Agency for Healthcare Research and Quality

Privacy Impact Assessment (PIA) Guide

Table of Contents

1. Introduction

1.1 Purpose

1.2 Background

1.3 Scope

1.4 Document Organization

2. Federal Privacy Requirements

2.1 Federal Statutes

2.1.1 The Privacy Act of 1974

2.1.2 The E-Government Act of 2002

2.1.3 The Children's Online Privacy Protection Act (COPPA) of 1998

2.1.4 The Clinger-Cohen Act of 1996

2.1.5 The Health Insurance Portability and Accountability Act (HIPAA) of 1996

2.1.6 The Paperwork Reduction Act (PRA) of 1995

2.1.7 The Computer Matching and Privacy Protection Act of 1988

2.1.8 The Freedom of Information Act (FOIA) of 1966

2.2 Federal Memoranda and Other Guidance

2.2.1 OMB Circular A-130, Appendix III

2.2.2 OMB Circular A-11

2.2.3 OMB Memorandum 01-05

2.2.4 OMB Memorandum 03-22

2.2.5 OMB Memorandum 05-08

2.2.6 OMB Memorandum 06-16

2.2.7 OMB Memorandum 06-20

3. PIA Roles and Responsibilities

3.1 Department Level Roles and Responsibilities

3.1.1 HHS Senior Agency Official for Privacy

3.1.2 Inspector General (IG)

3.1.3 HHS Privacy Act Officer

3.2 OPDIV Level Roles and Responsibilities

3.2.1 OPDIV Chief Information Security Officer (CISO)

3.2.2 OPDIV Senior Official for Privacy (SOP)

3.2.3 OPDIV Privacy Contact

3.2.4 System PIA Author

3.2.5 System Owners/Program Managers

3.2.6 Web site Owners/Administrators

4.0 Privacy Impact Assessment Process

4.1 PIA Overview

4.1.1 Purpose of the PIA

4.1.2 Benefits of PIA

4.1.3 Scope

4.1.4 Timing

4.2 PIA Activities

4.2.1 Step One: Determine When a PIA Must Be Conducted

4.2.2 Step Two: Assign Roles and Responsibilities

4.2.3 Step Three: Prepare to Begin the PIA

4.2.4 Step Four: Compose a PIA

4.2.5 Step Five: Characterize the System

4.2.6 Step Six: Complete the PIA

4.2.7 Step Seven: Approve or Demote the PIA

4.2.8 Step Eight: Maintain the PIA

5.0 Conclusion

Appendix A: Document Feedback

Appendix B: References

Appendix C: Acronyms

Appendix D: Glossary

Appendix E: PIA Question-by-Question Tutorial

