SORN-EDHA 25_Enterprise Blood Management System (EBMS)

DEPARTMENT OF DEFENSE
Office of the Secretary of Defense
Narrative Statement on a New System of Records
Under the Privacy Act of 1974
1. System identifier and name: EDHA 25 DoD, entitled
“Enterprise Blood Management System (EBMS).”
2. Responsible official: Mr. Charles D. Updegrove, Defense
Health Clinical Systems/Deployment and Readiness Systems
(DHCS/D&RS) Program Manager, 5109 Leesburg Pike, Skyline 6,
Suite 817, Falls Church, VA 22041-3221.
3. Purpose for establishing the system: The Defense Health
Agency proposes to establish a new system of records to obtain
information from individuals donating blood in order to identify
and verify donor demographics; determine donor suitability;
associate donors to blood collections for testing; and create
records necessary to identify and notify recipients of potential
or known infectious blood units. Information collected is also
used to determine the suitability of voluntary blood donations,
record time of blood donation, and blood type; administer the
Armed Services Blood Program (ASBP); and, in some instances,
recommend medical treatment for prospective blood donors.
4. Authority for the maintenance of the system: 10 U.S.C.
Chapter 55, Medical and Dental Care; 32 CFR Part 199, Civilian
Health and Medical Program of the Uniformed Services (CHAMPUS);
DoD Directive 6000.12E, Health Service Support; DoD Instruction
(DoDI) 6015.23, Delivery of Healthcare at Military Treatment
Facilities: Foreign Service Care; Third-Party Collection;
Beneficiary Counseling and Assistance Coordinators (BCACs); DoDI
6480.04, Armed Services Blood Program Operational Procedures;
and E.O. 9397 (SSN), as amended.
5. Provide the agency’s evaluation on the probable or potential
effects on the privacy of individuals: In reviewing this system
of records notice, the Defense Health Agency (DHA) reviewed the
safeguards established for the system to ensure they are
compliant with the DoD’s requirements and are appropriate to the
sensitivity of the information stored within the system.
6. Is the system, in whole or in part, being maintained,
collected, used or disseminated by a contractor? Yes.
7. Steps taken to minimize risk of unauthorized access:
Systems are maintained in controlled areas accessible only to
EDHA 25 Draft_ 20140204
DHA Privacy and Civil Liberties Support

1

authorized personnel. Entry into these areas is restricted to
those personnel with a valid requirement and authorization to
enter. Physical entry is restricted by the use of locks,
passwords which are changed periodically, and administrative
procedures.
The system provides two-factor authentication including Common
Access Cards with pin number and user ID/passwords. Access to
personal information is restricted to those who require the data
in the performance of their official duties. All personnel
whose official duties require access to the information are
trained in the proper safeguarding and use of the information.
8.
Routine use compatibility: In addition to those
disclosures generally permitted under 5 U.S.C. 552a(b) of the
Privacy Act of 1974, as amended, these records may be
specifically disclosed outside the DoD as a routine use pursuant
to 5 U.S.C. 552a(b)(3) as follows:
To the Department of Health and Human Services (HHS) and its
components for the purpose of conducting research and analytical
projects, and to facilitate collaborative research activities
between DoD and HHS.
To the Department of Veterans Affairs (VA) for the purpose of
providing medical care to former Armed Services Members and
retirees and facilitating collaborative research activities
between the DoD and VA.
To the National Research Council, National Academy of Sciences,
and similar institutions for authorized health research in the
interest of the Federal Government and the public.
To other federal, local, and state government agencies for
compliance with federal, state, and local laws and regulations
governing blood supply safety, control of communicable diseases,
preventive medicine and safety, and other public health and
welfare mandates relating to blood supplies.
To federal offices and agencies involved in the documentation
and review of defense occupational and environmental exposure
data.
The DoD Blanket Routine Uses may apply to this system of
records, except as stipulated in the Note below.

EDHA 25 Draft_ 20140204
DHA Privacy and Civil Liberties Support

2

NOTE 1: This system of records contains individually
identifiable health information. The DoD Health Information
Privacy Regulation (DoD 6025.18-R) or any successor DoD
issuances implementing the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) and 45 CFR Parts 160 and 164,
Health and Human Services, General Administrative Requirements
and Security & Privacy, respectively, within the DoD applies to
most such health information. DoD 6025.18-R or any successor
issuance may place additional procedural requirements on the
uses and disclosures of such information beyond those found in
the Privacy Act of 1974, as amended, or mentioned in this system
of records notice.
9.

OMB information collection requirements:
OMB collection required: Yes
OMB Control Number (if approved):

Expiration Date (if approved) or Date Submitted to OMB:
If collecting on members of the public and no OMB approval is
required, state the applicable exceptions:
10. Name of IT system (state NONE if paper records only):
Enterprise Blood Management System consists of two commercial
off the shelf products, Blood Donor Management System (BDMS) and
Blood Management Blood Bank Transfusion Services (BMBB/TS). The
Department of Defense Information Technology Portfolio
Repository Identification Number for the Enterprise Blood
Management System is 13520.

EDHA 25 Draft_ 20140204
DHA Privacy and Civil Liberties Support

3

Billing Code:
DEPARTMENT OF DEFENSE
Office of the Secretary of Defense
[Docket ID:
]
Privacy Act of 1974; System of Records
AGENCY: Defense Health Agency
ACTION: Notice of a New System of Records
SUMMARY: The Defense Health Agency is proposing to establish a
new system of records, EDHA 25 DoD, entitled “Enterprise Blood
Management System (EBMS)” in its inventory of record systems
subject to the Privacy Act of 1974, as amended. This system
will be used to obtain information from individuals donating
blood in order to identify and verify donor demographics;
determine donor suitability; associate donors to blood
collections for testing; and create records necessary to
identify and notify recipients of potential or known infectious
blood units. Information collected is also used to determine
the suitability of voluntary blood donations, record time of
blood donation, and blood type; administer the Armed Services
Blood Program (ASBP); and, in some instances, recommend medical
treatment for prospective blood donors.
DATES: This proposed action will be effective on [INSERT DATE
31 DAYS AFTER DATE OF PUBLICATION IN THE FEDERAL REGISTER]
unless comments are received which result in a contrary
determination. Comments will be accepted on or before [INSERT
DATE 30 DAYS FROM DATE PUBLISHED IN THE FEDERAL REGISTER].
ADDRESSES: You may submit comments, identified by docket number
and title, by any of the following methods:
*
Federal Rulemaking Portal: http://www.regulations.gov
Follow the instructions for submitting comments.
*
Mail: Federal Docket Management System Office, 4800
Mark Center Drive, East Tower, 2nd Floor, Suite 02G09,
Alexandria, VA 22350-3100.
Instructions: All submissions received must include the agency
name and docket number for this Federal Register document. The
general policy for comments and other submissions from members
of the public is to make these submissions available for public
viewing on the Internet at http://www.regulations.gov as they
are received without change, including any personal identifiers
or contact information.

EDHA 25 Draft_ 20140204
DHA Privacy and Civil Liberties Support

4

FOR FURTHER INFORMATION CONTACT: Ms. Linda S. Thomas, Chief,
Defense Health Agency Privacy and Civil Liberties Office,
Defense Health Agency, Defense Health Headquarters, 7700
Arlington Boulevard, Suite 5101, Falls Church, VA 22042-5101, or
by phone at (703) 681-7500.
SUPPLEMENTARY INFORMATION: The Defense Health Agency notices
for systems of records subject to the Privacy Act of 1974 (5
U.S.C. 552a), as amended, have been published in the Federal
Register and are available from the address in FOR FURTHER
INFORMATION CONTACT or at the Defense Privacy and Civil
Liberties Office website
http://dpclo.defense.gov/privacy/SORNs/component/dha/index.html
The proposed system report, as required by 5 U.S.C. 552a(r) of
the Privacy Act of 1974, as amended, was submitted on (INSERT
DATE), to the House Committee on Oversight and Government
Reform, the Senate Committee on Governmental Affairs, and the
Office of Management and Budget (OMB) pursuant to paragraph 4c
of Appendix I to OMB Circular No. A-130, “Federal Agency
Responsibilities for Maintaining Records About Individuals,”
dated February 8, 1996 (February 20, 1996, 61 FR 6427).
Dated:

Patricia L. Toppings
OSD Federal Register Liaison Officer, Department of Defense

EDHA 25 DoD
EDHA 25 Draft_ 20140204
DHA Privacy and Civil Liberties Support

5

System name:
Enterprise Blood Management System (EBMS)
System location:
Primary location: Enterprise Infrastructure (EI) Military
Health System (MHS) Enterprise Services Operations Center
(MESOC) San Antonio, 300 Convent Street, Suite 1800, San
Antonio, TX 78205-3742.
Secondary locations: Enterprise Infrastructure (EI) Military
Health System (MHS) Enterprise Services Operations Center
(MESOC) Aurora, 16401 East Centretech Parkway, Aurora, CO 800119088
For a complete listing of all system location addresses, contact
the system manager.
Categories of individuals covered by the system:
Donors: Any member of the Armed Services, Department of Defense
(DoD) civilian employee (including a non-appropriated fund
employees), DoD contractor, employee of another government
agency, civilian, and foreign nationals donating blood at one or
more DoD blood donor collection site(s).
Recipients: Armed Services medical beneficiaries who receive or
have received medical care at one or more DoD medical treatment
facilities and who have a need for a blood services encounter;
and DoD civilian employees (including non-appropriated fund
employees), other federal government employees, contractors,
civilians, and foreign nationals who receive or have received
care at one or more DoD medical treatment facilities and who
have a need for a blood services encounter.
Categories of records in the system:
Donors: Name; date of birth; Social Security Number (SSN)
and/or DoD Identification (DoD ID) Number; in the case of a
foreign national, the foreign national number assigned to that
individual; donor family member prefix and/or sponsor SSN or DoD
ID Number; gender; race/ethnicity; contact phone number(s); home
address; personal e-mail address; medical history; current
health and disability information; and employment information
(including, for donors who are Armed Services members, the
donor’s organization, station, and duty phone), and previous
donation history.

EDHA 25 Draft_ 20140204
DHA Privacy and Civil Liberties Support

6

Recipients: Individual’s name and other name(s) used, date of
birth, SSN and/or DoD ID Number, gender, race/ethnicity, medical
information, and recipient’s previous donation history (if any).
Authority for maintenance of the system:
10 U.S.C. Chapter 55, Medical and Dental Care; 32 CFR Part 199,
Civilian Health and Medical Program of the Uniformed Services
(CHAMPUS); DoD Directive 6000.12E, Health Service Support; DoD
Instruction (DoDI) 6015.23, Delivery of Healthcare at Military
Treatment Facilities: Foreign Service Care; Third-Party
Collection; Beneficiary Counseling and Assistance Coordinators
(BCACs); DoDI 6480.04, Armed Services Blood Program Operational
Procedures; and E.O. 9397 (SSN), as amended.
Purpose(s):
To obtain information from individuals donating blood in order
to identify and verify donor demographics; determine donor
suitability; associate donors to blood collections for testing;
and create records necessary to identify and notify recipients
of potential or known infectious blood units. Information
collected is also used to determine the suitability of voluntary
blood donations, record time of blood donation, and blood type;
administer the Armed Services Blood Program (ASBP); and, in some
instances, recommend medical treatment for prospective blood
donors.
To permit verification and authentication of the individuals
receiving blood transfusions.
To trace blood units and blood products that are unsuitable to
transfer, and previous units donated by the same donor, for
review and possible recipient notifications.
To obtain information on individuals receiving blood
transfusions through the ASBP, and the donor(s) of that blood
for use in an automated and standardized quality information
system to ensure the safety and quality of the blood supply in
support of the Military Health System’s medical readiness and
healthcare treatment activities.
Routine uses of records maintained in the system, including
categories of users and the purposes of such uses:
In addition to those disclosures generally permitted under 5
U.S.C. 552a(b) of the Privacy Act of 1974, as amended, these
records may be specifically disclosed outside the DoD as a
routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
EDHA 25 Draft_ 20140204
DHA Privacy and Civil Liberties Support

7

To the Department of Health and Human Services (HHS) and its
components for the purpose of conducting research and analytical
projects, and to facilitate collaborative research activities
between DoD and HHS.
To the Department of Veterans Affairs (VA) for the purpose of
providing medical care to former Armed Services Members and
retirees and facilitating collaborative research activities
between the DoD and VA.
To the National Research Council, National Academy of Sciences,
and similar institutions for authorized health research in the
interest of the Federal Government and the public.
To other federal, local, and state government agencies for
compliance with federal, state, and local laws and regulations
governing blood supply safety, control of communicable diseases,
preventive medicine and safety, and other public health and
welfare mandates relating to blood supplies.
To federal offices and agencies involved in the documentation
and review of defense occupational and environmental exposure
data.
The DoD Blanket Routine Uses may apply to this system of
records, except as stipulated in the Note below.
NOTE 1: This system of records contains individually
identifiable health information. The DoD Health Information
Privacy Regulation (DoD 6025.18-R) or any successor DoD
issuances implementing the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) and 45 CFR Parts 160 and 164,
Health and Human Services, General Administrative Requirements
and Security & Privacy, respectively, within the DoD applies to
most such health information. DoD 6025.18-R or any successor
issuance may place additional procedural requirements on the
uses and disclosures of such information beyond those found in
the Privacy Act of 1974, as amended, or mentioned in this system
of records notice.
Policies and practices for storing, retrieving, accessing,
retaining, and disposing of records in the system:
Storage:
Electronic storage media.
Retrievability:
EDHA 25 Draft_ 20140204
DHA Privacy and Civil Liberties Support

8

Donor:

Donor name, SSN and/or DoD ID Number, and date of birth.

Recipient:
of birth.

Recipient name, SSN and/or DoD ID Number, and date

Safeguards:
Systems are maintained in controlled areas accessible only to
authorized personnel. Entry into these areas is restricted to
those personnel with a valid requirement and authorization to
enter. Physical entry is restricted by the use of locks,
passwords which are changed periodically, and administrative
procedures.
The system provides two-factor authentication including Common
Access Cards with pin number and user ID/passwords. Access to
personal information is restricted to those who require the data
in the performance of their official duties. All personnel
whose official duties require access to the information are
trained in the proper safeguarding and use of the information.
Retention and disposal:
Disposition pending (treat records as permanent until the
National Archives and Records Administration has approved the
retention and disposal schedule).
System manager(s) and address:
EBMS Program Manager, Defense Health Clinical Systems
(DHCS)/Deployment and Readiness System (D&RS), Skyline 6, Suite
817, 5109 Leesburg Pike, Falls Church, VA 22041-3221.
Notification procedure:
Individuals seeking to determine whether information about
themselves is contained in this system of records should address
written inquiries to the Chief, Freedom of Information Act
(FOIA) Service Center, Defense Health Agency Privacy and Civil
Liberties Office, Defense Health Headquarters, 7700 Arlington
Boulevard, Suite 5101, Falls Church, VA 22042-5101.

Requests should contain the individual’s full name, SSN and/or
DoD ID Number, date of birth, and be signed.
Record access procedures:
Individuals seeking access to information about themselves
contained in this system of records should address written
inquiries to the Chief, FOIA Service Center, Defense Health
Agency Privacy and Civil Liberties Office, Defense Health
EDHA 25 Draft_ 20140204
DHA Privacy and Civil Liberties Support

9

Headquarters, 7700 Arlington Boulevard, Suite 5101, Falls
Church, VA 22042-5101.
Requests should contain the individual’s full name,
SSN and/or DoD ID Number, date of birth, and be signed.
Contesting record procedures:
The Office of the Secretary of Defense (OSD) rules for accessing
records, for contesting contents and appealing initial agency
determinations are published in OSD Administrative Instruction
81, 32 CFR Part 311, or may be obtained from the system manager.
Record source categories:
Individuals, information printed on blood samples, the Composite
Health Care System, and AHLTA.
Exemptions claimed for the system:
None.

EDHA 25 Draft_ 20140204
DHA Privacy and Civil Liberties Support

10