and integrate data from over ten source systems and databases (including EHB, NIS, BCHDANet, offline Excel spreadsheets, and outside Agencies and vendors) into a single repository. This eliminates the need to develop and maintain separate reporting functions for each HRSA data system, thereby reducing the overall hardware, software, and FTE burden on HRSA; makes data and information regarding HRSA's activities available to all, over the Internet without requirements for passwords and user ids, using web browsers only (no special software or skills are required); promotes information sharing and collaboration among HRSA staff, HRSA partners, state and local health planners and policy makers, and stakeholders; promotes and enhances understanding of the data by putting the information in a broad geographic and demographic context; provides both text-based and visual output (in the form of interactive maps), which facilitate greater understanding of the information and the interrelationships between data sets; provides detailed metadata about the composition, meaning, and derivation of HRSA's data.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Does not apply since we have no IIF.

PIA Reviewer Approval: Promote

Comments:

PIA Reviewer Name: Rodney Washington

Sr. Official for Privacy Approval: Promote

Comments:

Sr. Official for Privacy Name: Caroline Lewis

Sign-off Date: Nov 16, 2007

Date Published: Jun 26, 2008

06.3 HHS PIA Summary for Posting (Form) / Enhancement/Maintenance and Development of the Application Submission and Processing System (ASAPS) (Item)

PIA SUMMARY AND APPROVAL COMBINED

1	PIA Summary

Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Nov 5, 2007

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-02-00-02-1370-00

4. Privacy Act System of Records (SOR) Number: 09-15-0066

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Enhancement/Maintenance and Development of the Application Submission and Processing System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Debra A. Small

10. Provide an overview of the system: To help facilitate the submission of applications and processing review, SDB has installed an electronic database designed to streamline the application process and create standards and efficiencies in the application review. There will be approximately 60 State and U.S. territory users and 20 SDB users.

The installed electronic database is known as the Application Submission and Processing System (ASAPS). It is based on Geographical Information System (GIS) software that utilizes maps, distance measurements, populations levels and sequential data to determine rated factors necessary for determining if an area, population or facility can be designated. ASAPS is a database available to State PCOs and SDB staff. It is Internet based, operates on Windows operating system and Microsoft SQL server and utilizes the Environmental Systems Research Institute (ESRI) ArcIMS (Internet Map Server) software. The server is in a secured environment at the HRSA offices in the Parklawn building in Rockville, MD.

ASAPS will serve map data dynamically via the Internet and Intranet to support business processing. For example ASAPS will:

- Clearly visualize geographic areas to be designated

- View service area or planning alternatives

- Correlate critical demographic information with specific locations

- Evaluate the location and suitability of health resources

- Access detailed information about providers and facilities

- Access data layers defined by user to allow use of dynamic data.

ASAPS allows geographically dispersed users to access geographic data stored at HRSA and use this data in a business software application. The product of the software - an application for shortage designation - is then transmitted to SDB where it can be reviewed for accuracy.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Provider data is shared with the associated State Primary Care Offices.

Individual record data provides individual physicians, not only to counties, but also to the subcounty service areas. Data on actual time spent providing health care to patients is utilized to estimate the actual level of services available in these areas.

It is also important to obtain name data for primary care providers for the use in resolving conflicts between national and State or local data that may arise in designation determinations,. Identifiers such as UPIN are extremely useful for use in comparing databases, such as unduplicating with lists of National Health Service Corps and Community Health Center providers.

State data provided to OWEQA will be a significant part of the overall database used for determining population-to-provider ratios for shortage designation purposes.

The submission of IIF to the states is voluntary.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Provider data is only available to the associated State Primary Care Office. Only the database administrator has privileges to update, delete, or override provider database. The system uses SSL and encryption. Also used is Data Integrity/Validation Controls, documentation, Security Awareness and Training, Identification and Authentication, logical access controls, and audit trails.

PIA Reviewer Approval: Promote

Comments:

PIA Reviewer Name: Rodney Washington

Sr. Official for Privacy Approval: Promote

Comments:

Sr. Official for Privacy Name: Caroline Lewis

Sign-off Date: Nov 16, 2007

Date Published: Jun 26, 2008

06.3 HHS PIA Summary for Posting (Form) / eRoom (Item)

PIA SUMMARY AND APPROVAL COMBINED

1	PIA Summary

*Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Oct 17, 2007

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-09-02-1360-00

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: eRoom

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Roger Straw

10. Provide an overview of the system: eRoom is a COTS product designed to provide secure spaces (called eRooms) to support collaboration efforts.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

No IIF on the systems covered in this assessment

PIA Reviewer Approval: Promote

Comments:

PIA Reviewer Name: Rodney Washington

Sr. Official for Privacy Approval: Promote

Comments:

Sr. Official for Privacy Name: Caroline Lewis

Sign-off Date: Nov 16, 2007

Date Published: Jun 26, 2008

06.3 HHS PIA Summary for Posting (Form) / Health Center Management Information System (Item)

PIA SUMMARY AND APPROVAL COMBINED

1	PIA Summary

*Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: Initial PIA Migration to ProSight

1. Date of this Submission: Sep 5, 2006

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-09-02-1390-00

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Health Center Management Information System (HCMIS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Colleen Meiman

10. Provide an overview of the system: HCMIS is a set of Microsoft Access databases that provide Health Center Project Officers in the HRSA/BPHC Division of Health Center Management with "one-stop shopping" access to the data needed to conduct their daily functions. This data includes the Uniform Data System (UDS), President's Initiative application status, grantee audit reviews, project and budget period, grant award amounts, grant funds draw-down, change in scope request status, BPHC "Alert List" status, grantee accreditation, FTCA deeming, Chronic Disease Collaborative participation, and other summary data.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The information (not IIF) contained in HCMIS is accessible to approved users located in:

- all divisions of HRSA's Bureau of Primary Health Care (BPHC)

- the following other HRSA offices: the Division of FInancial Integrity, the Office of Grants Management, the BHPr Office of Pharmacy Affairs. The purpose for allowing this data sharing is to make it easier to contact

- Work is currently underway to expand access to this data to staff from the Office of Performance Review who are located in the regional offices.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: HCMIS makes available individualized and summarized grant award, annual audit, and annually reported grantee utilization data on Federaly -funded health centers. HCMIS maintains data received from the Uniform Data System and the BHCDANet database system that includes the name, business telephone number, and email address of a grantee's Chief Executive Officer, Medical Director, and Contact person as well as the address of each grantee's administrative office and satellite clinic sites. The name of the grantee's Board Chairperson is also maintained without an associated telephone number or email address. This information is primarily provided to and updated by Project Officers in the BPHC Division of Health Center Management to enable them to contact key staff in the grantees assigned to them as Project Officers and is used for generating mass mailings and email messages to grantees as necessary. All users of HCMIS have the ability to view this information. Grantees are required to submit the names and contact information in their annual UDS reports and their grant applications.

1. The Uniform Data System (UDS). This system disseminates privacy policy information that informs individuals how their IIF will be used and shared.

2. Grant applications and related documents. We assume that the general information provided to grant applicants states that the information they provide will be collected and used for grants administration purposes.

3. Direct contact between grantees and HRSA/BPHC Project Officers. For example, a grantee will e-mail their PO to inform them of a change of address or leadership, and the PO will update the information in HCMIS.

There are currently no processes in place to notify or obtain consent from individuals when major changes are made to HCMIS or the information is used in a new manner. However, there are no major changes planned to the HCMIS system until the new Legacy System becomes operational, and no anticipated changes to how the data is used.

These information collected and maintained are not IIF.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: HCMIS is hosted on the HRSA OIT network and on HRSA OIT servers. It is only accessible by persons to whom HRSA OIT has provided accounts on the HRSA OIT network and given network user rights to access the shared folders where the HCMIS databases are hosted. Staff in the BPHC Division of Clinical Quality (now the Office of Quality and Data) are responsible for tracking/monitoring FTCA Deeming and accreditation status of grantees. They have read/write/update rights to the FTCA deeming and accreditation data in HCMIS. The BPHC contracted CPAs have read/write/update rights to the financial audit data because they are the ones that review the audits and enter the audit review information into HCMIS. Staff in the Division of Policy and Development have read/write/update rights to the President’s Initiative database that tracks applications received under the New Access, Expanded Medical Capacity, and Service Expansion grant programs because this office is responsible for tracking and processing these applications. One of the secretaries is responsible for maintaining the staff list in HCMIS so she is the only one that can use the Project Officer assignment function in HCMIS. Currently, all HCMIS data is maintained in Microsoft Access databases which are not encrypted or secured.

PIA Reviewer Approval: Promote

Comments:

PIA Reviewer Name: Rodney Washington

Sr. Official for Privacy Approval: Promote

Comments:

Sr. Official for Privacy Name: Caroline Lewis

Sign-off Date: Nov 16, 2007

Date Published: Jun 26, 2008

06.3 HHS PIA Summary for Posting (Form) / HRSA C.W. Bill Young Cell Transplantation Program (NBMDR) (Item)

PIA SUMMARY AND APPROVAL COMBINED

1	PIA Summary

*Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Oct 19, 2007

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: SEE COMMENTS (240-97-0036)

4. Privacy Act System of Records (SOR) Number: 09-15-0068

5. OMB Information Collection Approval Number: 0915-0212

6. Other Identifying Number(s): N/A

7. System Name: HRSA C.W. Bill Young Cell Transplantation Program

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Shelley Tims

10. Provide an overview of the system: NMDP uses its proprietary Search, Tracking, and Registry (STAR®) System as the critical system to collect donor and cord blood information, to manage and facilitate all patient searches, and to track detailed post-transplant clinical status. Data retention includes: donor demographic data, Human Leukocyte Antigen (HLA) typing data, search process data, Network center management data, and clinical outcome data.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The C.W. Bill Young Cell Transplantation Program shares medical information in an attempt to find matches, but does not share the associated information about the individual, and such information can not be obtained through other sources

HRSA does not collect, maintain or disseminate IIF. The contractor for the C.W. Bill Young Cell Transplantation Program does collect IIF including name, address, and phone numbers. It is optional whether select to provide their social security numbers and/or email addresses. All IIF are used to assist in locating a potential donor if they are found to be a match for a patient in need of a life saving blood stem cell transplant.

NMDP obtains consent when potential donors first register with NMDP. NMDP contacts potential donors through phone or postal mail to re-obtain consent when their information is request to be used outside of the scope of the original consent granted.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

PIA Reviewer Approval: Promote

Comments:

PIA Reviewer Name: Rodney Washington

Sr. Official for Privacy Approval: Promote

Comments:

Sr. Official for Privacy Name: Caroline Lewis

Sign-off Date: Nov 16, 2007

Date Published: Jun 26, 2008

06.3 HHS PIA Summary for Posting (Form) / HRSA Comprehensive Performance Management System (Item)

PIA SUMMARY AND APPROVAL COMBINED

1	PIA Summary

*Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Nov 7, 2007

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-06-01-1060-00

4. Privacy Act System of Records (SOR) Number: 09-15-0060

5. OMB Information Collection Approval Number: 0915-0061; 0915-0233

6. Other Identifying Number(s): N/A

7. System Name: HRSA Comprehensive Performance Management System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sarah Richards

10. Provide an overview of the system: The CPMS-UPR is a web-based data collection and reporting system. CPMS-UPR web-based system provides grantees online forms to supply BHPr with the required data to complete the Comprehensive Performance Management System (CPMS) Report and the Uniform Progress Report (UPR). The CPMS forms are used to measure outcomes of the Bureau's Title VII and VIII health professions nursing education programs. The UPR report summarizes the grantees' progress in meeting their grant objectives.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Yes

* Actual performance achieved compared to the goals expressed in the Annual Performance Plan,

* Reasons why a goal may not have been met, and

* Describe future plans and provide a schedule for meeting the goal.

CPMS collect the Social Security numbers of individuals to track their employment. Submission of SSN is voluntary.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Clients access CPMS data using secured sockets layers (SSL) and are required to specify https when attempting to connect with the application. CPMS also protects its data using two-tier virus protection on email servers, web-servers and workstations. CPMS also requires password complexity for access to the application. The system is housed in a government facility with physical controls. Access to the HEAL office space is controlled with a building pass card swipe scanner. In addition to agency-level training requirements, CPMS-specific training exists. The system also tracks those users that have accessed the CPMS with the following user authentication actions are logged:

• Acceptance of Rules of Behavior

• Rejection of Rules of Behavior

• Attempted/failed logins

• User lock-outs caused by excessive failed logins

• Password changes

• Successful logins

• Log outs

• Attempted concurrent logins

• Timeout followed by requests with expired session

• Successful Registration / Unsuccessful Registration

• User account termination

PIA Reviewer Approval: Promote

Comments:

PIA Reviewer Name: Rodney Washington

Sr. Official for Privacy Approval: Promote

Comments:

Sr. Official for Privacy Name: Caroline Lewis

Sign-off Date: Nov 16, 2007

Date Published: Jun 26, 2008

06.3 HHS PIA Summary for Posting (Form) / HRSA Electronic Handbooks (EHB) (Item)

PIA SUMMARY AND APPROVAL COMBINED

1	PIA Summary

*Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Oct 10, 2007

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-06-01-1060-00

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: HRSA Electronic Handbooks

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Nancy McGinness

10. Provide an overview of the system: HRSA EHBs serve as a tool to ensure that the grants are managed efficiently and in compliance with mandated agency-wide and federal policies, procedures and legislation. Currently it provides automated support for Planning/Solicitation, Submission, Award and Negotiation phases in the grants office, program office, financial office and external organizations. HRSA EHBs has recently been enhanced to support Review and Selection and Project Management. Additional Post Award Functions supporting Project Management and Closeout as part of the grants management lifecycle are scheduled future enhancements.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF in the system.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: There is no IIF in the EHB. However, general systems controls include the following: EHB provides data protection and integrity by determining whether the value of the field is within an acceptable range or has an acceptable format (i.e. zip code needs to be 5 digits long) and determining whether interrelated fields satisfy the corresponding constraints (i.e. a zip code should be consistent with the state). Anti-virus protections are also in place for example • Virus definition updates are performed at least bi-weekly by DNS

• Full system scans are performed automatically on a weekly bases

• Real-time file system scanning is enabled EHB also provides internal users are given a system ID when requested by their supervisor and approved by the System Owner. The internal system user establishes his/her individual password that is used for authentication. The system uses strong encryption for all communications (HTTPS) from the time the user logs on until they log off. EHB also has a complex password policy in order for users to login.

PIA Reviewer Approval: Promote

Comments:

PIA Reviewer Name: Rodney Washington

Sr. Official for Privacy Approval: Promote

Comments:

Sr. Official for Privacy Name: Caroline Lewis

Sign-off Date: Nov 16, 2007

Date Published: Jun 26, 2008

06.3 HHS PIA Summary for Posting (Form) / HRSA General Support Systems (Item)

PIA SUMMARY AND APPROVAL COMBINED

1	PIA Summary

*Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Oct 15, 2007

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-02-00-02-1080-00

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: HRSA OIT General Support System (GSS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Lynn Dennie

10. Provide an overview of the system: Provides common connectivity and file and print services.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Security controls for this system include redundant Cisco firewalls; redundant intrusion monitoring systems including Securify and Proventia; 24x7 monitoring of the perimeter defenses; antivirus systems with automatic updates for both workstations and servers from McAfee and Symantec; Ad-aware anti-spyware software; and routine certification and verification activities. Access is limited to those requiring access to the system and is protected by username/password controls with enforced complexity requirements.

PIA Reviewer Approval: Promote

Comments:

PIA Reviewer Name: Rodney Washington

Sr. Official for Privacy Approval: Promote

Comments:

Sr. Official for Privacy Name: Caroline Lewis

Sign-off Date: Nov 16, 2007

Date Published: Jun 26, 2008

06.3 HHS PIA Summary for Posting (Form) / HRSA Health Education Assistance Loan Program (HEAL HOPS) (Item)

PIA SUMMARY AND APPROVAL COMBINED

1	PIA Summary

*Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Oct 11, 2007

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-06-02-1040-00

4. Privacy Act System of Records (SOR) Number: 09-15-0044

5. OMB Information Collection Approval Number: 0915-0036

6. Other Identifying Number(s): N/A

7. System Name: Health Education Assistance Loan Program (HEAL) Online Processing System (HOPS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Nancy Durham

10. Provide an overview of the system: HOPS is an automated system that tracks and maintains HEAL-related loan information. HEAL information consists of: Borrowers; Loans; Claims; Litigations against defaulted loans; Lenders; and Educational Institutions receiving loan funds. Loan servicing organizations use HOPS information to update and verify the accuracy or status of loan guarantees.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Loan Servicer personnel for verification of loan data. HEAL and Division of Financial Operations staff to process claims and claim payments.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Applicant Form HRSA-700 states the SSN will be used to verify the identity of the applicant and as an account number throughout the life of the loan to record necessary data accurately. Applicants are advised that failure to provide his/her SSN will result in the denial of the individual to participate in the HEAL program. To find out if the system contains records about an individual system manager is contacted by a request in person that requires at least one tangible identification card; or request by mail containing the name and address of the requester, birth date, at least one tangible identification card, and signature.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: HEAL-HOPS was recertified and accredited in June 2006. HEAL relies on network security controls provided by the HRSA GSS. The system uses strong encryption for all communications (HTTPS) from the time the user logs on until they log off. Usernames and passwords are sent encrypted as well as all data transferred during the session. This is accomplished using Secure Sockets Layer (SSL) technology. PII data fields in the HOPS system are encrypted while the data is at rest. The system is housed in a government facility with physical controls. Access to the HEAL office space is controlled with a building pass card swipe scanner. PII is transmitted to HRSA using encrypted, secure protocols. The concept of "least privilege" provides users a minimal set of system access rights based on their role. Access to additional resources or information is granted upon approval by the resource owner (supervisor). Unique UserIDs and passwords permit only authorized users to access the system. Select users are individually assigned write, create and update privileges to loan data based on their functional role. Accounts are reviewed annually to ensure that least privilege is granted, and roles and responsibilities have not changed. OIT provides connectivity to the HRSA LAN access to the HEAL-HOPS System by authorized Internal Users, and by authorized Internet Access for External Users. There is no information available for use by the general public. An "inactivity time out" capability disables unattended computers to prohibit unauthorized access to PII. All authorized system users agree to the systems "Rules of Behavior" during the log in process. PII data fields in HOPS are now encrypted while the data is at rest. The Statement of Work (SOW) provides guidance for contractors to comply with HEAL-HOPS security requirements. The contractor shall comply with existing federal and departmental laws, regulations, and requirements. All contractors and federal users are now required to sign a Rules of Behavior agreement approved by the HRSA /OIT security section.

PIA Reviewer Approval: Promote

Comments:

PIA Reviewer Name: Rodney Washington

Sr. Official for Privacy Approval: Promote

Comments:

Sr. Official for Privacy Name: Caroline Lewis

Sign-off Date: Nov 16, 2007

Date Published: Jun 26, 2008

06.3 HHS PIA Summary for Posting (Form) / HRSA National Practitioner Data Bank/Healthcare Integrity and Protection Data Bank (Item)

PIA SUMMARY AND APPROVAL COMBINED

1	PIA Summary

*Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Oct 9, 2007

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-06-01-1010-00

4. Privacy Act System of Records (SOR) Number: 09-15-0054 -- NPDB SOR 09-90-0103 -- HIPDB SOR

5. OMB Information Collection Approval Number: NPDB: 0915-0126, HIPDB: 0915-0239

6. Other Identifying Number(s): date above is for NPDB 0915-0126, HIPDB 09-90-0103 -- 10/31/2010

7. System Name: National Practitioner Data Bank (NPDB) and Healthcare Integrity and Protection Data Bank (HIPDB)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Darryl Gray

10. Provide an overview of the system: The NPDB provides a nationwide database that makes adverse information on physicians, dentists, and other health care practitioners available to health care entities, hospitals, professional societies, and State licensing boards. The HIPDB is a national database that provides information on health care related convictions and judgments, licensure actions, exclusions from government programs and other adjudicated actions. The NPDB-HIPDB co-exist as one integrated processing system

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The NPDB/HIPDB program shares information with the Registered Entities in accordance with Congressional mandate and Federal law.

Why We Collect Your Personal Information:

-Information is vital to the existence of the Data Banks. Without collecting the information contained in the Data Banks our mission could not be fulfilled. This information facilitates the tenants of our mission, including protecting the public and providing quality health care.

-We do not use the information for any other secondary purpose.

-We only collect the information necessary to fulfill our mission. No other information is collected.

What personal information we collect:

We only collect enough information to serve the mission of the Data Banks. We collect the following personal information on subjects of NPDB and HIPDB reports and queries.

-Name

-Date of Birth

-Social Security Number

-Mailing Addresses

-Phone Numbers

-E-mail Addresses

-Education Records

The information must identify the specific practitioner and is not voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The NPDB provides a nationwide database that makes adverse information on physicians, dentists, and other health care practitioners available to health care entities, hospitals, professional societies, and State licensing boards. The HIPDB is a national database that provides information on health care related convictions and judgments, licensure actions, exclusions from government programs and other adjudicated actions. These entities are required to report information to this database, and the individual that is the subject of the report has the ability to receive a copy of the file. Data is shared only with the Registered Entities, and new entities are investigated before receiving access.

We communicate via data Bank Correspondence, quarterly Newsletter, Informational Web Site Postings, and User Review Panel meetings.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: NPDB/HIPDB was recertified and accredited in August 2007, including a Privacy Impact Assessment (PIA). NPDB/HIPDB relies on network security controls provided by the contractor managed off-site GSS. The NPDB/HIPDB implements firewalls, network and host base intrusion detection to secure its facilities. Boundary entry points are controlled by firewall rules and protected by Intrusion Detection Servers to prevent unauthorized access. All traffic to the NPDB-HIPDB web servers is encrypted using 128-bit SSL in the production environment. The NPDB-HIPDB system uses pay.gov to process credit card transactions. It is an Internet system where the NPDB-HIPDB originates Secure Hyper Text Transfer Protocol (HTTPS) requests for billing and receives HTTPS responses.

The IIF is secured through the use of a secure commercial facility, and transmission lines.

The NPDB-HIPDB system supports external (end-user) and internal user groups that are controlled by permissions, rights, and level of access.

Employees of the covered entities are advised of the legal consequences of misuse of NPDB/HIPDB information. NPDB-HIPDB personnel (internal users) are briefed on the sensitivity of NPDB-HIPDB information and the requirements for its protection. Prior to gaining access, employees are required to sign the NPDB-HIPDB Non-Disclosure Statement, acknowledging understanding of their responsibilities and consequential penalties for non-compliance. External users (customers) are required to sign registration forms before they are granted access to the system. Upon accessing the web site, users are also informed, via sign-on warnings, that unauthorized use can subject the user to fine and imprisonment under Federal Statute. The contractor shall comply with existing federal and departmental laws, regulations, and requirements.

Physical access controls such as cipher locks, man traps with biometric scanners, badges, etc. in place.

PIA Reviewer Approval: Promote

Comments:

PIA Reviewer Name: Rodney Washington

Sr. Official for Privacy Approval: Promote

Comments:

Sr. Official for Privacy Name: Caroline Lewis

Sign-off Date: Nov 16, 2007

Date Published: Jun 26, 2008

06.3 HHS PIA Summary for Posting (Form) / HRSA Nursing Information System (Item)

PIA SUMMARY AND APPROVAL COMBINED

1	PIA Summary

*Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Oct 12, 2007

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-02-02-1070-00

4. Privacy Act System of Records (SOR) Number: 09-15-0037; 09-15-0038

5. OMB Information Collection Approval Number: NELRP OMB 0915-0140; NSP OMB 0915-0301

6. Other Identifying Number(s): N/A

7. System Name: Nursing Information System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jerry Locklear

10. Provide an overview of the system: The Nursing Information System (NIS) provides automated support for the Nursing Education Loan Repayment Program (NELRP) including submission and processing of approximately 4,000 on-line applications yearly. The system is to provide a program-wide case management capability allowing the tracking of the status of NELRP applicants and participants from initial electronic application submission, associated applications evaluation, ranking and obligation of awards or disposition of unfunded applications, through completion of each participant's service contract. It is to support an electronic case file for full automation of participant requirements including submission of 6 month employment verification forms and the processing of the optional third year amendment applications. The system provides access to portions of the database to enable work required in the external environment for applicants/participants and in the internal environment for application and case management processing by NELRP staff, the HRSA Call Center, a processing support contractor, and the Legal and Compliance Branch.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): HRSA OIT for the HGDW. The original IIF is found only in NIS. Some systems share information provided by NIS, but since NIS is the source of the data the information is compelled to match. It should be mentioned that the most sensitive information is not passed on to other systems (passwords, SSNs, etc.)

The Bureau of Clinician Recruitment and Service, HRSA currently has the functionality within the NIS application to process applications for the Nursing Scholarship Program (NSP). The current process collects the application data via a web based front end provides a process for staff to edit and manage the data. The data contains mandatory personal information related to the applicant, ssn, address, and school information.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The NIS consists of a multi-tier architecture using the Windows 2003 Advanced Server Operating System with a web-based front end, a second tier of application servers, and a third tier of Microsoft SQL Server 2005 database to store the data.

Applicants and Vendors access the system via the Internet, and register for a login and password to ensure that responsibility for data can be attributed to an individual.

HRSA employees (and vendors/contractors) have access to NIS through the HRSA intranet and can also access the system through the Internet when working out of the office.

Communications between system components use the TCP/IP protocol. Applicants and vendors must use approved COTS web browsers (Microsoft Internet Explorer version 6.0 and Netscape version 6.2 or a high version) to communicate with the NIS system web servers via secure http (https) using web server digital certificates and strong encryption (128 bit) to protect data. Internal users are currently using Internet Explorer 6.0 or higher.

PIA Reviewer Approval: Promote

Comments:

PIA Reviewer Name: Rodney Washington

Sr. Official for Privacy Approval: Promote

Comments:

Sr. Official for Privacy Name: Caroline Lewis

Sign-off Date: Nov 16, 2007

Date Published: Jun 26, 2008

06.3 HHS PIA Summary for Posting (Form) / HRSA OPAIS 340B Database (Item)

PIA SUMMARY AND APPROVAL COMBINED

1	PIA Summary

*Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Oct 11, 2007

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-06-02-1450-00

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: HRSA Office of Pharmacy Affairs Information System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sharley Chen

10. Provide an overview of the system: The Office of Pharmacy Affairs Information System (OPAIS) consists of a Public Website containing databases for 340B Covered Entities, Manufacturers, and Contract Pharmacies.

The 340B Public Website is an Application that stores information on the Covered Entities, Contracted Pharmacies, and Manufacturers which are participating in the 340B Drug Discount Program. This information is for public dissemination most especially for Manufacturers and Wholesalers who reference the 340B Public Website to check if a Covered Entity or Contracted Pharmacy is participating in the 340B Drug Discount program and eligible for discounted prices. The Public Website supports approximately 12,000 public users who query the system for information, 300-400 public users who log into the system to verify their address information, and approximately 20 administrative users who log into the administrator section of the site for record entry and maintenance purposes. The Public Website is located on two servers (a database and web server) at HRSA OIT headquarters in Rockville, MD. HRSA OIT is responsible for the backup and maintenance of both servers.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

For Q.53 - this is done by Parklawn Security - we don't know if cipher locks or CCTV is utilized.

PIA Reviewer Approval: Promote

Comments:

PIA Reviewer Name: Rodney Washington

Sr. Official for Privacy Approval: Promote

Comments:

Sr. Official for Privacy Name: Caroline Lewis

Sign-off Date: Nov 16, 2007

Date Published: Jun 26, 2008

06.3 HHS PIA Summary for Posting (Form) / HRSA OPAIS 340B Pricing System (Item)

PIA SUMMARY AND APPROVAL COMBINED

1	PIA Summary

*Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Oct 22, 2007

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-06-02-1450-00

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: HRSA OPA Pricing System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Devin Williams

10. Provide an overview of the system: The HRSA OPA 340B Pricing System is an Application that calculates the actual 340B ceiling prices for all drugs in the 340B Drug Discount Program. The calculated ceiling prices are classified information and to be used only by a select number of people within the Office of Pharmacy affairs. Thus, the Pricing System will be hosted on a locked computer with no connection to the Internet located in HRSA headquarters and secured by HRSA OIT. The Pricing System will support approximately 3-5 users who require password access to activate both the computer and the Pricing System.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Reviewer Approval: Promote

Comments:

PIA Reviewer Name: Rodney Washington

Sr. Official for Privacy Approval: Promote

Comments:

Sr. Official for Privacy Name: Caroline Lewis

Sign-off Date: Nov 16, 2007

Date Published: Jun 26, 2008

06.3 HHS PIA Summary for Posting (Form) / HRSA Organ Procurement and Transplantation Network (Item)

PIA SUMMARY AND APPROVAL COMBINED

1	PIA Summary

*Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Oct 12, 2007

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-02-02-1030-00

4. Privacy Act System of Records (SOR) Number: 09-15-0055

5. OMB Information Collection Approval Number: 0915-0157

6. Other Identifying Number(s): N/A

7. System Name: Organ Procurement and Transplantation Network (OPTN)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Mesmin Germain

10. Provide an overview of the system: The Organ Procurement and Transplantation Network was established by the National Organ Transplant Act of 1984 (NOTA), and the HRSA Division of Transplantation (DoT) has been designated by the Secretary of the Department of Health and Human Services to administer the program.

The OPTN collects pre- and post-transplant clinical information of patients on the national patient waiting lists and living organ donors, histocompatibility information on donated organs, and records of matches run between donated organs and waiting list patients. This information includes SSN, names, and state of residence for patients and included additional address and contact information for living donors. This information has been collected in various forms since the inception of the OPTN in 1988.

This information is collected as a function of the OPTN process of matching donated organs to potential transplant recipients. The OPTN is the only system in the country that serves this function for heart, liver, lung, kidney, pancreas, and intestine transplants.

Information is collected by OPTN member transplant centers and organ procurement organizations (OPO) and is then submitted to the OPTN system for matching. Submission of this information to the OPTN is mandatory for OPTN member transplant centers and OPOs. The collection of this information from individuals takes place at OPTN member transplant centers and OPOs. Concern about individual information included in the OPTN data set may be sent to the OPTN contractor, which would then contact the relevant OPTN member to make any corrections or changes that would be appropriate. The OPTN does not have direct communication with patients.

The data collected by the OPTN are also used for analysis by HRSA Division of Transplantation (DoT) and HRSA DoT contractors, such as the Scientific Registry of Transplant Recipients (SRTR), and are also shared through approved data use agreements with other Federal agencies such as the Centers for Medicare and Medicaid Services (CMS) and the National Institutes of Health (NIH). HRSA regularly reviews the data collection processes of the OPTN, including linkages of the OPTN data set with other data bases for purposes of validation and enhancement, and confirms that it meets the criteria of the Common Rule for exemption of IRB oversight under the Public Benefit and Service Program provisions of 45 CFR 46.101(b)(5).

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): United Network for Organ Sharing (UNOS) will share information with HRSA, SRTR and with Medicare according to Federal Law.

Information is obtained from medical personnel at organ transplantation centers. The information is voluntary, but a requirement for the program.

The information collected in UNetSM is for the continued operation and improvement of the National Organ Procurement and Transplantation Network (OPTN). This information assists transplant centers, organ procurement organizations and histocompatibility laboratories throughout the United States with matching, transporting and sharing organs. The information entered into UNetSM is used to match transplant candidates to organ donors; electronically notify transplant programs of available compatible organs; and collect data on transplant candidates, deceased and living donors, eligible donors, and transplant recipients. The submission of personal information is mandatory for the OPTN/UNOS member institutions.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: HRSA, the OPTN, and HRSA contractors qualify as “public health authorities” for the purposes of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulation, “Standards for Privacy of Individual Identifiable Health Information” (Privacy Rule), 45 CFR Parts 160 and 164. Under 45 CFR 164.512, a “covered entity” may disclose an individual’s protected health information without the individual’s written consent or authorization when such a disclosure is made to a “public health authority” that is authorized by law to collect information for the purpose of preventing or controlling disease, injury, or disability. Given the legal authority and mandate of the OPTN, it has been determined that a “covered entity” may disclose certain individually identifiable health information to the OPTN without written consent or authorization of the individual, when the disclosure furthers the OPTN’s statutory purposes and functions.

The information is taken from medical records. It is used to correlate those needing organs with donor organs as they become available based on strict guidelines.

The UNetSM System is accessed by specified employees of the OPTN/UNOS member institutions. Those member institutions are notified by UNOS when a major change occurs in the UNetSM System. UNOS does not collect and maintain contact information for individuals. Therefore, consent and notification of collection of data are performed by the member institutions who have direct contact with the individuals on whom IIF is being collected.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: To support the OPTN business function and protect PII, OPTN uses a three-tiered system to protect PII (1) the top layer is a web browser (examples include Microsoft’s Internet Explorer or Mozilla’s Firefox) using SSL technology with 128 bit encryption to protect the data transfer. (2) layer two or the middle layers are the web servers, in this instance OPTN uses multiple web servers running Microsoft’s “Network Load Balancing” software to provide redundancy. (3) The third and final layer is the data layer which includes application servers and SQL database servers where OPTN uses Microsoft’s Clustering software for the SQL servers. OPTN (developers of the system) made available a "system security policy and rules of behavior document" for all users. The rule of least privilege is executed by having the least amount of ports open, and running the least amount of protocols possible to accomplish tasks. OPTN employs virus protection mechanisms at critical information system entry and exit points. Finally, system accounts are reviewed yearly.

PIA Reviewer Approval: Promote

Comments:

PIA Reviewer Name: Rodney Washington

Sr. Official for Privacy Approval: Promote

Comments:

Sr. Official for Privacy Name: Caroline Lewis

Sign-off Date: Nov 16, 2007

Date Published: Jun 26, 2008

PIA SUMMARY AND APPROVAL COMBINED

1	PIA Summary

Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Oct 11, 2007

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-19-03-1300-00

4. Privacy Act System of Records (SOR) Number: 09-15-0055

5. OMB Information Collection Approval Number: OMB Number -0915-0157

6. Other Identifying Number(s): N/A

7. System Name: Scientific Registry of Transplant Recipients

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Mesmin Germain, MBA, MPH

HRSA, the OPTN, and HRSA contractors qualify as “public health authorities” for the purposes of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulation, “Standards for Privacy of Individual Identifiable Health Information” (Privacy Rule), 45 CFR Parts 160 and 164. Under 45 CFR 164.512, a “covered entity” may disclose an individual’s protected health information without the individual’s written consent or authorization when such a disclosure is made to a “public health authority” that is authorized by law to collect information for the purpose of preventing or controlling disease, injury, or disability. Given the legal authority and mandate of the OPTN, it has been determined that a “covered entity” may disclose certain individually identifiable health information to the OPTN without written consent or authorization of the individual, when the disclosure furthers the OPTN’s statutory purposes and functions.

The SRTR is a research and statistical analysis contract that supports the ongoing evaluation of solid organ transplantation in the United States. The SRTR receives all data collected by the OPTN organ matching process, and supplements this with information from other national data sets to perform modeling and other analyses to support HRSA DoT, the OPTN, and the HHS Secretary’s Advisory Committee on Organ Transplantation.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The SRTR may share data received from the OPTN with other Federal agencies such as the Centers for Medicare and Medicaid Services (CMS) and the National Institutes of Health (NIH) through approved data use agreements. In addition, data with identifiers may be provided to other researchers with approval of the SRTR Scientific Advisory Committee, the HRSA project officer and an Institutional Review Board and after execution of a data use agreement. Specific patients of a transplant center may be identified by communications that transplant centers are using their center-specific reports.

In addition, when people make a request for information via the web site, they voluntarily give contact information with an understanding that it will be used to reply. All other IIF is obtained from OPTN, and is covered by their privacy assessment.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: HRSA, the OPTN, and HRSA contractors qualify as “public health authorities” for the purposes of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulation, “Standards for Privacy of Individual Identifiable Health Information” (Privacy Rule), 45 CFR Parts 160 and 164. Under 45 CFR 164.512, a “covered entity” may disclose an individual’s protected health information without the individual’s written consent or authorization when such a disclosure is made to a “public health authority” that is authorized by law to collect information for the purpose of preventing or controlling disease, injury, or disability. Given the legal authority and mandate of the OPTN, it has been determined that a “covered entity” may disclose certain individually identifiable health information to the OPTN without written consent or authorization of the individual, when the disclosure furthers the OPTN’s statutory purposes and functions.

• notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection)

• notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Data about transplant candidates and recipients from the OPTN and from CMS are required. The information will be used for analytical support to HRSA, the OPTN, and outside researchers. Additionally, basic contact information (name, mailing address, telephone number, email address) is collected from data requestors.

Allowing us to respond to email queries is the sole purpose for collecting the basic contact information we gather. Consequently, we have no process for notifying users or obtaining consent for changing data uses. Our website privacy policy describes in detail how the information will be used and shared, and how users can modify it and how this information will be used. Please see http://www.arborresearch.org/privacy_policy.aspx

We do not collect IIF unless an individual chooses to have us respond to thieir query. In this case consent is implicit.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: All SRTR data is maintained on a private system without online interconnections to other systems. Data are received from Organ Procurement and Transplantation Network periodically. This data resides on a server with no outside access and access limited to authorized SRTR personnel. The server is logically isolated from the Internet via firewalls and other configured controls. It does not receive or transfer data via the Internet. The server is physically protected from the outside by three locked doors, access-limited to authorized personnel only, and the machine itself is locked and in a locked computer rack.

PIA Reviewer Approval: Promote

Comments:

PIA Reviewer Name: Rodney Washington

Sr. Official for Privacy Approval: Promote

Comments:

Sr. Official for Privacy Name: Caroline Lewis

Sign-off Date: Nov 16, 2007

Date Published: Jun 26, 2008

06.3 HHS PIA Summary for Posting (Form) / HRSA Title V Information System (Item)

PIA SUMMARY AND APPROVAL COMBINED

1	PIA Summary

*Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Oct 25, 2007

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-19-02-0000-00-404-142 (TVIS)

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: 0915-0172

6. Other Identifying Number(s): N/A

7. System Name: Title V Information System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Scott Snyder

10. Provide an overview of the system: MCHB administers the Title V Block Grant Program, through which approximately $600 million is currently distributed to the 59 U.S. States and territories and the District of Columbia. All grantee entities (e.g., States) are required to submit required reporting annually to comply with the Federal Guidance. To fulfill these requirements, the State must submit required forms and an annual report.

Grants are given to states to provide healthcare. Data is aggregated by the states and reported to HRSA via the TVIS system.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

TVIS includes aggregated public health data from individual States. All data entered into TVIS are made public through a public reporting web site.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Reviewer Approval: Promote

Comments:

PIA Reviewer Name: Rodney Washington

Sr. Official for Privacy Approval: Promote

Comments:

Sr. Official for Privacy Name: Caroline Lewis

Sign-off Date: Nov 16, 2007

Date Published: Jun 26, 2008

06.3 HHS PIA Summary for Posting (Form) / Information Center (Item)

PIA SUMMARY AND APPROVAL COMBINED

1	PIA Summary

*Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Oct 5, 2007

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-09-02-1400-00

4. Privacy Act System of Records (SOR) Number: 09-15-0070

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: HRSA Information Center

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: David Bowman

10. Provide an overview of the system: The system is used by people requesting information to be sent to them from the HRSA Information Center. It collects information about what is being ordered and where and to whom to send it.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Designated project staff and relevant/appropriate HRSA staff. The purpose information might be shared amongst HRSA IC phone ordering staff/supervising HRSA staff is to ensure good customer service. Only the name, address, and phone number (voluntarily supplied by callers/web requesters) given at the time of order is kept for a period up to 1 year to ensure that if a person calls back with questions about their previous orders, our Information Specialists are able to identify them and assist them in getting the materials they want

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Policies are place which limit the retention of personal information from individuals who obtain publications at the HRSA Information Center to a one-year period, after which this information is purged from the database on which it is housed. The information is collected from requestors by information specialists or requestors voluntarily entering the information on a Website for ordering materials. Requestors voluntarily provide contact information for the mutually expressed purpose of making it possible for the Information Center to send (and when appropriate, follow up on) requested materials, and for the requestor to receive them. Note that this information is captured and kept for this period of time to better address customer issues, including previous requests for order information, and to correct customer orders (return mail, etc.) This information is kept secure by means of several technical and physical security safeguards and procedures, including: key card access is required for all employees to physically access the server on which the information is stored; employee access to the system is controlled and protected by requirements that include having a proper user id and password; while the system itself resides in a secure environment protected by firewall and an intrusion detection system. The contractors also review security logs on a regular basis.

PIA Reviewer Approval: Promote

Comments:

PIA Reviewer Name: Rodney Washington

Sr. Official for Privacy Approval: Promote

Comments:

Sr. Official for Privacy Name: Caroline Lewis

Sign-off Date: Nov 16, 2007

Date Published: Jun 26, 2008

06.3 HHS PIA Summary for Posting (Form) / National Health Service Corps Information Systems / Customer Support Systems (Item)

PIA SUMMARY AND APPROVAL COMBINED

1	PIA Summary

*Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: Initial PIA Migration to ProSight

1. Date of this Submission: Oct 26, 2006

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-06-02-1420-00

4. Privacy Act System of Records (SOR) Number: 09-15-0037

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Bureau of Health Care Delivery and Assistance (NET) - BHCDAnet hereafter referred as B-net

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Makinde, Michael (HRSA) - 301.443.1652; Beals, Debra (HRSA) - 301.443.3955; Hoyt Carelock, Jr. (NIH) 301-435-5488

10. Provide an overview of the system: BHCDAnet is an automated management information system designed to meet the special data maintenance and reporting requirements of the NHSC.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Program staff and contractors use IIF information within the scope of their job function to support the day to day operations of the NHSC. Program contractors are in contact with IIF within the scope of testing and data management, and performing as an agent of NHSC in the operations of contracted duties. Information reported externally will be handled within the constraints of HRSA rules and FOIA.

BHCDANET is an automated management information system designed to meet the special data maintenance and reporting requirements of programs such as the Community Health Center Program (CHC), Migrant Health Center Program (MHC), Health Care for the Homeless Program (HCH), National Health Service Corps (NHSC), and Health Professional Shortage Areas (HPSA). As appropriate, BHCDANET may also be developed further to support the information needs of other programs within DHHS/HRSA. The following is a short description of each of the programs:

· Community Health Center (CHC) Program: is a federal grant program to provide for primary and preventive health care services in medically-underserved areas throughout the U.S. and its territories. Using BHCDANET you can search Community Health Center Sites to find locations at which to receive affordable health care.

· Migrant Health Center (MHC) Program: The Migrant Health Center (MHC) program provides a broad array of medical and support services to migrant and seasonal farm workers and their families.

· Health Care for the Homeless program (HCH): HCH grantees to improve the health status and outcomes for homeless individuals and families by improving access to primary health care, mental health services, and substance abuse treatment. Access is improved through outreach, case management, and linkages to services such as housing, benefits, and other critical supports.

· National Health Service Corps (NHSC) Program: The National Health Service Corps (NHSC) is committed to improving the health of the Nation's underserved. NHSC Also, Recruit and retain the right health professionals to deliver health care in underserved communities often involves developing and preparing sites and communities, and looking for innovative solutions.

· Health Professional Shortage Areas (HPSAs) Program: The Shortage Designation Branch in the HRSA Bureau of Health Professions National Center for Health Workforce Analysis develops shortage designation criteria and uses them to decide whether or not a geographic area or population group is a Health Professional Shortage Area or a medically Underserved Area or population.

The goal of BHCDANET is to provide all of its potential users with timely and accurate information in a highly flexible manner. As a database management system, it seeks to avoid the problems associated with maintenance of separate, duplicative files at the Regional and Central Offices; e.g., lag time in performing information updates or delays in disseminating printed (hard-copy) reports. Through a centralized database, BHCDANET allows for consistent storage and retrieval of management information across all user groups.

The submission of personal information is mandatory.

Individuals entered their IIF on paper applications. Those applications are then scanned and entered into BHCDANET. Therefore, individuals do not use the system directly and they are not notified when changes occur to the system.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: BCHDANET received Privacy Impact Assessment in October 2006. BCHDANET relies on mainframe security controls provided by the NIH managed GSS. The NIH implements firewalls, and network intrusion detection to secure its facilities. BCHDANET has no Web-based interface. BCHDANET has no non-HRSA end-users. Usernames and passwords are required to access the system. Access to the NIH office space is controlled with a building pass card swipe scanner.

The BCHDANET system supports HRSA internal user groups (employees and contractors) that are controlled by permissions, rights, and level of access. RACF is employed to control access by authorized users to protected BCHDANET resources. RACF identifies and verifies users during system and resource access, validates user’s authority to access data, and logs and reports attempts of unauthorized access. The NIH RACF system administrator manages registration of user requests for access to BCHDANET computing environment and the Titan MVS computing environment, including user ID and password management.

User - Security warning at logon, Technical - security table to login (in process), mainframe security protocol, Physical – NIH data center provides security. Contractor usage is periodically checked and updated.

PIA Reviewer Approval: Promote

Comments:

PIA Reviewer Name: Rodney Washington

Sr. Official for Privacy Approval: Promote

Comments:

Sr. Official for Privacy Name: Caroline Lewis

Sign-off Date: Nov 16, 2007

Date Published: Jun 26, 2008

06.3 HHS PIA Summary for Posting (Form) / National Health Service Corps Information Systems/Stipend Payroll Financial System (LYCEUM) (Item)

PIA SUMMARY AND APPROVAL COMBINED

1	PIA Summary

*Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: Initial PIA Migration to ProSight

1. Date of this Submission: Nov 15, 2007

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-06-02-1420-00

4. Privacy Act System of Records (SOR) Number: 09-15-0037

5. OMB Information Collection Approval Number: 0915-0127 (exp. 10/31/10) and 0915-0278 (exp. 12/31/09)

6. Other Identifying Number(s): N/A

7. System Name: National Health Service Corps Information Systems/ Payments Management System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Diane E. Culkin

10. Provide an overview of the system: The financial management system processes all Division of National Health Corps stipend payroll, other reasonable education costs payments for scholarship recipients of the National Health Service Corps Scholarship Program (465 scholars), Nursing Scholarship Program (400 scholars) and Native Hawaiian Scholarship Program (20 scholars). This system also reports data required for accounting and tax purposes, leading to follow-on funding of the scholarship programs. The financial management system is crucial to HRSA's ability to pay scholars and support them throughout their time in school as part of this program.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Output data to make financial payments flows to the Treasury via an ACH file. Financial payment information flows to the DHHS Program Support Center via a Form 650 data file format for entry in the CORE, and subsequently UFMS, financial management systems.

The information collected contains IIF and the submission of personal information is mandatory in order to effect payment of the scholarship.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The Government will provide the initial data load and all data input of changes and additions to scholar and institution payment source documents such as Direct Deposit and W-4 information. When scholarship awards are made, data will be transmitted via flat file. Upon completion of a scholarship application, all prospective students are informed that their personal information shall be used in the determination of scholarship award, and subsequent payment of stipend, tuition and other reasonable costs. Individuals not consenting to such notices simply opt out of the scholarship opportunity. These individuals are not notfiied of system changes as they do not pertain to the scholars but to the administrators of the system.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: Yes

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: - All personnel with production access undergo a background check and will only be provided access to the production systems when it is necessary to complete their tasks.

- All data transmitted to/from the network is protected. Data is first encrypted using the triple-DES (online banking) standard, and then transmitted through secure network communication links. Data is held in its raw format on the hard drives, while passwords are encrypted.

- Data is retained through Continuation of Operations Procedures (COOP). Backup versions of data will be supported through a redundant, geographically removed, asynchronously replicated backup installation. Procedures for the activation of the backup installation will be documented and backup activation exercises will be performed semi-annually.

To implement this payroll, Lyceum designed and erected security boundaries around the payroll model, operations, data, users and interfaces using several mechanisms:

- Partition ID - the HRSA Payroll Model is partitioned to allow only HRSA registered users access to HRSA system elements. Access to the HRSA Payroll Model is eliminated for any Lyceum users operating within the Base Payroll Model. Elements within the HRSA Payroll Model will simply not appear for any non-registered users.

- Agency Role - The HRSA payroll has five (5) separate payee classes from administrator to self-service user which define the computations, views and other functionality that the user has access to. The HRSA Systems Administrator has assigned which registered users may access which policy elements within the HRSA Payroll Model.

- User ID - Within the user community, user identifications limit the access of registered users to data elements of colleagues within other departments, or tiers of the organization.

- Session ID - Each user session is identified and logged to enable tracing in the future. Transactions are captured, time-stamped and logged by user for later analysis in the event of a security breach from within the organization.

PIA Reviewer Approval: Promote

Comments:

PIA Reviewer Name: Rodney Washington

Sr. Official for Privacy Approval: Promote

Comments:

Sr. Official for Privacy Name: Caroline Lewis

Sign-off Date: Nov 16, 2007

Date Published: Jun 26, 2008

06.3 HHS PIA Summary for Posting (Form) / Office of Special Programs Transplantation Research Information System (Item)

PIA SUMMARY AND APPROVAL COMBINED

1	PIA Summary

*Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Oct 10, 2007

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: 09-15-0055

5. OMB Information Collection Approval Number: 0915-0157

6. Other Identifying Number(s): No

7. System Name: Division of Transplantation Research Information System (DTRIS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Mesmin Germain

HRSA DoT is responsible for monitoring the effectiveness of organ transplantation in the United States based on the OPTN Final Rule 42 CFR Part 121. DoT meets this responsibility by maintaining the HRSA DoT Research Information System (DTRIS). The DTRIS is a HRSA computer system that is used to perform statistical research on the effectiveness of organ transplantation in the United States. It includes all of the information collected by the OPTN in the process of matching donated organs to potential transplant recipients. Although these OPTN data are analyzed by HRSA contractors for the OPTN and SRTR, internal HRSA DoT analysis capability is critical to HRSA’s oversight responsibility.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: HRSA, the OPTN, and HRSA contractors qualify as “public health authorities” for the purposes of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulation, “Standards for Privacy of Individual Identifiable Health Information” (Privacy Rule), 45 CFR Parts 160 and 164. Under 45 CFR 164.512, a “covered entity” may disclose an individual’s protected health information without the individual’s written consent or authorization when such a disclosure is made to a “public health authority” that is authorized by law to collect information for the purpose of preventing or controlling disease, injury, or disability. Given the legal authority and mandate of the OPTN, it has been determined that a “covered entity” may disclose certain individually identifiable health information to the OPTN without written consent or authorization of the individual, when the disclosure furthers the OPTN’s statutory purposes and functions.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Operational controls:

Access to the DTRIS Database is restricted to three people via a valid User-Id and password. The workstation hosting the DTRIS is not available via any network.

Physical security of the Parklawn Building, including security guards for limiting access, as well as monitoring environmental including smoke and fire alarms is provided by the Government Services Administration (GSA).

The workstation is located in a secured room with cipher lock access. Because it is not connected to any network or other computers, no firewall is needed.

Physical Controls:

The CD-ROMs and DLT tape cartridges are received via courier and are kept in a locked room. Access to the data is limited to three individuals.

The data is kept on the hard disk of one workstation, in a locked room. The workstation is not connected to the network. No data is

transmitted directly from the workstation. No IIF is printed from the DTRIS; analytical output is copied to diskette, and printed outside the secured area of the DTRIS.

The data is not backed up for contingency purposes. In the event of a disaster, the authorized user will obtain another copy of the data from the OPTN.

Technical controls:

The DTRIS use Windows 2000 Server login capabilities for User ID and Password verification.

No access controls, outside of Identification and Authentication (I & A) are being implemented by the operating system.

The DTRIS is not accessible via any network. Since the DTRIS is a stand-alone workstation, no technical Public Access Controls are in place.

PIA Reviewer Approval: Promote

Comments:

PIA Reviewer Name: Rodney Washington

Sr. Official for Privacy Approval: Promote

Comments:

Sr. Official for Privacy Name: Caroline Lewis

Sign-off Date: Nov 16, 2007

Date Published: Jun 26, 2008

06.3 HHS PIA Summary for Posting (Form) / Upgrade, Replacement, Consolidation of Systems Supporting Campus Based Branch Programs (Item)

PIA SUMMARY AND APPROVAL COMBINED

1	PIA Summary

*Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Oct 10, 2007

2. OPDIV Name: HRSA

3. Unique Project Identifier (UPI) Number: 009-15-01-06-02-9225-00

4. Privacy Act System of Records (SOR) Number: 09-15-0069 for DMS N/A for Web Reporting System

5. OMB Information Collection Approval Number: WRS: 0915-0044

6. Other Identifying Number(s): N/A

7. System Name: Upgrade, Replacement and Consolidation of Systems Supporting Campus Based Branch Programs- BHPr

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jim Essel

10. Provide an overview of the system: This investment will move the Campus Based Branch from its current reliance on a number of systems that are reaching (or have reached) the end of their useful life, are not integrated, and do not meet current security requirements to an integrated, web-based system that more efficiently supports the work of the Branch. Over the next few years, CBB will analyze its business requirements, review its existing systems, and develop and implement a system development plan for a modern, web-based application to support its business. As part of the planning process, CBB will consider reuse of existing systems (e.g., Nursing Information System and EHBs) that support similar activities in addition to new development. This investment includes two IT systems: The Web Reporting System (WRS) and a document management system (DMS). The WRS is a web-based application that stores data submitted by schools participating in CBB programs. The document management system is an internal system that assists CBB with it document workflow.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The information is used by CBB to contact program officials at participating institutions. Financial account information are aggregate financial data that the school submits to CBB for administration and analysis of its programs. Medical and financial IIF is shared with contractors on disability and write-off cases.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The indicative information in the WRS contains program status codes, such as if the program is active or closed; geographic identifiers, such as state and zip code; general program information, such as if the program is a scholarship or a loan; and program contact person business information for all CBB programs, such as official’s name, telephone number and room number. Normally, these are IIF information that does not fall under the Privacy Act. It utilizes a web interface written in ASP, JavaScript and HTML and a SQL Server database. The web interface allows program participants to voluntarily update their business contact person information using their program’s identification number. An Administrative Web Interface allows CBB staff to update, edit, add, search and delete records in the database. In 2005 HRSA OIT determined that the security risk associated with access to the indicative files in the system was unacceptable and the access was taken offline. CBB negotiated to place the files on HRSA’s intranet system so that CBB staff could continue to utilize the administrative interface until the system could be made more secure, but general public access to the system was denied. A new and secure indicative file system was developed and is now online for administrative and program use. General public access is no longer available. The DMS contains some similar information as contained in the WRS, as well as, correspondence from officials of the institutions.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Modifications, changes and the use of its information within the WRS are announced on its homepage. So immediately, users are notified in a summary about changes made. If the user wants more detailed information about the changes, a link is provided on the homepage for users to click and get detailed modification information. The detailed information describes the changes within the WRS and any effect on privacy issues. Several ways to contact us is included in the information to individuals whose IIF is in the system. Consent is not obtained prior to changes being made because the IIF information in the system does not fall under the Privacy Act. The WRS does not fall under the Privacy Act because the IIF contained in the system are normal business information. The DMS does contain IIF information that falls under the Privacy Act; however, the system is internal and not accessible to the public. Any major changes to the way we use or store information in the DMS will be notified in a Federal Register Notice.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Currently the IIF information within CBB systems can only be accessed by CBB staff and its contractors. Remedies to secure IIF have been developed and implemented by not allowing general public access to the system, and by moving the hosting of the servers to HRSA OIT server room. The new contact information system was developed and securely imbedded into the WRS, so that access can only be done by user ID and password. CBB staff and its contractors have read/write/modify access to the WRS and the DMS. User Ids and passwords are required for all access. The data is not stored encrypted, but the WRS data is transferred encrypted. Currently, no locks or keycards are used to protect PII printouts from the DMS because the system is only accessed internally by CBB staff.

PIA Reviewer Approval: Promote

Comments:

PIA Reviewer Name: Rodney Washington

Sr. Official for Privacy Approval: Promote

Comments:

Sr. Official for Privacy Name: Caroline Lewis

Sign-off Date: Nov 16, 2007

Date Published: Jun 26, 2008