Skip Over Navigation Links
​​​​​​​​​​​​​​​​​​​​​​​​​​​Privacy Program

Privacy Program – The NIH Privacy Program is responsible for mitigating and managing privacy breaches within NIH, and coordinates with IC Privacy Coordinators across NIH to prevent and manage situations where persons other than authorized users have access, or potential access, to personally identifiable information (PII).

​​Privacy Impact Assessments

The requirement for PIAs originated in the Electronic Government (E-Gov) Act of 2002, and was further clarified in Office of Management and Business OMB Memorandum (M) 03-22, "OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002."

The PIA is an integral part of risk management.  A PIA form creates an opportunity for organizations to anticipate and address the likely impacts of new initiatives, to foresee problems and identify what needs to be done to design features that minimize any impact on privacy and/or to find less privacy intrusive alternatives.  The PIA process helps the public understand what information the organization is collecting, why the information is being collected, how the information will be accessed, used, shared, and securely stored. It demonstrates that the organization has critically analyzed how the project will deal with personal data. Thus, a PIA promotes a more fully informed decision-making process.

The E-Gov Act requires that PIAs be conducted on all new Federal systems collecting information in identifiable form, which means any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.

Title III of the E-Gov Act is referred to as the Federal Information Security Management Act (FISMA). It requires that the agency conduct annual reviews of information security and privacy programs and report the results to OMB.

HHS requires PIAs to be conducted on all Information Technology (IT) systems and uses of Third-Party Websites and Applications (TPWAs).  HHS also requires quarterly reviews and annual FISMA reports.

PIAs are required for:

  • All FISMA Reportable Electronic Systems(these include General Support Systems, Major Applications and Minor Stand-Alone Applications owned/operated by the NIH or operated on behalf of the agency including those internally hosted at the NIH or externally hosted (i.e., hosted off-site by commercial vendors/contractors, including cloud-based systems)).
  • All Uses of Third-Party Websites and Applications (TPWAs) (these include Web-based technologies that are not exclusively operated or controlled by a government entity, or web-based technologies that involve significant participation of a nongovernment entity. Often these technologies are located on a “.com” website or other location that is not part of an official government domain. However, third-party applications can also be embedded or incormporated on an agency's official website).
  • All Surveys that contain/process PII and Sensitive Information (these include online surveys, employee surveys that ask non-work related information, and those included as part of an OMB request for clearance under the Paperwork Reduction Act to survey 10 or more members of the public in order to evaluate a program, etc.).

A PIA must be completed before an IT system is operational, a third-party website or application account is created and a survey is launched. Since a PIA is an analysis of how information is handled, it ensures handling conforms to applicable legal, regulatory, and policy requirements regarding privacy determines the risks and effects of collecting, maintaining, and disseminating information in identifiable form; and examines and evaluates protections and alternative processes for handling information to mitigate potential privacy risks.

To add a new IT system, TPWA or survey to the NIH Inventory, or receive assistance in completing a PIA, contact your NIH IC Privacy Coordinator or the NIH Privacy Program via email at​​


Additional References

HHS Privacy Impact Assessments
IC Privacy Coordinators
IC Information Systems Security Officers
NIH Information Security and Privacy Awareness Training Dashboard
NIH Project Clearance Branch Website
NIH Records Management Website
NIH Policy 1745-1, Privacy Impact Assessments
NIH PIA Guide​​

Privacy Program

Privacy Program Laws, Policies, and Memoranda
Privacy Act
Privacy Impact Assessments (PIAs)
Privacy Incidents and Breach Response
Social Media and Web Management
Training Resources
Privacy Program FAQs
Privacy Program Glossary
Privacy Program Laws & References
IC Privacy Coordinators​​​

Contacting DCM

Division of Compliance Management

Director, Anna Amar

Administrative Assistant, Raisa Sarwar

Office of Management Assessment (OMA)

Office of Management (OM)

Office of the Director (OD)

6705 Rockledge Dr, Suite 601

Bethesda, MD 20892

Phone: (301) 496-4606

MSC = 7901

Last modified: 5/29/2024 1:41 PM