AHRQ Privacy Program

This Privacy Notice documents AHRQ's Information Security and Privacy Program compliance with Federal privacy legislation and guidance. It includes links to AHRQ’s privacy impact assessments (PIAs) and systems of record notices (SORNs), and describes the policies and procedures AHRQ has implemented for the protection of information collected, used, and maintained within the Agency.

System of Records Notices (SORNs)

The Privacy Act of 1974 (5 U.S.C. § 552a) establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by Federal agencies. A description of the information to be collected in any system of records must be published in the Federal Register before the data collection begins.

For each system of records, a specified AHRQ employee, known as a system manager, is responsible for the business requirements of the data maintained in the system, for answering any questions about viewing the records, and for amending or correcting information contained therein. The AHRQ system manager, along with his or her mailing address, is listed in the Federal Register notice.

AHRQ Privacy Act SORNs:

System Number  System Name
09-90-1201     ONC Health IT Dashboard [pending transfer from ONC to AHRQ]
09-90-1401     Records About Restricted Dataset Requesters
09-35-0001     Agency Management Information System (AMIS)/Grants and Contracts and Grants Information and Tracking System (GIAnT)
09-35-0002     Medical Expenditure Panel Survey (MEPS) and National Medical Expenditure Survey 2 (NMES 2)

Privacy Impact Assessments (PIAs)

The E-Government Act of 2002, Section 208, establishes the requirement for agencies to conduct PIAs for electronic information systems and collections. The assessment is a method for AHRQ to evaluate the privacy of information it collects, uses, and maintains within its information systems and applications. The Department of Health and Human Services (HHS) reviews, signs, and posts all AHRQ PIAs on the HHS PIA webpage in accordance with the requirements of the E-Government Act of 2002; the PIAs can be found on the HHS Web site.

Matching Notices and Agreements

The Computer Matching and Privacy Protection Act of 1988, Pub. L. No. 100-503, 102 Stat. 2507 (1988), amended the Privacy Act of 1974, 5 U.S.C. § 552a, to include provisions governing computer matching activities. In accordance with Privacy Act stipulation 5 U.S.C. § 552a(o), "no record which is contained in a system of records may be disclosed to a recipient agency or non-Federal agency for use in a computer matching program except pursuant to a written agreement between the source agency and the recipient agency or non-Federal agency." Agencies must publish a matching notice or agreement to notify individuals of the use of their information in this manner. Currently, AHRQ does not conduct matching programs.

Exemptions to the Privacy Act

The Privacy Act of 1974 generally grants individuals the right to access AHRQ records maintained about themselves, and the right to request that AHRQ amend those records if they are not accurate, relevant, timely, or complete. However, the Privacy Act also exempts AHRQ from granting a person access to information about themselves that the agency compiles for certain types of law enforcement or investigatory actions based on 10 specific types of exemptions. The Privacy Act requires AHRQ to provide citations and links to the final rules published in the Federal Register that promulgate each Privacy Act exemption claimed for their systems of records. AHRQ has published exemptions for the following systems of records, as stated in the Federal Register SORN:

  • 09-35-0002    Medical Expenditure Panel Survey (MEPS) and National Medical Expenditure Survey 2 (NMES 2).

Privacy Act Implementation Rules

The Privacy Act of 1974 requires AHRQ to implement Privacy Act implementation rules promulgated pursuant to 5 U.S.C. § 552a(f). AHRQ has established procedures for individuals to request, access, and address their information found in AHRQ SORNs, which are documented in the AHRQ SORNs published in the Federal Register. In addition, AHRQ SORNs identify and describe the National Archives and Records Administration (NARA) records retention schedules that AHRQ uses to maintain records. Individuals that have questions about these procedures, or about their information, may also contact the following AHRQ points of contact:

Publicly Available AHRQ Policies on Privacy

The AHRQ Information Security and Privacy Program fosters an enterprise-wide secure and trusted environment in support of AHRQ's mission. It was established to help protect the Agency and its data against potential information technology (IT) threats and vulnerabilities and to ensure compliance with Federal mandates and legislation that enable AHRQ to provide mission-critical IT security and privacy services. As an Operating Division (OpDiv) of HHS, AHRQ is also required to comply with HHS policy and guidance. Below is a list of policies and procedures that AHRQ follows in compliance with Federal privacy legislation and guidance.

AHRQ Web site Privacy Policy

This Web site is maintained as a public service to provide information on health care research and quality from AHRQ, a component of HHS. We collect no personal information about you when you visit this Web site unless you choose to provide that information to AHRQ voluntarily. Select for more on the AHRQ Web site privacy policy.

Health Information Privacy and Security Tool

Health Information Privacy and Security: A 10-Step Plan is an online tool that helps health care providers and organizations meet Health Insurance Portability and Accountability Act (HIPAA) requirements for protecting patient information in electronic health records. The tool provides practical tips in four areas:

  • Preparation.
  • Risk analysis and action planning.
  • Risk management.
  • Meaningful use.

Privacy and Security Toolkit

The Privacy and Security Toolkit to the Health Information Privacy and Security Tool is meant to be a companion document that implements the principles set forth in The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information (Privacy and Security Framework).

Training and Awareness

Information security and privacy awareness training is mandatory for all AHRQ Federal employees and contract personnel. Federal guidelines and HHS mandate that all employees must complete information security and privacy training upon initial hiring and annually thereafter. The AHRQ Information Security and Privacy Program is responsible for ensuring that all Agency employees and contractors receive annual information security and privacy awareness training and role-based training in compliance with Federal requirements. AHRQ also developed an online Information Security and Privacy Awareness Training Module that is available on the Agency Intranet to AHRQ staff.

HHS also offers the following role-based training courses, which AHRQ transmits on an annual basis to personnel with significant security responsibilities:

For more information on AHRQ Information Security and Privacy training, contact the AHRQ Information Security and Privacy Team (SecureAHRQ@ahrq.hhs.gov).

Publicly Available AHRQ Reports on Privacy

AHRQ submits a required Federal Information Security Management Act (FISMA) report to HHS, which includes privacy performance metrics, on an annual basis.  AHRQ currently does not have additional reports on privacy outside of FISMA reporting for publication.

Instructions for Submitting a Privacy Act Request

AHRQ has established procedures for individuals to request, access, and address their information found in AHRQ SORNs; these procedures can be found in the AHRQ SORNs published in Federal Register notices. For each system of records, a specified Agency employee, known as a system manager, is responsible for the business requirements of the data maintained in the system, for answering any questions about seeing the records, and for amending or correcting information contained therein. The system manager, along with his or her mailing address, is also listed in the Federal Register.

Contact Information for Submitting a Privacy Question or Complaint

AHRQ has established procedures for individuals to request, access, and address their information found in AHRQ SORNs, and these procedures can be found in the AHRQ SORNs published in the Federal Register.  For each system of records, a specified Agency employee, known as a system manager, is responsible for the business requirements of the data maintained in the system, for answering any questions about seeing the records, and for amending or correcting information contained therein. The system manager, along with his or her mailing address, is also listed in the Federal Register notice.

Contact Information: Senior Agency Official for Privacy

Individuals that have questions about the information set forth in this Privacy Notice, related procedures, and/or about their information, may also contact the following AHRQ points of contact:

Page last reviewed November 2017
Page originally created October 2017
Internet Citation: AHRQ Privacy Program. Content last reviewed November 2017. Agency for Healthcare Research and Quality, Rockville, MD. http://www.ahrq.gov/policy/privacy.html