Privacy Impact Assessment for the Wellness Program Medical Records
I. Data in the System
Generally describe what data/information will be collected in the system.
- Employee name
- Social Security Number
- Office Address
- Office Phone Number
- Home Address
- Home Phone Number
- Medical exam results (Blood pressure, blood test results and shot record)
- Medical History
- Emergency Point of Contact Info
- Physician Name
What are the sources and types of the information in the system?
Individuals voluntarily fill out evaluation forms and consent to EPA Medical Exams.
How will the data be used by the Agency?
Used to determine if the individual is healthy enough to exercise. Also used for historical / comparison purposes.
Why is the information being collected? (Purpose)
To determine eligibility for Fitness Center membership and to provide routine preventative health care.
II. Access to the Data
Who will have access to the data/information in the system (internal and external parties)? If contractors, are the Federal Acquisition Regulations (FAR) clauses included in the contract (24.104 Contract clauses; 52.224-1 Privacy Act Notification; and 52.224-2 Privacy Act)?
Access is limited to nurses and doctors working in the clinics - contractors acquired by HHS through IAG with EPA.
What controls are in place to prevent the misuse of data by those having authorized access?
All hard copy files are double locked. They are kept in locked file cabinets and the suites are locked. Employees follow the rules of conduct and are given security training annually.
Do other systems share data or have access to data/information in this system? If yes, explain who will be responsible for protecting the privacy rights of the individuals affected by the interface? (i.e., System Administrators, System Developers, System Managers)
No. The data is not shared.
Will other agencies, state or local governments share data/information or have access to data in this system? (Includes any entity external to EPA.)
Do individuals have the opportunity to decline to provide information or to consent to particular uses of the information? If yes, how is notice given to the individual? (Privacy policies must clearly explain where the collection or sharing of certain information may be optional and provide users a mechanism to assert any preference to withhold information or prohibit secondary use.)
III. Attributes of the Data
Explain how the use of the data is both relevant and necessary to the purpose for which the system is being designed.
Only pertinent medical data is being stored for retention purposes.
If data are being consolidated, what controls are in place to protect the data from unauthorized access or use? Explain.
Data is not being consolidated.
If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.
Process is not being consolidated.
How will data be retrieved? Can it be retrieved by personal identifier? If yes, explain. (A personal identifier is a name, Social Security Number, or other identifying symbol assigned to an individual, i.e. any identifier unique to an individual.)
The data is retrieved by the person's full name and confirmed by the last four digits of their SSN.
IV. Maintenance of Administrative Controls
Has a record control schedule been issued for the records in the system? If so, provide the schedule number. What are the retention periods for records in this system? What are the procedures for eliminating the records at the end of the retention period? (You may check with the record liaison officer (RLO) for your AA-ship, Tammy Boulware (Headquarters Records Officer) or Judy Hutt, Agency Privacy Act Officer, to determine if there is a retention schedule for the subject records.)
There is an annual record control schedule (Schedule #023) for EPA information in the system. Records are kept as long as an individual continues to work for the EPA. Once the clinics are notified of transfer or termination, the records will either be transferred to the proper agency / clinic or the records will be shredded.
While the data are retained in the system, what are the requirements for determining if the data are still sufficiently accurate, relevant, timely, and complete to ensure fairness in making determinations?
The separation process ensures that individuals notify the Health unit when they move or retire. In addition, individuals' demographic information is verified every time they visit the health unit. Medical evaluation records are also updated when individuals renew their fitness membership every five years.
Will this system provide the capability to identify, locate, and monitor individuals? If yes, explain.
The system provides name and address but does not monitor individuals.
Does the system use any persistent tracking technologies?
Under which System of Records (SOR) notice does the system operate? Provide the name of the system and its SOR number if applicable. For reference, please view this list of Agency SORs. (A SOR is any collection of records under the control of the Agency in which the data is retrieved by a personal identifier. The Privacy Act Officer will determine if a SOR is necessary for your system.)
EPA health unit records are maintained according to the provisions outlined in EPA-3 System of Records.