Privacy Act of 1974: Report of Modified System of Records, 12801-12806 [E7-4889]
Download as PDF
<![CDATA[
Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Notices
B. Federal Reserve Bank of Chicago
(Patrick M. Wilder, Assistant Vice
President) 230 South LaSalle Street,
Chicago, Illinois 60690-1414:
1. 1st Source Corporation, South
Bend, Indiana; to acquire 100 percent of
the voting shares of FINA Bancorp, Inc.,
Valparaiso, Indiana, and thereby
indirectly acquire First National Bank of
Valparaiso, Valparaiso, Indiana.
C. Federal Reserve Bank of San
Francisco (Tracy Basinger, Director,
Regional and Community Bank Group)
101 Market Street, San Francisco,
California 94105-1579:
1. Belvedere SoCal, San Francisco,
California; to become a bank holding
company by acquiring 100 percent of
the voting shares of Professional
Business Bank, Pasadena, California. In
connection with this application,
Belvedere Capital Partners II, LLC, and
Belvedere Capital Fund II, LP, San
Francisco, California, will indirectly
acquire up to 58 percent of the voting
shares of Professional Business Bank,
Pasadena, California.
Board of Governors of the Federal Reserve
System, March 14, 2007.
Robert deV. Frierson,
Deputy Secretary of the Board.
[FR Doc. E7–4970 Filed 3–16–07; 8:45 am]
bank holding companies may be
obtained from the National Information
Center website at www.ffiec.gov/nic/.
Unless otherwise noted, comments
regarding the applications must be
received at the Reserve Bank indicated
or the offices of the Board of Governors
not later than April 3, 2007.
A. Federal Reserve Bank of
Richmond (A. Linwood Gill, III, Vice
President) 701 East Byrd Street,
Richmond, Virginia 23261-4528:
1. PSB Holding Corp., Preston,
Maryland; to engage de novo through its
subsidiary, Community Bank Mortgage
Corporation, Easton, Maryland, in the
origination and sale of residential
mortgage loans to the secondary market,
pursuant to section 225.28(b)(1) of
Regulation Y.
Board of Governors of the Federal Reserve
System, March 14, 2007.
Robert deV. Frierson,
Deputy Secretary of the Board.
[FR Doc. E7–4971 Filed 3–16–07; 8:45 am]
BILLING CODE 6210–01–S
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
BILLING CODE 6210–01–S
Centers for Medicare & Medicaid
Services
FEDERAL RESERVE SYSTEM
Privacy Act of 1974: Report of Modified
System of Records
Department of Health and
Human Services (HHS), Centers for
Medicare & Medicaid Services (CMS).
ACTION: Notice of Modified System of
Records (SOR).
ycherry on PROD1PC64 with NOTICES
Notice of Proposals to Engage in
Permissible Nonbanking Activities or
to Acquire Companies that are
Engaged in Permissible Nonbanking
Activities
AGENCY:
The companies listed in this notice
have given notice under section 4 of the
Bank Holding Company Act (12 U.S.C.
1843) (BHC Act) and Regulation Y (12
CFR Part 225) to engage de novo, or to
acquire or control voting securities or
assets of a company, including the
companies listed below, that engages
either directly or through a subsidiary or
other company, in a nonbanking activity
that is listed in § 225.28 of Regulation Y
(12 CFR 225.28) or that the Board has
determined by Order to be closely
related to banking and permissible for
bank holding companies. Unless
otherwise noted, these activities will be
conducted throughout the United States.
Each notice is available for inspection
at the Federal Reserve Bank indicated.
The notice also will be available for
inspection at the offices of the Board of
Governors. Interested persons may
express their views in writing on the
question whether the proposal complies
with the standards of section 4 of the
BHC Act. Additional information on all
SUMMARY: In accordance with the
requirements of the Privacy Act of 1974,
we are proposing to modify a SOR
titled, ‘‘Long Term Care-Minimum Data
Set’’ (MDS), System No. 09–70–1517,
most recently modified at 67 FR 6714
(February 13, 2002). We propose to
assign a new CMS identification number
to this system to simplify the obsolete
and confusing numbering system
originally designed to identify the
Bureau, Office, or Center that
maintained information in the Health
Care Financing Administration systems
of records. The new identifying number
for this system should read: System No.
09–70–0528.
We propose to modify existing routine
use number 1 that permits disclosure to
agency contractors and consultants to
include disclosure to CMS grantees who
perform a task for the agency. CMS
grantees, charged with completing
projects or activities that require CMS
data to carry out that activity, are
classified separate from CMS
VerDate Aug<31>2005
15:50 Mar 16, 2007
Jkt 211001
PO 00000
Frm 00050
Fmt 4703
Sfmt 4703
12801
contractors and/or consultants. The
modified routine use will remain as
routine use number 1. We also propose
to modify existing routine use number
3 that permits disclosure to Peer Review
Organizations (PRO). The name of PROs
has been changed to read: ‘‘Quality
Improvement Organizations (QIO).’’
QIOs will continue work to implement
quality improvement programs, provide
consultation to CMS, its contractors,
and to state agencies. The modified
routine use will remain as routine use
number 3.
We will delete routine use number 6
authorizing disclosure to support
constituent requests made to a
congressional representative. If an
authorization for the disclosure has
been obtained from the data subject,
then no routine use is needed. The
Privacy Act allows for disclosures with
the ‘‘prior written consent’’ of the data
subject.
We are modifying the language in the
remaining routine uses to provide a
proper explanation as to the need for the
routine use and to provide clarity to
CMS’s intention to disclose individualspecific information contained in this
system. The routine uses will then be
prioritized and reordered according to
their usage. We will also take the
opportunity to update any sections of
the system that were affected by the
recent reorganization or because of the
impact of the Medicare Prescription
Drug, Improvement, and Modernization
Act of 2003 (MMA) (Pub. L. 108–173)
provisions and to update language in
the administrative sections to
correspond with language used in other
CMS SORs.
The primary purpose of the system is
to aid in the administration of the
survey and certification, and payment of
Medicare Long Term Care services,
which include skilled nursing facilities
(SNFs), nursing facilities (NFs) SNFs/
NFs, and hospital swing beds, and to
study the effectiveness and quality of
care given in those facilities.
Information in this system will also be
used to: (1) Support regulatory,
reimbursement, and policy functions
performed within the Agency or by a
contractor or consultant; (2) assist
another Federal or state agency, agency
of a state government, an agency
established by state law, or its fiscal
agent; (3) support Quality Improvement
Organizations (QIO); (4) assist other
insurers for processing individual
insurance claims; (5) facilitate research
on the quality and effectiveness of care
provided, as well as payment related
projects; (6) support litigation involving
the Agency; (7) assist national
accrediting organizations; and (8)
E:\FR\FM\19MRN1.SGM
19MRN1
12802
Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Notices
combat fraud, waste, and abuse in
certain health benefits programs. We
have provided background information
about the modified system in the
SUPPLEMENTARY INFORMATION section
below. Although the Privacy Act
requires only that CMS provide an
opportunity for interested persons to
comment on the proposed routine uses,
CMS invites comments on all portions
of this notice. See ‘‘Effective Dates’’
section for comment period.
DATES: Effective Dates: CMS filed a
modified system report with the Chair
of the House Committee on Government
Reform and Oversight, the Chair of the
Senate Committee on Homeland
Security and Governmental Affairs, and
the Administrator, Office of Information
and Regulatory Affairs, Office of
Management and Budget (OMB) on
February 22, 2007. To ensure that all
parties have adequate time in which to
comment, the modified SOR, including
routine uses, will become effective 40
days from the publication of the notice,
or from the date it was submitted to
OMB and the Congress, whichever is
later, unless CMS receives comments
that require alterations to this notice.
ADDRESSES: The public should address
comments to: CMS Privacy Officer,
Division of Privacy Compliance,
Enterprise Architecture and Strategy
Group, Office of Information Services,
CMS, Room N2–04–27, 7500 Security
Boulevard, Baltimore, Maryland 21244–
1850. Comments received will be
available for review at this location, by
appointment, during regular business
hours, Monday through Friday from 9
a.m.–3 p.m., Eastern Time zone.
FOR FURTHER INFORMATION CONTACT: Tina
Miller, Health Insurance Specialist,
Division of Nursing Homes, Survey and
Certification Group, Center for Medicaid
and State Operations, CMS, Mail stop
S2–12–25, 7500 Security Boulevard,
Baltimore, Maryland 21244–1850. The
telephone number is (410) 786–6735 or
e-mail Tina.Miller@cms.hhs.gov.
SUPPLEMENTARY INFORMATION:
I. Description of the Modified System
ycherry on PROD1PC64 with NOTICES
A. Statutory and Regulatory Basis for
System
Authority for maintenance of the
system is given under §§ 1102(a),
1819(b) (3)(A), 1819(f), 1919(b)(3)(A),
1919(f), and 1864 of the Social Security
Act.
B. Collection and Maintenance of Data
in the System
The system contains information on
residents in all long-term care facilities
that are Medicare and/or Medicaid
certified, including private pay
VerDate Aug<31>2005
15:50 Mar 16, 2007
Jkt 211001
individuals including but not limited to
Medicare enrollment and entitlement,
and Medicare Secondary Payer (MSP)
data containing other party liability
insurance information necessary for
appropriate Medicare claim payment.
The system also contains the
individual’s health insurance numbers,
name, geographic location, race/
ethnicity, sex, and date of birth, hospice
election, premium billing and
collection, direct billing information,
and group health plan enrollment data.
a. Establish administrative, technical,
and physical safeguards to prevent
unauthorized use of disclosure of the
record;
b. Remove or destroy at the earliest
time all patient-identifiable information;
and
c. Agree to not use or disclose the
information for any purpose other than
the stated purpose under which the
information was disclosed.
4. Determines that the data are valid
and reliable.
II. Agency Policies, Procedures, and
Restrictions on the Routine Use
A. The Privacy Act permits us to
disclose information without an
individual’s consent if the information
is to be used for a purpose that is
compatible with the purpose(s) for
which the information was collected.
Any such disclosure of data is known as
a ‘‘routine use.’’ The government will
only release MDS information that can
be associated with an individual as
provided for under ‘‘Section III.
Proposed Routine Use Disclosures of
Data in the System.’’ Both identifiable
and non-identifiable data may be
disclosed under a routine use. We will
only disclose the minimum personal
data necessary to achieve the purpose of
MDS.
CMS has the following policies and
procedures concerning disclosures of
information that will be maintained in
the system. Disclosure of information
from the system will be approved only
to the extent necessary to accomplish
the purpose of the disclosure and only
after CMS:
1. Determines that the use or
disclosure is consistent with the reason
that the data is being collected, e.g., to
aid in the administration of the survey
and certification, and payment of
Medicare Long Term Care services,
which include skilled nursing facilities
(SNFs), nursing facilities (NFs) SNFs/
NFs, and hospital swing beds, and to
study the effectiveness and quality of
care given in those facilities.
2. Determines that:
a. The purpose for which the
disclosure is to be made can only be
accomplished if the record is provided
in individually identifiable form;
b. The purpose for which the
disclosure is to be made is of sufficient
importance to warrant the effect and/or
risk on the privacy of the individual that
additional exposure of the record might
bring; and
c. There is a strong probability that
the proposed use of the data would in
fact accomplish the stated purpose(s).
3. Requires the information recipient
to:
III. Modified Routine Use Disclosures of
Data in the System
PO 00000
Frm 00051
Fmt 4703
Sfmt 4703
A. Entities Who May Receive
Disclosures Under Routine Use
These routine uses specify
circumstances, in addition to those
provided by statute in the Privacy Act
of 1974, under which CMS may release
information from the MDS without the
consent of the individual to whom such
information pertains. Each proposed
disclosure of information under these
routine uses will be evaluated to ensure
that the disclosure is legally
permissible, including but not limited to
ensuring that the purpose of the
disclosure is compatible with the
purpose for which the information was
collected. We have provided a brief
explanation of the routine uses we are
proposing to establish or modify for
disclosures of information maintained
in the system:
1. To support Agency contractors,
consultants, or grantees who have been
contracted by the Agency to assist in
accomplishment of a CMS function
relating to the purposes for this system
and who need to have access to the
records in order to assist CMS.
We contemplate disclosing
information under this routine use only
in situations in which CMS may enter
into a contractual or similar agreement
with a third party to assist in
accomplishing CMS functions relating
to purposes for this system.
CMS occasionally contracts out
certain of its functions when this would
contribute to effective and efficient
operations. CMS must be able to give
contractors, consultants, or grantees
whatever information is necessary for
contractors, consultants, or grantees to
fulfill their duties. In these situations,
safeguards are provided in the contract
prohibiting contractors, consultants, or
grantees from using or disclosing the
information for any purpose other than
that described in the contract and to
return or destroy all information at the
completion of the contract.
2. To assist another Federal or state
agency, agency of a state government, an
E:\FR\FM\19MRN1.SGM
19MRN1
ycherry on PROD1PC64 with NOTICES
Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Notices
agency established by state law, or its
fiscal agent to:
a. Contribute to the accuracy of CMS’s
proper payment of Medicare benefits.
b. Enable such agency to administer a
Federal health benefits program, or as
necessary to enable such agency to
fulfill a requirement of a Federal statute
or regulation that implements a health
benefits program funded in whole or in
part with Federal funds, and/or
c. Assist Federal/state Medicaid
programs within the state.
Other Federal or state agencies in
their administration of a Federal health
program may require MDS information
in order to support evaluations and
monitoring of Medicare claims
information of beneficiaries, including
proper reimbursement for services
provided.
In addition, other state agencies in
their administration of a Federal health
program may require MDS information
for the purposes of determining,
evaluating and/or assessing cost,
effectiveness, and/or the quality of
health care services provided in the
state.
The Social Security Administration
may require MDS data to enable them to
assist in the implementation and
maintenance of the Medicare program.
Disclosure under this routine use
shall be used by state Medicaid agencies
pursuant to agreements with the HHS
for determining Medicaid and Medicare
eligibility, for quality control studies,
for determining eligibility of recipients
of assistance under Titles IV, XVIII, and
XIX of the Act, and for the
administration of the Medicaid program.
Data will be released to the state only on
those individuals who are patients
under the services of a Medicaid
program within the state or who are
residents of that state.
We also contemplate disclosing
information under this routine use in
situations in which state auditing
agencies require MDS information for
auditing state Medicaid eligibility
considerations. CMS may enter into an
agreement with state auditing agencies
to assist in accomplishing functions
relating to purposes for this system.
3. To assist Quality Improvement
Organizations (QIO) in connection with
review of claims, or in connection with
studies or other review activities,
conducted pursuant to Part B of Title XI
of the Act and in performing affirmative
outreach activities to individuals for the
purpose of establishing and maintaining
their entitlement to Medicare benefits or
health insurance plans.
QIOs will work to implement quality
improvement programs, provide
consultation to CMS, its contractors,
VerDate Aug<31>2005
15:50 Mar 16, 2007
Jkt 211001
and to state agencies. QIOs will assist
state agencies and CMS intermediaries
in program integrity assessments and
preparation of summary information for
release to CMS.
4. To assist insurance companies,
underwriters, third party administrators
(TPA), employers, self-insurers, group
health plans, health maintenance
organizations (HMO), health and
welfare benefit funds, managed care
organizations, other supplemental
insurers, non-coordinating insurers,
multiple employer trusts, liability
insurers, no-fault medical automobile
insurers, workers compensation carriers
or plans, other groups providing
protection against medical expenses
without the beneficiary’s authorization,
and any entity having knowledge of the
occurrence of any event affecting (a) an
individual’s right to any such benefit or
payment, or (b) the initial right to any
such benefit or payment, for the purpose
of coordination of benefits with the
Medicare program and implementation
of the MSP provision at 42 U.S.C. 1395y
(b). Information to be disclosed shall be
limited to Medicare utilization data
necessary to perform that specific
function. In order to receive the
information, they must agree to:
a. Certify that the individual about
whom the information is being provided
is one of its insured or employees, or is
insured and/or employed by another
entity for whom they serve as a TPA;
b. Utilize the information solely for
the purpose of processing the
individual’s insurance claims; and
c. Safeguard the confidentiality of the
data and prevent unauthorized access.
Other insurers may require MDS
information in order to support
evaluations and monitoring of Medicare
claims information of beneficiaries,
including proper reimbursement for
services provided.
5. To support an individual or
organization for research, evaluation, or
epidemiological projects related to the
prevention of disease or disability, the
restoration or maintenance of health, or
payment related projects.
MDS data will provide research,
evaluations and epidemiological
projects, a broader, longitudinal,
national perspective of the status of
Medicare beneficiaries. CMS anticipates
that many researchers will have
legitimate requests to use these data in
projects that could ultimately improve
the care provided to Medicare
beneficiaries and the policy that governs
the care.
6. To support the Department of
Justice (DOJ), court or adjudicatory body
when:
PO 00000
Frm 00052
Fmt 4703
Sfmt 4703
12803
a. The Agency or any component
thereof, or
b. Any employee of the Agency in his
or her official capacity, or
c. Any employee of the Agency in his
or her individual capacity where the
DOJ has agreed to represent the
employee, or
d. The United States Government is a
party to litigation or has an interest in
such litigation, and by careful review,
CMS determines that the records are
both relevant and necessary to the
litigation and that the use of such
records by the DOJ, court or
adjudicatory body is compatible with
the purpose for which the agency
collected the records.
Whenever CMS is involved in
litigation, or occasionally when another
party is involved in litigation and CMS’s
policies or operations could be affected
by the outcome of the litigation, CMS
would be able to disclose information to
the DOJ, court or adjudicatory body
involved.
7. To support a national accrediting
organization whose accredited facilities
are presumed to meet certain Medicare
requirements for inpatient hospital
(including swing beds) services; e.g., the
Joint Commission for the Accrediting of
Healthcare Organizations (JCAHO).
Information will be released to
accrediting organizations only for those
facilities that they accredit and that
participate in the Medicare program.
CMS anticipates providing those
national accrediting organizations with
MDS information to enable them to
target potential or identified problems
during the organization’s accreditation
review process of that facility.
8. To assist a CMS contractor
(including, but not limited to fiscal
intermediaries and carriers) that assists
in the administration of a CMSadministered health benefits program,
or to a grantee of a CMS-administered
grant program, when disclosure is
deemed reasonably necessary by CMS to
prevent, deter, discover, detect,
investigate, examine, prosecute, sue
with respect to, defend against, correct,
remedy, or otherwise combat fraud,
waste or abuse in such program.
We contemplate disclosing
information under this routine use only
in situations in which CMS may enter
into a contract or grant with a third
party to assist in accomplishing CMS
functions relating to the purpose of
combating fraud, waste, and abuse.
CMS occasionally contracts out
certain of its functions when doing so
would contribute to effective and
efficient operations. CMS must be able
to give a contractor or grantee whatever
information is necessary for the
E:\FR\FM\19MRN1.SGM
19MRN1
12804
Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Notices
contractor or grantee to fulfill the
contractor or grantee duties. In these
situations, safeguards are provided in
the contract prohibiting the contractor
or grantee from using or disclosing the
information for any purpose other than
that described in the contract and
requiring the contractor or grantee to
return or destroy all information.
9. To assist another Federal agency or
to an instrumentality of any
governmental jurisdiction within or
under the control of the United States
(including any state or local
governmental agency), that administers,
or that has the authority to investigate
potential fraud, waste, or abuse in a
health benefits program funded in
whole or in part by Federal funds, when
disclosure is deemed reasonably
necessary by CMS to prevent, deter,
discover, detect, investigate, examine,
prosecute, sue with respect to, defend
against, correct, remedy, or otherwise
combat fraud, waste, or abuse in such
programs.
Other agencies may require MDS
information for the purpose of
combating fraud, waste, and abuse in
such Federally-funded programs.
ycherry on PROD1PC64 with NOTICES
B. Additional Circumstances Affecting
Routine Use Disclosures
To the extent this system contains
Protected Health Information (PHI) as
defined by HHS regulation ‘‘Standards
for Privacy of Individually Identifiable
Health Information’’ (45 CFR parts 160
and 164, subparts A and E) 65 FR 82462
(12–28–00). Disclosures of such PHI that
are otherwise authorized by these
routine uses may only be made if, and
as, permitted or required by the
‘‘Standards for Privacy of Individually
Identifiable Health Information.’’ (See
45 CFR 164–512(a)(1)).
In addition, our policy will be to
prohibit release even of data not directly
identifiable, except pursuant to one of
the routine uses or if required by law,
if we determine there is a possibility
that an individual can be identified
through implicit deduction based on
small cell sizes (instances where the
patient population is so small that
individuals could, because of the small
size, use this information to deduce the
identity of the beneficiary).
IV. Safeguards
CMS has safeguards in place for
authorized users and monitors such
users to ensure against unauthorized
use. Personnel having access to the
system have been trained in the Privacy
Act and information security
requirements. Employees who maintain
records in this system are instructed not
to release data until the intended
VerDate Aug<31>2005
15:50 Mar 16, 2007
Jkt 211001
recipient agrees to implement
appropriate management, operational
and technical safeguards sufficient to
protect the confidentiality, integrity and
availability of the information and
information systems and to prevent
unauthorized access.
This system will conform to all
applicable Federal laws and regulations
and Federal, HHS, and CMS policies
and standards as they relate to
information security and data privacy.
These laws and regulations include but
are not limited to: The Privacy Act of
1974; the Federal Information Security
Management Act of 2002; the Computer
Fraud and Abuse Act of 1986; the
Health Insurance Portability and
Accountability Act of 1996; the EGovernment Act of 2002, the ClingerCohen Act of 1996; the Medicare
Modernization Act of 2003, and the
corresponding implementing
regulations. OMB Circular A–130,
Management of Federal Resources,
Appendix III, Security of Federal
Automated Information Resources also
applies. Federal, HHS, and CMS
policies and standards include but are
not limited to: All pertinent NIST
publications; the HHS Automated
Information Systems Security Handbook
and the CMS Information Security
Handbook.
V. Effect of the Modified System on
Individual Rights
CMS proposes to establish this system
in accordance with the principles and
requirements of the Privacy Act and will
collect, use, and disseminate
information only as prescribed therein.
CMS will only disclose the minimum
personal data necessary to achieve the
purposes of MDS. Disclosure of
information from the system will be
approved only to the extent necessary to
accomplish the purpose of the
disclosure. CMS has assigned a high
level of security clearance for the
information maintained in this system
in an effort to provide added security
and protection of data.
CMS will take precautionary
measures to minimize the risks of
unauthorized access to the records and
the potential harm to individual privacy
or other personal or property rights.
CMS will collect only that information
necessary to perform the system’s
functions. In addition, CMS will make
disclosure from the proposed system
only with consent of the subject
individual, or his/her legal
representative, or in accordance with an
applicable exception provision of the
Privacy Act. CMS, therefore, does not
anticipate an unfavorable effect on
individual privacy as a result of the
PO 00000
Frm 00053
Fmt 4703
Sfmt 4703
disclosure of information relating to
individuals.
Dated: February 22, 2007.
Charlene Frizzera,
Acting Chief Operating Officer, Centers for
Medicare & Medicaid Services.
System No. 09–70–0528
SYSTEM NAME:
‘‘Long Term Care-Minimum Data Set
(MDS),’’ Department of Health and
Human Services (HHS)/Centers for
Medicare & Medicaid Services (CMS)/
Center for Medicaid and State
Operations (CMSO).
SECURITY CLASSIFICATION:
Level Three Privacy Act Sensitive.
SYSTEM LOCATION:
CMS Data Center, 7500 Security
Boulevard, North Building, First Floor,
Baltimore, Maryland 21244–1850, and
at various other remote locations.
CATEGORIES OF INDIVIDUALS COVERED BY THE
SYSTEM:
The system contains information on
residents in all long-term care facilities
that are Medicare and/or Medicaid
certified, including private pay
individuals including but not limited to
Medicare enrollment and entitlement,
and Medicare Secondary Payer (MSP)
data containing other party liability
insurance information necessary for
appropriate Medicare claim payment.
CATEGORIES OF RECORDS IN THE SYSTEM:
The system also contains the
individual’s health insurance numbers,
name, geographic location, race/
ethnicity, sex, and date of birth, hospice
election, premium billing and
collection, direct billing information,
and group health plan enrollment data.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Authority for maintenance of the
system is given under of §§ 1102(a),
1819(b)(3)(A), 1819(f), 919(b)(3)(A),
1919(f), and 1864 of the Social Security
Act.
PURPOSE(S) OF THE SYSTEM:
The primary purpose of the system is
to aid in the administration of the
survey and certification, and payment of
Medicare Long Term Care services,
which include skilled nursing facilities
(SNFs), nursing facilities (NFs) SNFs/
NFs, and hospital swing beds, and to
study the effectiveness and quality of
care given in those facilities.
Information in this system will also be
used to: (1) Support regulatory,
reimbursement, and policy functions
performed within the Agency or by a
contractor or consultant; (2) assist
E:\FR\FM\19MRN1.SGM
19MRN1
Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Notices
another Federal or state agency, agency
of a state government, an agency
established by state law, or its fiscal
agent; (3) support Quality Improvement
Organizations (QIO); (4) assist other
insurers for processing individual
insurance claims; (5) facilitate research
on the quality and effectiveness of care
provided, as well as payment related
projects; (6) support litigation involving
the Agency; (7) assist national
accrediting organizations; and (8)
combat fraud, waste, and abuse in
certain health benefits programs.
ycherry on PROD1PC64 with NOTICES
ROUTINE USES OF RECORDS MAINTAINED IN THE
SYSTEM, INCLUDING CATEGORIES OR USERS AND
THE PURPOSES OF SUCH USES:
A. Entities Who May Receive
Disclosures under Routine Use
These routine uses specify
circumstances, in addition to those
provided by statute in the Privacy Act
of 1974, under which CMS may release
information from the MDS without the
consent of the individual to whom such
information pertains. Each proposed
disclosure of information under these
routine uses will be evaluated to ensure
that the disclosure is legally
permissible, including but not limited to
ensuring that the purpose of the
disclosure is compatible with the
purpose for which the information was
collected. We have provided a brief
explanation of the routine uses we are
proposing to establish or modify for
disclosures of information maintained
in the system:
1. To support Agency contractors,
consultants, or grantees who have been
contracted by the Agency to assist in
accomplishment of a CMS function
relating to the purposes for this system
and who need to have access to the
records in order to assist CMS.
2. To assist another Federal or state
agency, agency of a state government, an
agency established by state law, or its
fiscal agent to:
a. Contribute to the accuracy of CMS’s
proper payment of Medicare benefits.
b. Enable such agency to administer a
Federal health benefits program, or as
necessary to enable such agency to
fulfill a requirement of a Federal statute
or regulation that implements a health
benefits program funded in whole or in
part with Federal funds, and/or
c. Assist Federal/state Medicaid
programs within the state.
3. To support Quality Improvement
Organizations (QIO) in connection with
review of claims, or in connection with
studies or other review activities,
conducted pursuant to Part B of Title XI
of the Act and in performing affirmative
outreach activities to individuals for the
purpose of establishing and maintaining
VerDate Aug<31>2005
15:50 Mar 16, 2007
Jkt 211001
their entitlement to Medicare benefits or
health insurance plans.
4. To assist insurance companies,
underwriters, third party administrators
(TPA), employers, self-insurers, group
health plans, health maintenance
organizations (HMO), health and
welfare benefit funds, managed care
organizations, other supplemental
insurers, non-coordinating insurers,
multiple employer trusts, liability
insurers, no-fault medical automobile
insurers, workers compensation carriers
or plans, other groups providing
protection against medical expenses
without the beneficiary’s authorization,
and any entity having knowledge of the
occurrence of any event affecting (a) an
individual’s right to any such benefit or
payment, or (b) the initial right to any
such benefit or payment, for the purpose
of coordination of benefits with the
Medicare program and implementation
of the MSP provision at 42 U.S.C. 1395y
(b). Information to be disclosed shall be
limited to Medicare utilization data
necessary to perform that specific
function. In order to receive the
information, they must agree to:
a. Certify that the individual about
whom the information is being provided
is one of its insured or employees, or is
insured and/or employed by another
entity for whom they serve as a TPA;
b. Utilize the information solely for
the purpose of processing the
individual’s insurance claims; and
c. Safeguard the confidentiality of the
data and prevent unauthorized access.
5. To support an individual or
organization for research, evaluation, or
epidemiological projects related to the
prevention of disease or disability, the
restoration or maintenance of health, or
payment related projects.
6. To assist the Department of Justice
(DOJ), court or adjudicatory body when:
a. The Agency or any component
thereof, or
b. Any employee of the Agency in his
or her official capacity, or
c. Any employee of the Agency in his
or her individual capacity where the
DOJ has agreed to represent the
employee, or
d. The United States Government is a
party to litigation or has an interest in
such litigation, and by careful review,
CMS determines that the records are
both relevant and necessary to the
litigation and that the use of such
records by the DOJ, court or
adjudicatory body is compatible with
the purpose for which the agency
collected the records.
7. To support a national accrediting
organization whose accredited facilities
are presumed to meet certain Medicare
requirements for inpatient hospital
PO 00000
Frm 00054
Fmt 4703
Sfmt 4703
12805
(including swing beds) services; e.g., the
Joint Commission for the Accrediting of
Healthcare Organizations (JCAHO).
Information will be released to
accrediting organizations only for those
facilities that they accredit and that
participate in the Medicare program.
8. To assist CMS contractor
(including, but not limited to fiscal
intermediaries and carriers) that assists
in the administration of a CMSadministered health benefits program,
or to a grantee of a CMS-administered
grant program, when disclosure is
deemed reasonably necessary by CMS to
prevent, deter, discover, detect,
investigate, examine, prosecute, sue
with respect to, defend against, correct,
remedy, or otherwise combat fraud,
waste, or abuse in such program.
9. To support another Federal agency
or to an instrumentality of any
governmental jurisdiction within or
under the control of the United States
(including any state or local
governmental agency), that administers,
or that has the authority to investigate
potential fraud, waste, or abuse in a
health benefits program funded in
whole or in part by Federal funds, when
disclosure is deemed reasonably
necessary by CMS to prevent, deter,
discover, detect, investigate, examine,
prosecute, sue with respect to, defend
against, correct, remedy, or otherwise
combat fraud, waste, or abuse in such
programs.
B. Additional Circumstances
Affecting Routine Use Disclosures
To the extent this system contains
Protected Health Information (PHI) as
defined by HHS regulation ‘‘Standards
for Privacy of Individually Identifiable
Health Information’’ (45 CFR parts 160
and 164, subparts A and E) 65 FR 82462
(12–28–00). Disclosures of such PHI that
are otherwise authorized by these
routine uses may only be made if, and
as, permitted or required by the
‘‘Standards for Privacy of Individually
Identifiable Health Information.’’ (See
45 CFR 164–512 (a) (1)).
In addition, our policy will be to
prohibit release even of data not directly
identifiable, except pursuant to one of
the routine uses or if required by law,
if we determine there is a possibility
that an individual can be identified
through implicit deduction based on
small cell sizes (instances where the
patient population is so small that
individuals could, because of the small
size, use this information to deduce the
identity of the beneficiary).
E:\FR\FM\19MRN1.SGM
19MRN1
12806
Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Notices
POLICIES AND PRACTICES FOR STORING,
RETRIEVING, ACCESSING, RETAINING, AND
DISPOSING OF RECORDS IN THE SYSTEM:
NOTIFICATION PROCEDURE:
All Medicare records are accessible by
HIC number or alpha (name) search.
This system supports both online and
batch access.
For purpose of access, the subject
individual should write to the system
manager who will require the system
name, health insurance claim number,
address, date of birth, and sex, and for
verification purposes, the subject
individual’s name (woman’s maiden
name, if applicable), and social security
number (SSN). Furnishing the SSN is
voluntary, but it may make searching for
a record easier and prevent delay.
SAFEGUARDS:
RECORD ACCESS PROCEDURE:
CMS has safeguards in place for
authorized users and monitors such
users to ensure against unauthorized
use. Personnel having access to the
system have been trained in the Privacy
Act and information security
requirements. Employees who maintain
records in this system are instructed not
to release data until the intended
recipient agrees to implement
appropriate management, operational
and technical safeguards sufficient to
protect the confidentiality, integrity and
availability of the information and
information systems and to prevent
unauthorized access.
This system will conform to all
applicable Federal laws and regulations
and Federal, HHS, and CMS policies
and standards as they relate to
information security and data privacy.
These laws and regulations include but
are not limited to: The Privacy Act of
1974; the Federal Information Security
Management Act of 2002; the Computer
Fraud and Abuse Act of 1986; the
Health Insurance Portability and
Accountability Act of 1996; the EGovernment Act of 2002, the ClingerCohen Act of 1996; the Medicare
Modernization Act of 2003, and the
corresponding implementing
regulations. OMB Circular A–130,
Management of Federal Resources,
Appendix III, Security of Federal
Automated Information Resources also
applies. Federal, HHS, and CMS
policies and standards include but are
not limited to: All pertinent NIST
publications; the HHS Automated
Information Systems Security Handbook
and the CMS Information Security
Handbook.
For purpose of access, use the same
procedures outlined in Notification
Procedures above. Requestors should
also reasonably specify the record
contents being sought. (These
procedures are in accordance with
department regulation 45 CFR 5b.5 (a)
(2)).
STORAGE:
All records are stored on magnetic
media.
RETRIEVABILITY:
RETENTION AND DISPOSAL:
ycherry on PROD1PC64 with NOTICES
• ‘‘Records will be retained until an
approved disposition authority is
obtained from the National Archives
and Records Administration.’’
CONTESTING RECORD PROCEDURES:
The subject individual should contact
the system manager named above, and
reasonably identify the record and
specify the information to be contested.
State the corrective action sought and
the reasons for the correction with
supporting justification. (These
procedures are in accordance with
department regulation 45 CFR 5b.7).
RECORD SOURCE CATEGORIES:
The data contained in these records
are furnished by the individual, or in
the case of some MSP situations,
through third party contacts. There are
cases, however, in which the identifying
information is provided to the physician
by the individual; the physician then
adds the medical information and
submits the bill to the carrier for
payment. Updating information is also
obtained from the Railroad Retirement
Board, and the Master Beneficiary
Record maintained by the Social
Security Administration.
SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS
OF THE ACT:
None.
[FR Doc. E7–4889 Filed 3–16–07; 8:45 am]
BILLING CODE 4120–03–P
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Food and Drug Administration
Pediatric Advisory Committee; Notice
of Meeting
SYSTEM MANAGER AND ADDRESS:
Director, Survey and Certification
Group, Center for Medicaid and State
Operations, CMS, 7500 Security
Boulevard, Baltimore, Maryland 21244–
1850.
AGENCY:
HHS.
VerDate Aug<31>2005
15:50 Mar 16, 2007
Jkt 211001
ACTION:
Food and Drug Administration,
Notice.
This notice announces a forthcoming
meeting of a public advisory committee
PO 00000
Frm 00055
Fmt 4703
Sfmt 4703
of the Food and Drug Administration
(FDA). The meeting will be open to the
public.
Name of Committee: Pediatric
Advisory Committee.
General Function of the Committee:
To provide advice and
recommendations to the agency on
FDA’s regulatory issues. The committee
also advises and makes
recommendations to the Secretary of
Health and Human Services under 21
CFR 50.54 and 45 CFR 46.407 on
research involving children as subjects
that is conducted or supported by the
Department of Health and Human
Services, when that research is also
regulated by FDA.
Date and Time: The meeting will be
held on April 11, 2007, from 4 p.m. to
6 p.m.
Location: Advisory Committee
Conference Room, rm. 1066, 5630
Fishers Lane, Rockville, MD.
Contact Person: Carlos Pena, Office of
Science and Health Coordination, Office
of the Commissioner (HF–33), Food and
Drug Administration, 5600 Fishers
Lane, (for express delivery, rm. 14B–08),
Rockville, MD 20857, 301–827–3340, email: Carlos.Pena@fda.hhs.gov or FDA
Advisory Committee Information Line,
1–800–741–8138 (301–443–0572 in the
Washington, DC area), code
8732310001. Please call the Information
Line for up to date information on this
meeting.
Agenda: The Pediatric Advisory
Committee will hear and discuss reports
by the agency, as mandated in section
17 of the Best Pharmaceuticals for
Children Act, on adverse event reports
for fluvastatin (LESCOL) and octreotide
(SANDOSTATIN). The committee will
also receive updates to adverse event
reports for orlistat (XENICAL) and
oxybutynin (DITROPAN) which were
requested by the Pediatric Advisory
Committee when the reports were first
presented.
FDA intends to make background
material available to the public no later
than 1 business day before the meeting.
If FDA is unable to post the background
material on its Web site prior to the
meeting, the background material will
be made publicly available at the
location of the advisory committee
meeting, and the background material
will be posted on FDA’s Web site after
the meeting. Background material is
available at https://www.fda.gov/ohrms/
dockets/ac/acmenu.htm, click on the
year 2007 and scroll down to the
appropriate advisory committee link.
Procedure: Interested persons may
present data, information, or views,
orally or in writing, on issues pending
before the committee. Written
E:\FR\FM\19MRN1.SGM
19MRN1
]]>Agencies
[Federal Register Volume 72, Number 52 (Monday, March 19, 2007)]
[Notices]
[Pages 12801-12806]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E7-4889]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Centers for Medicare & Medicaid Services
Privacy Act of 1974: Report of Modified System of Records
AGENCY: Department of Health and Human Services (HHS), Centers for
Medicare & Medicaid Services (CMS).
ACTION: Notice of Modified System of Records (SOR).
-----------------------------------------------------------------------
SUMMARY: In accordance with the requirements of the Privacy Act of
1974, we are proposing to modify a SOR titled, ``Long Term Care-Minimum
Data Set'' (MDS), System No. 09-70-1517, most recently modified at 67
FR 6714 (February 13, 2002). We propose to assign a new CMS
identification number to this system to simplify the obsolete and
confusing numbering system originally designed to identify the Bureau,
Office, or Center that maintained information in the Health Care
Financing Administration systems of records. The new identifying number
for this system should read: System No. 09-70-0528.
We propose to modify existing routine use number 1 that permits
disclosure to agency contractors and consultants to include disclosure
to CMS grantees who perform a task for the agency. CMS grantees,
charged with completing projects or activities that require CMS data to
carry out that activity, are classified separate from CMS contractors
and/or consultants. The modified routine use will remain as routine use
number 1. We also propose to modify existing routine use number 3 that
permits disclosure to Peer Review Organizations (PRO). The name of PROs
has been changed to read: ``Quality Improvement Organizations (QIO).''
QIOs will continue work to implement quality improvement programs,
provide consultation to CMS, its contractors, and to state agencies.
The modified routine use will remain as routine use number 3.
We will delete routine use number 6 authorizing disclosure to
support constituent requests made to a congressional representative. If
an authorization for the disclosure has been obtained from the data
subject, then no routine use is needed. The Privacy Act allows for
disclosures with the ``prior written consent'' of the data subject.
We are modifying the language in the remaining routine uses to
provide a proper explanation as to the need for the routine use and to
provide clarity to CMS's intention to disclose individual-specific
information contained in this system. The routine uses will then be
prioritized and reordered according to their usage. We will also take
the opportunity to update any sections of the system that were affected
by the recent reorganization or because of the impact of the Medicare
Prescription Drug, Improvement, and Modernization Act of 2003 (MMA)
(Pub. L. 108-173) provisions and to update language in the
administrative sections to correspond with language used in other CMS
SORs.
The primary purpose of the system is to aid in the administration
of the survey and certification, and payment of Medicare Long Term Care
services, which include skilled nursing facilities (SNFs), nursing
facilities (NFs) SNFs/NFs, and hospital swing beds, and to study the
effectiveness and quality of care given in those facilities.
Information in this system will also be used to: (1) Support
regulatory, reimbursement, and policy functions performed within the
Agency or by a contractor or consultant; (2) assist another Federal or
state agency, agency of a state government, an agency established by
state law, or its fiscal agent; (3) support Quality Improvement
Organizations (QIO); (4) assist other insurers for processing
individual insurance claims; (5) facilitate research on the quality and
effectiveness of care provided, as well as payment related projects;
(6) support litigation involving the Agency; (7) assist national
accrediting organizations; and (8)
[[Page 12802]]
combat fraud, waste, and abuse in certain health benefits programs. We
have provided background information about the modified system in the
SUPPLEMENTARY INFORMATION section below. Although the Privacy Act
requires only that CMS provide an opportunity for interested persons to
comment on the proposed routine uses, CMS invites comments on all
portions of this notice. See ``Effective Dates'' section for comment
period.
DATES: Effective Dates: CMS filed a modified system report with the
Chair of the House Committee on Government Reform and Oversight, the
Chair of the Senate Committee on Homeland Security and Governmental
Affairs, and the Administrator, Office of Information and Regulatory
Affairs, Office of Management and Budget (OMB) on February 22, 2007. To
ensure that all parties have adequate time in which to comment, the
modified SOR, including routine uses, will become effective 40 days
from the publication of the notice, or from the date it was submitted
to OMB and the Congress, whichever is later, unless CMS receives
comments that require alterations to this notice.
ADDRESSES: The public should address comments to: CMS Privacy Officer,
Division of Privacy Compliance, Enterprise Architecture and Strategy
Group, Office of Information Services, CMS, Room N2-04-27, 7500
Security Boulevard, Baltimore, Maryland 21244-1850. Comments received
will be available for review at this location, by appointment, during
regular business hours, Monday through Friday from 9 a.m.-3 p.m.,
Eastern Time zone.
FOR FURTHER INFORMATION CONTACT: Tina Miller, Health Insurance
Specialist, Division of Nursing Homes, Survey and Certification Group,
Center for Medicaid and State Operations, CMS, Mail stop S2-12-25, 7500
Security Boulevard, Baltimore, Maryland 21244-1850. The telephone
number is (410) 786-6735 or e-mail Tina.Miller@cms.hhs.gov.
SUPPLEMENTARY INFORMATION:
I. Description of the Modified System
A. Statutory and Regulatory Basis for System
Authority for maintenance of the system is given under Sec. Sec.
1102(a), 1819(b) (3)(A), 1819(f), 1919(b)(3)(A), 1919(f), and 1864 of
the Social Security Act.
B. Collection and Maintenance of Data in the System
The system contains information on residents in all long-term care
facilities that are Medicare and/or Medicaid certified, including
private pay individuals including but not limited to Medicare
enrollment and entitlement, and Medicare Secondary Payer (MSP) data
containing other party liability insurance information necessary for
appropriate Medicare claim payment. The system also contains the
individual's health insurance numbers, name, geographic location, race/
ethnicity, sex, and date of birth, hospice election, premium billing
and collection, direct billing information, and group health plan
enrollment data.
II. Agency Policies, Procedures, and Restrictions on the Routine Use
A. The Privacy Act permits us to disclose information without an
individual's consent if the information is to be used for a purpose
that is compatible with the purpose(s) for which the information was
collected. Any such disclosure of data is known as a ``routine use.''
The government will only release MDS information that can be associated
with an individual as provided for under ``Section III. Proposed
Routine Use Disclosures of Data in the System.'' Both identifiable and
non-identifiable data may be disclosed under a routine use. We will
only disclose the minimum personal data necessary to achieve the
purpose of MDS.
CMS has the following policies and procedures concerning
disclosures of information that will be maintained in the system.
Disclosure of information from the system will be approved only to the
extent necessary to accomplish the purpose of the disclosure and only
after CMS:
1. Determines that the use or disclosure is consistent with the
reason that the data is being collected, e.g., to aid in the
administration of the survey and certification, and payment of Medicare
Long Term Care services, which include skilled nursing facilities
(SNFs), nursing facilities (NFs) SNFs/NFs, and hospital swing beds, and
to study the effectiveness and quality of care given in those
facilities.
2. Determines that:
a. The purpose for which the disclosure is to be made can only be
accomplished if the record is provided in individually identifiable
form;
b. The purpose for which the disclosure is to be made is of
sufficient importance to warrant the effect and/or risk on the privacy
of the individual that additional exposure of the record might bring;
and
c. There is a strong probability that the proposed use of the data
would in fact accomplish the stated purpose(s).
3. Requires the information recipient to:
a. Establish administrative, technical, and physical safeguards to
prevent unauthorized use of disclosure of the record;
b. Remove or destroy at the earliest time all patient-identifiable
information; and
c. Agree to not use or disclose the information for any purpose
other than the stated purpose under which the information was
disclosed.
4. Determines that the data are valid and reliable.
III. Modified Routine Use Disclosures of Data in the System
A. Entities Who May Receive Disclosures Under Routine Use
These routine uses specify circumstances, in addition to those
provided by statute in the Privacy Act of 1974, under which CMS may
release information from the MDS without the consent of the individual
to whom such information pertains. Each proposed disclosure of
information under these routine uses will be evaluated to ensure that
the disclosure is legally permissible, including but not limited to
ensuring that the purpose of the disclosure is compatible with the
purpose for which the information was collected. We have provided a
brief explanation of the routine uses we are proposing to establish or
modify for disclosures of information maintained in the system:
1. To support Agency contractors, consultants, or grantees who have
been contracted by the Agency to assist in accomplishment of a CMS
function relating to the purposes for this system and who need to have
access to the records in order to assist CMS.
We contemplate disclosing information under this routine use only
in situations in which CMS may enter into a contractual or similar
agreement with a third party to assist in accomplishing CMS functions
relating to purposes for this system.
CMS occasionally contracts out certain of its functions when this
would contribute to effective and efficient operations. CMS must be
able to give contractors, consultants, or grantees whatever information
is necessary for contractors, consultants, or grantees to fulfill their
duties. In these situations, safeguards are provided in the contract
prohibiting contractors, consultants, or grantees from using or
disclosing the information for any purpose other than that described in
the contract and to return or destroy all information at the completion
of the contract.
2. To assist another Federal or state agency, agency of a state
government, an
[[Page 12803]]
agency established by state law, or its fiscal agent to:
a. Contribute to the accuracy of CMS's proper payment of Medicare
benefits.
b. Enable such agency to administer a Federal health benefits
program, or as necessary to enable such agency to fulfill a requirement
of a Federal statute or regulation that implements a health benefits
program funded in whole or in part with Federal funds, and/or
c. Assist Federal/state Medicaid programs within the state.
Other Federal or state agencies in their administration of a
Federal health program may require MDS information in order to support
evaluations and monitoring of Medicare claims information of
beneficiaries, including proper reimbursement for services provided.
In addition, other state agencies in their administration of a
Federal health program may require MDS information for the purposes of
determining, evaluating and/or assessing cost, effectiveness, and/or
the quality of health care services provided in the state.
The Social Security Administration may require MDS data to enable
them to assist in the implementation and maintenance of the Medicare
program.
Disclosure under this routine use shall be used by state Medicaid
agencies pursuant to agreements with the HHS for determining Medicaid
and Medicare eligibility, for quality control studies, for determining
eligibility of recipients of assistance under Titles IV, XVIII, and XIX
of the Act, and for the administration of the Medicaid program. Data
will be released to the state only on those individuals who are
patients under the services of a Medicaid program within the state or
who are residents of that state.
We also contemplate disclosing information under this routine use
in situations in which state auditing agencies require MDS information
for auditing state Medicaid eligibility considerations. CMS may enter
into an agreement with state auditing agencies to assist in
accomplishing functions relating to purposes for this system.
3. To assist Quality Improvement Organizations (QIO) in connection
with review of claims, or in connection with studies or other review
activities, conducted pursuant to Part B of Title XI of the Act and in
performing affirmative outreach activities to individuals for the
purpose of establishing and maintaining their entitlement to Medicare
benefits or health insurance plans.
QIOs will work to implement quality improvement programs, provide
consultation to CMS, its contractors, and to state agencies. QIOs will
assist state agencies and CMS intermediaries in program integrity
assessments and preparation of summary information for release to CMS.
4. To assist insurance companies, underwriters, third party
administrators (TPA), employers, self-insurers, group health plans,
health maintenance organizations (HMO), health and welfare benefit
funds, managed care organizations, other supplemental insurers, non-
coordinating insurers, multiple employer trusts, liability insurers,
no-fault medical automobile insurers, workers compensation carriers or
plans, other groups providing protection against medical expenses
without the beneficiary's authorization, and any entity having
knowledge of the occurrence of any event affecting (a) an individual's
right to any such benefit or payment, or (b) the initial right to any
such benefit or payment, for the purpose of coordination of benefits
with the Medicare program and implementation of the MSP provision at 42
U.S.C. 1395y (b). Information to be disclosed shall be limited to
Medicare utilization data necessary to perform that specific function.
In order to receive the information, they must agree to:
a. Certify that the individual about whom the information is being
provided is one of its insured or employees, or is insured and/or
employed by another entity for whom they serve as a TPA;
b. Utilize the information solely for the purpose of processing the
individual's insurance claims; and
c. Safeguard the confidentiality of the data and prevent
unauthorized access.
Other insurers may require MDS information in order to support
evaluations and monitoring of Medicare claims information of
beneficiaries, including proper reimbursement for services provided.
5. To support an individual or organization for research,
evaluation, or epidemiological projects related to the prevention of
disease or disability, the restoration or maintenance of health, or
payment related projects.
MDS data will provide research, evaluations and epidemiological
projects, a broader, longitudinal, national perspective of the status
of Medicare beneficiaries. CMS anticipates that many researchers will
have legitimate requests to use these data in projects that could
ultimately improve the care provided to Medicare beneficiaries and the
policy that governs the care.
6. To support the Department of Justice (DOJ), court or
adjudicatory body when:
a. The Agency or any component thereof, or
b. Any employee of the Agency in his or her official capacity, or
c. Any employee of the Agency in his or her individual capacity
where the DOJ has agreed to represent the employee, or
d. The United States Government is a party to litigation or has an
interest in such litigation, and by careful review, CMS determines that
the records are both relevant and necessary to the litigation and that
the use of such records by the DOJ, court or adjudicatory body is
compatible with the purpose for which the agency collected the records.
Whenever CMS is involved in litigation, or occasionally when
another party is involved in litigation and CMS's policies or
operations could be affected by the outcome of the litigation, CMS
would be able to disclose information to the DOJ, court or adjudicatory
body involved.
7. To support a national accrediting organization whose accredited
facilities are presumed to meet certain Medicare requirements for
inpatient hospital (including swing beds) services; e.g., the Joint
Commission for the Accrediting of Healthcare Organizations (JCAHO).
Information will be released to accrediting organizations only for
those facilities that they accredit and that participate in the
Medicare program.
CMS anticipates providing those national accrediting organizations
with MDS information to enable them to target potential or identified
problems during the organization's accreditation review process of that
facility.
8. To assist a CMS contractor (including, but not limited to fiscal
intermediaries and carriers) that assists in the administration of a
CMS-administered health benefits program, or to a grantee of a CMS-
administered grant program, when disclosure is deemed reasonably
necessary by CMS to prevent, deter, discover, detect, investigate,
examine, prosecute, sue with respect to, defend against, correct,
remedy, or otherwise combat fraud, waste or abuse in such program.
We contemplate disclosing information under this routine use only
in situations in which CMS may enter into a contract or grant with a
third party to assist in accomplishing CMS functions relating to the
purpose of combating fraud, waste, and abuse.
CMS occasionally contracts out certain of its functions when doing
so would contribute to effective and efficient operations. CMS must be
able to give a contractor or grantee whatever information is necessary
for the
[[Page 12804]]
contractor or grantee to fulfill the contractor or grantee duties. In
these situations, safeguards are provided in the contract prohibiting
the contractor or grantee from using or disclosing the information for
any purpose other than that described in the contract and requiring the
contractor or grantee to return or destroy all information.
9. To assist another Federal agency or to an instrumentality of any
governmental jurisdiction within or under the control of the United
States (including any state or local governmental agency), that
administers, or that has the authority to investigate potential fraud,
waste, or abuse in a health benefits program funded in whole or in part
by Federal funds, when disclosure is deemed reasonably necessary by CMS
to prevent, deter, discover, detect, investigate, examine, prosecute,
sue with respect to, defend against, correct, remedy, or otherwise
combat fraud, waste, or abuse in such programs.
Other agencies may require MDS information for the purpose of
combating fraud, waste, and abuse in such Federally-funded programs.
B. Additional Circumstances Affecting Routine Use Disclosures
To the extent this system contains Protected Health Information
(PHI) as defined by HHS regulation ``Standards for Privacy of
Individually Identifiable Health Information'' (45 CFR parts 160 and
164, subparts A and E) 65 FR 82462 (12-28-00). Disclosures of such PHI
that are otherwise authorized by these routine uses may only be made
if, and as, permitted or required by the ``Standards for Privacy of
Individually Identifiable Health Information.'' (See 45 CFR 164-
512(a)(1)).
In addition, our policy will be to prohibit release even of data
not directly identifiable, except pursuant to one of the routine uses
or if required by law, if we determine there is a possibility that an
individual can be identified through implicit deduction based on small
cell sizes (instances where the patient population is so small that
individuals could, because of the small size, use this information to
deduce the identity of the beneficiary).
IV. Safeguards
CMS has safeguards in place for authorized users and monitors such
users to ensure against unauthorized use. Personnel having access to
the system have been trained in the Privacy Act and information
security requirements. Employees who maintain records in this system
are instructed not to release data until the intended recipient agrees
to implement appropriate management, operational and technical
safeguards sufficient to protect the confidentiality, integrity and
availability of the information and information systems and to prevent
unauthorized access.
This system will conform to all applicable Federal laws and
regulations and Federal, HHS, and CMS policies and standards as they
relate to information security and data privacy. These laws and
regulations include but are not limited to: The Privacy Act of 1974;
the Federal Information Security Management Act of 2002; the Computer
Fraud and Abuse Act of 1986; the Health Insurance Portability and
Accountability Act of 1996; the E-Government Act of 2002, the Clinger-
Cohen Act of 1996; the Medicare Modernization Act of 2003, and the
corresponding implementing regulations. OMB Circular A-130, Management
of Federal Resources, Appendix III, Security of Federal Automated
Information Resources also applies. Federal, HHS, and CMS policies and
standards include but are not limited to: All pertinent NIST
publications; the HHS Automated Information Systems Security Handbook
and the CMS Information Security Handbook.
V. Effect of the Modified System on Individual Rights
CMS proposes to establish this system in accordance with the
principles and requirements of the Privacy Act and will collect, use,
and disseminate information only as prescribed therein. CMS will only
disclose the minimum personal data necessary to achieve the purposes of
MDS. Disclosure of information from the system will be approved only to
the extent necessary to accomplish the purpose of the disclosure. CMS
has assigned a high level of security clearance for the information
maintained in this system in an effort to provide added security and
protection of data.
CMS will take precautionary measures to minimize the risks of
unauthorized access to the records and the potential harm to individual
privacy or other personal or property rights. CMS will collect only
that information necessary to perform the system's functions. In
addition, CMS will make disclosure from the proposed system only with
consent of the subject individual, or his/her legal representative, or
in accordance with an applicable exception provision of the Privacy
Act. CMS, therefore, does not anticipate an unfavorable effect on
individual privacy as a result of the disclosure of information
relating to individuals.
Dated: February 22, 2007.
Charlene Frizzera,
Acting Chief Operating Officer, Centers for Medicare & Medicaid
Services.
System No. 09-70-0528
System Name:
``Long Term Care-Minimum Data Set (MDS),'' Department of Health and
Human Services (HHS)/Centers for Medicare & Medicaid Services (CMS)/
Center for Medicaid and State Operations (CMSO).
Security Classification:
Level Three Privacy Act Sensitive.
System Location:
CMS Data Center, 7500 Security Boulevard, North Building, First
Floor, Baltimore, Maryland 21244-1850, and at various other remote
locations.
Categories of Individuals Covered by the System:
The system contains information on residents in all long-term care
facilities that are Medicare and/or Medicaid certified, including
private pay individuals including but not limited to Medicare
enrollment and entitlement, and Medicare Secondary Payer (MSP) data
containing other party liability insurance information necessary for
appropriate Medicare claim payment.
Categories of Records in the System:
The system also contains the individual's health insurance numbers,
name, geographic location, race/ethnicity, sex, and date of birth,
hospice election, premium billing and collection, direct billing
information, and group health plan enrollment data.
Authority for Maintenance of the System:
Authority for maintenance of the system is given under of
Sec. Sec. 1102(a), 1819(b)(3)(A), 1819(f), 919(b)(3)(A), 1919(f), and
1864 of the Social Security Act.
Purpose(s) of the System:
The primary purpose of the system is to aid in the administration
of the survey and certification, and payment of Medicare Long Term Care
services, which include skilled nursing facilities (SNFs), nursing
facilities (NFs) SNFs/NFs, and hospital swing beds, and to study the
effectiveness and quality of care given in those facilities.
Information in this system will also be used to: (1) Support
regulatory, reimbursement, and policy functions performed within the
Agency or by a contractor or consultant; (2) assist
[[Page 12805]]
another Federal or state agency, agency of a state government, an
agency established by state law, or its fiscal agent; (3) support
Quality Improvement Organizations (QIO); (4) assist other insurers for
processing individual insurance claims; (5) facilitate research on the
quality and effectiveness of care provided, as well as payment related
projects; (6) support litigation involving the Agency; (7) assist
national accrediting organizations; and (8) combat fraud, waste, and
abuse in certain health benefits programs.
Routine Uses of Records Maintained in the System, Including Categories
or Users and the Purposes of Such Uses:
A. Entities Who May Receive Disclosures under Routine Use
These routine uses specify circumstances, in addition to those
provided by statute in the Privacy Act of 1974, under which CMS may
release information from the MDS without the consent of the individual
to whom such information pertains. Each proposed disclosure of
information under these routine uses will be evaluated to ensure that
the disclosure is legally permissible, including but not limited to
ensuring that the purpose of the disclosure is compatible with the
purpose for which the information was collected. We have provided a
brief explanation of the routine uses we are proposing to establish or
modify for disclosures of information maintained in the system:
1. To support Agency contractors, consultants, or grantees who have
been contracted by the Agency to assist in accomplishment of a CMS
function relating to the purposes for this system and who need to have
access to the records in order to assist CMS.
2. To assist another Federal or state agency, agency of a state
government, an agency established by state law, or its fiscal agent to:
a. Contribute to the accuracy of CMS's proper payment of Medicare
benefits.
b. Enable such agency to administer a Federal health benefits
program, or as necessary to enable such agency to fulfill a requirement
of a Federal statute or regulation that implements a health benefits
program funded in whole or in part with Federal funds, and/or
c. Assist Federal/state Medicaid programs within the state.
3. To support Quality Improvement Organizations (QIO) in connection
with review of claims, or in connection with studies or other review
activities, conducted pursuant to Part B of Title XI of the Act and in
performing affirmative outreach activities to individuals for the
purpose of establishing and maintaining their entitlement to Medicare
benefits or health insurance plans.
4. To assist insurance companies, underwriters, third party
administrators (TPA), employers, self-insurers, group health plans,
health maintenance organizations (HMO), health and welfare benefit
funds, managed care organizations, other supplemental insurers, non-
coordinating insurers, multiple employer trusts, liability insurers,
no-fault medical automobile insurers, workers compensation carriers or
plans, other groups providing protection against medical expenses
without the beneficiary's authorization, and any entity having
knowledge of the occurrence of any event affecting (a) an individual's
right to any such benefit or payment, or (b) the initial right to any
such benefit or payment, for the purpose of coordination of benefits
with the Medicare program and implementation of the MSP provision at 42
U.S.C. 1395y (b). Information to be disclosed shall be limited to
Medicare utilization data necessary to perform that specific function.
In order to receive the information, they must agree to:
a. Certify that the individual about whom the information is being
provided is one of its insured or employees, or is insured and/or
employed by another entity for whom they serve as a TPA;
b. Utilize the information solely for the purpose of processing the
individual's insurance claims; and
c. Safeguard the confidentiality of the data and prevent
unauthorized access.
5. To support an individual or organization for research,
evaluation, or epidemiological projects related to the prevention of
disease or disability, the restoration or maintenance of health, or
payment related projects.
6. To assist the Department of Justice (DOJ), court or adjudicatory
body when:
a. The Agency or any component thereof, or
b. Any employee of the Agency in his or her official capacity, or
c. Any employee of the Agency in his or her individual capacity
where the DOJ has agreed to represent the employee, or
d. The United States Government is a party to litigation or has an
interest in such litigation, and by careful review, CMS determines that
the records are both relevant and necessary to the litigation and that
the use of such records by the DOJ, court or adjudicatory body is
compatible with the purpose for which the agency collected the records.
7. To support a national accrediting organization whose accredited
facilities are presumed to meet certain Medicare requirements for
inpatient hospital (including swing beds) services; e.g., the Joint
Commission for the Accrediting of Healthcare Organizations (JCAHO).
Information will be released to accrediting organizations only for
those facilities that they accredit and that participate in the
Medicare program.
8. To assist CMS contractor (including, but not limited to fiscal
intermediaries and carriers) that assists in the administration of a
CMS-administered health benefits program, or to a grantee of a CMS-
administered grant program, when disclosure is deemed reasonably
necessary by CMS to prevent, deter, discover, detect, investigate,
examine, prosecute, sue with respect to, defend against, correct,
remedy, or otherwise combat fraud, waste, or abuse in such program.
9. To support another Federal agency or to an instrumentality of
any governmental jurisdiction within or under the control of the United
States (including any state or local governmental agency), that
administers, or that has the authority to investigate potential fraud,
waste, or abuse in a health benefits program funded in whole or in part
by Federal funds, when disclosure is deemed reasonably necessary by CMS
to prevent, deter, discover, detect, investigate, examine, prosecute,
sue with respect to, defend against, correct, remedy, or otherwise
combat fraud, waste, or abuse in such programs.
B. Additional Circumstances Affecting Routine Use Disclosures
To the extent this system contains Protected Health Information
(PHI) as defined by HHS regulation ``Standards for Privacy of
Individually Identifiable Health Information'' (45 CFR parts 160 and
164, subparts A and E) 65 FR 82462 (12-28-00). Disclosures of such PHI
that are otherwise authorized by these routine uses may only be made
if, and as, permitted or required by the ``Standards for Privacy of
Individually Identifiable Health Information.'' (See 45 CFR 164-512 (a)
(1)).
In addition, our policy will be to prohibit release even of data
not directly identifiable, except pursuant to one of the routine uses
or if required by law, if we determine there is a possibility that an
individual can be identified through implicit deduction based on small
cell sizes (instances where the patient population is so small that
individuals could, because of the small size, use this information to
deduce the identity of the beneficiary).
[[Page 12806]]
Policies and Practices for Storing, Retrieving, Accessing, Retaining,
and Disposing of Records in the System:
Storage:
All records are stored on magnetic media.
Retrievability:
All Medicare records are accessible by HIC number or alpha (name)
search. This system supports both online and batch access.
Safeguards:
CMS has safeguards in place for authorized users and monitors such
users to ensure against unauthorized use. Personnel having access to
the system have been trained in the Privacy Act and information
security requirements. Employees who maintain records in this system
are instructed not to release data until the intended recipient agrees
to implement appropriate management, operational and technical
safeguards sufficient to protect the confidentiality, integrity and
availability of the information and information systems and to prevent
unauthorized access.
This system will conform to all applicable Federal laws and
regulations and Federal, HHS, and CMS policies and standards as they
relate to information security and data privacy. These laws and
regulations include but are not limited to: The Privacy Act of 1974;
the Federal Information Security Management Act of 2002; the Computer
Fraud and Abuse Act of 1986; the Health Insurance Portability and
Accountability Act of 1996; the E-Government Act of 2002, the Clinger-
Cohen Act of 1996; the Medicare Modernization Act of 2003, and the
corresponding implementing regulations. OMB Circular A-130, Management
of Federal Resources, Appendix III, Security of Federal Automated
Information Resources also applies. Federal, HHS, and CMS policies and
standards include but are not limited to: All pertinent NIST
publications; the HHS Automated Information Systems Security Handbook
and the CMS Information Security Handbook.
Retention and Disposal:
``Records will be retained until an approved disposition
authority is obtained from the National Archives and Records
Administration.''
System Manager and Address:
Director, Survey and Certification Group, Center for Medicaid and
State Operations, CMS, 7500 Security Boulevard, Baltimore, Maryland
21244-1850.
Notification Procedure:
For purpose of access, the subject individual should write to the
system manager who will require the system name, health insurance claim
number, address, date of birth, and sex, and for verification purposes,
the subject individual's name (woman's maiden name, if applicable), and
social security number (SSN). Furnishing the SSN is voluntary, but it
may make searching for a record easier and prevent delay.
Record Access Procedure:
For purpose of access, use the same procedures outlined in
Notification Procedures above. Requestors should also reasonably
specify the record contents being sought. (These procedures are in
accordance with department regulation 45 CFR 5b.5 (a) (2)).
Contesting Record Procedures:
The subject individual should contact the system manager named
above, and reasonably identify the record and specify the information
to be contested. State the corrective action sought and the reasons for
the correction with supporting justification. (These procedures are in
accordance with department regulation 45 CFR 5b.7).
Record Source Categories:
The data contained in these records are furnished by the
individual, or in the case of some MSP situations, through third party
contacts. There are cases, however, in which the identifying
information is provided to the physician by the individual; the
physician then adds the medical information and submits the bill to the
carrier for payment. Updating information is also obtained from the
Railroad Retirement Board, and the Master Beneficiary Record maintained
by the Social Security Administration.
Systems Exempted from Certain Provisions of the Act:
None.
[FR Doc. E7-4889 Filed 3-16-07; 8:45 am]
BILLING CODE 4120-03-P
