Privacy Program

Privacy Program – The NIH Privacy Program is responsible for mitigating and managing privacy breaches within NIH, and coordinates with IC Privacy Coordinators across NIH to prevent and manage situations where persons other than authorized users have access, or potential access, to personally identifiable information (PII).

Privacy Incidents and Breach Response

Overview

In May 2007, OMB Memorandum (M) 07-16 "Safeguarding Against and Responding to the Breach of Personally Identifiable Information (PII)" required every agency, among other things, to implement more stringent breach notification and response policies and procedures.

Let the OSOP know:

  • Whether the compromised system or lost/stolen equipment contained NIH data;
  • Whether a compromised account had access to NIH data;
  • Whether the data was personally identifiable or sensitive in nature;
  • Whether the data/equipment/device was encrypted;
  • The data elements involved in the loss/theft (name, SSN, DOB, race, gender, medical record number, biometric identifier, photo, etc.);
  • The number of individuals potentially affected;
  • The types of controls in place to mitigate the risk;
  • The level of risk to the agency and to the affected individuals.

Contact us using the information on the top right of this page so that a breach response plan and/or letter to notify individuals of the breach of PII/Sensitive Information (SI) can be prepared (if required).

Privacy Incident

A privacy incident is the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar situation in which persons other than authorized users, or authorized users acting for a purpose other than the authorized one, have access or potential access to PII, PHI or SI, whether in physical or electronic form.

Personally Identifiable Information (PII): Information which can be used to distinguish or trace an individual's identity, such as name, SSN or biometric records, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth or mother's maiden name. PII is protected by the provisions of the Privacy Act if the record in which it is located is under the control of an agency and is contained in an authorized system of records from which records are retrieved by a personal identifier.

Protected Health Information (PHI): Individually identifiable information maintained by a covered health care provider, health plan, or health care clearinghouse.  The formal definition is “any information in the medical record or designated record that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.”

Sensitive Information (SI): Information for which the loss, misuse, or unauthorized access could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act). Information is considered sensitive if the loss of confidentiality, integrity, or availability could be expected to have a serious, severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Privacy Breach

A breach is any successful compromise, at any level, of protective controls around systems or data, or any unauthorized access to or use of those systems or data. Any attempt, successful or unsuccessful, is an incident; a breach is therefore a subset of incidents.

To report lost or stolen NIH data (PII, PHI, SI) or equipment (e.g., laptop/tablet, digital camera, USB drive, Blackberry, cell phone), contact the NIH IT Service Desk within one (1) hour of discovering the loss/theft:

Phone Number: (301) 496-HELP (4357)
Toll Free Number: (866) 319-4357
TTY: (301) 496-8294

Visit the Incident Response Team (IRT) Portal to create an incident report.

Email Security

The NIH email system is not secure! PII distributed or communicated by email must be encrypted, whether the PII is in an attachment or in the body of the message. This applies to email sent within the NIH network as well as over the Internet.

  • If the recipient of the email is within the HHS community, employees/contractors can encrypt the email using their HHS ID (PIV card) by inserting the card into the computer's smart card reader.
  • For both NIH and non-NIH recipients, data can be protected using the NIH Secure Email and File Transfer (SEFT) service.

Personally-Owned Equipment (POE) and Software

The use of personally-owned or non-NIH equipment and/or software to store PII or sensitive government data is not permitted. POE and software includes, but is not limited to, personal computers and related equipment (e.g., wireless laptops, printers, USB drives) and software, personal e-mail providers (e.g., Yahoo!, Hotmail, Gmail), personal library resources, hand-held and PDA devices, facsimile machines and photocopiers. POE and software cannot be physically connected to, or installed on, NIH systems or networks without written authorization from the IC Chief Information Officer.

Additional Reference

HHS Cybersecurity Program - Privacy page
NIH Guide for Handling Sensitive Information
NIH Incident Response Team (IRT) Portal
NIH SEFT vs. PKI Comparison Chart
NIH SEFT Users Guide
NIH Encryption
NIH PKI Quick Reference Guide
FTC OnGuard Online
FTC Identity Theft


Contacting DMS

Division of Management Support

Acting Director, Pamala Cery

National Institutes of Health,

Office of Management Assessment

6011 Executive Blvd., Suite 601, MSC 7669

Rockville, MD 20852

Phone: (301) 496-2832 or (301) 496-4606

Fax: (301) 402-0169
