SOCIAL SECURITY ADMINISTRATION
PRIVACY IMPACT ASSESSMENT
· Name of Project
SSA Functional Assessment Study System
· Unique Project Identifier
None
· Privacy Impact Assessment Contact
Contracting Officer Technical Representative
Office of Disability Programs
Office of Retirement and Disability Policy
Social Security Administration
6401 Security Boulevard
Baltimore, MD 21235
· Background
The Social Security Administration’s (SSA) Office of Disability Programs (ODP) is sponsoring a Functional Assessment Study. The National Institutes of Health (NIH), Clinical Research Center, Rehabilitation Medicine Department (CRC/RMD), will conduct this study to explore a new automated claimant-reported method of functional assessment to improve our disability determination process.
Study participants are applicants for Social Security disability benefits (claimants) and two of their health care providers (primary medical providers and supplementary health care providers). Participation in this study is voluntary. Claimants and their health care providers who choose to participate will receive a small payment.
We will perform this study using computerized adaptive testing (CAT) through the Calibration Study Management System (SMS). SMS is a web-based system designed to administer and track study questionnaires.
NIH CRC/RMD subcontracted with Boston University Health and Disability Research Institute (BU-HDRI) to develop CAT instruments and to develop specific questions for two health domains: Physical Demands and Interpersonal Interactions. NIH CRC/RMD and BU-HDRI will conduct a calibration study to test the questions developed for the two domains.
BU-HDRI subcontracted with Westat, an external survey center, to assist with collecting data. Westat built the CAT Calibration SMS to collect information from the study participants. Westat will house the CAT Calibration SMS. This system consists of two discrete modules, the core SMS and a questionnaire delivery system (QDS):
· The SMS module prescreens, enrolls and tracks participants, protects and encrypts data, and delivers questionnaires.
· The QDS delivers questionnaires to system users. These questionnaires are administered either by a Westat telephone interviewer, or are completed directly by participants via the Internet using a web-based application.
The SMS will store, process, and transmit information related to the study, including respondent and/or survey data and reports, and other electronic and hardcopy information.
Westat will collect information from claimants and the claimants’ health care providers about the claimant’s functional ability (mobility and interpersonal interactions and relationships).
NIH CRC/RMD and BU-HDRI will use the functional information collected to develop computer adaptive testing tools. BU-HDRI will prepare a final report for NIH CRC/RMD and SSA.
· Describe the specific legal authority and/or agreement for the collection of information.
Section 234 [42 U.S.C. § 434] [Demonstration Project Authority] of the Social Security Act, as amended, authorizes us to collect and maintain this information. This section directs the Commissioner of Social Security to carry out experiments and demonstration projects to determine the relative advantages and disadvantages of various alternative methods of treating the work activity of persons entitled to disability insurance benefits.
· Describe the information we plan to collect, why we will collect the information, how we intend to use the information, and with whom we will share the information.
We collect information from the claimants and the claimants’ health care providers to process Social Security disability claims. Through NIH CRC/RMD and BU-HDRI, ODP will provide Westat with some claims-related personally identifiable information (PII) that we collected when the claimants applied for Social Security disability benefits. We will provide Westat with records that contain information such as:
· Name
· Age
· Gender
· Address
· Social Security number
· Email Address
· Impairment Allegations
Westat will randomly select participants for two study groups, which will be divided into two domains: Physical Demands and Interpersonal Interactions. Westat will collect information from the study participants for NIH CRC/RMD and BU-HDRI to conduct a calibration study to test the two CAT domains. The study results will be used to determine if CAT domains can assist us in our disability determination process.
Westat will use the information we provide about the claimant to:
· contact the claimant to invite them to participate in the study,
· identify the claimant’s eligibility to participate, and
· mail a pre-notification package to randomly selected claimants.
The claimant will provide Westat with the names, addresses, and telephone numbers of the primary and secondary care providers. Westat will use this information to:
· establish contact with the health care providers to invite them to participate in the study, and
· mail them advance letters with information pertaining to the study.
Westat will collect functional information, such as mobility and interpersonal interactions and relationships, to develop computer software to improve our disability determination process. The software is intended to improve our speed when processing disability claims and to capture functional information more comprehensively.
Westat will share the information it collects from the study participants with BU-HDRI in non-identifiable form. BU-HDRI will conduct analyses to finalize question banks. Question banks are collections of questions that the CAT tool will use when eliciting information from claimants. BU-HDRI will use the data Westat collected to conduct statistical analyses and to develop a final report for NIH CRC/RMD and SSA.
We will not disclose any information defined as “return or return information” under 26 U.S.C. § 6103 of the Internal Revenue Code (IRC) unless authorized by statute, the IRC, the Internal Revenue Service (IRS), or IRS regulations.
· Describe the administrative and technological controls we have in place or that we plan to use to secure the information we will collect.
Westat will not share any information with NIH CRC/RMD and BU-HDRI in identifiable form. We will not know if the claimant or the claimant’s health care provider participated in the study, nor will we receive any identifying information pertaining to the study participants. The study results will be transferred in a non-identifiable form.
Westat controls access to the information that it collects by limiting access rights on a person and group basis to specific information relevant to users’ assigned tasks. We will provide Westat with an encrypted CD containing claimants’ PII. The encryption meets the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS). Westat has agreed to follow safeguards to protect the data and has agreed to allow us to conduct on-site inspections.
Westat’s network is divided via a system of firewalls. Several network zones with varying levels of access restrictions have been established to control access to the information collected for this study. Westat staff participating on this project have received approved suitability clearance notices from us. All Westat employees must complete Westat’s Annual Information Security Awareness Training.
Westat’s security awareness and training policy ensures that staff are aware of the importance of information systems security and receive appropriate training to protect the confidentiality, integrity, and availability of information and information systems in accordance with agency requirements and NIST (Special Publication 800-53) directives and guidelines. NIST standards incorporate updated effective practices for information security and best practices that provide broad-based and comprehensive safeguards and countermeasures for protecting today’s information systems.
We have received System Security Plans (SSP) from NIH CRC/RMD, BU-HDRI, and Westat. The SSPs document to our satisfaction that each party will take the appropriate actions to protect confidential information. The SSPs include, but are not limited to, the security controls required by NIST. These security controls include managerial, operational, and technical controls. The SSPs also include an evaluation of security and audit controls proven effective in protecting the information collected, stored, processed, and transmitted by Westat.
The SSPs ensure that the appropriate administrative and technological controls are in place to secure data that meet the security requirements. We have reviewed and concurred with the policies and procedures to secure our data.
Our security controls include technical, management, and operational controls that permit access to our information only to persons with an official “need to know.” Audit mechanisms are in place to record sensitive transactions as an additional measure to protect information from unauthorized disclosure or modification. We secure the electronic information by requiring the use of a unique personal identification number and password. We employ security measures to protect access to information and prevent unauthorized disclosure or modification of records in the systems.
We store the computerized records in secure areas accessible only to those employees and contractors who require the information to perform their official duties. We provide appropriate security awareness training to all our employees and contractors annually that includes reminders about the need to protect PII and the criminal penalties that apply to unauthorized access to, or disclosure of, PII. See 5 U.S.C. § 552a(i)(1). Furthermore, employees and contractors with access to databases maintaining PII must annually sign a sanction document, acknowledging their accountability for inappropriately accessing or disclosing such information.
· Describe the impact on persons’ privacy rights. Do we afford people an opportunity to decline to provide information?
Yes. Participation in the study is voluntary. The information collected for this study is for research purposes only.
· Do we afford people an opportunity to consent to only particular uses of the information?
No. Westat staff advises participants that the information collected from them and their health care providers will be used for research purposes only. We further advise participants that we will disclose this information without their prior written consent only when we have specific legal authority to do so (e.g., the Privacy Act). We do not otherwise offer persons an opportunity to determine how and with whom we will share their information.
· Does the collection of this information require a new system of records under the Privacy Act (5 U.S.C. § 552a) or an alteration to an existing system of records?
No. The information we will collect for this research study is covered under an existing Privacy Act System of Records (SOR) entitled Disability Insurance and Supplemental Security Income Demonstration Projects and Experiments System (60-0218). We published the SOR and its applicable routine uses in the Federal Register on January 11, 2006 (71 FR 1836). The SOR appropriately reflects the information covered as well as the purpose for which we collect, maintain, disclose, and use the information.
PIA CONDUCTED BY SSA ACTING PRIVACY OFFICER:
/s/ Mary Ann Zimmerman    07/02/2012
Signature    Date
/s/ David F. Black    07/10/2012
Signature    Date