Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy Reporting and Investment Certification TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.

Similar presentations


Presentation on theme: "Privacy Reporting and Investment Certification TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office."— Presentation transcript:

1 Privacy Reporting and Investment Certification TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office

2 Privacy Reporting and Investment Certification TRICARE Management Activity HEALTH AFFAIRS

3 TRICARE Management Activity HEALTH AFFAIRS 3 Privacy Reporting and Investment Certification Purpose The purpose of this presentation is to provide an overview of how privacy reporting and investment certification are an important aspect on our road to compliance

4 TRICARE Management Activity HEALTH AFFAIRS 4 Privacy Reporting and Investment Certification Objectives Upon completion of this course, you should be able to: − Identify privacy reporting requirements and what role the Federal Information Security Management Act (FISMA) has in consolidating these reporting requirements − Identify the role of privacy in the Military Health System (MHS) Defense Business Transformation (DBT) Investment Certification process − Describe the importance of the Defense Health Program System Inventory Reporting Tool (DHP-SIRT) in collecting important privacy information for reporting purposes

5 TRICARE Management Activity HEALTH AFFAIRS 5 Privacy Reporting

6 TRICARE Management Activity HEALTH AFFAIRS 6 Privacy Reporting and Investment Certification Types of Privacy Reporting SSN Reduction DoD Quarterly Privacy Training Privacy Act Review Public Law FISMA

7 TRICARE Management Activity HEALTH AFFAIRS 7 Privacy Reporting and Investment Certification Privacy Act Review Agency Responsibilities − Required by agencies subject to the Privacy Act of 1974 − OMB A-130 provides specific guidelines What types of review must be completed? − Section (M) contracts − Records practices − Routine Uses/System of Records/Exemptions − Matching programs − Training − Violations − (e)(3) Statements

8 TRICARE Management Activity HEALTH AFFAIRS 8 Privacy Reporting and Investment Certification SSN Reduction What brought about Social Security Number (SSN) reduction? − Task Force on Identity Theft Strategic Plan − Office of Management and Budget (OMB) How is SSN reduction being addressed for privacy reporting purposes? − What role does the TMA Privacy Officer have? Provide consultation related to review of SSN usage on forms and surveys Verify program managers are reporting SSN usage for TMA systems

9 TRICARE Management Activity HEALTH AFFAIRS 9 Privacy Reporting and Investment Certification Public Law What is Public Law ? − Implementing recommendations of the 9/11 Commission Act of 2007 − Title VIII contains sections on privacy and civil liberties Contains four sections Section 803 speaks specifically to the quarterly privacy reporting What privacy information is being collected? − Privacy reviews − Advice and responses − Privacy complaints and dispositions

10 TRICARE Management Activity HEALTH AFFAIRS 10 Privacy Reporting and Investment Certification DoD Quarterly Privacy Training How is DoD Privacy Training being reported? − Requirement of OMB to ensure privacy training − Requirement from the Defense Privacy Office to report quarterly via FISMA What training elements are being reported? − Orientation training − Specialized training − Management training − Annual Refresher training

11 TRICARE Management Activity HEALTH AFFAIRS 11 Privacy Reporting and Investment Certification FISMA What is FISMA? − Report required by the E-Government Act of 2002 − Report on the security and privacy of sensitive information in federal computer systems How often are we reporting for FISMA purposes? − Quarterly − Annually

12 TRICARE Management Activity HEALTH AFFAIRS 12 Privacy Reporting and Investment Certification FISMA – Quarterly Reporting Why is quarterly reporting different than annual reporting? − Provides a pulse check on both security and privacy of systems − Quarterly report is not as comprehensive as annual report What exactly is being reported in the quarterly FISMA report? − Privacy Impact Assessment (PIA) and System of Records Notice (SORN) information − Inventory of systems − Certification & accreditation information

13 TRICARE Management Activity HEALTH AFFAIRS 13 Privacy Reporting and Investment Certification FISMA – Annual Reporting How does FISMA bring all these privacy reporting requirements together? FISMA SSN Reduction Public Law DoD Quarterly Privacy Training Privacy Act Review

14 TRICARE Management Activity HEALTH AFFAIRS 14 Investment Certification

15 TRICARE Management Activity HEALTH AFFAIRS 15 Privacy Reporting and Investment Certification Investment Certification What is investment certification? − Method to ensure appropriate due diligence has been applied to MHS programs/systems which receive funding − Allows MHS key stakeholders to address system concerns How did TMA Privacy Office get involved? − MHS DBT met with TMA Privacy Office − Privacy framework was developed − TMA Privacy Office designated as privacy subject matter expert for investment certification review

16 TRICARE Management Activity HEALTH AFFAIRS 16 Privacy Reporting and Investment Certification Investment Certification (continued) What documents are reviewed by the TMA Privacy Office? − Privacy Investment Framework − PII/PIA/FISMA checklist − Investment Concept of Operations MHS DBT Investment Package Completion MHS Investment Review Committee Meeting Packages Sent to Additional Investment Review Boards Discussion of Unresolved Issues Investment Review Process

17 TRICARE Management Activity HEALTH AFFAIRS 17 Privacy Reporting and Investment Certification Investment Certification (continued) How has the Privacy Office/DBT relationship been beneficial? − Organizational privacy awareness − Proactive approach by various program offices − Addressing privacy earlier in the system development life cycle

18 TRICARE Management Activity HEALTH AFFAIRS 18 DHP-SIRT

19 TRICARE Management Activity HEALTH AFFAIRS 19 Privacy Reporting and Investment Certification DHP-SIRT What is DHP-SIRT? − Assistant Secretary of Defense for Health Affairs (ASD/HA)/TMA System Repository Driven by development of Defense Information Technology Portfolio Repository Contains different system information to include privacy data DHP-SIRT helps facilitate collection of privacy information for privacy reporting − Collects certain data privacy elements for reporting purposes PIA information SORN information SSN information

20 TRICARE Management Activity HEALTH AFFAIRS 20 Privacy Reporting and Investment Certification Summary You should now be able to: − Identify privacy reporting requirements and what role FISMA has in consolidating these reporting requirements − Understand the role of privacy in the MHS DBT Investment Certification process − Understand the importance of the DHP-SIRT in collecting important privacy information for reporting purposes

21 TRICARE Management Activity HEALTH AFFAIRS 21 Privacy Reporting and Investment Certification Resources Public Law Section 208, “E-Government Act of 2002”, 17 December 2002 Public Law , Title III, “Federal Information Security Management Act”, 17 December 2002 Public Law , “Implementing Recommendations of the 9/11 Commission Act of 2007”, 3 August 2007 “Federal Agency Data Mining Reporting Act of 2007”, 4 June 2007 DoDI , “DoD Privacy Impact Assessment (PIA) Guidance”, 12 February 2009 DTM USD(P&R) – “DoD Social Security Number (SSN) Reduction Plan”, 28 March 2008


Download ppt "Privacy Reporting and Investment Certification TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office."

Similar presentations


Ads by Google