PRIVACY IMPACT ASSESSMENT (PIA)

For the Medical Boards Online Tracking System (MEDBOLTS)

Department of the Navy - TMA DHP Funded System

SECTION 1: IS A PIA REQUIRED?

a. Will this Department of Defense (DoD) information system or electronic collection of information (referred to as an "electronic collection" for the purpose of this form) collect, maintain, use, and/or disseminate PII about members of the public, Federal personnel, contractors or foreign nationals employed at U.S. military facilities internationally? Choose one option from the choices below. (Choose (3) for foreign nationals).

[ ] (1) Yes, from members of the general public.
[X] (2) Yes, from Federal personnel* and/or Federal contractors.
[ ] (3) Yes, from both members of the general public and Federal personnel and/or Federal contractors.
[ ] (4) No

* "Federal personnel" are referred to in the DoD IT Portfolio Repository (DITPR) as "Federal employees."

b. If "No," ensure that DITPR or the authoritative database that updates DITPR is annotated for the reason(s) why a PIA is not required. If the DoD information system or electronic collection is not in DITPR, ensure that the reason(s) are recorded in appropriate documentation.

c. If "Yes," then a PIA is required. Proceed to Section 2.

DD FORM 2930 NOV 2008 Page 1 of 17
SECTION 2: PIA SUMMARY INFORMATION

a. Why is this PIA being created or updated? Choose one:

New DoD Information System
New Electronic Collection
Existing DoD Information System
Existing Electronic Collection
Significantly Modified DoD Information System

b. Is this DoD information system registered in the DITPR or the DoD Secret Internet Protocol Router Network (SIPRNET) IT Registry?

Yes, DITPR - Enter DITPR System Identification Number: 1141
Yes, SIPRNET - Enter SIPRNET Identification Number:
No

c. Does this DoD information system have an IT investment Unique Project Identifier (UPI), required by section 53 of Office of Management and Budget (OMB) Circular A-11?

Yes
No

If "Yes," enter UPI: 1007-97-01-15-02-0096-00

If unsure, consult the Component IT Budget Point of Contact to obtain the UPI.

d. Does this DoD information system or electronic collection require a Privacy Act System of Records Notice (SORN)?

A Privacy Act SORN is required if the information system or electronic collection contains information about U.S. citizens or lawful permanent U.S. residents that is retrieved by name or other unique identifier. PIA and Privacy Act SORN information should be consistent.

Yes
No

If "Yes," enter Privacy Act SORN Identifier: N06150-2

DoD Component-assigned designator, not the Federal Register number. Consult the Component Privacy Office for additional information or access DoD Privacy Act SORNs at: http://www.defenselink.mil/privacy/notices/

or

Date of submission for approval to Defense Privacy Office:
Consult the Component Privacy Office for this date.
e. Does this DoD information system or electronic collection have an OMB Control Number? Contact the Component Information Management Control Officer or DoD Clearance Officer for this information.

This number indicates OMB approval to collect data from 10 or more members of the public in a 12-month period regardless of form or format.

[ ] Yes - Enter OMB Control Number: / Enter Expiration Date:
[X] No

f. Authority to collect information. A Federal law, Executive Order of the President (EO), or DoD requirement must authorize the collection and maintenance of a system of records.

(1) If this system has a Privacy Act SORN, the authorities in this PIA and the existing Privacy Act SORN should be the same.

(2) Cite the authority for this DoD information system or electronic collection to collect, use, maintain and/or disseminate PII. (If multiple authorities are cited, provide all that apply.)

(a) Whenever possible, cite the specific provisions of the statute and/or EO that authorizes the operation of the system and the collection of PII.

(b) If a specific statute or EO does not exist, determine if an indirect statutory authority can be cited. An indirect authority may be cited if the authority requires the operation or administration of a program, the execution of which will require the collection and maintenance of a system of records.

(c) DoD Components can use their general statutory grants of authority ("internal housekeeping") as the primary authority. The requirement, directive, or instruction implementing the statute within the DoD Component should be identified.

System of Record Authorities: 5 U.S.C. 301, Departmental Regulations; 10 U.S.C. 1095, Collection from Third Party Payers Act; 10 U.S.C. 5131 (as amended); 10 U.S.C. 5132; 44 U.S.C. 3101; 10 CFR part 20, Standards for Protection Against Radiation; and, E.O. 9397 (SSN)

Additional Authorities: Manual of the Medical Department (MANMED), NAVMED P-117, Chapter 18, Medical Evaluation Boards
g. Summary of DoD information system or electronic collection. Answers to these questions should be consistent with security guidelines for release of information to the public.

(1) Describe the purpose of this DoD information system or electronic collection and briefly describe the types of personal information about individuals collected in the system.

MEDBOLTS provides its users with a robust, web-application for performing the following functions: maintain demographic information associated with military personnel, administer and maintain medical boards, and to generate associated medical board forms, etc.

MEDBOLTS is a Web-based system accessible to those Medical Treatment Facilities MTF(s) with Convening Authority to perform Medical Evaluation Boards (MEB). A MEB evaluates a patient and produces a Medical Evaluation Board Report (MEBR) on that patient's condition. MTF Convening Authorities may convene a MEB to evaluate and prepare an MEBR on any member of the military. MEBR(s) are used for two purposes: 1) Placing a patient on Temporary Limited Duty (TLD) or Limited Duty (LIMDU); or 2) Referring a patient to the Physical Evaluation Board (PEB) for a determination of the patient's fitness for continued Naval service.

MEDBOLTS captures and shares data globally, allowing all MTF(s) with Convening Authority to research, for any patient referred to an MEB, both the contemporary board activity as well as historical referrals to any MEB. These historical checks are vital to assisting service headquarters and parent commands with ensuring appropriate personnel community management across the Navy and Marine Corps, and proper routing of Medical Evaluation Board Reports.

PII collected about individuals include: name, SSN, date of birth, gender, marital status, home address, military records, security clearance and employment, medical and disability information.

(2) Briefly describe the privacy risks associated with the PII collected and how these risks are addressed to safeguard privacy.

All systems are vulnerable to "insider threats."
MEDBOLTS managers are vigilant to this threat by limiting system access to those individuals who have a defined need to access the information. There are defined criteria to identify who should have access to MEDBOLTS. These individuals have gone through extensive background and employment investigations.

Data in MEDBOLTS is maintained in accordance with HIPAA requirements. Only users with appropriate access and need-to-know are authorized to manage data in this system. The level of access and authorization of these users is detailed in the MEDBOLTS System Security Authorization Agreement. All users have background investigations and are approved for ADP II clearances prior to being granted access to MEDBOLTS.

The MEDBOLTS system has a thorough audit log to track the activities of any user when logged in to the system. These procedures mitigate any risk of compromise of PII.

h. With whom will the PII be shared through data exchange, both within your DoD Component and outside your Component (e.g., other DoD Components, Federal Agencies)? Indicate all that apply.

[X] Within the DoD Component.

PII is shared within MEDBOLTS, Navy Medicine Information Systems Support Activity (NAVMISSA), Bureau of Medicine and Surgery (BUMED) Claimancy, BUPERS and Marine Corps authorized users. Individuals are authorized to view MEDBOLTS for their specific commands. Data is also utilized by the Navy, Marine Corps and NAVMISSA for information reporting statistics.
Other DoD Components.

Other Federal Agencies.

State and Local Agencies.

Contractor (Enter name and describe the language in the contract that safeguards PII.)

Other (e.g., commercial providers, colleges).

i. Do individuals have the opportunity to object to the collection of their PII?

[ ] Yes
[X] No

(1) If "Yes," describe method by which individuals can object to the collection of PII.

(2) If "No," state the reason why individuals cannot object.

NAVMED P-117 (Manual of Medicine) requires an evaluation of suitability for continued service for all members removed from full duty for medical reasons within the Department of the Navy. As such, the service member is required to provide the appropriate PII. All PII available in MEDBOLTS is able to be reviewed via the Medical Board Office in the Patient Administration Department of the Military Treatment Facility where the case is being managed.

j. Do individuals have the opportunity to consent to the specific uses of their PII?

[ ] Yes
[X] No

(1) If "Yes," describe the method by which individuals can give or withhold their consent.
(2) If "No," state the reason why individuals cannot give or withhold their consent.

NAVMED P-117 (Manual of Medicine) requires an evaluation of suitability for continued service for all members removed from full duty for medical reasons within the Department of the Navy. As such, the service member is required to provide the appropriate PII. All PII available in MEDBOLTS is able to be reviewed via the Medical Board Office in the Patient Administration Department of the Military Treatment Facility where the case is being managed.

k. What information is provided to an individual when asked to provide PII data? Indicate all that apply.

[X] Privacy Act Statement
[ ] Privacy Advisory
[X] Other
[ ] None

Describe each applicable format.

A pre-printed Department of Defense (DD) Form 2005, "Privacy Act Statement - Health Care Records" is provided to the patient at the point of care for review and signature and it is placed in the patient's medical record.

All members who have PII entered in MEDBOLTS are interviewed by Medical Board Office staff members prior to and during the data collection process. The process of the collection and evaluation of the data is verbally explained to each member. The privacy of the information is detailed to the member and member signature is required prior to the data being forwarded to the evaluation board.
NOTE: Sections 1 and 2 above are to be posted to the Component's Web site. Posting of these Sections indicates that the PIA has been reviewed to ensure that appropriate safeguards are in place to protect privacy. A Component may restrict the publication of Sections 1 and/or 2 if they contain information that would reveal sensitive information or raise security concerns.