´óÏóÊÓƵ

System of Records Notices (SORNs)

The Privacy Act of 1974, () establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by Federal agencies. A description of the information to be collected in any system of records must be published in the Federal Register before the data collection begins.

For each system of records, a specified ´óÏóÊÓƵemployee, known as a system manager, is responsible for the business requirements of the data maintained in the system, for answering any questions about viewing the records, and for amending or correcting information contained therein. The ´óÏóÊÓƵsystem manager, along with his or her mailing address, is listed in the Federal Register notice.

on the HHS website.

Privacy Impact Assessments (PIAs)

The , Section 208, establishes the requirement for agencies to conduct PIAs for electronic information systems and collections. The assessment is a method for ´óÏóÊÓƵto evaluate the privacy of information it collects, uses, and maintains within its information systems and applications. The Department of Health and Human Services (HHS) reviews, signs, and posts all ´óÏóÊÓƵPIAs on the HHS PIA webpage in accordance with the requirements of the E-Government Act of 2002, and can be found .

Matching Notices and Agreements

The Computer Matching and Privacy Protection Act of 1988, [PDF, 1.35 MB], amended the Privacy Act of 1974, 5 U.S.C. § 552a, to include provisions governing computer matching activities. In accordance with Privacy Act stipulation 5 U.S.C. § 552a(o), "no record which is contained in a system of records may be disclosed to a recipient agency or non-Federal agency for use in a computer matching program except pursuant to a written agreement between the source agency and the recipient agency or non-Federal agency." Agencies must publish a matching notice or agreement to notify individuals of the use of their information in this manner. Currently, ´óÏóÊÓƵdoes not conduct matching programs.

Exemptions to the Privacy Act

The Privacy Act of 1974 generally grants individuals the right to access ´óÏóÊÓƵrecords maintained about themselves, and the right to request that ´óÏóÊÓƵamend those records if they are not accurate, relevant, timely, or complete. However, the Privacy Act also exempts ´óÏóÊÓƵfrom granting a person access to information about themselves that the agency compiles for certain types of law enforcement or investigatory actions based on 10 specific types of exemptions. The Privacy Act requires ´óÏóÊÓƵto provide citations and links to the final rules published in the Federal Register that promulgate each Privacy Act exemption claimed for their systems of records. ´óÏóÊÓƵhas published exemptions for the following systems of records, as stated in the Federal Register SORN:

•     Medical Expenditure Panel Survey (MEPS) and National Medical Expenditure Survey 2 (NMES 2).

Privacy Act Implementation Rules

The Privacy Act of 1974 requires ´óÏóÊÓƵto implement Privacy Act implementation rules promulgated pursuant to . ´óÏóÊÓƵhas established procedures for individuals to request, access, and address their information found in ´óÏóÊÓƵSORNs, which are documented in the ´óÏóÊÓƵSORNs published in the Federal Register. In addition, ´óÏóÊÓƵSORNs identify and describe the National Archives and Records Administration (NARA) records retention schedules that ´óÏóÊÓƵuses to maintain records. Individuals that have questions about these procedures, or about their information, may also contact the following ´óÏóÊÓƵpoints of contact:

• ´óÏóÊÓƵChief Information Security Officer: Eric Colombel
  • Email: eric.colombel@ahrq.hhs.gov
  • Phone: 301-427-1750
• ´óÏóÊÓƵSenior Official for Privacy: Tim Erny
  • Email: tim.erny@ahrq.hhs.gov.
  • Phone: 301-427-1760
• ´óÏóÊÓƵInformation Security and Privacy Team
  • Email: SecureAHRQ@ahrq.hhs.gov

Publicly Available ´óÏóÊÓƵPolicies on Privacy

The ´óÏóÊÓƵInformation Security and Privacy Program fosters an enterprise-wide secure and trusted environment in support of AHRQ's mission. It was established to help protect the Agency and its data against potential information technology (IT) threats and vulnerabilities and ensures compliance with Federal mandates and legislation that enable ´óÏóÊÓƵto provide mission-critical IT security and privacy services. As an Operating Division (OpDiv) of HHS, ´óÏóÊÓƵis also required to comply with HHS policy and guidance. Below is a list of policies and procedures that ´óÏóÊÓƵfollows in compliance with Federal privacy legislation and guidance.

´óÏóÊÓƵWeb site Privacy Policy

This Web site is maintained as a public service to provide information on health care research and quality from AHRQ, a component of HHS. We collect no personal information about you when you visit this Web site unless you choose to provide that information to ´óÏóÊÓƵvoluntarily. Select for more on the ´óÏóÊÓƵWeb site privacy policy.

Health Information Privacy and Security Tool

is an online tool that helps health care providers and organizations meet Health Insurance Portability and Accountability Act (HIPAA) requirements for protecting patient information in electronic health records. The tool provides practical tips in four areas:

• Preparation.
• Risk analysis and action planning.
• Risk management.
• Meaningful use.

Privacy and Security Toolkit

The to the Health Information Privacy and Security Tool is meant to be a companion document that implements the principles set forth in The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information (Privacy and Security Framework).

Training and Awareness

Information security and privacy awareness training is mandatory for all ´óÏóÊÓƵFederal employees and contract personnel. Federal guidelines and HHS mandate that all employees must complete information security and privacy training upon initial hiring and annually thereafter. The ´óÏóÊÓƵInformation Security and Privacy Program is responsible for ensuring that all Agency employees and contractors receive annual information security and privacy awareness training and role-based training in compliance with Federal requirements. ´óÏóÊÓƵalso developed an online Information Security and Privacy Awareness Training Module that is available on the Agency Intranet to ´óÏóÊÓƵstaff.

HHS also offers the following role-based training courses, which ´óÏóÊÓƵtransmits on an annual basis to personnel with significant security responsibilities:

For more information on ´óÏóÊÓƵInformation Security and Privacy training, contact the ´óÏóÊÓƵInformation Security and Privacy Team (SecureAHRQ@ahrq.hhs.gov).

Publicly Available ´óÏóÊÓƵReports on Privacy

´óÏóÊÓƵsubmits a required Federal Information Security Management Act (FISMA) report to HHS, which includes privacy performance metrics, on an annual basis. ´óÏóÊÓƵcurrently does not have additional reports on privacy outside of FISMA reporting for publication.

Instructions for Submitting a Privacy Act Request

´óÏóÊÓƵhas established procedures for individuals to request, access, and address their information found in ´óÏóÊÓƵSORNs; these procedures can be found in the ´óÏóÊÓƵSORNs published in Federal Register notices. For each system of records, a specified Agency employee, known as a system manager, is responsible for the business requirements of the data maintained in the system, for answering any questions about seeing the records, and for amending or correcting information contained therein. The system manager, along with his or her mailing address, is also listed in the Federal Register.

Contact Information for Submitting a Privacy Question or Complaint

´óÏóÊÓƵhas established procedures for individuals to request, access, and address their information found in ´óÏóÊÓƵSORNs, and these procedures can be found in the ´óÏóÊÓƵSORNs published in the Federal Register.  For each system of records, a specified Agency employee, known as a system manager, is responsible for the business requirements of the data maintained in the system, for answering any questions about seeing the records, and for amending or correcting information contained therein. The system manager, along with his or her mailing address, is also listed in the Federal Register notice.

Contact Information: Senior Agency Official for Privacy

Individuals that have questions about the information set forth in this Privacy Notice, related procedures, and/or about their information, may also contact the following ´óÏóÊÓƵpoints of contact:

• ´óÏóÊÓƵChief Information Security Officer: Eric Colombel
  • Email: eric.colombel@ahrq.hhs.gov
  • Phone: 301-427-1750
• ´óÏóÊÓƵSenior Official for Privacy: Tim Erny
  • Email: tim.erny@ahrq.hhs.gov.
  • Phone: 301-427-1760
• ´óÏóÊÓƵInformation Security and Privacy Team
  • Email: SecureAHRQ@ahrq.hhs.gov.