Pia

Save

Privacy Impact Assessment Form
v 1.21
Status

Form Number

Form Date

Question

Answer

1

OPDIV:

CDC

2

PIA Unique Identifier:

TBD

2a Name:

01/09/20

Asthma Information Reporting System (AIRS)
General Support System (GSS)
Major Application

3

Minor Application (stand-alone)

The subject of this PIA is which of the following?

Minor Application (child)
Electronic Information Collection
Unknown

3a

Identify the Enterprise Performance Lifecycle Phase
of the system.

Planning
Yes

3b Is this a FISMA-Reportable system?

4

Does the system include a Website or online
application available to and for the use of the general
public?

5

Identify the operator.

6

Point of Contact (POC):

7

Is this a new or existing system?

8

Does the system have Security Authorization (SA)?

No
Yes
No
Agency
Contractor
POC Title

Public Health Advisor

POC Name

Alisha Etheredge

POC Organization Asthma and Community Health B
POC Email

[email protected]

POC Phone

770-488-7884
New
Existing
Yes
No

8b Planned Date of Security Authorization
Not Applicable

Page 1 of 5

Save
8c

Briefly explain why security authorization is not
required

The study will use multiple CDC authorized systems to collect,
store, and analyze data.

10

Describe in further detail any changes to the system
that have occurred since the last PIA.

N/A

11 Describe the purpose of the system.

The National Center for Environmental Health’s (NCEH)
National Asthma Control Program (NACP) supports state, local
and territorial health departments to better understand the
impact of asthma and to encourage a comprehensive public
health approach to asthma control. The purpose of this
information collection is to monitor recipient programs’
planning and delivery of public health activities and level of
collaboration with health care systems under a new
cooperative agreement.
The system will collect and maintain the following types of
information:
Recipient Program Contact Information (program name,
address, phone number)
*phone number is for the program and not an individual.
Patient Demographics (age range)
Location of Treatment (facility name, facility type, county, state,
zip)
Performance Measures (asthma control status, interventions)
Hospitalizations (number of visits per age range)
Emergency Department Visits (number of visits per age range)
Recipient Program Surveys (compliance, evaluations, outcome
linkage, quality improvement processes)

Describe the type of information the system will
collect, maintain (store), or share. (Subsequent
12
questions will identify if this information is PII and ask Aggregate, de-identified performance measures data will be
about the specific data elements.)
shared with the public (posted on CDC webpage) and
presented at the American Evaluation Association conference.
Data regarding the hospitalizations and emergency rooms
visits is publicly available data that has been previously
collected by the recipient, not at the request of CDC. This deidentified data is shared with the public on the CDC website.

Authentication will be handled by NCEZID's RedCap system via
CDC's Secure Access Management System (SAMS). CDC's
Active Directory (AD) will also be used for internal
authentication. Both SAMS and AD are separate systems with
their own PIAs.

Page 2 of 5

Save
The system will collect and maintain the following types of
information:
Recipient Program Contact Information (program name,
address, phone number)
*phone number is for the program and not an individual.
Patient Demographics (age range)
Location of Treatment (facility name, facility type, county, state,
zip)
Performance Measures (asthma control status, interventions)
Hospitalizations (number of visits per age range)
Emergency Department Visits (number of visits per age range)
Recipient Program Surveys (compliance, evaluations, outcome
linkage, quality improvement processes)

Provide an overview of the system and describe the
13 information it will collect, maintain (store), or share,
either permanently or temporarily.

The data collected from funded recipients will be used to
monitor state and national progress toward achieving the
outcomes identified in the National Asthma Control Program’s
logic model; facilitate aggregate reporting of outcomes to
state and national stakeholders; and identify and respond to
technical assistance needs from recipients. Recipient program
information is needed to contact the recipient programs and to
link data to health outcomes and program recipient surveys.
All other data collected from the funded recipients is used to
evaluate the effectiveness of the funded programs. This data
can be divided into program specific data and health
outcomes. Program specific data is about the program and its
activities, and is collected from the program itself.
Health outcome data is about members of the general public
with asthma who were provided care in the geographic
location served by the recipients. This data is already collected
by the recipient programs for other purposes and is provided
to CDC de-identified.
Aggregate, de-identified performance measures data will be
shared with the public (posted on CDC webpage) and
presented at the American Evaluation Association conference.
Data regarding the hospitalizations and emergency rooms
visits is publicly available data that has been previously
collected by the recipient, not at the request of CDC. This deidentified data is shared with the public on the CDC website.
Authentication will be handled by NCEZID's RedCap system via
CDC's Secure Access Management System (SAMS). CDC's
Active Directory (AD) will also be used for internal
authentication. Both SAMS and AD are separate systems with
their own PIAs.

14 Does the system collect, maintain, use or share PII?

Yes
No

REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to be filled out unless the user is an OPDIV
Senior Officer for Privacy.

Page 3 of 5

Save
Reviewer Questions
1

Are the questions on the PIA answered correctly, accurately, and completely?

Answer
Yes
No

Reviewer
Notes
2

Does the PIA appropriately communicate the purpose of PII in the system and is the purpose
justified by appropriate legal authorities?

Yes

Do system owners demonstrate appropriate understanding of the impact of the PII in the
system and provide sufficient oversight to employees and contractors?

Yes

No

Reviewer
Notes
3

No

Reviewer
Notes
4

Does the PIA appropriately describe the PII quality and integrity of the data?

Yes
No

Reviewer
Notes
5

Is this a candidate for PII minimization?

Yes
No

Reviewer
Notes
6

Does the PIA accurately identify data retention procedures and records retention schedules?

Yes
No

Reviewer
Notes
7

Are the individuals whose PII is in the system provided appropriate participation?

Yes
No

Reviewer
Notes
8

Does the PIA raise any concerns about the security of the PII?

Yes
No

Reviewer
Notes
9

Is applicability of the Privacy Act captured correctly and is a SORN published or does it need
to be?

Yes
No

Reviewer
Notes
10

Is the PII appropriately limited for use internally and with third parties?

Yes
No

Reviewer
Notes
11

Does the PIA demonstrate compliance with all Web privacy requirements?

Yes
No

Page 4 of 5

Save
Reviewer Questions

Answer

Reviewer
Notes
12

Were any changes made to the system because of the completion of this PIA?

Yes
No

Reviewer
Notes

General Comments

OPDIV Senior Official
for Privacy Signature

Beverly E.
Walker -S

Digitally signed by
Beverly E. Walker -S
Date: 2020.02.04
13:51:27 -05'00'

HHS Senior
Agency Official
for Privacy

Page 5 of 5