Pia

Save

Privacy Impact Assessment Form
v 1.47.4
Status Draft

Form Number

F-10454

Form Date

Question

Answer

1

OPDIV:

CDC

2

PIA Unique Identifier:

P-6157643-742311

2a Name:

10/15/2018 2:08:13 PM

Long term sequela of Rocky Mountain spotted fever (RMSFLTS)
General Support System (GSS)
Major Application

3

Minor Application (stand-alone)

The subject of this PIA is which of the following?

Minor Application (child)
Electronic Information Collection
Unknown

3a

Identify the Enterprise Performance Lifecycle Phase
of the system.

Development
Yes

3b Is this a FISMA-Reportable system?

4

Does the system include a Website or online
application available to and for the use of the general
public?

5

Identify the operator.

6

Point of Contact (POC):

7

Is this a new or existing system?

8

Does the system have Security Authorization (SA)?

8b Planned Date of Security Authorization

No
Yes
No
Agency
Contractor
POC Title

Medical Epidemiologist

POC Name

Paige Armstrong

POC Organization NCEZID/RZB
POC Email

[email protected]

POC Phone

404.639.8450
New
Existing
Yes
No
November 9, 2018
Not Applicable

Page 1 of 6

Save

11 Describe the purpose of the system.

Rocky Mountain Spotted Fever is a life-threatening and rapidly
progressive tick-borne disease. Infection begins with nonspecific symptoms like fever, headache, and muscle pain, but
unmitigated damage to the vascular endothelium quickly
results in organ failure, necrosis, and ultimately death. The
purpose of this study is to help identify long term disability
related to RMSF illness. The information obtained from this
study will help inform providers as they treat and manage
patients with RMSF. It will also help inform time to recovery
and expected disability outcomes. This system, RMSF-LTS, will
serve as a repository for data obtained from this study.
Patients will be asked a series of screening questions to
determine if they have had any ongoing or residual effects
from their acute illness with RMSF. If they report any ongoing
symptoms or deficits they will be asked to participate in a full
neurological assessment. Results of the assessment will be
collected and stored.

Describe the type of information the system will
collect, maintain (store), or share. (Subsequent
12
questions will identify if this information is PII and ask
about the specific data elements.)

The medical chart abstraction portion of the study will collect
information on name, age at illness, date of birth, address,
phone number, sex, symptoms, date of illness onset,
diagnostic and treatment information. For hospitalized
patients, additional information on procedures performed and
course will be obtained.
The PII collected will be kept in Paper form only and will not be
entered into this electronic system. User access is validated by
CDC Active Directory and no user credentials are collected by
this system. AD is a separate system with its own PIA.

Provide an overview of the system and describe the
13 information it will collect, maintain (store), or share,
either permanently or temporarily.

Long term sequela of Rocky Mountain spotted fever (RMSFLTS) will collect the following data on paper forms:
Neurological assessment results, name, age at illness, date of
birth, address, phone number, sex, symptoms, date of illness
onset, diagnostic and treatment information. For hospitalized
patients, additional information on procedures performed and
course will be obtained. PII collected will be retained in paper
form only and will not be entered into this electronic system;
however, the CDC Rickettsial Zoonoses Branch (RZB) staff will
enter the non-PII data into this system.
Data will be analyzed by RZB epidemiologists and they will act
as the owners and stewards of the data. The data collected for
this study will be used to help identify long term disability
related to RMSF illness. The information obtained from this
study will help inform providers as they treat and manage
patients with RMSF.
User access to the system is validated by CDC Active Directory
and no user credentials are collected by this system. AD is a
separate system with its own PIA.

14 Does the system collect, maintain, use or share PII?

Yes
No

Page 2 of 6

Save

15

Indicate the type of PII that the system will collect or
maintain.

Social Security Number

Date of Birth

Name

Photographic Identifiers

Driver's License Number

Biometric Identifiers

Mother's Maiden Name

Vehicle Identifiers

E-Mail Address

Mailing Address

Phone Numbers

Medical Records Number

Medical Notes

Financial Account Info

Certificates

Legal Documents

Education Records

Device Identifiers

Military Status

Employment Status

Foreign Activities

Passport Number

Taxpayer ID
sex
age

Employees
Public Citizens
16

Business Partners/Contacts (Federal, state, local agencies)

Indicate the categories of individuals about whom PII
is collected, maintained or shared.

Vendors/Suppliers/Contractors
Patients
Other

17 How many individuals' PII is in the system?

18 For what primary purpose is the PII used?

19

Describe the secondary uses for which the PII will be
used (e.g. testing, training or research)

100-499
In order to contact individuals to interview them for inclusion
in the neurologic exam portion of the study, we require
contact information.
NA

20 Describe the function of the SSN.

NA

20a Cite the legal authority to use the SSN.

NA

Public Health Service Act, section 301, "Research and
Identify legal authorities governing information use Investigation," (42 U.S.C. 241); sections 304, 306 and 308(d)
21
which discuss authority to grant assurances of confidentiality
and disclosure specific to the system and program.
for health research and related activities (42 U.S.C. 242 b, k, and
m(d)).
22

Are records on the system retrieved by one or more
PII data elements?

Yes
No

Page 3 of 6

Save
Directly from an individual about whom the
information pertains
In-Person
Hard Copy: Mail/Fax
Email
Online
Other
Government Sources
23

Within the OPDIV
Other HHS OPDIV
State/Local/Tribal
Foreign
Other Federal Entities
Other

Identify the sources of PII in the system.

Non-Government Sources
Members of the Public
Commercial Data Broker
Public Media/Internet
Private Sector
Other
23a

Identify the OMB information collection approval
number and expiration date.

24 Is the PII shared with other organizations?

Describe the process in place to notify individuals
25 that their personal information will be collected. If
no prior notice is given, explain the reason.

26

Is the submission of PII by individuals voluntary or
mandatory?

0920-1011 Exp. 01/31/2020
Yes
No
State surveillance data is first screened for individuals who
tested positive for RMSF during the study period to determine
eligibility. Eligible individuals are then contacted by phone or
in-person and are provided with an IRB-approved informed
consent form. Parents of children under the age of 8 years will
be asked to respond to the questionnaire on behalf of their
child. .
Voluntary
Mandatory

Describe the method for individuals to opt-out of the
Individuals may choose not to answer questions or provide
collection or use of their PII. If there is no option to
27
their Personally Identifiable Information (PII) at any time during
object to the information collection, provide a
the questionnaire process.
reason.
Describe the process to notify and obtain consent
from the individuals whose PII is in the system when
major changes occur to the system (e.g., disclosure
28 and/or data uses have changed since the notice at
the time of original collection). Alternatively, describe
why they cannot be notified or have their consent
obtained.
Describe the process in place to resolve an
individual's concerns when they believe their PII has
29 been inappropriately obtained, used, or disclosed, or
that the PII is inaccurate. If no process exists, explain
why not.

There is no process in place because this is a one time data
collection and consent was obtained at the beginning of the
data collection. It is not anticipated that there will be major
changes made to the system; therefore there would be no
reason to obtain consent a second time.

The consent form has the contact information of the principal
investigator. Any concerns can be reported to that individual.

Page 4 of 6

Save
Describe the process in place for periodic reviews of
PII contained in the system to ensure the data's
30
integrity, availability, accuracy and relevancy. If no
processes are in place, explain why not.

PII is held in paper form only. It is manually inventoried
annually by principal investigators for integrity, availability,
accuracy, relevancy by comparing the PII collection and
destruction records and associated questionnaires to ensure all
originally collected PII information is accounted for.
Users

Identify who will have access to the PII in the system
31
and the reason why they require access.

Users, who are Principal Investigators,
and will conduct interviews and collect
data.

Administrators
Developers
Contractors
Others

The RZB program selects the individuals who will be the
principal investigators for this study. Their selection is based
on their training and knowledge of the subject matter. The PII
Describe the procedures in place to determine which is collected during the course of the completion of
questionnaires for eligible individuals. The principal
32 system users (administrators, developers,
investigators are the only users with access to the PII which is
contractors, etc.) may access PII.
only held in paper form and not entered into the electronic
system. Administrators, developers, and contractors will not
have access to the PII because it is not part of the electronic
system.
Describe the methods in place to allow those with
33 access to PII to only access the minimum amount of
information necessary to perform their job.

Least privilege, Role Based Access methods are used to allow
those with access to PII to only access the minimum amount of
information necessary to perform their job. The system
administrator is responsible for setting up the user access to
the system based on the CDC user id and the permissions
assigned to it.

Identify training and awareness provided to
personnel (system owners, managers, operators,
contractors and/or program managers) using the
34
system to make them aware of their responsibilities
for protecting the information being collected and
maintained.

Users are required to complete CDC’s Annual Security and
Privacy Awareness Training to make them aware of their
responsibilities for protecting the information being collected
and maintained.

Describe training system users receive (above and
35 beyond general security and privacy awareness
training).

Users with significant security and privacy responsibilities are
provided additional role-based training.

Do contracts include Federal Acquisition Regulation
36 and other appropriate clauses ensuring adherence to
privacy provisions and practices?
Describe the process and guidelines in place with
37 regard to the retention and destruction of PII. Cite
specific records retention schedules.

Yes
No
Data is held for 10 years in accordance with the CDC General
Records Schedule (GRS) 20.6, maintain for 10 years after system
retirement.

Page 5 of 6

Save
PII is held in paper form only and locked in a cabinet, in a
locked room, in a locked building, and protected by armed
security guards.
Describe, briefly but with specificity, how the PII will
38 be secured in the system using administrative,
technical, and physical controls.

Additionally, all personnel are required to undergo Privacy
Awareness Training at least annually.

General Comments

OPDIV Senior Official
for Privacy Signature

Beverly E.
Walker -S

Digitally signed by
Beverly E. Walker -S
Date: 2018.11.21 14:58:12
-05'00'

Page 6 of 6