Privacy Act System Notice 09-20-0165
This page contains several links to PDF files which may require a browser plug-in to view correctly. If you do not have the most recent version of Adobe Acrobat Reader, or are having difficulty viewing the PDF, download the plug-in here.
System name: Health Facilities’ Inventories and Surveys. HHS/CDC/NCHS.
System location: National Center for Health Statistics, Coordinating Center for Health Information and Service (CCHIS), Prince George’s Metro IV Bldg., Room 7209, Centers for Disease Control and Prevention, 3311 Toledo Road, Hyattsville, MD 20782.
Categories of individuals covered by the system: Individuals trained in specific health occupations, such as dentists, nurses, pharmacists, optometrists, dental hygienists, and other providers of health care services.
Categories of records in the system: Records containing information on education attainment, place of education, activity status, place and setting of employment or practice, place of residence, date of birth, sex, and marital status.
Purpose(s): The data are used for statistical purposes only. Uses within the Department include the preparation of aggregated data in the form of statistical tables for publication, analysis, and interpretation to meet legislative mandates of the Public Health Service Act, Section 306 (42 U.S.C. 242k), such as an annual report on health resources, including a description and analysis of the statistics included under Section 306(b)(1)(G). In addition, probability samples of individuals are selected by NCHS for statistical research purposes. Tables, computer tapes, and statistical samples of individuals are provided for statistical purposes only to the Bureau of Health Professions, Health Resources and Services Administration, for its use in determining health facility scarcity areas, for loan forgiveness, and developing and evaluating educational and training programs for health facilities.
Routine uses of records maintained in the system, including categories of users and the purposes of such uses: The data are made available to health systems agencies including the State agency designated under the Public Health Service Act (42 U.S.C. 300 1 and m) for statistical purposes only for developing and evaluating health plans.
The Department occasionally contracts with a private firm for the purpose of collecting, analyzing, aggregating or otherwise refining records in the system. Relevant records are disclosed to such a contractor. The contractor is required to maintain Privacy Act safeguards and to strictly follow Section 308(d) of the Public Health Service Act with respect to such records.
NCHS may disclose selected identifiable information to authorized recipients such as the Social Security Administration for statistical analysis purposes only, consistent with the requirements of Section 308(d) of the Public Health Service Act and the Privacy Act.
Retrievability: Name and address, date of the inventory or survey, and other identifiers permit the retrieval of a computer record of the individual's information contained on computer tape. Original records of information are reviewed by the contractor and/or National Center for Health Statistics (NCHS) staff for accuracy and edited, and data with personal identifiers (such as name and address) are transferred to computer tape. The records are then matched by personal identifiers to produce an unduplicated file of individuals in a health occupation.
Safeguards: Measures to prevent unauthorized disclosures are implemented as appropriate for the particular records maintained. NCHS and its contractors implement personnel, physical, and procedural safeguards as follows:
- Authorized Users: Persons authorized and needing to use the records, including Project Directors, contract officers, interviewers, analysts, statisticians, statistical clerks, and data entry personnel on the staffs of the Center and the contractors.
- Physical Safeguards: The manual portions of the records are stored in locked files or offices when not in use. Building security in Hyattsville, MD includes the use of identification badges by employees and a card key system used to enter NCHS occupied space. In the Research Triangle Park, North Carolina facility access is controlled by a security guard, a card key system, and the use of identification badges by employees.
- Procedural Safeguards: All employees of NCHS and contractor personnel with access to NCHS records are required, as a condition of employment, to sign an affidavit binding them to nondisclosure of individually identifiable information and to view an NCHS video tape addressing confidentiality and systems security. Periodic correspondence is sent to staff to reinforce confidentiality regulations, guidelines, and procedures.
Protection for computerized records both on the mainframe and the National Center Local Area Network (LAN) includes programmed verification of valid user identification code and password prior to logging on to the system, mandatory password changes, limited log-ins, virus protection, and user rights/file attribute restrictions. Password protection imposes user name and password log-in requirements to prevent unauthorized access. Each user name is assigned limited access rights to files and directories at varying levels to control file sharing. There are routine daily backup procedures and secure off-site storage is available for backup tapes. Additional safeguards may be built into the program by the system analyst as warranted by the sensitivity of the data.
Contractors who maintain records in the system are instructed to make no further disclosure of the records. Privacy Act and Section 308(d) of the Public Health Service Act requirements are specifically included in contracts for survey and research activities related to this system. The HHS Project Directors, contract officers, and project officers oversee compliance with these requirements.
- Implementation Guidelines: The safeguards outlined above are in accordance with the HHS Information Security Program Policy and FIPS Pub 200, “Minimum Security Requirements for Federal Information and Information Systems,” and the NCHS Staff Manual on Confidentiality. Data maintained on CDC’s Mainframe and the National Center LAN are in compliance with OMB Circular A-130, Appendix III. Security is provided for information collection, processing, transmission, storage, and dissemination in general support systems and major applications.
Retention and disposal: Records are retained and disposed of in accordance with the CDC Records Control Schedule for NCHS records. The original records are retained in the offices of national professional associations and/or State boards of licensure, or the NCHS data processing facility until the process of conversion to computer tape and verification of information is completed and a subsequent inventory or survey is initiated. For these reasons the records may be retained for a period of up to five years before disposal.
System manager(s) and address: Director, National Center for Health Statistics, CCHIS, Prince George’s Metro IV Bldg., Rm. 7209, MS P08, Centers for Disease Control and Prevention, 3311 Toledo Road, Hyattsville, MD 20782.
Record access procedures: Access to record systems which have been granted an exemption from the Privacy Act access requirement may be made at the discretion of the system manager. Positive identification is required from anyone seeking access. Appeal of access refusal may be made to the Director, FOI/Privacy Act Divisions, Office of Public Affairs, Office of the Secretary, HHS. An individual may also request an accounting of disclosures of his or her record, if any.
Contesting record procedures: If access has been granted, contact the system manager and reasonably identify the record, specify the information being contested, and state the corrective active sought, with supporting information to show how the record is inaccurate, incomplete, untimely, or irrelevant.
Systems exempted from certain provisions of the act: With respect to this system of records, exemption has been granted from the requirements contained in subsections 552a(c)(3), (d)(1) through (4), and (e)(4)(G) and (H) in accordance with the provisions of subsection 552a(k)(4) of the Privacy Act of 1974. The reason this system has been exempted is that this system contains only records required by statute to be maintained and used solely as statistical records. The exemption was published in the Federal Register. October 8, 1975, page 47413.
- Page last updated: April 11, 2012