Font Size Print Download Reader HHS Home|HHS News|About HHS

National Institutes of Health Privacy Impact Assessments

06.3 HHS PIA Summary for Posting (Form) / NIH CC 3M Automated Medical Record Processing System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: 7/1/2010

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not Applicable

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0099

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name (Align with system Item name): Automated Medical Record Processing and Tracking Applications

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: Automated medical record processing and tracking applications containing demographic and tracking information is maintained on registered Clinical Center patients in order to route documents for creation, recording, retention, signature and location.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses PII please specify with whom and for what purpose(s): None

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The automated medical record processing and tracking applications are a part of the medical record system which is an approved Privacy Act System. As such, each individual is informed of all information practices and any major system changes are published under a revised SORN.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: All information is protected by applying user ID, hierarchical passwords and administrative controls including supervisor limiting employee access on a need-to-know and minimum amount basis.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin: CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 8/11/2009

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Admissions and Travel Voucher Application (ATV)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: 4/23/2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not Applicable

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0099

5. OMB Information Collection Approval Number: Not Applicable

6. Other Identifying Number(s): None

7. System Name (Align with system Item name): Admissions and Travel Voucher (ATV) Application

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: This is an ancillary application part of the CRIS system that allows research teams to register and procure travel requistions and payments.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses PII please specify with whom and for what purpose(s): Shares information with travel agents so that travel arrangements can be made. Sharing is done per SOR 09-25-0200.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Notification of all information practices are provide to every patient particpating in research upon initial registration and upon every re-registration, including any changes to collection and types of information.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: IIF is secured using username/passwords, secure sockets, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained,

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 8/11/2009

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Automated Medication Dispensing (Omnicell)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: 7/10/2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3097-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0999

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name (Align with system Item name): CC Automated Medication Dispensing (Omnicell)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: The system automates the Pharmacy Dept's ability to manage and dispense medications at the point of use, increasing patient safety with the use of medication profiles, improving workflow efficiency and enhancing medication security.

13. Indicate if the system is new or an existing one being modified: New

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses PII please specify with whom and for what purpose(s): Not Applicable

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Admission to the Clinical Center (CC) is completely voluntary and requires consent of each patient. Additionally, each patient is provided a full written accounting of established information practices at the CC, including the capture and use of PII, and has the opportunity to ask questions. Each patient must acknowledge receipt of same through manual signature on the Information Practices Form.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: PII will reside on a server in the CC DataCenter protected by restricted access and video monitoring. The server will be behind the NIH and CC clinical firewall. The Omnicell SecureVault PC and stand alone PC in the Pharmacy Dept are protected by restricted access and video monitoring. The Omnicell automated medication dispensing cabinets are on the medical VLAN and located in the Nursing Units behind locked doors with access restricted by Staff ID badge or key or cipher lock. Access to the dispensing cabinets is granted by user type and is set by the Pharmacy Dept Omnicell Administrator in accordance with Pharmacy policies. Access to the dispensing cabinets will require password or fingerprint identification and inclusion in specific user types based on the user role.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin: CC Privacy Officer, 301-496-4240

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 8/11/2009

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Automated Nurse Staff Office Schedule (ANSOS)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: 6/9/2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-3008-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name (Align with system Item name): CC ANSOS: Automated Nurse Staff Office Schedule

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Barbara Quinn

10. Provide an overview of the system: The ANSOS System is used to arrange schedules and project staffing needs for nurses caring for patients at the Clinical Center and is authorized by Section 301 of the Public Health Service Act.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses PII please specify with whom and for what purpose(s): As per SOR 09-90-0019. This information is further addressed in the HHS Privacy Act Systems of Record Notice 09-90-0018, published in the Federal Register, Volume 59, November 9, 1994.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Each individual is informed of information practices at the time of job application and subsequently when individual schedules are developed. In addition, the CC Nursing Department is responsible for notifying each nurse of major system changes related to IIF, which may be done electronically or in written form.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: Only authorized person may have access to the ANSOS System and the system is protected through door locks and other physical controls, as well as technical controls including user identification and password protection.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin: CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 8/11/2009

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Barcode Enabled Automated Point of Care Technology (BEAPOCT)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: 6/14/2010

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: -

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0099

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): 009-25-01-02-01-3006-00

7. System Name (Align with system Item name): NIH CC Barcode Enabled Automated Point of Care Technology (BEAPOCT)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: BEAPOCT consists of 2 applications with interfaces to existing hospital and lab systems. SMARTworks Patient Linkup Enterprise (PLUE) system provides printed barcoded patient wristbands, picture wallet ID cards and labels. CareFusion utilizes the barcode technology and wireless scanning to identify patients, staff, lab tests, specimens and blood products while capturing data that is pertinent for safe, accurate and timely documentation.

13. Indicate if the system is new or an existing one being modified: New

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses PII please specify with whom and for what purpose(s): NA

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Information is obtained from interfaces to existing CC clinical systems, including the admission, discharge and transfer (ADT) system, Clinical Research Information System (CRIS) and laboratory information system (LIS). Admission and protocol consent forms are signed by each patient and an information practices notification form is provided to each patient at the time of initial admission. Each patient would be advised at the time of admission about major system changes and the CC Information Practices Notice would be revised and provided to each patient.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: The system and all contained data are protected using administrative, technical, physical security and privacy controls. The system is located on servers in the CC Data Center protected by restricted access, cipher locks and video monitoring. In addition, only authorized user have access which is restricted on user roles and hierarchal passwords.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 7/7/2010

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Biomedical Translational Research Information System (BTRIS)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: 7/9/2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3009-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): Awaiting Publication

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): NIH Biomedical Translational Research Information System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Elaine Ayres

10. Provide an overview of the system: BTRIS will contain longitudinal data, text and images from NIH intramural clinical care and research systems to facilitate data analysis, hypothesis generation and patient recruitment in support of the NIH intramural research mission. Principal investigators and designees (e.g. associate investigators) will be allowed to access identified data only as permitted by their active protocol(s). Other users with appropriate IRB or OHSR clearances will be able to access and query only data in a de-identified manner.

13. Indicate if the system is new or an existing one being modified: New

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses PII please specify with whom and for what purpose(s): PII data in BTRIS will only be shared with authorized principal investigators for patients enrolled in their active protocols or others authorized by the appropriate IRB or OHSR e.g. associate investigators. All others will only be granted access to de-identified data. Data will be used for statistical analysis, hypothesis development & testing, clinical comparison and subject recruitment.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Every patient must voluntarily execute a protocol consent and admission consent prior to entry onto an intramural research protocol and treatment at the Clinical Center. In addition, each patient is provided a formal notificaion of Information Practices at the Clinical Center must certify that they have be so advised. BTRIS will contain longitudinal data, text and images from NIH intramural clinical care and research systems to facilitate data analysis, hypothesis generation and patient recruitment in support of the NIH intramural research mission. Principal investigators and designees (e.g. associate investigators) will be allowed to access identified data only as permitted by their active protocol(s). Other users with appropriate IRB or OHSR clearances will be able to access and query only data in a de-identified manner. If a major change occurs, a revised Information Practices From will be developed and presented to each patient.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: The BTRIS system and all data contained therein are protected using administrative, technical and physical security and privacy control. The system is behind locked doors, monitored by closed circuit TV and security cipher locks. In addition, only principal investigators or others authorized by an appropriate IRB or OHSR have access PII, while all others only have access to de-identified data. Access is also restricted based on user roles and password authentication.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Jerry P. King, CC Privacy Officer, (301) 451-4954, jking@nih.gov

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 8/14/2009

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Blood Bank Collection System (BBCS)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: 5/29/2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-3007-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0011

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name (Align with system Item name): Blood Bank Collection System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Boyd Conley

10. Provide an overview of the system: The systems contains data regarding donors at the Department of Transfusion Medicine used to conduct clinical care and research at the Clinical Center as authorized by Section 301 of the Public Health Service Act.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses PII please specify with whom and for what purpose(s): None

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Each individual donor is informed of required information collection and uses before donation. Major systems changes would be sent directly to each donor and new consents obtained upon new donations.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: Only authorized person may have access and the system is protected through door locks and other physical controls, as well as technical controls including user identification and password protection.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin: CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Pla

Sign-off Date: 8/11/2009

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Clinical Research Information System (CRIS Core)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: 4/27/2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-06-01-3006-00-110-219

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0099

5. OMB Information Collection Approval Number: NO

6. Other Identifying Number(s): CC-1

7. System Name (Align with system Item name): Clinical Research Information System (CRIS Core)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dr. Jon McKeeby

10. Provide an overview of the system: Core system and component applications to document clinical care and research for registered patients at the Clinical Research Center: NIH. This activity is authorized by Section 301 of the Public Health and Safety Act

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses PII please specify with whom and for what purpose(s): The Mayo Clinic for contracted lab tests not performed by the Department Of Laboratory Medicine at the CC.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Information is obtained from patient interviews, referring physicians, a multi-disciplinary care team, and diagnostic, therapeutic, and research results. Admission and protocol consent forms are signed by each patient and an information practices notification form is provided to each patient a the time of initial admission. Each patient would be advised at the time of admission about major system changes and the CC Information Practices notice would be revised and provided to each patient.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: The system and all contained data are protected using administrative, technical, and physical security and privacy controls. System is behind locked doors, monitored by CC TV and cipher locks. In addition, only authorized users have access which is restricted based on user roles and hierarchal passwords.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Pla

Sign-off Date: 8/11/2009

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Clinical Research Volunteer Program (CRVP)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: 5/6/2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3099-00-110-031

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0012

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name (Align with system Item name): Clinical Research: Candidate Potential Volunteer and Research Subject Records

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: System is used to contain information about potential candidates for participation as volunteers or research subjects participating in clinical research protocols at the Clinical Center.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses PII please specify with whom and for what purpose(s): This information is addressed in the NIH Privacy Act Systems of Record Notice 09-25-0012, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Each person is verbally informed of information uses and verabl consent is obtained from each person who wishes to be evaluated as a potential research subject. Each indiviudal is informed of information collection and uses prior to acceptance as a volunteer or patient. Each applicant would be notified directly by phone of any major system changes and new consent would be obtained.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: As per standard CIT procedures for the collection, maintenance and destruction of computer files, as well as as specified in the PA Systems Notice.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin: CC Privacy Officer, (301) 496-4240 - smartin@cc.nih.gov

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 8/11/2009

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC DTM SQL System Applications

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: 7/7/2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: N/A

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0011

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): CC DTM Applications Non-COTS (DANC)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: The DTM Applications Non-Cots (DANC) provides the Department of Transfusion Medicine (DTM) with administrative reporting functionality for donors and research management. The system provides DTM staff with tools to make decisions about the collection, use and distribution of donated blood.

13. Indicate if the system is new or an existing one being modified: New

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses PII please specify with whom and for what purpose(s): Not Applicable

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: Only authorized persons with assigned roles may have access to the system. The DANC system is protected in the CC Data Center through door locks and other physical controls. Access to DANC is secured by technical controls; including user identification and password protection.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin: CC Privacy Officer, 301-496-4240

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 8/11/2009

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Executive Information System (EIS)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: 7/1/2010

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3099-00-403-131

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0099

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): CC Executive Information System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: The Executive Information System (EIS) is an application designed to provide real time reporting of key hospital performance indicators. The EIS provides query and reporting capabilities for executive decision makers, and allows staff to view daily, monthly, annual patient census information and key hospital performance metrics. Census data can be reported by hospital unit and protocol, IC, branch, and Principal Investigator name associated with protocol activitiy.

EIS reports (does not collect) census statistics and resource utilization. Metrics include admissions, inpatient days, outpatient visits, average length of stay, discharges, patient counts and volume and cost of services provided. The information is used by nursing staff, clinical departments and institutes to manage operations and by executive leadership to track trends in hospital census activity and resource utilization.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses PII please specify with whom and for what purpose(s): Not Applicable

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Priniciple investigators provide name at the time they apply for protocol approval from their IRB, which is required for protocol review and administrative approval. If any information other than principle investigator names are collected, then notification will be sent out from OFRM to each individual. CC social workers provide name when they confirm the outpatient appointment in the scheduling.com application. If any information other than CC social workers name are collected, then notification will be sent out from OFRM to each individual.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: IIF is secured using user names/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access and background investigations.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin, CC Privacy Officer, 301-496-4240

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 8/11/2009

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC IT Infrastructure

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? Yes

If this is an existing PIA, please provide a reason for revision: Not Applicable

1. Date of this Submission: 3/1/2010

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: -

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): Not Applicable

5. OMB Information Collection Approval Number: Not Applicable

6. Other Identifying Number(s): Not Applicable

7. System Name (Align with system Item name): CC IT Infrastructure

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: The CC IT Infrastructure ( CC ITI) is a GSS that supports approximately 4,500 users within the NIH Clinical Center, and is located in Bldg 10 on the NIH campus in Bethesda, Maryland. The CC ITI hosts a myriad of servers, components, workstations, network and infrastructure devices uses to manage the NIH information. The Department of Clinical Research Informatics (DCRI) is responsible for the management of the CC ITI. The CC ITI comprises a variety of servers including network servers, application servers, Web and Internet Servers. While many applications with PII reside on servers in the CC ITI, the CC ITI provides the infrastructure to support those applications. The collection, storage and processing of PII for those applications will be covered by separate system Privacy Impact Assessments (PIA) , not by the CC ITI PIA.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses PII please specify with whom and for what purpose(s): PII collected, stored or processed by applications in the CC ITI are covered by separate Privacy Impact Assessments; not by the CC ITI PIA.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Not Applicable - No PII is collected, stored or processed.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: No PII is collected, stored or processed. Details on the administrative, technical, and physical controls are not required for the CC ITI GSS. The controls for applications that do collect, store or process PII residing in the CC ITI will be covered by separate system Privacy Impact Assessments (PIA), not the CC ITI PIA.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin: CC Privacy Officer, 301-496-4240, smartin@cc.nih.gov

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 3/18/2010

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Laboratory Information System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? Yes

If this is an existing PIA, please provide a reason for revision: Not Applicable

1. Date of this Submission: 1/5/2010

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: -

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0099

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name (Align with system Item name): Laboratory Information System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: The LIS is an automated system designed to track, report and maintain results for laboratory tests performed on Clinical Center patients. Results comprise part of the official patient medical record.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses PII please specify with whom and for what purpose(s): The LIS captures laboratory results for specific Clinical Center patients and shares those results along with identifying PII with caregivers and scientists at the Clinical Center.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Admission to the Clinical Center is completely voluntary and each patient is advised of Clinical Center information practices at the time of admission. In addition, each patient signs an informed consent at the time of each admission. All notifications and consents are done in hard copy.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: All data is maintained in digital form and can only be accessed by NIH employees who have been authorized to do so by virtue of their need to know to deliver clinical care or conduct biomedical research. Access is controlled by role and password. The system servers etc are maintained in a controlled-access data center.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin, Clinical Center, Privacy Officer

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 3/1/2010

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Lawson

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: 4/29/2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3099-00-110-031

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Lawson

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: John Franco

10. Provide an overview of the system: Lawson is an Inventory Management System. Everything that is bought, received, stored, transferred, issued, or disposed of is recorded and controlled. The program is a live inventory instantaneously recording any supply activity that is entered in the system. It makes daily recommendations for both replenishing the Central Hospital Supply shelves from the Storage & Distribution Warehouse; as well as provide reorder for supplies that have fallen below their "par levels". It is the database that is linked to the Visual Supply Catalogue to provide the users the best "picture" and information on medical supplies. Finally, in the absence of a true financial link to inventory.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses PII please specify with whom and for what purpose(s): N/A

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) This is an inventory management system - No IIF is collected or maintained

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: This is an inventory management system - no IIF is collected or maintained.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: jfranco@nih.gov

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 8/11/2009

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Medical Staff Credentialing Processes (SACRED)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: 5/7/2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-3099-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0169

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name (Align with system Item name): Medical Staff Credentials Files

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: Information is collected from individual members of the Clinical Center Medical Staff and is used to document their credentialing and privileging under authority of Section 301 of the Public Health Service Act.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses PII please specify with whom and for what purpose(s): Private medical facilities, state medical boards and accrediting bodies as part of the credentialing process.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Information is obtained directly from each applicant and each is informed about information collection procedures and rules when each applicant signs the consent authorizing the collection. Major systems changes would be sent electronically to each member of the medical staff and new consents obtained at the time of reappointment to the staff.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: As per standard CIT procedures for the maintenance, archiving and destruction of computer files and as published in the PA SORN.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin: CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Pla

Sign-off Date: 8/11/2009

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Medicolegal Request Tracking System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: 6/30/2010

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3099-00-110-031

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0099

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name (Align with system Item name): Medicolegal Request Tracking System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: The Medicolegal Request Tracking System is used to receive requests for and track copies of medical record documentation sent out by the Medical Record Department to Clinical Center patients and the third parties they authorize to receive such information.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses PII please specify with whom and for what purpose(s): This information is addressed in the NIH Privacy Act Systems of Record Notice 09-25-0099, published in the Federal Register, Volume 67, No 187, September 26, 2002.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Each individual patient is informed of CC information practices before they are accepted as patients. In addition, each patient must provide a written release before information if sent out for any other purpose. The Medical Record Department would be responsible for revising release request authorization and information practices forms if any major system changes take place.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: The system is maintained under controlled physical access and user identification as well as passwords are in effect for all users.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin: CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 8/11/2009

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Nutrition System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: 8/25/2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: None

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0099

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name (Align with system Item name): CC Nutrition System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: The Nutrition CBORD Food Management System consists of two major components; the Food Service Suite (FSS) and the Nutrition Service Suite (NSS). FSS is used to track information regarding recipes, nutritional values, stock inventory, and vendor information. NSS uses the recipe and nutrition information to determkine which foods are appropriate for patients based upon their diets as entered into the CRIS. This determination is then used by employees in the room service call center to assist patients in selecting appropriate food items.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses PII please specify with whom and for what purpose(s): CBORD receives infromation from CRIS through a unidirectional interface.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Each patient must manually reconsent upon every admission to the CC including permission for the submission of PII and information practices at the CC.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: All staff with access are requried to take Computer Security and Provicy Awareness Training. Access is controlled by passwords and role-based security. All hardware is located in the CC Data Center behind locked doors and indiviudal workstations are also kept behind locked doors.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin:CC Privacy Office, 301-496-4240

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 12/10/2009

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC PeriOperative Information System (POIS)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: 12/21/2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: -

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0099

5. OMB Information Collection Approval Number: NO

6. Other Identifying Number(s): NO

7. System Name (Align with system Item name): Perioperative Information System (POIS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: COTS application providing OR and Anesthesia specific functions to the Department of Anesthesia and Surgical Services. The functions include: Scheduling the OR, Anesthesia, IC human resources and material resources for surgical and anesthesia procedures at the Clinical Center, documentation of clinical and research care provided to registered patients, inventory management, tracking patients across the perioperative continuum, integration with CC Clinical Research Information Systems (CRIS Core) for receipt of patient demographics, allergies and laboratory test results, integration with patient care monitors for automated collection of specific vital signs, and reporting to DASS and CC Leadership.

13. Indicate if the system is new or an existing one being modified: New

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses PII please specify with whom and for what purpose(s): Not Applicable

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Information is obtained from patient interviews, a multi-disciplinary care team in the Department of Anesthesia and Surgical Services and patient observations. Admission and protocol consent forms are signed by each patient and a CC information practices notification form is provided to each patient at the time of initial admission. Consent to Invasive Procedure forms are signed by the patient before each procedure. Each patient would be advised at the time of admission about major system changes and the CC Information Practices notice would be revised and provided to each patient.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: The system and all contained data are protected using administrative, technical, physical security and privacy controls. The system is located behind locked doors, monitored by CC TV and requires key card access for admission to both the CC Data Center and the Department of Anesthesia and Surgical Services. In addition, only authorized users may access the system based on user roles and hierarchial passwords.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 3/1/2010

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Picker: Clinical Center Survey Results

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: 7/13/2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not Required

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0156

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name (Align with system Item name): NRC Picker/NIH: Clinical Center Survey Results

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: Information resulting from various surveys and questionnaires conducted by the Clinical Center from patients and staff regarding quality of care and hospital operations. The categories of evaluative information varies according to the service being surveyed and may include data related to the research experience, the clinical services received, the respondent's level of satisfaction, time of delivery and future plans.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses PII please specify with whom and for what purpose(s): No identified data is shared. Only de-identified aggregate data is shared with CC Administration. Once individual responses are aggregated, indiviudals are no longer able to be retrieved by name.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Consent is not obtained because participation is entirely voluntary and because the data derived from the surveys and questionnaire is only provided in a de-identified aggregate manner. Any indiviudal can opt not to participate. Each particpant is provided a written introduction and explanation of the survey. There has never been any major changes to the system and none are anticipated at this time. If such changes do occur, each participant will be notified directly. There are no other notification procedures in place.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: The information is kept in a physically secure location utilizing guards, identification badges and key cards. Data is secured behind adequate firewalls and is protected by use of passwords and role-based access.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 8/14/2009

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Picture Archive Communications System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: 1/5/2010

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: None

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0099

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name (Align with system Item name): CC Picture Archive Communications System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: The PACS collects, disseminates and stores radiological images pertaining to Clinical Center patients and provides those images to authorized care gives involved in the delivery of clinical care or to scientists conducting approved biomedical research. The information collected includes PII to identify specific patients by name, medical record number and other identifiers. Admission to the Clinical Cetner is entirely voluntary and each indiviidual is informed of Clinical Center information practices and gives informed consent before providing PII.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses PII please specify with whom and for what purpose(s): The PACS provides radiological images and PII identifying those images with specific Clinical Center patients with authorized care givers and scientists.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Admission to the Clinical Cetner is entirely voluntary and each indiviidual is informed of Clinical Center information practices and gives informed consent before providing PII. The process may be completed again if major chnages occur. All notifications are done in hard copy.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: Access is restricted only to authorized users with a need to know and is secured using passwords and role based security. Servers are located is secure data center.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin, Clinical Center, Privacy Officer

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 4/20/2010

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Protocol Tracking (PROTRACK)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: 4/8/2010

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-3099-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0200

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name (Align with system Item name): CC Patient & Research Services: Protocol Tracking

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: The Protocol Tracking System is used to collect, maintain and report administrative data about intramural research protocols under authority of Section 301 of the Public Health Service Act.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses PII please specify with whom and for what purpose(s): NIH Employees for protocol approval, control and reporting.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Employees provide names at the time as a part of the protocol approval process and the names of Government employees are a matter of public record. There are no plans to add additional IIF information at the current time, but the Office of Protocol Services would provide notification to each investigator if additions were made in the future.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: Only authorized person may have access to the Protocol Tracking System and the system is protected through door locks and other physical controls, as well as technical controls including user identification and password protection.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin: CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 8/11/2009

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Prototype

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: 6/15/2010

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: -

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0200

5. OMB Information Collection Approval Number: Not Applicable

6. Other Identifying Number(s): Not Applicable

7. System Name (Align with system Item name): CC Prototype

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: Custom application providing a Web-based protocol authoring tool that utilizes a systematic framework to develop and maintain research protocols throughout their lifecycle. The application utilizes templates and language specified by the IC Institutional Review Board (IRB). Users include Primary Investigators (PI), Associate Investigators (AI) and IC reveiwers.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses PII please specify with whom and for what purpose(s): Not Applicable

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Release Notes describing system changes are electronically distributed to the registered users accessing the CC Prototype system with each version upgrade. The Release Notes provides notice of changes made during upgrades to add/ modify data fields and add/modify data flow and add new features and functionality. The PII collected about users is limited, i.e., name, address, phone number, email and organization. The PII is collected from the user at the time a new account is created. The user may update the address, phone number and email at any time. The information is used to identify the authors and reviewers associated with protocols during the protocol development and approval phase. The information is not shared with other systems.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: The system and all contained data are protected using administrative, technical, physical security and privacy controls. The system is located behind locked doors, monitored on CC TV and requires key card access for admission to the CC Data Center. In addition only authorized user may access the ssystem based on user roles and passwords.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 7/7/2010

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC ProVation

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: 5/15/2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0099

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): CC Provation

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: CC Provation is a Major Application whose mission is to digitally report findings from gastroenterological endoscopic exams of the upper and lower gastrointestinal tract, including the ability to record digital pictures. It is part of modern clinical practice in gastroenterology and considered a part of routine clinical care. Procedures are recorded as they are done and the information for each procedure is collected from a particular patient for a particular procedure.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses PII please specify with whom and for what purpose(s): Printed reports of endoscopic procedures are printed from the system and stored in the patient's medical record.

The submission of the personal information is voluntary. SSNs are not entered into the CC Provation database here at NIH although there is a field that could be used. Instead, we identify and track patients by their medical record #, name and procedure dates. We have no plans to use SSNs

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Protocol consent forms are signed by each patient and an information practices notification form is provided to each patient at the time of initial admission. Data is retained on servers maintained by DCRI in the CC Data Center and a hard copy is printed which is inserted into the patient’s medical chart. This is kept in medical records.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: Technical, Physical and administrative controls are in place to ensure the security of the information. These include an up to date System Security Plan, Contingency Plan, regular offsite backup of the data, and yearly security awareness training for all personnel. The system is certified and accredited.

The information is secured through multiple levels of security and access controls have been established to authenticate the user and to determine if the user has the authorization to perform actions requested. The access controls are supplemented with a secure network at both NIH and the CC.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 8/11/2009

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Rehabilitation-Social Security Administration Data Sharing System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: 8/17/2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: None

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 17-60-0196

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name (Align with system Item name): CC: Rehabilitation Medicine - Social Security Administration Data Sharing System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jerry P. King, CC Privacy Officer

10. Provide an overview of the system: The Clinical Center Rehabilitation Medicine Department (CC-RMD) at the National Institutes of Health (NIH) has agreed to assist the Social Security Administration (SSA) to explore innovative methods for augmenting and improving the current disability evaluation process. The first major line of work requires analysis of data from longitudinal research files maintained by the Social Security Administration and assessing the feasibility of developing Computer Adaptive Testing (CAT) instruments that can be integrated into the SSA data collection and determination processes.

13. Indicate if the system is new or an existing one being modified: New

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses PII please specify with whom and for what purpose(s): PII is only shared between the SSA and the specific RMD staff authorized to perform statistical and other related analyses of the information.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) All individuals are notified of use at the time of disability filing and consent is written. Major changes will be communicated by the CC CIO to the SSA Proejct Director for diessemination. PII is only shared between the SSA and the specific RMD staff authorized to perform statistical and other related analyses of the information.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: PII is only shared between the SSA and the specific RMD staff authorized to perform statistical and other related analyses of the information. Access is password protected and role based security is also used. All data resides on a server and SAN soley dedicated to that purpose and is located within the secure CC Data Center which uses state of the art backup and physical security measures.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Jerry P. King, CC Privacy Officer

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 9/11/2009

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Scheduling System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: 6/30/2010

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: None

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0099

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name (Align with system Item name): NIH CC Scheduling System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: An ASP web-based application used for scheduling patient appointments in the Clinical Center. Schedules for physicians, nurses, ancillary care givers, resources and locations are built so that specific schedules can be created and viewed. A third-party contractor sends individualized appointment reminder letters to patients.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses PII please specify with whom and for what purpose(s): PII is required for patient identification at the point of scheduling, as well as for contacting patients and mailing them reminder letters regarding their scheduled appointments.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Each patient signs a consent to be admitted to the Clinical Center and is advised as to each of the specific information practices at the Clinical Center including how information about them will be stored and shared and for what purposes. Major changes will be updated in the current information practices and patients will be informed at the time of admission.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: CC users and contractors have completed information security and privacy training. Access to data is based on user role. SCI Solutions security policy includes review of all incidents and action plans to mitigate, repair and prevent damage. Access is restricted by firewalls, use of virtual IP and physical separation of database servers from systems serving HTTP pages. Production systems access is limited to specific need-to-know employees. Physical access is limited by locked doors, pass-coded ID, cameras, etc.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin, Privacy Officer, Clinical Center, Department of Clinical Research Informatics

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 10/23/2009

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC TheraDoc Epidemiology System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: 1/9/2010

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: None

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0223

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name (Align with system Item name): CC TheraDoc Epidemiology System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: The system provides the Hospital Epidemiology Service with continuous infection surveillance, alerts, and analysis to help promote better and more timely infection control practices.

13. Indicate if the system is new or an existing one being modified: New

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses PII please specify with whom and for what purpose(s): Not applicable

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Admission to the Clinical Center is completely voluntary and requires consent of each patient. In addition, each patient is provided a full written accounting of established information practices at the Clinical Center , including the capture and use of PII, and has the opportunity to ask questions and must acknowlege receipt of same through manual signature on the Information Practices From.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: PII will reside on a server in the CC Datacenter protected by restricted access and video monitoring. The server will be behind the NIH & CC firewalls. Access will be granted by the application administrator to each indiviudal on a need-to-know basis. Access will require password and specific security group inclusion. Passwords at the NIH and application level require updates as required by CIT policy and users are automatically logged off the system after inactivity.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin, CC Privacy Officer, 301-496-4240

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 1/26/2010

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT Administrative Database (ADB)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: 6/8/2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-01-01-3104-00-402-129

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): NIH Administrative Database System (ADB)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Carol A. Perrone

10. Provide an overview of the system: The Administrative Data Base (ADB) is a legacy system project that is over twenty years old. The new NIH Business System (NBS) is projected to replace the ADB by FY06. The system provides support for a broad range of NIH business (financial and administrative) functions including the purchase, receipt, and payment of goods and services (internal and external); the tracking and supplying of inventories; services and supply fund activities; and property management. Development of the ADB began in 1978 to automate the processes related to the procurement of goods and services and to translate the procurement actions into accounting transactons that are processed by the Central Accounting System (CAS). Since then the CAS has been modified to interface with the ADB. Several other systems have been added and modifications/enhancements continue to be made to the ADB to reflect changing policies, requirements and the need for increased functionality. NIH heavily relies on this system for much of its business transactions and management information. The legislation authorizing this activity is found in the Privacy Act System of Record (SOR) Notice #09-90-0018. It is 5 U.S.C. 1302, 2951, 4118, 4308, 4506, 7501, 7511, 7521 and Executive Order 10561.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses PII please specify with whom and for what purpose(s): The information is shared with the IRS and the Department of the Treasury. SOR 09-90-0018.

The agency collects data pertaining to the procurement of goods and services for the NIH as well as data pertaining to stipend payment to NIH Fellows. Some of the data collected such as the EIN or SSN and ACH Banking information is required in order to effect payments and prepare 1099s and 1042s. Submission of this data is mandatory.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Notification or consent is not done via the Operations and Maintenance Support group; the system is merely collecting and storing data entered by the users. Any notification will have to be done by the Business Owners and ICs.

Changes to the ADB system software does not affect the data collected and maintained in the ADB Vendor file. However, if changes in uses occur, notification to the individuals are done by the Institute or Center (IC) where the original request was initiated or by the Office of Financial Management (OFM) and follows the processes in place for those organizations.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: The system is run under a secure server and access is restricted through RACF as well as security within the system.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele Mulholland France NIH/CIT/PECO

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 8/11/2009

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT ALTIRIS

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: 5/5/2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): Altiris Client Management Suite

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Connie Latzko NIH/CIT/DCS

10. Provide an overview of the system: Altiris Client Management Suite is an agent based systems management solution used to provide hardware and software inventory, patch management, and software delivery for CIT commodity desktops.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses PII please specify with whom and for what purpose(s): No

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No IIF is collected.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: No IIF is collected

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele Mulholland France NIH/CIT/PECO

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 8/11/2009

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT Business Intelligence System (formerly nVision)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: 6/8/2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-01-3105-00-404-142

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018 and 09-90-0024

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): NIH Business Intelligence System (NBIS) (nVision)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Michael Foecking

10. Provide an overview of the system: The NIH Business Intelligence System (NBIS) is an enhanced data warehouse that is a consolidation of the legacy data warehouse, and the next generation data warehouse, nVision. It is designed to improve reporting capabilities of the NIH business source systems. This consolidation integrates the query and reporting capabilities of NIH business systems into one system. The legal authority is referenced in HHS Privacy Act Systems of Record 09-90-0018 and 09-90-0024.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses PII please specify with whom and for what purpose(s): Only authorized personnel have access to this data. Data may be obtained through FOIA requests. SOR 09-90-0018 and 09-90-0024

HHS, Congress and via FOIA requests.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Agreements have been obtained from the NIH source systems in collaboration with the business community requirement groups to provide the data needed to support the mission of NIH. The warehouse and source systems teams are in constant communication with regard to the data and changes in that data or access permissions granted to users. Users sign the NIH BIS registration form, consenting to the use of PII for NIH BIS registration purposes. When a major change occurs to the NIH BIS system, users are notified by email. A privacy statement is posted on the NIH BIS website.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: NBIS administrative controls include C&A, a System Security Plan, a Contingency Plan, system backups, and documented procedures. Technical controls include a User ID and strong password to access the system and access is only granted when there is a documented request by an authorized official. Other technical controls include Firewalls and VPN. Physical controls to the server room include guards, ID Badges, Key Cards and locks.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele France NIH/CIT/PECO

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 8/11/2009

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT Central Accounting System (CAS) (FISMA)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: 5/5/2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-01-01-3101-00-402-124

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0024

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): NIH Central Accounting System (CAS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Carol A. Perrone

10. Provide an overview of the system: The NIH CIT Central Accounting System is a legacy system that processes all accounting and financial transactions for the NIH from systems: ADB, Central Payroll, PMS and IMPAC II.

The CAS will be replaced by the new NIH Business System (NBS). Please refer to project # 009-25-01-4601. The CAS project resides in the Division of Enterprise and Custom Applications, Center for Information Technology, NIH. The CAS is a legacy system project that is over twenty years old, and processes accounting and financial transactions for the NIH. It processes data from several sources including: the Administrative Data Base (ADB); Central Payroll; Payment Management System (PMS); and Information for Management, Planning, Analysis and Coordination (IMPAC). The CAS provides data exchange to the ADB, PMS and IMPAC. Data is extracted from the CAS nightly and made available to the NIH through the NIH Data Warehouse. The CAS produces a wide range of reports that detail spending within the Agency. Financial reports are generated for the Department of Health and Human Services, the Treasury Department, the Office of Management and Budget, and the Public Health Service. The legal authority for SOR #09-90-0024 is found in the Budget and Accounting Act of 1950 (P.L. 81-784) and Debt Collection Act of 1982 (P.L. 97-365).

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses PII please specify with whom and for what purpose(s): Department of Treasury for payments and IRS for 1099 reporting. SOR 09-90-0024

Financial reports are generated for the Department of Health and Human Services, the Treasury Department, the Office of Management and Budget, and the Public Health Service.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No processes are in place other than those specified through the ADB, Central Payroll, IMPAC and PMS systems.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: The CAS is a mainframe legacy system that operates in a batch environment. The CAS is not accessible to users other than the individuals who maintain it. Those individuals must have proper RACF security in order to access the system.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele Mulholland France NIH/CIT/PECO

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 8/11/2009

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT Computer Installation Management System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: 6/8/2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: N/A

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Computer Installation Management System (CIMS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: John Burke

10. Provide an overview of the system: The Computer Installation Management System (CIMS) provides comprehensive job accounting and chargeback reporting. CIMS identifies the billable services that each organization uses and creates invoices that are presented to Customer Accounts for payment.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses PII please specify with whom and for what purpose(s): N/A

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele France, NIH/CIT/PECO

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 8/11/2009

Approved for Web Publishing: Yes

Date Published: July 26, 2010

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT Data Center

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA 2010? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: 1/28/2010

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): NIH Data Center

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Adrienne Yang

10. Provide an overview of the system: NIH Data Center is a controlled access facility for housing (1) CIT-provided general support systems that host NIH, HHS, and other federal agency applications, (2) scientific computing services for NIH researchers, and (3) NIH infrastructure servers (Active Directory, email, and networking (NIHnet)). The facility also provides monthly rental space for housing customer-owned and operated equipment. An off-campus site, the NIH Consolidated Co-Location Site (NCSS) provides space for housing IC servers in a secure, environmentally controlled vendor-provided facility located approximately 30 miles from the NIH campus.