AHRQ Privacy Program
System of Records Notices (SORNs)
The Privacy Act of 1974 establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by Federal agencies. A description of the information to be collected in any system of records must be published in the Federal Register before the data collection begins.
For each system of records, a specified AHRQ employee, known as a system manager, is responsible for the business requirements of the data maintained in the system, for answering any questions about viewing the records, and for amending or correcting information contained therein. The AHRQ system manager, along with his or her mailing address, is listed in the Federal Register notice.
AHRQ SORNs are posted on the HHS website.
Privacy Impact Assessments (PIAs)
The E-Government Act of 2002, Section 208, establishes the requirement for agencies to conduct PIAs for electronic information systems and collections. The assessment is a method for AHRQ to evaluate the privacy of information it collects, uses, and maintains within its information systems and applications. The Department of Health and Human Services (HHS) reviews, signs, and posts all AHRQ PIAs on the HHS PIA webpage in accordance with the requirements of the E-Government Act of 2002.
Matching Notices and Agreements
The Computer Matching and Privacy Protection Act of 1988 amended the Privacy Act of 1974, 5 U.S.C. § 552a, to include provisions governing computer matching activities. In accordance with Privacy Act stipulation 5 U.S.C. § 552a(o), "no record which is contained in a system of records may be disclosed to a recipient agency or non-Federal agency for use in a computer matching program except pursuant to a written agreement between the source agency and the recipient agency or non-Federal agency." Agencies must publish a matching notice or agreement to notify individuals of the use of their information in this manner. Currently, AHRQ does not conduct matching programs.
Exemptions to the Privacy Act
The Privacy Act of 1974 generally grants individuals the right to access AHRQ records maintained about themselves, and the right to request that AHRQ amend those records if they are not accurate, relevant, timely, or complete. However, the Privacy Act also exempts AHRQ from granting a person access to information about themselves that the agency compiles for certain types of law enforcement or investigatory actions based on 10 specific types of exemptions. The Privacy Act requires AHRQ to provide citations and links to the final rules published in the Federal Register that promulgate each Privacy Act exemption claimed for their systems of records. AHRQ has published exemptions for the following systems of records, as stated in the Federal Register SORN:
- Medical Expenditure Panel Survey (MEPS) and National Medical Expenditure Survey 2 (NMES 2).
Privacy Act Implementation Rules
The Privacy Act of 1974 requires AHRQ to promulgate and follow Privacy Act implementation rules. AHRQ has established procedures for individuals to request, access, and address their information found in AHRQ SORNs, which are documented in the AHRQ SORNs published in the Federal Register. In addition, AHRQ SORNs identify and describe the National Archives and Records Administration (NARA) records retention schedules that AHRQ uses to maintain records. Individuals who have questions about these procedures, or about their information, may also contact the following AHRQ points of contact:
- AHRQ Chief Information Security Officer: Eric Colombel
- Email: eric.colombel@ahrq.hhs.gov
- Phone: 301-427-1750
- AHRQ Senior Official for Privacy: Tim Erny
- Email: tim.erny@ahrq.hhs.gov
- Phone: 301-427-1760
- AHRQ Information Security and Privacy Team
- Email: SecureAHRQ@ahrq.hhs.gov
Publicly Available AHRQ Policies on Privacy
The AHRQ Information Security and Privacy Program fosters an enterprise-wide secure and trusted environment in support of AHRQ's mission. It was established to help protect the Agency and its data against potential information technology (IT) threats and vulnerabilities, and to ensure compliance with the Federal mandates and legislation that enable AHRQ to provide mission-critical IT security and privacy services. As an Operating Division (OpDiv) of HHS, AHRQ is also required to comply with HHS policy and guidance. Below is a list of policies and procedures that AHRQ follows in compliance with Federal privacy legislation and guidance.
AHRQ Web site Privacy Policy
This Web site is maintained as a public service to provide information on health care research and quality from AHRQ, a component of HHS. We collect no personal information about you when you visit this Web site unless you choose to provide that information to AHRQ voluntarily. See the AHRQ Web site privacy policy for more details.
Health Information Privacy and Security Tool
The Health Information Privacy and Security Tool is an online tool that helps health care providers and organizations meet Health Insurance Portability and Accountability Act (HIPAA) requirements for protecting patient information in electronic health records. The tool provides practical tips in four areas:
- Preparation.
- Risk analysis and action planning.
- Risk management.
- Meaningful use.
Privacy and Security Toolkit
The Privacy and Security Toolkit is a companion document to the Health Information Privacy and Security Tool that implements the principles set forth in The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information (Privacy and Security Framework).
Training and Awareness
Information security and privacy awareness training is mandatory for all AHRQ Federal employees and contract personnel. Federal guidelines and HHS mandate that all employees complete information security and privacy training upon initial hiring and annually thereafter. The AHRQ Information Security and Privacy Program is responsible for ensuring that all Agency employees and contractors receive annual information security and privacy awareness training and role-based training in compliance with Federal requirements. AHRQ also developed an online Information Security and Privacy Awareness Training Module that is available on the Agency Intranet to AHRQ staff.
HHS also offers role-based training courses, which AHRQ transmits on an annual basis to personnel with significant security responsibilities.
For more information on AHRQ Information Security and Privacy training, contact the AHRQ Information Security and Privacy Team (SecureAHRQ@ahrq.hhs.gov).
Publicly Available AHRQ Reports on Privacy
AHRQ submits a required Federal Information Security Management Act (FISMA) report to HHS, which includes privacy performance metrics, on an annual basis. AHRQ currently does not have additional reports on privacy outside of FISMA reporting for publication.
Instructions for Submitting a Privacy Act Request
AHRQ has established procedures for individuals to request, access, and address their information found in AHRQ SORNs; these procedures can be found in the AHRQ SORNs published in Federal Register notices. For each system of records, a specified Agency employee, known as a system manager, is responsible for the business requirements of the data maintained in the system, for answering any questions about seeing the records, and for amending or correcting information contained therein. The system manager, along with his or her mailing address, is also listed in the Federal Register.
Contact Information for Submitting a Privacy Question or Complaint
AHRQ has established procedures for individuals to request, access, and address their information found in AHRQ SORNs, and these procedures can be found in the AHRQ SORNs published in the Federal Register. For each system of records, a specified Agency employee, known as a system manager, is responsible for the business requirements of the data maintained in the system, for answering any questions about seeing the records, and for amending or correcting information contained therein. The system manager, along with his or her mailing address, is also listed in the Federal Register notice.
Contact Information: Senior Agency Official for Privacy
Individuals who have questions about the information set forth in this Privacy Notice, related procedures, and/or about their information, may also contact the following AHRQ points of contact:
- AHRQ Chief Information Security Officer: Eric Colombel
- Email: eric.colombel@ahrq.hhs.gov
- Phone: 301-427-1750
- AHRQ Senior Official for Privacy: Tim Erny
- Email: tim.erny@ahrq.hhs.gov
- Phone: 301-427-1760
- AHRQ Information Security and Privacy Team
- Email: SecureAHRQ@ahrq.hhs.gov