Privacy Impact Assessment (Signed PIA)

Public Health Laboratory Testing for Emerging Antibiotic Resistance and Fungal Threats

OMB: 0920-1310

Privacy Impact Assessment Form
v 1.47.4
Status: Draft
Form Number: F-21315
Form Date: 9/5/2018 1:24:27 PM

Question / Answer
(Option lists are reproduced as printed on the form; which option was selected is not preserved in this text.)

1   OPDIV:
    CDC

2   PIA Unique Identifier:
    P-9039673-368482

2a  Name:
    ID Enterprise LIMS - Interoperability HL7 Messaging (ID ELIMS HL7)

3   The subject of this PIA is which of the following?
    General Support System (GSS)
    Major Application
    Minor Application (stand-alone)
    Minor Application (child)
    Electronic Information Collection
    Unknown

3a  Identify the Enterprise Performance Lifecycle Phase of the system.
    Implementation

3b  Is this a FISMA-Reportable system?
    Yes / No

4   Does the system include a Website or online application available to and for the use of the general public?
    Yes / No

5   Identify the operator.
    Agency / Contractor

6   Point of Contact (POC):
    POC Title: Business Steward
    POC Name: Wendi Kuhnert-Tallman
    POC Organization: CDC/OID/OD
    POC Email: [email protected]
    POC Phone: 404-639-3103

7   Is this a new or existing system?
    New / Existing

8   Does the system have Security Authorization (SA)?
    Yes / No

8b  Planned Date of Security Authorization
    December 5, 2018 / Not Applicable
Page 1 of 8


11  Describe the purpose of the system.
    ID Enterprise LIMS - Interoperability HL7 Messaging (ID ELIMS HL7) is the unified laboratory information management platform used by the infectious diseases laboratories for specimen management and testing. ID ELIMS HL7 provides an infectious disease enterprise system for specimen tracking and data management that can electronically interoperate with the enterprise Laboratory Information Management Systems (LIMS) of CDC, State and local partners. Its implementation improves patient care as well as public health surveillance and response.

12  Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements.)
    ID ELIMS HL7 collects the following data from another system, ID ELIMS (ESC# 1188), which has its own PIA: Patient Demographics (Name, DOB, Address, Medical Record Numbers, Patient Ids, Age, Illness Onset Date and Gender), Ordering Provider and Organization (Provider name, Address, National Provider Identifiers, and Organization Identifiers), Lab Performing the tests, Test Ordered by requesters, Test Performed, Results reported in ID ELIMS, Specimen details, Lab Result Medical Notes, and information obtained from any ask at order entry (AAOE) questions.
    Internal staff connect to the system via PIV and Active Directory (AD). AD is a separate system with its own PIA form.

13  Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.
    The ID ELIMS HL7 system is used to provide lab test result data to State Public Health submitters. State Health partners accurately match the submitted samples with the testing results performed by CDC for patient care or a public health response. The testing results contain PII data elements that are retrieved from the system ID ELIMS (ESC# 1188).
    The PII data elements included: Patient Demographics (Name, DOB, Address, Medical Record Numbers, Patient Ids, Age, Illness Onset Date and Gender), Ordering Provider and Organization (Provider name, Address, National Provider Identifiers, and Organization Identifiers), Diagnostic Lab, Test ordered, Test Performed, the results in ID ELIMS, Specimen details, lab results medical notes, and ask at order entry (AAOE) information.
    The data above is provided to the state agencies to match the information submitted with samples as testing results are returned. This is used to properly identify the samples at the State Public Health Partner agencies.
    Internal staff connect to the system using PIV credentials with authentication via Active Directory (AD). AD is a separate access system with its own PIA.

14  Does the system collect, maintain, use or share PII?
    Yes / No


15  Indicate the type of PII that the system will collect or maintain.
    Social Security Number
    Date of Birth
    Name
    Photographic Identifiers
    Driver's License Number
    Biometric Identifiers
    Mother's Maiden Name
    Vehicle Identifiers
    E-Mail Address
    Mailing Address
    Phone Numbers
    Medical Records Number
    Medical Notes
    Financial Account Info
    Certificates
    Legal Documents
    Education Records
    Device Identifiers
    Military Status
    Employment Status
    Foreign Activities
    Passport Number
    Taxpayer ID
    Gender
    Age

16  Indicate the categories of individuals about whom PII is collected, maintained or shared.
    Employees
    Public Citizens
    Business Partners/Contacts (Federal, state, local agencies)
    Vendors/Suppliers/Contractors
    Patients
    Other

17  How many individuals' PII is in the system?
    100,000-999,999

18  For what primary purpose is the PII used?
    The primary use of PII data in ELIMS is so that State Public Health submitters can accurately match the submitted sample with the testing results performed by CDC for patient care or a public health response.

19  Describe the secondary uses for which the PII will be used (e.g. testing, training or research)
    The secondary uses of the PII include other communications, such as telephone, where CDC and the submitting Public Health Agency need to use PII to convey additional information about a laboratory testing method for a specific patient or specimen, or about the interpretation of the results of a test.

20  Describe the function of the SSN.
    N/A

20a Cite the legal authority to use the SSN.
    N/A

21  Identify legal authorities governing information use and disclosure specific to the system and program.
    Public Health Service Act, Section 301, "Research and Investigation," (42 U.S.C. 241); and Sections 304, 306 and 308(d), which discuss authority to grant assurances of confidentiality for health research and related activities (42 U.S.C. 242 b, k, and m(d)).

22  Are records on the system retrieved by one or more PII data elements?
    Yes / No

22a Identify the number and title of the Privacy Act System of Records Notice (SORN) that is being used to cover the system or identify if a SORN is being developed.
    09-20-0106 Specimen Handling for Testing and Related Data
    Published / In Progress

23  Identify the sources of PII in the system.
    Directly from an individual about whom the information pertains:
        In-Person
        Hard Copy: Mail/Fax
        Email
        Online
        Other
    Government Sources:
        Within the OPDIV
        Other HHS OPDIV
        State/Local/Tribal
        Foreign
        Other Federal Entities
        Other
    Non-Government Sources:
        Members of the Public
        Commercial Data Broker
        Public Media/Internet
        Private Sector
        Other

23a Identify the OMB information collection approval number and expiration date.
    The OMB package is in development. In 2011 the OMB package was determined to be exempt; we are currently reevaluating this.

24  Is the PII shared with other organizations?
    Yes / No

24a Identify with whom the PII is shared or disclosed and for what purpose.
    Within HHS:
    Other Federal Agency/Agencies: PII data is shared with the other Federal Agency submitters for the purpose of reporting or communicating the laboratory testing results for a specific patient and/or specimen.
    State or Local Agency/Agencies: PII data is shared with the State or Local Public Health Agency submitter for the purpose of reporting or communicating the laboratory testing results for a specific patient and/or specimen.
    Private Sector:

24b Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).
    N/A

24c Describe the procedures for accounting for disclosures
    Data reporting disclosures are tracked by the audit/traceability functionality provided by the ELIMS system. All other disclosures, such as FOIA and legal requests, are tracked via a spreadsheet and must be approved in writing by the specimen owner, laboratory Team Lead, and the ELIMS Science Advisor.

25  Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.
    There is no process for CDC to notify individuals that their personal information will be collected, because CDC does not directly collect the data but receives it from a third party (State Public Health Labs, other Federal Agencies, International Institutions, and the Peace Corps). The notification process for individuals is the responsibility of the specimen submitters.

26  Is the submission of PII by individuals voluntary or mandatory?
    Voluntary / Mandatory

27  Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.
    CDC does not have an opt-out process because it does not directly collect the data but receives it from a third party. Any opt-out methods would be implemented by said third party (State Public Health Labs, other Federal Agencies, International Institutions, and the Peace Corps).

28  Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.
    PII data are collected by State Public Health laboratories that submit them to CDC in support of Public Health laboratory testing, outbreaks, surveillance, and investigation activities. In the event of a major system change that significantly alters the disclosure and/or use of PII maintained in the system, CDC will notify the State Public Health Partners (State Public Health Labs, other Federal Agencies, International Institutions, and the Peace Corps) of the change so they can take appropriate action to notify and obtain consent from the affected individuals.

29  Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.
    If there is a PII incident where an individual believes their data has been compromised or is inaccurate, they would contact the CDC official specified in the SORN. The CDC Official will work with the CDC testing laboratory to investigate and resolve the data security issue or discrepancy. CDC would facilitate the resolution based on the individual's request and report back to the individual following a successful resolution with the Public Health Agency submitter.
    In the case of a discrepancy, the submitter must provide identification and be able to reasonably identify the record and specify the information being contested, the reasons for requesting the correction, and the corrective action sought, along with supporting information to show how the record is inaccurate, incomplete, untimely, or irrelevant.

30  Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.
    No ELIMS-level process is in place for periodic reviews of PII for data integrity, availability, accuracy and relevancy. ELIMS provides laboratory units access to review all data, including PII. As the data owners, the laboratories can conduct their own reviews as needed or as consistent with their existing policies. ELIMS does not have the authority to mandate a review.

31  Identify who will have access to the PII in the system and the reason why they require access.
    Users: Specimen data entry, analytical results entry, reporting
    Administrators: Administrators have access to PII data in ELIMS for troubleshooting, database and system management.
    Developers:
    Contractors: Direct contractors are used on this project for maintenance and user support and may incidentally view PII data to help troubleshoot user's
    Others:

32  Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.
    Accessing ID ELIMS HL7 data is provided via Role based access with approval from the Business Steward (BS). Accessing PII data is limited to the technical support staff who may

33  Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.
    ID ELIMS HL7 utilizes the Least Privilege Model for granting access to system data. CDC administrators create unique profiles for each user, assign users to groups, and determine the controls and background clearance levels associated with each user and group (e.g. User 1 associated with Lab A can only access specimen data and its PII that is associated with Lab A; User 1 will not see data associated with Lab B). Specific data permissions include access rights to edit/add/delete. A user's role or group controls access to specific ELIMS modules and functionality.

34  Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.
    All IDELIMS users receive Security and Privacy Awareness Training at least annually.

35  Describe training system users receive (above and beyond general security and privacy awareness training).
    All IDELIMS users receive Role-Based Training.

36  Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?
    Yes / No

37  Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.
    Final reports and substantive reporting materials are maintained permanently (CDC RCS, B-321, 2&4). Routine reports are maintained for five years (GRS 20.6). Other input/output records are disposed of when no longer needed (GRS 20.2a.4, 20.2d, and 20.6). Disposal methods include erasing computer tapes, burning or shredding paper materials, or transferring records to the Federal Records Center when no longer needed for evaluation and analysis.

38  Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.
    Physical Safeguards: Access to the CDC Clifton Road facility where the mainframe computer is located is controlled by a cardkey system. Access to the computer room is controlled by a cardkey and security code (numeric keypad) system. Access to the data entry area is also controlled by a cardkey system. The hard copy records are kept in locked cabinets in locked rooms. The computer room is protected by an automatic sprinkler system, automatic sensors (e.g., water, heat, smoke, etc.) are installed, and portable fire extinguishers are located throughout the computer room. The system is backed up on a nightly basis, with copies of the files stored off site in a secure fireproof safe. The 24-hour guard service in the buildings provides personnel screening of visitors. Electronic anti-intrusion devices are in effect at the Federal Records Center.
    Administrative Safeguards: Protection for computerized records includes programmed verification of a valid user identification code and password prior to logging on to the system, mandatory password changes, limited log-ins, virus protection, and user rights/file attribute restrictions. Password protection imposes user name and password log-in requirements to prevent unauthorized access. Each user name is assigned limited access rights to files and directories at varying levels to control file sharing. There are routine daily backup procedures, and secure off-site storage is available for backup tapes. To avoid inadvertent data disclosure, "degaussing" is performed to ensure that all data are removed from Privacy Act computer tapes and/or other magnetic media. Additional safeguards may be built into the program by the system analyst as warranted by the sensitivity of the data.
    Technical Safeguards: The ID ELIMS HL7 system is behind firewalls and an intrusion detection system to protect the data at rest. Encryption is in place to protect the data in transit as well as at rest.


General Comments

OPDIV Senior Official for Privacy Signature: Beverly E. Walker -S
Digitally signed by Beverly E. Walker -S
Date: 2018.10.17 19:53:54 -04'00'

File Type: application/pdf
File Modified: 2018-10-17
File Created: 2016-03-30