BioSense
Supporting Statement Section A
OMB Control Number 0920-0824
Program Contact/Project Officer
Kathleen Gallagher,
Director, Division of Notifiable Diseases and Healthcare Information
Public Health Surveillance and Informatics Program Office
Office of Surveillance, Epidemiology and Laboratory Services
Centers for Disease Control and Prevention
Phone: 404-498-6631
E-mail: kxg7@cdc.gov
BioSense - Request for Revision
Table of Contents
Section
A. Justification
Circumstances Making the Collection of Information Necessary
Purpose and Use of Information Collection
Use of Improved Information Technology and Burden Reduction
Efforts to Identify Duplication and Use of Similar Information
Impact on Small Businesses or Other Small Entities
Consequences of Collecting the Information Less frequently
Special Circumstances Relating to the Guidelines of 5 CFR 1320.5
Comments in Response to the Federal Register Notice and Efforts to Consult Outside the Agency
Explanation of Any Payment or Gift to Respondents
Assurance of Confidentiality Provided to Respondents
Justification for Sensitive Questions
Estimates of Annualized Burden Hours and Costs
Estimates of Other Total Annual Cost Burden to Respondents or Record Keepers
Annualized Cost to the Government
Explanation for Program Changes or Adjustments
Plans for Tabulation and Publication and Project Time Schedule
Reason(s) Display of OMB Expiration Date is Inappropriate
Exceptions to Certification for Paperwork Reduction Act Submissions
Exhibits
Exhibit 12-A Estimates of Annualized Burden Hours
Exhibit 12-B Estimates of Annualized Burden Costs
Exhibit 14-A Estimated Annualized Cost to the Government
Attachments
Legislation: Public Health Service Act and Pandemic and All-Hazards Preparedness Act
60-day Federal Register Notice (FRN)
BioSense 2.0 Registration Screen Shot
BioSense 2.0 Security Letter
BioSense 2.0 Data Sharing Screen Shot
BioSense 2.0 Variables
BioSense 2.0 Technical Expert Panel (TEP) and Advanced User Panel (AUP) Members Lists
BioSense 2.0 Privacy Impact Assessment (PIA)
BioSense 2.0 Research Determination
BioSense Supporting Statement
Section A – justification for information collection, identifiability of respondents
1 Circumstances making collection of information necessary
CDC requests a three year approval for a Revision for the BioSense program OMB Control No. 0920-0824, Expiration Date 10/31/2012.
Congress passed the Public Health Security and Bioterrorism Preparedness and Response Act of 2002, which requires specific information collection activities related to bioterrorism preparedness and response. This congressional mandate outlines the need for protecting the overall public’s health through electronic surveillance. The Department of Health and Human Services outlined strategies aimed at achieving this goal via the Public Health IT Initiative thereby creating the BioSense program. The Public Health Service Act (42 U.S.C. 241, 247b and 247d-4) and the Pandemic and All-Hazards Preparedness Act (PAHPA), Public Law No. 109-417 authorizing this activity are included as Attachment 1.
BioSense is a national-level, electronic, human health surveillance system designed to improve the nation’s capabilities for disease detection, monitoring, and health situation awareness through timely access to existing healthcare encounter information for just-in-time public health decision-making. The BioSense Program is in the process of transitioning from the original BioSense 1.0 to the new BioSense 2.0 that has new governance, a new organizational structure, and a new process for data submission and management. Initially intended to serve as a tool for early detection and rapid assessment of potential bioterrorism-related illness, the BioSense Program has since expanded its role to detecting changes over time in predefined syndromes and sub-syndromes of public health importance (ex., injury, chronic disease, and influenza) and providing timely, all-hazard, national public health situational awareness throughout the course of public health emergencies (ex., 2009 H1N1).
This is a request for a Revision (approval is requested for three years) of:
The BioSense program has 3 different types of information collection: (1) information needed for recruitment of participating jurisdictions to BioSense 2.0 each year; (2) the one-time collection of information to provide access to the BioSense 2.0 Application to all appropriate users in participating jurisdictions and organizations, and (3) collecting already existing healthcare encounter data.
Recruitment
In BioSense 1.0, jurisdictions were approached and asked to complete an extensive survey assessing their capabilities to participate. BioSense 2.0 has taken a user centered approach, so the state, local, and territorial and health departments respond to communication outreach materials and can solicit information themselves on how to join. The BioSense technical team works to accommodate their specifications for data submission, if they do choose to join; this is a one-time event in the form of an unstructured conversation. Because additional information technologies were added to the application (multiple easy-to-use ways to institute data transfer), the previously used extensive spreadsheet for gathering information is no longer necessary. Outreach efforts to public health jurisdictions will be ongoing throughout the requested three-year authorization period.
Web Application Access
In BioSense 1.0, there was annual collection of data on the CDC Secure Data Network in order to register prospective users and their interests in using the data. Because of the move to the cloud environment in BioSense 2.0, there is a new registration form on the application (http://biosen.se, see Attachment 3), which users must complete one time only. They are then approved by the public health jurisdiction administrator as is applicable. As a result, once applicants are approved users, they do not have any further burden of renewing their account. Users may access the BioSense 2.0 application that provides analysis tools and a dashboard that allows customizable queries that produce time series charts to enable the user to identify increased numbers or rates of patient visits that might indicate an outbreak, maps to visualize geographic distribution, and charts to assist in monitoring long-term trends in disease activity and increase understanding of disease patterns in an area.
Data Collection
In order to meet the congressional mandate outlined above, the BioSense Program must have access to electronic health information. Under BioSense 1.0, participating organizations submitted already existing healthcare encounter data to CDC, and the data were processed and stored at CDC in the CDC owned and operated Information Technology Services Office’s Mid-Tier Data Center on secure servers. In BioSense 1.0, data from Veterans Administration (VA), Department of Defense (DoD), a health information exchange company, and national clinical laboratories were received directly into the Mid-Tier servers. Data from participating non-federal hospitals were received in the following two ways: 1) state, local, and territorial health departments submitted to the Mid-Tier servers the data that they had received from participating non-federal hospitals and 2) non-federal hospitals submitted data directly to the Mid-Tier servers.
Under BioSense 2.0, the difference lies primarily in where the data will be stored and how it will be shared. All data submitted by its users will reside not at CDC but in a cloud-enabled, web-based platform that has Authorization to Operate from CDC, because it has been through the CDC’s Certification & Accreditation process, which meets Federal Information Security Management Act (FISMA) requirements and incorporates the use of NIST Special Publications (computer security guidance at http://csrc.nist.gov/publications/PubsSPs.html) (Attachment 4). The BioSense 2.0 application sits in the secure, private Government Cloud (http://www.howto.gov/tech-solutions/cloud-computing). This cloud is simply used as a different storage and processing mechanism, as opposed to the on-site servers traditionally used by the BioSense Program. This means that the data will reside in 7 different cloud servers, and has a 99.99% success rate (i.e., there is almost no chance of a data drop, because if one server has a problem, the other replicates and supports within 15 seconds).
The Association of State and Territorial Health Officials (ASTHO) funded through a cooperative agreement with CDC will contract with a vendor to offer BioSense 2.0 on a voluntary basis to public health jurisdictions for their use. The platform will provide users with an exclusive secure space and tools for posting, receiving, controlling, and analyzing their public health surveillance information. A public health jurisdiction may submit to its exclusive, secure space in the cloud data it receives from reporting non-federal hospitals (emergency departments, outpatient clinics, and inpatient facilities) within its jurisdiction. Or, it may have the non-federal hospitals in its jurisdiction submit data directly to its secure space. However, whether a state, local, or territorial public health department arranges to receive data from non-federal hospitals within its jurisdiction or has those hospitals submit data directly to the health department’s space in the BioSense 2.0 cloud, the health department is responsible for creating its own data use agreements with the hospitals that are sending the data. The public health department will retain ownership of any data it contributes to its exclusive secure space, and is not required to share its data with any other BioSense 2.0 users.
The BioSense 2.0 cloud will also provide the CDC’s BioSense Program its own exclusive, secure space to receive, store, and analyze data. CDC has data use agreements with DoD and the VA to use the clinical encounter data from DoD and VA outpatient hospitals and clinics for anomaly analysis to provide national public health situation awareness. CDC also has data use agreements with two national-level private sector clinical laboratories that voluntarily provide laboratory data from their existing data bases for the purpose of surveillance. Finally, CDC currently has a contract with a private sector health information exchange company for data services to extract and process data from their existing pharmacy claims data base for the purpose of surveillance. The data being received is the same as that received under BioSense 1.0; the only difference is the location where the data is stored.
In addition to providing a secure, exclusive space for use by CDC and secure, exclusive spaces for use by each participating state, local, and territorial public health jurisdiction, BioSense 2.0 provides a second secure space in the cloud for public health jurisdictions to share whatever aggregated data they chooses with other participating public health jurisdictions and CDC. Whenever possible, the BioSense Program plans to share aggregate level pharmacy and laboratory data with public health departments. BioSense 2.0 is designed to promote the contribution of public health data by all users and the appropriate sharing of aggregated data in the shared space, because a greater number of data sources increases situational awareness and coverage of geographic areas. Public health jurisdictions will be responsible for de-identifying and/or encrypting all protected health information and identifiable health information prior to releasing these data into this shared space. As part of access to the shared space, public health jurisdictions will be required in their Information Sharing and Data Use Agreements with ASTHO to grant CDC access to, at minimum, aggregate level data (city or county or state) that contain the ISDS recommended minimum dataset variables from their jurisdiction that have been placed in the shared space, and they agree that CDC may review data contributed to the shared space for public health practice and surveillance purposes. To participate in the shared space, public health jurisdictions must simply select from drop-down lists to choose their sharing permissions on the BioSense 2.0 application (Attachment 5), and they will have the right at any time to revise the level of sharing permissions regarding the data in their secure space.
1.1 Privacy Impact Assessment
BioSense has three types of information collection systems for the 3 different types of data described above: recruitment, web access, and data collection.
Recruitment
In BioSense 2.0, CDC collaborates with the associations ASTHO, NACCHO, CSTE, and ISDS to reach out to the public health community. The efforts focus on outreach and information, and no survey or questionnaire is performed. State, local, and territorial public health jurisdictions approach the CDC via a general email account (info@biosen.se) and request the Information Sharing and Data Use Agreement to join BioSense 2.0. Once the agreement is signed, the BioSense technical team begins work to onboard their data sources to the system. Though during this process the first and last names, email addresses, organizational affiliations, and telephone numbers of individuals responding on behalf of the public health jurisdictions are collected, the information is for contact purposes only, i.e., to facilitate communication. The information is gathered through the CDC email account mentioned above, and further communication with them is conducted via email, phone, or in person meeting, in order to accommodate their needs to join BioSense 2.0. This information will be maintained for as long as the jurisdiction maintains an Information Sharing and Data Use Agreement with ASTHO. No other information in identifiable form is collected for this activity.
Web Application Access
Access to the BioSense 2.0 web environment is obtained through the one-time completion of a registration form on the site that is maintained by the vendor contracted by ASTHO (http://biosen.se). Information collected on this form contains first and last names, email addresses, organizational affiliations, security questions and passwords. This information is used only for the purpose of facilitating user approval and the setting of user data access privileges by the system. This information will be maintained for as long as the user chooses to keep an account. No other information in identifiable form is collected for this activity (Attachment 3).
Data Collection
BioSense 2.0 is designed to promote the contribution of public health data by all users and the appropriate sharing of aggregated data in the shared space. Public health jurisdictions will be responsible for de-identifying and/or encrypting all protected health information and identifiable health information prior to releasing these data into the shared space. As part of access to the shared space, public health jurisdictions will be required in their Information Sharing and Data Use Agreements with ASTHO to grant CDC access to, at minimum, aggregate level data (city or county or state) that contain the ISDS recommended minimum dataset variables from their jurisdiction that have been placed in the shared space, and they agree that CDC may review data contributed to the shared space for public health practice and surveillance purposes. To participate in the shared space, public health jurisdictions must simply select from drop-down lists to choose their sharing permissions on the BioSense 2.0 application, and they will have the right at any time to revise the level of sharing permissions regarding the data in their secure space.
Additionally, data from VA, DoD, a private sector health information exchange company with pharmacy claims data, and two national clinical laboratories will be received directly into the BioSense Program’s exclusive, secure space. These activities are covered by Data Use Agreements with DoD, VA, and the two national clinical laboratories and a contract for data services to extract and process data with the private sector health information exchange company. Data from the shared space and data from the BioSense Program’s secure space will be maintained by CDC for 2 years then archived permanently. For the list of variables from each type of data source see Attachment 6. The public health jurisdictions, VA, DoD, the national clinical laboratories, and the private sector health information exchange company are not providing CDC with individually identifiable information about their organization, they are providing healthcare encounter data from people seen in their jurisdiction or by their organization. Some of these data do contain combinations of variables that can be considered individually identifiable information, such as, Date of birth (month/year), date of death (month/day/year), sex, ethnic group, race, state, zip code, date of visit, and name of facility visited. However, there are security measures and policies in place that protect the data and prohibit anyone attempting to identify individuals using BioSense data (Attachment 4).
2 Purpose and Use of Information Collection
Recruitment
In BioSense 2.0, CDC collaborates with the associations ASTHO, NACCHO, CSTE, and ISDS to reach out to the public health community. The efforts focus on outreach and information, and no survey or questionnaire is performed. State, local, and territorial public health jurisdictions approach the CDC via a general email account (info@biosen.se) and request the Information Sharing and Data Use Agreement to join BioSense 2.0. Though during this process the names, email addresses, organizational affiliations, and telephone numbers of individuals responding on behalf of the public health jurisdictions are collected, the information is for contact purposes only, i.e., to facilitate communication. The information is gathered through the CDC email account mentioned above. Once the agreement is signed, the BioSense technical team begins work to onboard their data sources to the system and further communication with individual representatives is conducted via email, phone, or in person meeting in the form of an unstructured conversation, in order to accommodate their needs to join BioSense 2.0. Outreach efforts to state and local health departments will be ongoing throughout the requested three year authorization. The goal is to have over 50 jurisdictions participating in BioSense 2.0 by 2015. Without this activity, jurisdictions would not be able to use the BioSense 2.0 application, and CDC’s BioSense Program would not receive the data in needs to perform its necessary activities.
Web Application Access
Information collected for granting access to the web application will be used only internally and only to inform the granting of access to the web application and setting user permissions. Additionally, this information in aggregate form might be used to establish application use statistics, such as, the number of total users of the application or number of users of the application by state. The BioSense Application may be viewed by federal, state, and local public health personnel; by officials of the VA and DoD; and by personnel at hospitals or hospital systems providing data. Without access to the BioSense 2.0 application, users would not be able to take advantage of its analysis tools and the dashboard that allows customizable queries that produce time series charts to enable the user to identify increased numbers or rates of patient visits that might indicate an outbreak, maps to visualize geographic distribution, and charts to assist in monitoring long-term trends in disease activity and increase understanding of disease patterns in an area.
Data Collection
Addition of data sources is ongoing as state and local jurisdictions elect to utilize the BioSense 2.0 environment. Current information sources include state and local health departments, the Department of Veterans Affairs (which transmits data from 820 facilities), the Department of Defense (which transmits data from 320 facilities), two national laboratory corporations, and one pharmacy claims system (which transmits data from >30,000 pharmacies).
As with the data collected in BioSense 1.0, data collected in the BioSense 2.0 shared space will be aggregated into pre-defined syndromes and sub-syndromes. Then 6-month time series are created that can be viewed on the web application dashboard by approved users. Additionally, the BioSense Team at CDC will process the data through a modified C2 EARS algorithm for analysis on a daily basis. CDC analysts will review 6-month time series from shared space, VA, and DoD data for the presence of anomalies on a daily basis. Pharmacy and laboratory data are currently only used to provide additional data for influenza-related syndromes and sub-syndromes; however, the use of these data will be expanded to other conditions as part of BioSense 2.0. All of these uses of the data collected will allow CDC to continue to meet the congressional mandate by maintaining syndromic surveillance activities that provide national public health situation awareness.
The BioSense Program was initially intended to serve as a tool for early detection and rapid assessment of potential bioterrorism-related illness; however, to fulfill additional needs, the Program has since expanded its role to include detecting changes over time in predefined syndromes and sub-syndromes of public health importance, for example, injury, chronic disease, and influenza and providing timely, all-hazard, national public health situation awareness throughout the course of high profile events (e.g., North American Leaders Summit) and public health emergencies (e.g., 2009 H1N1). Without BioSense 1.0 and now BioSense 2.0, there would be no syndromic surveillance system that could combine non-federal hospital, VA, DoD, pharmacy and laboratory data to provide public health situation awareness at the national level. Continuing this data collection under BioSense 2.0 will not only allow CDC to maintain and even improve its current level of surveillance, but it will also promote the use of this data at the state, local, and territorial levels. BioSense 2.0 will provide public health jurisdictions with an infrastructure at no cost to them for their own syndromic surveillance and a mechanism to pursue Meaningful Use of data. The BioSense Program continues to receive funding directly from Congress as the BioSense Line (called the Biosurveillance Line prior to 2011) in the CDC Preparedness and Response Budget Appropriation Activity.
2.1 Privacy Impact Assessment
Recruitment
In BioSense 2.0, CDC collaborates with the associations ASTHO, NACCHO, CSTE, and ISDS to reach out to the public health community. The efforts focus on outreach and information, and no survey or questionnaire is performed. State, local, and territorial public health jurisdictions approach the CDC via a general email account (info@biosen.se) and request the Information Sharing and Data Use Agreement to join BioSense 2.0. Though during this process the names, email addresses, organizational affiliations, and telephone numbers of individuals responding on behalf of the public health jurisdictions or organizations are collected, the information is for contact purposes only, i.e., to facilitate communication. The proposed information collections will have little or no effect on the respondents’ privacy.
Web Application Access
Information collected for granting access to the web application will be used only internally and only to inform the granting of access to the web application and setting user permissions. This information is not shared with other users outside the user’s jurisdiction; within the users jurisdiction, only their name and health department affiliation are shared with the jurisdiction administrators. Thus, the proposed information collections will have little or no effect on the respondents’ privacy.
Data Collection
Data that is placed by state, local, and territorial public health jurisdictions on a voluntary basis into the shared space will be shared with other jurisdictions and CDC. This data will be aggregated into pre-defined syndromes and sub-syndromes and displayed as 6-month time series that can be viewed on the web application dashboard by approved users. No individually identifiable information will be displayed on the dashboard. If shared by the public health jurisdiction, CDC will be able to view Patient Lists that could contain combinations of variables that can be considered individually identifiable information, but this type of data is only used internally to investigate the public health importance of an anomaly and is not shared.
VA, DoD, pharmacy, and laboratory data received by CDC will be used internally to conduct anomaly analysis, and will only be shared in aggregate format containing no individually identifiable information with CDC EOC and applicable public health jurisdictions when the BioSense Program is engaged in conducting surveillance on high profile events or public health emergencies.
The proposed collection will have no impact on the respondents’ privacy. The respondents are not providing information about themselves; they are providing healthcare encounter data from their already existing data bases.
3 Use of Improved Information Technology and Burden Reduction
Recruitment
By moving BioSense 2.0 into a cloud computing environment, we have significantly reduced the technical and monetary burden often placed on state, local, and territorial public health jurisdictions. Further, the BioSense team provides onboarding services, technical assistance, and multiple ways to transfer data into the BioSense 2.0 cloud environment. This allows the jurisdictions to use technology they already have in place; thus, they spend minimal time and resources to participate in BioSense 2.0.
Web Application Access
For providing access to the BioSense 2.0 application, an automated data collection form (Attachment 3) is used. This use of information technology reduces burden on prospective BioSense users and facilitates the most rapid processing of requests.
Data Collection
To reduce burden, 100% of data collection will be conducted electronically. To participate in the shared space, public health jurisdictions must simply select from drop-down lists to choose their sharing permissions on the BioSense 2.0 application (Attachment 5). Once a jurisdiction chooses to share, the data they dedicate for sharing is automatically electronically transferred from their exclusive, secure space to the shared space on a daily basis. Similarly, VA, DoD, pharmacy, and laboratory data are automatically electronically transferred from their already existing data bases to CDC’s exclusive, secure space on at least a daily basis. This use of improved information technology reduces burden on BioSense 2.0 users sharing data with the CDC BioSense Program.
4 Efforts to Identify Duplication and Use of Similar Information
Recruitment
BioSense 2.0 has taken a user centered approach, so the state, local, and territorial and health departments respond to communication outreach materials and can solicit information themselves on how to join. If they do choose to join The BioSense technical team works to accommodate their specifications for data submission. There is no information other than contact information collected during this process; therefore, information must be collected directly from those applying for use of BioSense 2.0 and would not be available from another source.
Web Application Access
Regarding provision of access to the BioSense 2.0 application, the information must be collected directly from those applying for access and would not be available from another source.
Data Collection
Though there are public health jurisdiction-level syndromic surveillance systems established in some areas of the country (e.g., statewide syndromic surveillance systems in North Carolina – NC DETECT, Ohio – EpiCenter, and New Hampshire – AHEDD), without BioSense 2.0, there would be no syndromic surveillance system that could combine non-federal hospital, VA, DoD, pharmacy and laboratory data to provide public health situation awareness at the national level. This was the case when the BioSense Program was mandated by Congress in 2002, and it is still the case today.
5 Impact on Small businesses or Other Small Entities
Recruitment
This collection of information does not involve small businesses or other small entities.
Web Application Access
This collection of information does not involve small businesses or other small entities.
Data Collection
This collection of information does not involve small businesses or other small entities.
6 Consequences of Collecting the Information Less Frequently
Recruitment and Web Application Access
Regarding addition of new data sources, the connection for data transmission from a hospital, jurisdiction syndromic surveillance system, etc. to BioSense 2.0, is a one-time event. Similarly, registration for BioSense 2.0 application access requires only a one-time collection of information. There are no recurring burdens on the user for these activities. This is a shift from BioSense 1.0 to 2.0, which reduces the burden on the user.
There are no legal obstacles to reducing the burden.
Data Collection
Public health jurisdictions are encouraged to contribute data to the shared space on a voluntary basis. To participate in the shared space, public health jurisdictions must simply select from drop-down lists to choose their sharing permissions on the BioSense 2.0 application (Attachment 5). They must perform this task one time; thereafter, the data they dedicate for sharing is automatically electronically transferred from their exclusive, secure space to the shared space on a daily basis. Regarding VA, DoD, the two national clinical laboratory corporations, and the private sector health information exchange company, they automatically chose to share with CDC when they were recruited to submit data to the BioSense 2.0 cloud environment. Thus, data collection for them encompassed a one-time redirection of their data feed from the Information Technology Services Office’s Mid-Tier Data Center to the BioSense Program’s secure space in the BioSense 2.0 application. As a Congressionally mandated, national, human health surveillance system designed to improve the nation’s capabilities for disease detection, monitoring, and health situational awareness and to provide public health near real-time access to existing information from healthcare encounters for just-in-time public health decision-making, the BioSense Program requires daily feeds from its data sources. Jurisdictions will, however, have the right at any time to revise the level of sharing permissions regarding the data in their secure space.
7 Special Circumstances Relating to the Guidelines of 5 CFR 1320.5
Recruitment
This request fully complies with the regulation 5 CFR 1320.5.
Web Application Access
This request fully complies with the regulation 5 CFR 1320.5.
Data Collection
Data is received by the BioSense Program from public health jurisdictions, DoD, VA, two national clinical laboratories, and a private sector health information exchange company on at least a daily basis, because the Program must have access to electronic health information at this frequency in order to meet the congressional mandate outlined in A.1. Notably, however, the collection of data requires only a one-time initial set-up by the sender; afterward, data is sent in an automatic, electronic transmission that involves no effort on the part of the sender. Other than this exception, the request fully complies with the regulation 5 CFR 1320.5.
8 Comments in Response to the Federal Register Notice and Efforts to Consult Outside the Agency
A.
A 60-day Federal Register Notice was published in the Federal Register on June 6, 2012, vol. 77, No. 109, pp. 33464–33465 (Attachment 2). There were no public comments.
B.
CDC has engaged with external stakeholders throughout the process in various ways. At the beginning of the redesign effort, a Technical Expert Panel (TEP) was engaged to guide and advise during the redesign process. This group comprised of state and local health department representatives, other federal partners, leaders in the public health industry, and other experts in the field. The names and affiliations of the TEP are in Attachment 7. We have also consulted with an Advanced User Panel (AUP) to test new features and garner feedback on the BioSense 2.0 application. The AUP was comprised of 12 users (5 federal and 7 seven non-federal members) (Attachment 7). Further, a series of user feedback opportunities have been released through the BioSense Redesign website (www.biosenseredesign.org). We have also worked closely with our partners in ASTHO, CSTE, NACCHO, and ISDS to gain feedback from their constituencies.
No major data collection problems exist that could not be resolved through these consultations.
9 Explanation of Any Payment or Gift to Respondents
No payment or gift is provided to respondents who provide information for enrolling new public health jurisdictions, who apply for user access to the BioSense 2.0 Application or who provide data to CDC BioSense Program.
10 Assurance of Confidentiality Provided to Respondents
The Privacy Act does not apply to the BioSense Program.
Institutional review board (IRB) review and approval is not necessary for BioSense 2.0, because its surveillance activities are conducted solely to provide national public health situation awareness and are considered public health practice, not research (Attachment 9).
Recruitment
Information collected for recruitment of public health jurisdictions contains first and last names, email addresses, organizational affiliations, and telephone numbers. This information is not considered IIF, because when the information is given, the respondents are acting in professional roles as representatives of their organization. Additionally, this information will be used only internally and only as contact information. This information will not be analyzed or shared.
Web Application Access
Information collected for granting access to the web application contains first and last names, email addresses, organizational affiliations, security questions, and passwords. This information is not considered IIF, because when the information is given, the respondents are acting in professional roles as representatives of their organization. Additionally, this information will be used only internally and only to inform the granting of access to the web application. Only the number of total users of the application or number of users of the application by state might be shared as aggregate application statistics.
Data Collection
The public health jurisdictions, DoD, VA, the national clinical laboratories, or the private sector health information exchange company are not providing CDC with individually identifiable information about their organization, they are providing healthcare encounter data from people seen in their jurisdiction or by their organization. Some of these data do contain combinations of variables that can be considered IIF that is only indirectly identifiable,,such as, Date of birth (month/year), date of death (month/day/year), sex, ethnic group, race, state, zip code, date of visit, and name of facility visited (Attachment 6). However, there are security measures and policies in place that protect the data and prohibit anyone attempting to identify individuals using BioSense data (Attachment 4 and 8). This activity is not research involving human subjects; it is the public health practice of surveillance.
10.1 Privacy Impact Assessment Information
Recruitment and Web Application Access
Gaining a user account and adding a jurisdiction to BioSense 2.0 are both voluntary activities. Individuals or organizations are not mandated to participate. This information is used for communication and access purposes only, and is kept only as long as the individuals or organizations choose to participate in BioSense 2.0.
Data Collection
It is clearly stated in the Information Sharing and Data Use Agreements that are signed by public health jurisdictions that sharing data with other jurisdictions and CDC is voluntary. They consent to the sharing of data by simply choosing their sharing permissions from drop-down lists on the BioSense 2.0. All sharing privileges are at the discretion of the jurisdiction and the administrator therein, and sharing privileges can be changed at any time at the discretion of the administrator.
The data collected is in electronic format and is secured on a cloud-enabled, web-based platform that is in compliance with the Federal Information Security Management Act (FISMA). (Attachment 4 and 8). The BioSense 2.0 application is a FISMA-moderate environment, and has also been through the Certification and Accreditation process performed by CDC security personnel. It does not collect data from state and local health departments that contain PII. All data in the application is aggregated. (Attachment 4 and 8)
The BioSense program completed an HHS Privacy Impact Assessment, and that form was approved by CDC on April, 2011.
11 Justification for Sensitive Questions
Recruitment
There are no questions of a sensitive nature asked in the collection of information for the recruitment of data sources.
Web Application Access
There are no questions of a sensitive nature asked in the collection of information for access to the BioSense application.
Data Collection
There are no questions of a sensitive nature asked of the public health jurisdictions, DoD, VA, the national clinical laboratories, or the private sector health information exchange company during collection of their healthcare encounter data.
12 Estimates of Annualized Burden Hours and Costs
RTI, the contractor participating in recruitment, has provided an estimate of 1 hour per respondent. This encompasses the unstructured conversation between the contractor and the respondent where the contractor discusses the respondent’s various options to connect to the BioSense 2.0 cloud environment and answers questions from the respondent. Thus there is no longer a need for the previously used data collection instrument. This includes state, local, and territorial public health jurisdictions as well as VA, DoD, the two national clinical laboratory corporations, and the private sector health information exchange company. The state, local, and territorial public health jurisdiction number is an average divided over three years. We expect the number to be highest for the first year then decrease in subsequent years with an estimated total of 60 jurisdictions over 3 years.
CDC personnel who have applied for access to the BioSense 2.0 Application provided an estimate of 5/60 hours per respondent. (Attachment 3)
State, local, and territorial public health jurisdictions using the BioSense 2.0 application have the option to participate in the shared space. This activity entails accessing a submenu of the BioSense 2.0 cloud-enabled, web-based platform. The submenu allows respondents to choose with whom to share data and at what level of aggregation from a series of drop-down lists. Based on their expertise in the field and internal trial runs, RTI, the contractor who designed this submenu, provided an estimate of 5/60 hours per respondent. In the table below this is captured under “Data Collection”. (Attachment 5)
VA, DoD, the two national clinical laboratory corporations, and the private sector health information exchange company automatically chose to share with CDC when they were recruited to submit data to the BioSense 2.0 cloud environment. This entails 0 hours of burden per respondent as the data is shared directly with the CDC BioSense Program.
A.12-A. Estimates of Annualized Burden Hours
Type of Respondents |
Number of Respondents |
Number of Responses per Respondent |
Average Burden Per Response (in hours) |
Total Burden (in hours) |
Recruitment |
||||
State, Local, and Territorial Public Health Jurisdictions |
20 |
1 |
1 |
20 |
Federal Government |
2 |
1 |
1 |
2 |
Private Sector (national clinical laboratory corporations, and a private sector health information exchange company) |
3 |
1 |
1 |
3 |
Total |
|
|
|
25 |
Access to BioSense 2.0 Application |
||||
State, Local, and Territorial Public Health Jurisdictions |
200 |
1 |
5/60 |
17 |
Federal Government |
30 |
1 |
5/60 |
3 |
Private Sector |
50 |
1 |
5/60 |
4 |
Total |
|
|
|
24 |
Data Collection |
||||
State, Local, and Territorial Public Health Jurisdictions |
20 |
1 |
5/60 |
2 |
Federal Government |
2 |
0 |
0 |
0 |
Private Sector (national clinical laboratory corporations, and a private sector health information exchange company) |
3 |
0 |
0 |
0 |
Total |
|
|
|
2 |
Overall Total |
|
|
|
51 |
There has been a change in the burden hours from the previous Information Collection Request approved by OMB on 10/13/09. The category “Recruitment” and “Access to BioSense 2.0 Application” both decreased in hours of burden, and the category “Data Collection” was newly added. Even with the addition of a category, the overall total burden hours decreased. The “Recruitment” category decreased in total burden hours, because additional information technologies were added to the application (multiple easy-to-use ways to institute data transfer) that made the previously used extensive spreadsheet for gathering information no longer necessary. Now the information needed is gathered during an unstructured conversation with the respondent. The “Access to BioSense 2.0 Application” decreased in total burden hours, because there is a decreased number of individuals and organizations projected to request access to the application per year. Additionally, the data collection instrument has been changed. Because of the move to the cloud environment, it has become a onetime only activity, so there is no longer a yearly requirement to renew. The “Data Collection” category was added to reflect a change in policy and information technology in the application. There is now an option for public health jurisdictions to choose to share data with others; this activity entails accessing a submenu of the BioSense 2.0 cloud-enabled, web-based platform. The submenu allows respondents to choose with whom to share data and at what level of aggregation from a series of drop-down lists. Because information technology was used, this activity takes very little time, thus adding very few burden hours.
A.12-B. Estimates of Annualized Cost Burden
Type of Respondents |
Number of Respondents |
Number of Responses per Respondent |
Average Burden Per Response (in hours) |
Hourly Wage Rate |
Respondent Cost |
Recruitment |
|||||
State, Local, and Territorial Public Health Jurisdictions |
20 |
1 |
1 |
$37.85 |
$757.00 |
Federal Government |
2 |
1 |
1 |
$37.85 |
$75.70 |
Private Sector (national clinical laboratory corporations, and a private sector health information exchange company) |
3 |
1 |
1 |
$37.85 |
$113.55 |
Total |
|
|
|
|
$946.25 |
Access to BioSense Application |
|||||
State, Local, and Territorial Public Health Jurisdictions |
200 |
1 |
5/60 |
$32.44 |
$551.48 |
Federal Government |
30 |
1 |
5/60 |
$32.44 |
$97.32 |
Private Sector |
50 |
1 |
5/60 |
$32.44 |
$129.76 |
Total |
|
|
|
|
$778.56 |
Data Collection |
|||||
State, Local, and Territorial Public Health Jurisdictions |
20 |
1 |
5/60 |
$32.44 |
$64.88 |
Federal Government |
2 |
1 |
0 |
$32.44 |
$0 |
Private Sector (national clinical laboratory corporations, and a private sector health information exchange company) |
3 |
1 |
0 |
$32.44 |
$0 |
Total |
|
|
|
|
$64.88 |
Overall Total |
|
|
|
|
$1789.69 |
According to the U.S. Department of Labor, Bureau of Labor Statistics, Occupational Employment Statistics, May 2011 National Occupational Employment and Wage Estimates, the mean hourly wage for Computer and Mathematical Occupations is $37.85. This rate is used as the hourly wage rate for respondents to the recruitment survey of prospective data sources because it represents the category of occupations most likely held by the respondents
For data collection and requesting access to the BioSense 2.0 application, the hourly wage rate is taken from the Life, Physical, and Social Science Occupations listed under the U.S. Department of Labor Employment and Wage Estimates because it best represents the occupations of the application’s current and potential users. The mean hourly wage is $32.44.
13 Estimates of Other Total Annual Cost Burden to Respondents or Record Keepers
There are no costs to respondents other than their time.
14 Annualized Cost to the Government
The total cost covered by the maximum 3-year term for OMB clearance will be $28.2M. The annualized cost shown below was estimated by including the known contract costs for FY 2013-2015, the projected value of cooperative agreements for the same time period, and projected salaries and benefits. By switching to the cloud environment, CDC’s BioSense Program will move from spending 80% of its budget on IT costs to spending less than 20% of its budget on IT costs.
A.14-A. Estimates of Annualized Cost Burden
Recruitment |
Cost per year |
Contracts/ Cooperative Agreements |
$3M |
Project Officer (FTE) |
$50,000 |
Access to Application |
|
Contracts |
$1.75M |
Project Officer (FTE) |
$50,000 |
Data Collection |
|
Cooperative Agreement |
$1..75M |
FTE Salaries and Benefits |
$2.8M |
15 Explanation for Program Changes or Adjustments
Recruitment
As noted earlier, the recruitment process has shifted to focus on outreach and education. State and local health departments are now electing to join BioSense 2.0 instead of being solicited by CDC and its conduits. Thus there is no longer a need to use an extensive survey to assess their capabilities to participate. This change is a result of a federal government action to redesign the BioSense Program, and allow for collective ownership by the public health community performing all hazards situation awareness activities.
Web Application Access
As noted earlier, the BioSense 2.0 application is now a FISMA-moderate system, as opposed to BioSense 1.0, which was at a triple-high security setting. The system has passed the CDC C&A process and is secure according to federal NIST regulations (Attachment 4). This reduces the burden on state and local health departments to join BioSense 2.0 and also lowers the burden for individuals attempting to gain user accounts. Thus, there is no longer a need to use the CDC Secure Data Network that mandates permissions be renewed each year. There is now a registration form on the application (http://biosen.se), which users must fill out one time only (Attachment 3).
Data Collection
Under BioSense 2.0, the difference lies primarily in where the data will be stored and how it will be shared. All data submitted by its users will reside not in the CDC owned and operated Information Technology Services Office’s Mid-Tier Data Center but in a cloud-enabled, web-based platform that is in compliance with the Federal Information Security Management Act. ASTHO funded through a cooperative agreement with CDC will contract with a vendor to offer BioSense 2.0 on a voluntary basis to public health jurisdictions for their use. The platform will provide users with an exclusive secure space and tools for posting, receiving, controlling, and analyzing their public health surveillance information. The public health department will retain ownership of any data it contributes to its exclusive secure space, and are not required to share their data with any other BioSense 2.0 users. The BioSense 2.0 cloud will also provide the CDC’s BioSense Program its own exclusive, secure space to receive, store, and analyze data. CDC will receive data directly into this space from DoD, VA, two national-level private sector clinical laboratories, and a private sector health information exchange company.
In addition to providing a secure, exclusive space for use by CDC and secure, exclusive spaces for use by each participating public health jurisdictions, BioSense 2.0 provides a second secure space in the cloud for health departments to share whatever aggregated data they chooses with other participating public health jurisdictions and CDC. Whenever possible, the BioSense Program plans to share aggregate level pharmacy and laboratory data with public health jurisdictions. BioSense 2.0 is designed to promote the contribution of public health data by all users and the appropriate sharing of aggregated data in the shared space. As part of access to the shared space, public health jurisdictions will be required in their Information Sharing and Data Use Agreements with ASTHO to grant CDC access to, at minimum, aggregate level data (city or county or state) that contain the variables ISDS recommended minimum dataset variables from their jurisdiction that have been placed in the shared space, and they agree that CDC may review data contributed to the shared space for public health practice and surveillance purposes. To participate in the shared space, public health jurisdictions must simply select from drop-down lists to choose their sharing permissions on the BioSense 2.0 application, and they will have the right at any time to revise the level of sharing permissions regarding the data in their secure space (Attachment 5).
16 Plans for Tabulation and Publication and Project Time Schedule
Recruitment
Jurisdictions have the potential to begin participating in BioSense 2.0 throughout the duration of the three year authorization requested. The goal is to have over 50 jurisdictions participating in BioSense 2.0 by 2015. Recruitment and outreach information is not reported or published.
Web Application Access
User accounts have the potential to be granted throughout the three year authorization requested. Information collected to grant user accounts is not reported or published.
Data Collection
Once a jurisdiction elects to share, the data they dedicate for sharing is automatically electronically transferred from their exclusive, secure space to the shared space on a daily basis. Similarly, VA, DoD, pharmacy, and laboratory data are automatically electronically transferred from their already existing data bases to CDC’s exclusive, secure space on a daily basis. These data transfers will continue to function unless a public health jurisdiction chooses to revise the level of sharing permissions regarding the data in its secure space or any organization sharing data declines to renew its Data Use Agreement after its 5-year term or decides to terminate their agreement. The BioSense Program is an ongoing program, so we are requesting the maximum 3-year term for OMB clearance.
Regarding analysis, the BioSense Program receives and analyzes data on a daily basis (Monday–Friday) for syndromic surveillance purposes. The Program uses a modified C2 EARS algorithm applied to separately categorized time series of patient visit records using categories chosen to capture predefined syndromes and sub-syndromes of public health interest to assess for the presence of statistical anomalies (statistically significant increases in patient visits). When an anomaly is found, it is reviewed, prioritized, characterized, and if appropriate reported. Reports containing aggregate data are sent to the CDC Emergency Operations Center and involved public health jurisdictions to provide public health situation awareness throughout the course of high profile events and public health emergencies and to VA and DoD if there is an anomaly involving their data that is considered to be of potential public health importance by the Program.
17 Reason(s) Display of OMB Expiration Date is Inappropriate
Recruitment
There is no collection instrument used in this process.
Web Application Access
It would be inappropriate to display an OMB expiration date on the information collection instrument used to request access to the BioSense 2.0 application. The information collection site is a submenu of the BioSense 2.0 cloud-enabled, web-based platform that is not exclusive to sharing data with CDC. This is where people who desire access to the application can apply regardless of whether or not they are sharing data with CDC’s BioSense Program. (Attachment 3)
Data Collection
It would be inappropriate to display an OMB expiration date on the information collection instrument used to voluntarily allow data sharing. The information collection instrument is a submenu of the BioSense 2.0 cloud-enabled, web-based platform that is not exclusive to sharing with CDC. This submenu allows for the selection of sharing with any other public health jurisdictions participating in BioSense 2.0 with or without inclusion of CDC’s BioSense Program. (Attachment 5)
18 Exception to Certification for Paperwork Reduction Act Submissions
Recruitment
There are no exceptions to the certification
Web Application Access
There are no exceptions to the certification
Data Collection
There are no exceptions to the certification
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File Title | BioSense ICR (0920-0824) |
Author | Sherry Burrer |
File Modified | 0000-00-00 |
File Created | 2021-01-30 |