Download:
pdf |
pdfSave
Privacy Impact Assessment Form
v 1.21
Status
Form Number
0920-17AUZ
Question
04/30/18
Answer
1
OPDIV:
CDC
2
PIA Unique Identifier:
0920-17AUZ
2a Name:
Form Date
Navigating Insurance Coverage Expansion/NICE
General Support System (GSS)
Major Application
3
Minor Application (stand-alone)
The subject of this PIA is which of the following?
Minor Application (child)
Electronic Information Collection
Unknown
3a
Identify the Enterprise Performance Lifecycle Phase
of the system.
Initiation
Yes
3b Is this a FISMA-Reportable system?
4
Does the system include a Website or online
application available to and for the use of the general
public?
5
Identify the operator.
6
Point of Contact (POC):
7
Is this a new or existing system?
8
Does the system have Security Authorization (SA)?
No
Yes
No
Agency
Contractor
POC Title
Project Officer
POC Name
Katherine Roland
POC Organization NCHHSTP/DHPIRS/PRB
POC Email
[email protected]
POC Phone
404-639-0982
New
Existing
Yes
No
8b Planned Date of Security Authorization
Not Applicable
Page 1 of 8
�Save
8c
Briefly explain why security authorization is not
required
Yet to be determined.
10
Describe in further detail any changes to the system
that have occurred since the last PIA.
N/A
The purpose is to evaluate the efficacy of the in-person health
insurance enrollment assistance intervention in a targeted
population and evaluate the effects of the intervention.
11 Describe the purpose of the system.
Analyses will be used to assess the efficacy of the intervention
as an emerging practice. This study will evaluate the effects of
the intervention on successful insurance enrollment, types of
insurance coverage, rates of linkage to and retention in HIVrelated healthcare among Black and Hispanic men who have
sex with men (MSM) and transgender persons age 18 or older.
The University of Chicago plans to collect and maintain
demographic and medical record data on study participants,
on behalf of CDC.
The in-person assistance intervention will help Black and
Hispanic MSM and transgender persons enroll in private health
insurance or Medicaid at the end of their HIV testing session,
regardless of their HIV status.
The data collection system will collect and maintain participant
demographic and medical record data to assess and measure
changes over time after exposure to the study intervention.
Describe the type of information the system will
collect, maintain (store), or share. (Subsequent
12
questions will identify if this information is PII and ask
Participant's PII data includes name, date of birth, health
about the specific data elements.)
insurance enrollment number, race, ethnicity, age, gender
identity, and Zip code.
Participant data will be housed in Research Electronic Data
Capture (REDCap), a secure database system utilized by
research institutions nationally. The tablets will contain
portable hot spots for secure data transmission between the
device and the database. The tablets will not store collected
data. All participant data will be linked and stored in REDCap
using a unique study ID for the participant all data will be
collected by the awardee.
Provide an overview of the system and describe the
13 information it will collect, maintain (store), or share,
either permanently or temporarily.
14 Does the system collect, maintain, use or share PII?
Participant data to be collected includes demographics (date
of birth, race/ethnicity, gender identity, zip code of residence,
current sexual practices, current housing situation [living in
own home, staying with a family member or friend, living in a
temporary shelter, homeless, or in foster/group home], history
of incarceration, travel time to study site), beliefs about HIV
medications, substance use, mental health status, beliefs about
the healthcare system, health insurance enrollment,
satisfaction of study participation. Medical record data will be
downloaded into the database. That information will include
HIV-related clinical care, HIV test results, and viral loads.
Yes
No
Page 2 of 8
�Save
15
Indicate the type of PII that the system will collect or
maintain.
Social Security Number
Date of Birth
Name
Photographic Identifiers
Driver's License Number
Biometric Identifiers
Mother's Maiden Name
Vehicle Identifiers
E-Mail Address
Mailing Address
Phone Numbers
Medical Records Number
Medical Notes
Financial Account Info
Certificates
Legal Documents
Education Records
Device Identifiers
Military Status
Employment Status
Foreign Activities
Passport Number
Taxpayer ID
Zip code of residence
Race/ethnicity
Age
Gender identity
Incarceration history
Participant's health
insurance enrollment
number
Employees
Public Citizens
16
Indicate the categories of individuals about whom PII
is collected, maintained or shared.
Business Partners/Contacts (Federal, state, local agencies)
Vendors/Suppliers/Contractors
Patients
Other
17 How many individuals' PII is in the system?
18 For what primary purpose is the PII used?
19
Describe the secondary uses for which the PII will be
used (e.g. testing, training or research)
500-4,999
The primary purpose of PII collection is to track eligibility.
Secondary use of PII is to assess the changes in health
outcomes.
20 Describe the function of the SSN.
N/A, not collecting SSN.
20a Cite the legal authority to use the SSN.
N/A, not collecting SSN.
21
Identify legal authorities governing information use
Public Health Service Act, Title III, Section 301
and disclosure specific to the system and program.
22
Are records on the system retrieved by one or more
PII data elements?
Yes
No
Page 3 of 8
�Save
Published:
Identify the number and title of the Privacy Act
System of Records Notice (SORN) that is being used
22a
to cover the system or identify if a SORN is being
developed.
Published:
Published:
In Progress
Directly from an individual about whom the
information pertains
In-Person
Hard Copy: Mail/Fax
Email
Online
Other
Government Sources
23
Within the OPDIV
Other HHS OPDIV
State/Local/Tribal
Foreign
Other Federal Entities
Other
Identify the sources of PII in the system.
Non-Government Sources
Members of the Public
Commercial Data Broker
Public Media/Internet
Private Sector
Other
23a
Identify the OMB information collection approval
number and expiration date.
0920-17AUZ
Yes
24 Is the PII shared with other organizations?
No
Within HHS
Identify with whom the PII is shared or disclosed and
24a
for what purpose.
Other Federal
Agency/Agencies
State or Local
Data to be collected by Chicago Hou
Agency/Agencies
Private Sector
Describe any agreements in place that authorizes the
information sharing or disclosure (e.g. Computer
24b Matching Agreement, Memorandum of
Understanding (MOU), or Information Sharing
Agreement (ISA)).
Data to be shared with CDC.
u
Data to be collected by University of
Chicago.
There is an MOU between the CDC awardee; the University of
Chicago Medicine, who will prepare a Data Management Plan
as a requirement for their annual non-competing review and
the Chicago House and Howard Brown Health.
Page 4 of 8
�Save
24c
Describe the procedures for accounting for
disclosures
Describe the process in place to notify individuals
25 that their personal information will be collected. If
no prior notice is given, explain the reason.
26
Sample reports will be run prior to CDC and partner agencies
having access to the data to ensure that the permissions and
de-identification process is working correctly. There is slight
risk that identifying data could end up in the data downloads.
If that were to occur, the University of Chicago's data manager
would report this to the CDC within 1 hour of discovery.
The study informed consent form will describe the data
collection process before study participation.
Voluntary
Is the submission of PII by individuals voluntary or
mandatory?
Describe the method for individuals to opt-out of the
collection or use of their PII. If there is no option to
27
object to the information collection, provide a
reason.
Mandatory
The consent form describes that the participant can withdraw
from the study at any time. During data collection, participants
are told they can skip any questions they do not want to
answer.
Describe the process to notify and obtain consent
from the individuals whose PII is in the system when
major changes occur to the system (e.g., disclosure
We do not anticipate major changes occurring to the system
28 and/or data uses have changed since the notice at
the time of original collection). Alternatively, describe that would require participant notification.
why they cannot be notified or have their consent
obtained.
Describe the process in place to resolve an
individual's concerns when they believe their PII has
29 been inappropriately obtained, used, or disclosed, or
that the PII is inaccurate. If no process exists, explain
why not.
The consent form describes privacy procedures to protect the
identity of the study participant. The consent form also
provides the participant the contact information for the
Human Subjects Review Board (IRB) so the participant can call
if they have questions or concerns about their right as a study
participant.
Describe the process in place for periodic reviews of
PII contained in the system to ensure the data's
30
integrity, availability, accuracy and relevancy. If no
processes are in place, explain why not.
Within the project database, there is a tracking feature. The
tracking feature is an additional protection in the REDCap
database to help track the security and quality of data. This
feature allows University of Chicago Medicine to review who
has modified, uploaded, created, and viewed records, and to
quickly identify who needs to be contacted regarding potential
data errors or potential breaches in privacy.
Users
Administrators
31
Identify who will have access to the PII in the system
and the reason why they require access.
The administrator is the awardee the
University of Chicago Medicine. They
Developers
Contractors
Howard Brown Health and Chicago
House project staff, partners of the
Others
Page 5 of 8
�Save
Within University of Chicago Medicine, only the Project
Manager, Data Manager, and PI will have access to the full data
set. Chicago House and Howard Brown Health project staff will
be placed into a data access group, only allowing them to see
Describe the procedures in place to determine which the data for the participants they recruited. The University of
Chicago Medicine will be able to review who has modified,
32 system users (administrators, developers,
uploaded, created, and viewed records, and quickly identify
contractors, etc.) may access PII.
who needs to be contacted regarding potential data errors or
potential breaches in privacy. The University of Chicago
Medicine will create collaborator accounts for relevant CDC
staff members and will build the necessary reports for data
downloads every 6 months.
Describe the methods in place to allow those with
33 access to PII to only access the minimum amount of
information necessary to perform their job.
Only the University of Chicago Medicine Project Manager, Data
Manager, and PI will have access to the full data set. Access to
the full data set is necessary for these three staff to ensure data
quality and consistent management.
Identify training and awareness provided to
personnel (system owners, managers, operators,
contractors and/or program managers) using the
34
system to make them aware of their responsibilities
for protecting the information being collected and
maintained.
Staff engaging in human research are required to complete
research ethics training. Training includes: informed consent,
data safety and monitoring, and concerns associated with
conducting research with vulnerable populations. All staff are
trained in proper HIPAA procedures at the time of hire. The
University of Chicago Medicine research team and partner
agency data managers have completed human subjects
protections training and are HIPAA certified.
Describe training system users receive (above and
35 beyond general security and privacy awareness
training).
All University of Chicago Medicine study coordinators will
complete full day training on research methods, study
procedures, and data collection. After completion of the
training, a University of Chicago Medicine research team
member will create training protocol for the partner agencies
to ensure all related personnel are trained and understand the
purpose of the study and proper research protocol. Individuals
providing the intervention will complete the required Certified
Application Counselor (CAC) training and will observe two
sessions prior to delivering the intervention. Their first session
will be observed by their study coordinator.
Do contracts include Federal Acquisition Regulation
36 and other appropriate clauses ensuring adherence to
privacy provisions and practices?
Describe the process and guidelines in place with
37 regard to the retention and destruction of PII. Cite
specific records retention schedules.
Yes
No
Records are retained and disposed of in accordance with the
CDC Records Control Schedule 04-4-22 Family of HIV Surveys,
Division of HIV/AIDS Prevention/Surveillance and
Epidemiology.
Page 6 of 8
�Save
Describe, briefly but with specificity, how the PII will
38 be secured in the system using administrative,
technical, and physical controls.
All data, including the participant profile, will be stored within
the same database utilizing a randomly generated unique
record ID. Study data will not be stored on the hard drive of
any partner agency computer or tablet. Computers used to
access the REDCap database and study data are encrypted and
password-protected. Each individual who has access to the
database will have a unique username and password to log-in,
enter data and access previously entered data. Hand held
tablets used to collect participant data in the field will be
stored in a locked cabinet, in a locked office at the University of
Chicago Medicine. During data collection, tablets will be
maintained by partner agency study staff. When participants
are directly entering data on the tablets, it will be done under
the supervision of the partner agency staff.
REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to be filled out unless the user is an OPDIV
Senior Officer for Privacy.
Reviewer Questions
1
Are the questions on the PIA answered correctly, accurately, and completely?
Answer
Yes
No
Reviewer
Notes
2
Does the PIA appropriately communicate the purpose of PII in the system and is the purpose
justified by appropriate legal authorities?
Yes
Do system owners demonstrate appropriate understanding of the impact of the PII in the
system and provide sufficient oversight to employees and contractors?
Yes
No
Reviewer
Notes
3
No
Reviewer
Notes
4
Does the PIA appropriately describe the PII quality and integrity of the data?
Yes
No
Reviewer
Notes
5
Is this a candidate for PII minimization?
Yes
No
Reviewer
Notes
6
Does the PIA accurately identify data retention procedures and records retention schedules?
Yes
No
Reviewer
Notes
7
Are the individuals whose PII is in the system provided appropriate participation?
Yes
No
Reviewer
Notes
Page 7 of 8
�Save
Reviewer Questions
8
Answer
Does the PIA raise any concerns about the security of the PII?
Yes
No
Reviewer
Notes
9
Is applicability of the Privacy Act captured correctly and is a SORN published or does it need
to be?
Yes
No
Reviewer
Notes
10
Is the PII appropriately limited for use internally and with third parties?
Yes
No
Reviewer
Notes
11
Does the PIA demonstrate compliance with all Web privacy requirements?
Yes
No
Reviewer
Notes
12
Were any changes made to the system because of the completion of this PIA?
Yes
No
Reviewer
Notes
General Comments
OPDIV Senior Official
for Privacy Signature
Beverly E.
Walker -S
Digitally signed by
Beverly E. Walker -S
Date: 2018.05.01
08:09:25 -04'00'
HHS Senior
Agency Official
for Privacy
Page 8 of 8
�
| File Type | application/pdf |
| File Modified | 2018-05-01 |
| File Created | 2013-03-29 |