NIH Office of Management Assessment
Frequently Asked Questions (FAQs)

Privacy Act

1. Why have a Privacy Act?

  • We have a constitutional right to privacy. The Fourth Amendment to the U.S. Constitution says “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated…”;
  • Individuals are affected by the collection, maintenance, use and dissemination of information about them by Federal agencies; and
  • The use of the internet, computers and other technology creates the possibility of faster and wider distribution of that information, which could lead to greater harm.

2. What does the Privacy Act do?

  • Limits the collection of personal information;
  • Prevents secret Government record systems;
  • Prevents secret use of Government records;
  • States individuals' right to see and correct their records;
  • Requires safeguards to be implemented to protect the security and accuracy of the information; and
  • Allows for civil remedies and criminal penalties to be assessed for violations under the Privacy Act.

3. Who does the Privacy Act cover and not cover?

  • The Privacy Act covers:
    • U.S. citizens
    • Resident aliens
  • The Privacy Act does not cover:
    • Non-resident aliens
    • The deceased
    • Organizations

4. When is NIH allowed to collect my information?

  • NIH may not legally maintain records on individuals unless:
    • The information is relevant and necessary to accomplish an NIH or Department function required by statute or Executive Order;
    • The information in the record is acquired to the greatest extent practicable directly from the subject individual; and
    • The individual providing the information is informed, at the time the record is collected, of the authority under which NIH requests it.

5. When are supervisor notes considered agency records?

  • Supervisor notes are agency records when they are:
    • Used as the basis for an employment action; and
    • Otherwise made a part of an employee’s personnel file and treated as official agency documentation.
  • Supervisor notes are NOT agency records when they are:
    • The personal property of the supervisor only;
    • Never circulated or shared with others;
    • Never passed to replacement supervisors or those acting in the absence of the supervisor;
    • Used as memory joggers only; and
    • Not used as official agency documentation.

6. What is a Privacy Act Records System?

  • A group of records (more than one), not available in the public domain;
  • A record that contains information about an individual that is personal in nature (e.g., name, age, sex, gender, ethnicity, home address, phone, SSN, medical credentials, medical, financial and/or educational background, etc.); and
  • A record designed to be retrieved by the individual’s name, or another personal identifier such as an ID number, protocol number, photo, fingerprint, etc.

7. What is a System of Records Notice (SORN)?

  • A document posted in the Federal Register that notifies the public of what information is contained in a specific system and how that information is collected, used, maintained, and disseminated in relation to other systems; and
  • A SORN also explains how individuals may gain access to information about themselves.

8. How do I submit a records request?

  • An individual who wishes to request a specific record must submit a request in writing to the appropriate NIH Institute or Center (IC) that collected and maintains that record;
  • The written request should be as specific as possible. Please describe what type of information was collected, why it was collected, when it was collected, and, if known, who (individual or organization) collected it; and
  • For more details regarding this process, please reference the "How Do I Submit a Privacy Act (PA) Request for Records?" segment of the Privacy Act section of this website.

9. How do I amend an incorrect record?

  • An individual who notices that a record is incorrect must submit a request in writing to the appropriate NIH IC that collected and maintains that record;
  • The written notice should include the current record and provide an accurate correction of the record; and
  • For more details regarding this process, please reference the "How Do I Submit a Privacy Act (PA) Request for Records?" segment of the Privacy Act section of this website.

10. Can I appeal the denial to access or correct my information?

  • Requesters who wish to appeal NIH’s decision to deny access to, or correction or amendment of, their record must do so within 30 days of receipt of the decision letter from NIH. Appeals should include the following information:
    • Reasons why the requested information should be corrected or amended under the Act; and
    • Why the denial may be in error.
  • PA requesters wishing to submit an appeal should attach to their appeal, a copy of their original request and response letter, clearly mark the letter and the outside envelope "Privacy Act Appeal" and mail the documents to the following address:

    NIH Privacy Act Officer
    National Institutes of Health
    6011 Executive Boulevard
    Suite 601, MSC 7669
    Bethesda, Maryland 20892-7669

11. Are there circumstances in which certain information cannot be released?

  • NIH will provide access to records in its possession unless one of the following exceptions or exemptions applies:
    • The records contain information about a third party;
    • Information that is not about the subject of the file, and therefore not accessible under the Privacy Act;
    • Records were compiled in reasonable anticipation of a civil action or proceeding;
    • Records are maintained by the CIA; or
    • Records are maintained by an agency or component thereof which performs as its principal function any activity pertaining to the enforcement of criminal laws.
  • For more specific details regarding exemptions, please reference the "NIH Privacy Act Exceptions & Exemptions" segment of the Privacy Act section of this website.

12. Where can I find information regarding the Paperwork Reduction Act (PRA) / Office of Management and Budget (OMB) Clearance procedures?

  • NIH PRA/OMB Website: http://www.hhs.gov/ocio/policy/collection/infocollectfaq.html
  • The Paperwork Reduction Act (PRA) of 1995 requires agencies to obtain approval from OMB prior to soliciting and/or obtaining identical information from ten or more members of the public in multiple forms. PRA/OMB approval is required whether the Federal agency collects the information itself or uses an outside agent or contractor. OMB requires 90-120 days to approve new information collections and renew existing approvals.
  • You can click on the Office of Extramural Research (OER) Intranet website at: http://odoerdb2.od.nih.gov/oer/policies/project_clearance/pcb.htm to obtain a list of NIH PRA/OMB Project Clearance Liaisons, and get more information about whether your IT system has been approved for PRA/OMB information collection.

13. Where can I find information about the HIPAA Privacy Rule?

  • For additional information on a wide range of topics about the Privacy Rule, please visit the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Privacy Rule Web Site at: www.hhs.gov/ocr/hipaa/. You can also call the OCR Privacy toll-free phone line at (866) 627-7748. Information about OCR's civil rights authorities and responsibilities can be found on the OCR home page at: www.hhs.gov/ocr.

14. Where can I find guidance regarding the HIPAA Privacy Rule and the Electronic Exchange of Health Information?

  • The HHS OCR has published new HIPAA Privacy Rule guidance as part of the Department’s Privacy and Security Toolkit to implement The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information (Privacy and Security Framework). The Privacy and Security Framework and Toolkit is designed to establish privacy and security principles for health care stakeholders engaged in the electronic exchange of health information and includes tangible tools to facilitate implementation of these principles. The new HIPAA Privacy Rule guidance in the Toolkit discusses how the Privacy Rule supports and can facilitate electronic health information exchange in a networked environment. In addition, the guidance includes documents that address electronic access by an individual to his or her protected health information and how the Privacy Rule may apply to and supports the use of Personal Health Records. HIPAA guidance documents are available at: http://www.hhs.gov/ocr/hipaa/hit/. For more information on the Privacy and Security Framework and to view other documents in the Privacy and Security Toolkit, visit: http://www.hhs.gov/healthit/privacy/framework.html.

15. Can I subscribe to an electronic listserv in order to receive information sent directly to my email inbox?

16. Who can I contact if a person or organization covered by the Privacy Rule violates my health information privacy rights?

  • NIH does not meet the definition of a “covered entity” and is therefore not covered by HIPAA, because it does not bill third parties for the health care patients receive at the Clinical Center. However, if you believe that a person or organization outside of NIH who is covered by the Privacy Rule (a "covered entity") violated your health information privacy rights or otherwise violated the Privacy Rule, you may file a complaint with OCR. For additional information about how to file a complaint, see the Fact Sheet "How to File a Health Information Privacy Complaint," available at: http://www.hhs.gov/ocr/privacyhowtofile.htm.

17. Where can I find information about the Family Educational Rights and Privacy Act (FERPA) regulation and other helpful information?

  • FERPA is a Federal law that protects the privacy of students’ “education records.” (See 20 U.S.C. § 1232g; 34 CFR Part 99). The HIPAA Privacy Rule requires covered entities to protect individuals’ health records and other identifiable health information and gives patients rights over their health information. The guidance is available at: http://www.hhs.gov/ocr/hipaa. Information about the Family Policy Compliance Office (FPCO) is available at: http://www.ed.gov/policy/gen/guid/fpco/index.html.

18. Where can I find U.S. Department of Health and Human Services (HHS) and U.S. Department of Education (ED) joint guidance on the application of FERPA and HIPAA to Student Health Records?

  • The Departments of Education and Health and Human Services have jointly released guidance to explain the relationship between the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, and to address apparent confusion on the part of school administrators, health care professionals, and others as to how these two laws apply to student health records. The guidance also addresses certain disclosures that are allowed without consent or authorization under both laws, especially those disclosures related to health and safety emergency situations. The guidance was developed in response to the “Report to the President on Issues Raised by the Virginia Tech Tragedy” (June 13, 2007) as well as to address questions the respective Departments have heard generally from stakeholders regarding the intersection of the HIPAA Privacy Rule and FERPA. The Departments of Health and Human Services and Education are committed to a continuing dialogue with school officials and other professionals on these important matters affecting the safety and security of our nation’s schools. While this guidance seeks to answer many questions that school officials and others have had about the intersection of these federal laws, ongoing discussions may cause more issues to emerge. Contact information for submitting additional questions or suggestions for purposes of informing future guidance is provided at the end of the guidance document available at: http://www.hhs.gov/vtreport.html.

The Freedom of Information Act (FOIA), Public Law 104-231

Learn more about the process to request personal records on file at NIH at: http://www.nih.gov/icd/od/foia/index.htm
FOIA text: http://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htm

Privacy Impact Assessments (PIAs)

1. What is a PIA?

  • A means to assure compliance with applicable privacy laws and regulations;
  • An evaluation tool used to embed privacy into the design of information technology (IT) systems;
  • An analysis instrument to enable system developers and system owners/managers to identify and evaluate privacy risks; and
  • A tool that evaluates:
    • Data in the IT System;
    • Attributes of the Data;
    • Access to the Data;
    • Information Sharing Practices;
    • Web Site Host; and
    • Maintenance of Administrative & Technical Controls
  • Parts of a PIA include:
    • Date of Submission;
    • Agency/OPDIV/IC;
    • Title of System;
    • Existing, New or Modified?;
    • Unique Project Identifier;
    • System of Records Number;
    • OMB Info Collection Approval Number & Expiration Date;
    • Other Identifier;
    • System Overview;
    • Legislative Authority;
    • How will information be collected?;
    • How will IC use the information?;
    • Why is information collected?;
    • With whom will the information be shared?;
    • From whom will the information be collected?;
    • What will subjects be told about the collection?;
    • How will the message be conveyed?;
    • What are opportunities for consent?;
    • Will information be collected from children under 13 on the internet? If so, how will parental approval be obtained?;
    • How will information be secured?; and
    • How will information be retained and destroyed?

2. Why do we conduct PIAs?

  • To help determine what type of information is collected by IT systems throughout NIH;
  • To decide which precautions need to be implemented to protect such information;
  • To provide privacy stakeholders an orderly process in which they can report IT system collected information to the SOP; and
  • To have an orderly process for submitting IT system information related to privacy for FISMA reporting.

3. Who is responsible for the PIA process?

  • The PIA process is a collaborative one, and involves multiple stakeholders;
  • Those with the most knowledge and insight into a system, its characteristics, and the privacy and security controls in place should complete the PIA. This can include a System Owner/Manager or program official. PIA authors can also consult with the IC Privacy Coordinator and Information System Security Officer (ISSO);
  • Once the PIA is completed by the PIA author, it is sent to the PIA Reviewer for their review and comments. The PIA Reviewer role should be assigned to the IC Privacy Coordinator or a designee. If no revisions are required, the PIA Reviewer can promote the PIA to the NIH OSOP; and
  • The OSOP reviews completed PIAs and promotes them to the HHS SAOP, if complete and accurate, or returns the PIA to the IC Privacy Coordinator if it is incomplete or requires changes.

4. When do I fill out the entire PIA vs. the PIA Summary?

  • If the system for which the PIA is being completed collects PII, the entire PIA form must be completed. If it does NOT collect PII, you only need to complete the PIA Summary tab; and
  • NOTE: If you are working to complete the PIA Summary, you must clearly explain why/how the system does not collect PII.

5. How do I determine if a system collects PII?

  • PII is defined as any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual;
  • If any of these, or any other categories of information that can be linked to an individual, are stored, maintained, passed through, or disseminated by the system, the system collects PII; and
  • IC Privacy Coordinators should be able to validate whether or not a system collects PII based on the information provided to them by System Owners/Managers.

6. Must I complete a new PIA for an existing IT system each year?

  • A new PIA is not required if the information has been previously assessed under a similar evaluation, or if the system has not undergone any major changes as defined in OMB M-03-22; and
  • All existing PIAs must be reviewed for accuracy each year.

7. Are there any quick tips that would make PIA completion easier?

  • Consult with other privacy stakeholders as appropriate (e.g. IC Privacy Coordinator, IC Chief Information Officer and ISSOs) when questions about PIAs, privacy, or other questions arise;
  • Ensure that your answers are accurate and complete (specifically answer the questions, provide sufficient detail, spell out acronyms, check spelling etc.);
  • Remember that PIAs are published to a public website;
  • Avoid contradicting answers. For example, do not deny that the system collects Social Security Numbers (SSN) and then later claim that the system retrieves information using SSN;
  • System Owners/Managers should work with IC Privacy Coordinators and ISSOs early in the SDLC to ensure that the PIA process is properly incorporated;
  • Know the business objective of the system; and
  • Know the difference between privacy and security.

8. Does the FISMA Tool inform the OSOP when I update/promote a PIA?

  • No. The FISMA Tool does not inform the OSOP when any changes are made to a PIA. System Owners/Managers and IC Privacy Coordinators should alert the OSOP when a PIA has been updated/promoted. This will improve the NIH’s PIA process and increase its efficiency.

PIA Form FAQs

9. What is a Unique Project Identifier (UPI) Number and how can I find one?

  • The UPI Number is used to report IT investments during the budget process and ensure the integration of strategic planning, budgeting, procurement, and the management of IT investments in support of the agency’s mission and business needs. It reflects information such as the OPDIV and office where the investment project was initiated, the type of investment, and other information. The UPI is used by OMB to track the system through the PIA, C&A, and POA&M processes. The number is attached to Exhibit 53s and described in Exhibit 300s, which are submitted to OMB prior to major investment and budget requests. The number is long and appears as follows: 009-25-xx-xx-xx-xxxx-xx-xxx-xxx (defined in OMB Circular A-11, Section 53.8). If you are not sure whether a UPI is associated with the system for which you are conducting a PIA, please contact the Project Officer. If he/she is not able to assist you, contact the OCIO IT Policy and Review Office (ITPRO), the OCIO Information Technology Acquisition Services Office (ITASO) or the OCIO Information Security and Awareness Office (ISAO);
  • 2008 UPI means the unique project identifier used to report the investment in the 2008 Budget. Indicating the UPI used for the 2008 Budget process allows crosswalk and historical analysis crossing fiscal years for tracking purposes;
  • 2009 UPI means the identifier depicting agency code, bureau code, mission area (where appropriate), part of the exhibit where investment will be reported, type of investment, agency four-digit identifier, and two-digit investment category code;
  • NOTE: Not all systems require UPI numbers. If a UPI does not exist for a system, you must provide an explanation in the PIA form; and
  • If you are unsure about the UPI, contact the Project Officer. If he/she is not able to assist you, contact the ODCIO IT Policy and Review Office (ITPRO), the ODCIO Information Technology Acquisition Services Office (ITASO), or the ODCIO Information Security and Awareness Office (ISAO).

10. What is a System of Records Notice (SORN) and where can I find one?

  • A SORN describes the Privacy Act system of records, and the categories of PII collected, maintained, retrieved, and used within the system. It provides information to the public on various characteristics of the system (e.g. description, purpose, data collection, notification, retention and disposal, etc.) and how NIH intends to manage and protect the system. The SORN Number is the number assigned to the Privacy Act SORN (also referred to as the Systems Notice).
    NOTE: If the system is subject to the Privacy Act, then a SORN must be cited as the answer to question 4; and
  • All NIH SORNs are located at:
    http://oma.od.nih.gov/ms/privacy/pa-files/read02systems.htm

11. What is an OMB Information Collection Approval Number?

  • The Paperwork Reduction Act (PRA) of 1995 requires agencies to obtain approval from OMB prior to soliciting and/or obtaining identical information from ten or more members of the public in multiple forms. PRA/OMB approval is required whether the Federal agency collects the information itself or uses an outside agent or contractor. OMB requires 90-120 days to approve new information collections and renew existing approvals. The OMB Information Collection Approval Number should be identical to the one OMB assigned pursuant to having been filed under the Paperwork Reduction Act and is sometimes referred to as an OMB control number. It would only apply if the system maintains data as part of an approved OMB information collection from 10 or more members of the general public; and
  • You can click on the Office of Extramural Research (OER) Intranet website at: http://odoerdb2.od.nih.gov/oer/policies/project_clearance/pcb.htm to obtain a list of NIH PRA/OMB Project Clearance Liaisons, and get more information about whether your IT system has been approved for PRA/OMB information collection.

12. Are there policies or guidelines in place with regard to the retention and destruction of PII?

  • For Privacy Act systems of records, records retention and disposal procedures should be indicated within the SORN cited for the system. If the system is not subject to the Privacy Act and does not have a SORN in place, consult with the IC Records Liaison to ascertain the appropriate records retention and disposal schedule for the system. A list of IC Records Liaisons can be accessed from OMA’s webpage at: http://oma.od.nih.gov/about/contact/browse.asp?fa_id=2

Web Privacy

HHS Machine-Readable Privacy Policy FAQs:
http://intranet.hhs.gov/infosec/docs/privacy/MRFAQ/Machine-Readable_Privacy_Policy_FAQs.html

1. Where can I find NIH Privacy Act Notification Criteria and Sample Statements?

2. Who do I contact if a user inquires about the web site’s privacy standards?

3. Can I post a new web site or update an existing web site before it complies with NIH web privacy requirements?

4. Does Section 508 compliance apply to emails?

  • Section 508 or machine-readability compliance applies to website design and page information, documents available on the website (such as forms, newsletters and brochures) and on-line systems used both for internal and external purposes. Emails sent in plain-text format can generally be read by everyone. If they include web links, the fully qualified URL should be shown as well, including the ‘http://www’ part.

    However, Section 508 does apply to email messages, particularly those which are sent to larger groups, often referred to as 'broadcast mailings.' The current HHS standard with links to more information is available at the following website: http://www.hhs.gov/web/policies/webstandards/accessemail.html.

    The Department standard generally states that "HHS must make email accessible to persons with disabilities. All emails—internal or external—as well as their attachments, including graphics, audio, and video must be accessible." In terms of e-mails that are sent to smaller and known audiences, HHS states that these e-mails "should meet Section 508 standards as much as practicable. Alternative or accessible formats ["accommodations"] must be made available upon request."

    Questions or concerns about Section 508 Compliance can be directed to the NIH Section 508 Help inbox at the email address: Section508Help@nih.gov.

Homeland Security Presidential Directive (HSPD) - 12

1. Why not continue with the standard form of identification?

  • A Federal identification standard eliminates differing identification systems amongst Federal agencies, which increases security personnel’s ability to validate Federal employees’ identification;
  • Provides security personnel with one easy to recognize, yet hard to duplicate/counterfeit identification card;
  • Before HSPD-12 each Government agency maintained its own system of identification, making it more difficult for Federal employees to transfer or visit other agencies; and
  • The new system will streamline the Federal identification system and increase security.

2. Will my current form of identification still be valid after I receive my PIV card?

  • No. Former agency identification cards are obsolete once an agency has fully implemented the HSPD-12 program.

3. When can I expect the new NIH HSPD-12 identification card?

  • Phase II of the PIV Process will involve the issuing of new PIV Cards to personnel who have successfully completed the Phase I background investigation process. PIV Card technology is currently being tested by the U.S. Department of Health and Human Services (HHS). Until PIV Card approval, the existing NIH ID badges will be used.

4. Does the HSPD-12 identification system grant me access to all Federal Government facilities?

  • No, the PIV card is a baseline requirement for facility admittance. Some agencies, or branches thereof, will require additional security standards beyond those of the PIV card.

Federal Information Security Management Act and Agency Privacy Management (FISMA)

1. What is FISMA's purpose?

  • Inform and raise awareness among Federal agency heads of the importance of information security programs;
  • Facilitate the development of security programs through mandatory comprehensive reporting and evaluation; and
  • Ensure that Federal agencies take the necessary precautions to secure agency IT systems, protect personally identifiable information (PII), and mitigate the risk of a breach of PII.

2. What are the major components of the FISMA Section D report?

  • Inventory of Systems that Contain Federal Information in Identifiable Form which require a Privacy Impact Assessment (PIA) or System of Records Notice (SORN);
  • Links to PIAs and SORNs;
  • Senior Agency Official for Privacy (SAOP) Responsibilities;
  • Information Privacy Training and Awareness;
  • PIA and Web Privacy Policies and Processes;
  • Policy Compliance;
  • Agency Use of Persistent Tracking Technology; and
  • Privacy Points of Contact.

3. What is the FISMA report process/timeline?

  • While FISMA compliance is an ongoing process, which requires quality reviews, the final annual report is due at the end of the Federal fiscal year (September 30);
  • All FISMA report data is collected approximately two months in advance of the report deadline in order to compile the data and promote it, through the Department, to the IG; and
  • Agencies must continually monitor IT systems and privacy procedures and responsibilities to ensure that OPDIVs are compliant with Federal IT and privacy laws.

Breach Response

1. What is a security or privacy breach?

  • The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users, or authorized users acting for an unauthorized purpose, have access or potential access to personally identifiable information, whether physical or electronic.

2. What are some examples of paper and electronic breaches?

  • Paper Breach:
    • Having hardcopy documents containing PII stolen from one’s desk;
    • Losing a briefcase that contained hardcopy documents containing PII; and
    • Intentionally sharing hardcopy documents that contain PII without authorization.
  • Electronic Breach:
    • Unauthorized users gain access to electronic documents containing PII via sharing of passwords, leaving a workstation unlocked/unattended, etc.;
    • PII is posted, in any format, onto the world wide web without authorization; and
    • Having a laptop containing PII lost or stolen.

3. When do I report a breach?

  • You should report both suspected and confirmed record breaches as soon as they are discovered in order to begin remediation and investigation of any compromised information.

4. To whom do I report a breach?

Training Resources

1. Is SPORT Tool training available? If so, how do I go about requesting it?

2. Is it mandatory that I take NIH Privacy Awareness training?

  • Yes. As mandated by FISMA and OMB Memorandum 07-19, all NIH employees and contractors are required to take privacy awareness training. It is imperative that NIH employees possess a general understanding of the importance of privacy protection. Privacy awareness training will also inform NIH staff of relevant privacy policy, guidelines, and procedures. Training must be completed annually.

Last updated on:
December 9, 2008