09-10-0019 Mammography Quality Standards Act (MQSA) Training Records, HHS/FDA/CDRH
Mammography Quality Standards Act (MQSA) Training Records, HHS/FDA/CDRH.
Division of Mammography Quality and Radiation Programs, Center for Devices and Radiological Health, 10903 New Hampshire Avenue, WO66 Room 4675, Silver Spring, MD 20993. A current list of contractor sites is available by writing to the System manager, indicated below, at this address.
Categories of individuals covered by the system:
All individuals who receive training for the purpose of implementing the Mammography Quality Standards Act of 1992; individuals who successfully complete the training will become certified to conduct inspections and audits of mammograph facilities.
Categories of records in the system:
Contains name; date of birth; education; professional experience; employment address; dates of mammography training; participant's test scores, class grades, and an analysis of those scores; dates of certification of the inspector; dates of renewal or withdrawal of certification; and an evaluation of the inspector's field performance (records of complaints received and how the complaints received and how the complaints were resolved).
Authority for maintenance of the system:
Pub. L. 102–539, the Mammography Quality Standards Act (MQSA) of 1992 (42 U.S.C. 263b).
To provide the Food and Drug Administration (FDA) with information about the training, certification, and recertification of MQSA inspectors for the purpose of implementing the Mammography Quality Standards Act of 1992.
Routine uses of records maintained in the system, including categories of users and the purposes of such uses:
1. Disclosure may be made to a congressional office from the records of an individuals, in response to an inquiry from the congressional office made at the request of that individual.
2. The Department of Health and Human Services (HHS) may disclose information from this system of records to the Department of Justice, or to a court or other tribunal, when
(a) HHS, or any component thereof; or
(b) Any HHS employee in his or her official capacity; or
(c) Any HHS employee in his or her official capacity where the Department of Justice (or HHS, where it is authorized to do so) has agreed to represent the employee; or
(d) The United States or any agency thereof where HHS determines that the litigation is likely to affect HHS or any of its components.
is a party to litigation or has an interest to such litigation, and HHS determines that the use of such records by the Department of Justice, the court or other tribunal, is relevant and necessary to the litigation and would help in the effective representation of the governmental party, provided, however, that in each case, HHS determines that such disclosure is compatible with the purpose for which the records were collected.
3. Disclosure may be made with the individual's supervisor since MQSA inspections will be a significant part of many inspector's jobs; therefore, performance in the training courses is an importance element of information to help the supervisor determine employee assignments as well as the level of supervision needed.
4. Disclosure may be made to contractors for the purpose of collecting, compiling, aggregating, analyzing, or refining records in the system. Contractors will be required to maintain Privacy Act safeguards with respect to such records.
Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system:
Data are maintained in hard copy files and on computer disks, hard drive, and file servers.
Indexed by name, state, specific courses, training dates, grades, date of certification, and date of withdrawal of certification.
1. Authorized users: Personnel of the Division of Mammography Quality Reporting Program who are engaged in training the individuals who inspect mammography facilities, and personnel in the Division who compile and analyze the test and personal data of the students.
2. Physical safeguards: All records (such as disketts, computer listings, or documents) are kept in a secured area, locked rooms, and locked building. The facility has a 24–hour guard service, and access to the building is further controlled by an operational card key system. Access to the computer room is limited to a subset of persons with general access to the building. Access to individual offices is controlled by simplex locks. The building has smoke/fire detectors; the computer room has additional smoke/fire detectors plus water, temperature, and humidity sensors. The computers room hasan uninterruptible power supply and a power supply and a power conditioning system.
3.Procedural safeguards: End users and system professionals continue to receive regular training in information systems security and have signed an agreement indicating their cooperation with FDA policies. Users are further instructed on system security during training sessions for this application and in accordance with the Privacy Act. Users of personal information in the performance of their duties have been instructed to protect personal information from public views and from unauthorized personnel.
All reports containing confidential data are marked "confidential" and placed in the developer's or system manager's mail slot, which is located in an access–controlled room. CDRH SOP requires that all reports containing confidential information be shredded before disposal.
4. Technical safeguards: All users have individual IDS and regularly expiring passwords at least 6 characters long. All users are assigned specific levels of database control based on their needs and authority. All users of valid IDs and passwords will be monitored. Upon job change, the user's authorization is reviewed and updated as necessary.
All changes to data, as well as the time of change and the operator's ID are captured in a file as part of the database design. All data entered online is edited checked.
The system's intrusion alarms, which list all logins and their source, are monitored daily by the Information Systems Security Officer. In addition, CDRH maintains commercial auditing software that permit logging of keystrokes by individual accounts.
CDRH maintains three audits trails for this system:
1. System–wide intrusion alarms and file access notices.
2. Application–dependent logging of all data transactions.
3. Commercial software that permits capturing all keystrokes from suspicious accounts and terminals.
All systems in support of this database are under the control of CDRH and meet the same security standards as the application.
5. Inplementation guidelines: Safeguards are established in accordance with Chapter 45–13 and PHS hf:45–13 of the Department's General Administration Manual and the Department's Automated Information Systems Security Handbook.
Retention and disposal:
Records are retained for five years after the certificed MQSA inspector leaves government service. At the end of five years, in individual's paper records are shredded and automated records are erased.
System manager(s) and address:
Director, Division of Mammography Quality and Radiation Programs (HFZ–240), Center for Devices and Radiological Health, 1350 Piccard Drive, Rockville, Maryland 20850.
An individual may learn if a record exists about him or her upon written request, with notarized signature if request is made by mail, or with identification if request is made in person, directed to:
FDA Privacy Act Coordinator (HF1–30), Food and Drug Administration, 5600 Fishers Lane, Rockville, MD 20857.
Record access procedures:
Same as notification procedure. Requests should also reasonably specify the record contents being sought. You may also request an accounting of disclosures that have been made of your record, if any.
Contesting record procedures:
Contact the official at the address specified under notification procedure above and reasonably identify the record, specify the information being contested, the corrective action sought, and your reasons for requesting the correction, along with supporting information to show how the record is inaccurate, incomplete, untimely, or irrelevant.
Record source categories:
Individuals on whom the record is maintained and training records pertaining to that individual. Information about certification renewal or withdrawal is generated in–house by the Division of Mammography Quality and Radiation Programs. Sources of information about field performance could include the inspector's supervisor, as well as any investigation of an inspector's performance as a result of an inspector's performance as a result of complaints by a mammography facility.