Privacy Act of 1974; Report of a Modified or Altered System, 69691-69696 [E7-23877]
Federal Register / Vol. 72, No. 236 / Monday, December 10, 2007 / Notices
minimization of potential impacts on
wetlands, and compensation for any
remaining unavoidable impacts. A
wetland assessment will be completed
in accordance with the requirements of
10 CFR Part 1022 once the proposed site
layout is known.
This EA is being prepared pursuant to
the National Environmental Policy Act
of 1969 (NEPA), and regulations
implementing NEPA issued by the
Council on Environmental Quality (40
CFR Parts 1500–1508), GSA (ADM
1095.1F), and to the extent not
inconsistent with ADM 1095.1F, DOE
(10 CFR Part 1021). GSA and NNSA will
consider comments received (see DATES
and ADDRESSES, above) in finalizing the
EA. Based on the final EA, GSA and
NNSA will determine whether to
prepare an environmental impact
statement or issue a finding of no
significant impact if appropriate for the
proposed action.
Carlos Salazar,
Regional NEPA Coordinator, GSA Public
Buildings Service, Heartland Region.
[FR Doc. E7–23843 Filed 12–7–07; 8:45 a.m.]
BILLING CODE 6820–CG–P
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Centers for Disease Control and
Prevention
[30Day-08–07AJ]
Agency Forms Undergoing Paperwork
Reduction Act Review
The Centers for Disease Control and
Prevention (CDC) publishes a list of
information collection requests under
review by the Office of Management and
Budget (OMB) in compliance with the
Paperwork Reduction Act (44 U.S.C.
Chapter 35). To request a copy of these
requests, call the CDC Reports Clearance
Officer at (404) 639–5960 or send an email to omb@cdc.gov. Send written
comments to CDC Desk Officer, Office of
Management and Budget, Washington,
DC or by fax to (202) 395–6974. Written
comments should be received within 30
days of this notice.
Proposed Project
Racial and Ethnic Approaches to
Community Health Across the U.S.
(REACH U.S.) Management Information
System—New—National Center for
Chronic Disease Prevention and Health
Promotion (NCCDPHP), Centers for
Disease Control and Prevention (CDC).
Background and Brief Description
Racial and Ethnic Approaches to
Community Health Across the U.S.
(REACH U.S.) is a national, multi-level
program that serves as the cornerstone
of CDC’s efforts to eliminate racial and
ethnic disparities in health. Through
REACH U.S., CDC currently supports
forty local coalitions to establish
community-based programs and
culturally-appropriate interventions to
eliminate racial and ethnic health
disparities. REACH U.S. serves
communities with African American,
American Indian, Hispanic American,
Asian American, and Pacific Islander
citizens.
The communities served by REACH
U.S. are assessing the prevalence of self-reported risk behaviors in the following
key health priority areas: Cardiovascular
disease; diabetes mellitus; breast and
cervical cancer; adult/older adult
immunizations, hepatitis B, and/or
tuberculosis; asthma; and infant
mortality. Guided by logic models, each
community is required to articulate
goals, objectives, and related activities;
track whether goals and objectives are
met, ongoing, or revised; and evaluate
all program activities.
CDC requests OMB clearance for a
new, customized, Internet-based
management information system, the
REACH U.S. MIS, designed to replace
the current REACH Information
Network (REACH IN, OMB #0920–
0603). The new REACH U.S. MIS will
allow REACH grantees to perform
remote data entry and retrieval of data,
create on-demand graphs and reports of
grantees’ activities and
accomplishments, monitor progress
toward the achievement of goals and
objectives, and share and synthesize
information across grantees’ activities.
Both quantitative and qualitative
analyses can be performed. The REACH
U.S. MIS will collect new data elements
needed to measure progress toward, or
achievement of, newly developed
performance indicators, and will allow
CDC to monitor, and report on, grantee
activities more efficiently. In addition,
data reported to CDC through the
REACH U.S. MIS will be used by CDC
to identify training and technical
assistance needs and to obtain
information needed to respond to
Congressional and other inquiries
regarding program activities and
effectiveness. Information will be
reported to CDC on a semi-annual
schedule.
There are no costs to respondents
except their time. The total estimated
annualized burden hours are 120.
ESTIMATED ANNUALIZED BURDEN HOURS
Type of respondents | Number of respondents | Number of responses per respondent | Average burden per response (in hours)
REACH U.S. Grantees | 40 | 2 | 90/60
Dated: December 3, 2007.
Maryam I. Daneshvar,
Acting Reports Clearance Officer, Centers for
Disease Control and Prevention.
[FR Doc. E7–23855 Filed 12–7–07; 8:45 am]
BILLING CODE 4163–18–P
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Centers for Medicare & Medicaid
Services
Privacy Act of 1974; Report of a
Modified or Altered System
AGENCY: Department of Health and
Human Services (HHS), Centers for
Medicare & Medicaid Services (CMS).
ACTION: Notice of a Modified or Altered
System of Records (SOR).
SUMMARY: In accordance with the
requirements of the Privacy Act of 1974,
we are proposing to modify or alter an
existing SOR, ‘‘Intern and Resident
Information System (IRIS), System No.
09–70–0524, last published at 67
Federal Register 48189 (July 23, 2002).
We propose to modify existing routine
use number 1 that permits disclosure to
agency contractors and consultants to
include disclosure to CMS grantees who
perform a task for the agency. CMS
grantees, charged with completing
projects or activities that require CMS
data to carry out that activity, are
classified separate from CMS
contractors and/or consultants. The
modified routine use will remain as
routine use number 1. We will delete
routine use number 5 authorizing
disclosure to support constituent
requests made to a congressional
representative. If an authorization for
the disclosure has been obtained from
the data subject, then no routine use is
needed. The Privacy Act allows for
disclosures with the ‘‘prior written
consent’’ of the data subject. We will
broaden the scope of published routine
uses number 7 and 8, authorizing
disclosures to combat fraud and abuse
in the Medicare and Medicaid programs
to include combating ‘‘waste’’ which
refers increasingly more to specific
beneficiary or recipient practices that
result in unnecessary cost to Federally-funded health benefit programs.
We will delete the section titled
‘‘Additional Circumstances Affecting
Routine Use Disclosures,’’ that
addresses ‘‘Protected Health Information
(PHI)’’ and ‘‘small cell size.’’ The
requirement for compliance with HHS
regulation ‘‘Standards for Privacy of
Individually Identifiable Health
Information’’ does not apply because
this system does not collect or maintain
PHI. In addition, our policy to prohibit
release if there is a possibility that an
individual can be identified through
‘‘small cell size’’ is not applicable to the
data maintained in this system.
We are modifying the language in the
remaining routine uses to provide a
proper explanation as to the need for the
routine use and to provide clarity to
CMS’ intention to disclose individual-specific information contained in this
system. The routine uses will then be
prioritized and reordered according to
their usage. We will also take the
opportunity to update any sections of
the system that were affected by the
recent reorganization or by Medicare
Prescription Drug, Improvement, and
Modernization Act of 2003 (Pub. L. 108–
173) provisions and to update language
in the administrative sections to
correspond with language used in other
CMS SORs.
The primary purpose of the SOR is to
ensure that no interns and residents
(IRs) are counted by the Medicare
program as more than one full-time
equivalent (FTE) employee in the
calculation of payments for the costs of
direct graduate medical education
(GME) and indirect medical education
(IME). Information retrieved from this
SOR will also be disclosed to: (1)
Support regulatory, reimbursement, and
policy functions performed within the
Agency or by a contractor or consultant,
(2) assist another Federal and/or state
agency, agency of a state government, an
agency established by state law, or its
fiscal agent, (3) support providers and
suppliers of services, (4) assist third-party contacts where necessary to
establish or verify information, (5)
support litigation involving the Agency,
and (6) combat fraud, waste, and abuse
in certain health benefits programs. We
have provided background information
about the modified system in the
‘‘Supplementary Information’’ section
below. Although the Privacy Act
requires only that CMS provide an
opportunity for interested persons to
comment on the routine uses, CMS
invites comments on all portions of this
notice. See ‘‘Effective Dates’’ section for
comment period.
DATES: Effective Dates: CMS filed a
modified or altered system report with
the Chair of the House Committee on
Government Reform and Oversight, the
Chair of the Senate Committee on
Homeland Security and Governmental
Affairs, and the Administrator, Office of
Information and Regulatory Affairs,
Office of Management and Budget
(OMB) on December 4, 2007. To ensure
that all parties have adequate time in
which to comment, the modified
system, including routine uses, will
become effective 30 days from the
publication of the notice, or 40 days
from the date it was submitted to OMB
and Congress, whichever is later, unless
CMS receives comments that require
alterations to this notice.
ADDRESSES: The public should address
comments to: CMS Privacy Officer,
Division of Privacy Compliance,
Enterprise Architecture and Strategy
Group, Office of Information Services,
CMS, Room N2–04–27, 7500 Security
Boulevard, Baltimore, Maryland 21244–
1850. Comments received will be
available for review at this location, by
appointment, during regular business
hours, Monday through Friday from 9
a.m.–3 p.m., Eastern Time Zone.
FOR FURTHER INFORMATION CONTACT:
Milton Jacobson, Division of Provider
Audit Operations, Financial Services
Group, Office of Financial Management,
CMS, Room C3–14–00, 7500 Security
Boulevard, Baltimore, Maryland 21244–
1850. Mr. Jacobson can be reached by
telephone at 410–786–7553 or via e-mail
at Milton.Jacobson@cms.hhs.gov.
SUPPLEMENTARY INFORMATION:
I. Description of the Modified or
Altered System of Records
A. Statutory and Regulatory Basis for
System
Authority for maintenance of the
system is given under the provisions of
§§ 1886(d)(5)(B) and 1886(h) of the
Social Security Act (Title 42 United
States Code (U.S.C.) 1395ww(d)(5)(B)
and 1395ww(h)).
B. Collection and Maintenance of Data
in the System
The system collects and maintains
information on interns and residents in
programs approved under 42 CFR
413.75, working in all areas of the
hospital complex, or other freestanding
providers, as well as non-hospital or
non-provider settings on or after July 1,
1985. The system includes the following
information for each IR: name, social
security number; name of medical,
osteopathic, dental, or podiatric school
graduated from and date of graduation,
type of residency program for the
medical specialty, number of years
completed in all types of residency
programs, foreign medical school
graduation date and certification date,
name of employer (e.g., hospital,
university, corporation) paying the
salary, the percentage of time spent
working in either the inpatient areas of
the hospital subject to the Prospective
Payment System or in the outpatient
areas of the hospital or in a non-hospital
setting under agreement with the
hospital for IME, the percentage of time
spent working in any area of the
hospital complex or in a non-provider
setting under agreement with the
hospital for GME, the start and end
dates assigned to the hospital and any
hospital-based providers (assignment
periods) during the hospital’s cost
reporting period, the start and end dates
assigned to any non-hospital or non-provider setting in connection with
approved residency programs
(assignment periods) during the
hospital’s cost reporting period, and the
full-time or part-time percentage during
each assignment period.
II. Agency Policies, Procedures, and
Restrictions on the Routine Use
A. The Privacy Act permits us to
disclose information without an
individual’s consent if the information
is to be used for a purpose that is
compatible with the purpose(s) for
which the information was collected.
Any such disclosure of data is known as
a ‘‘routine use.’’ The government will
only release IRIS information that can
be associated with an individual as
provided for under ‘‘Section III.
Proposed Routine Use Disclosures of
Data in the System.’’ Both identifiable
and non-identifiable data may be
disclosed under a routine use.
We will only collect the minimum
personal data necessary to achieve the
purpose of IRIS. CMS has the following
policies and procedures concerning
disclosures of information that will be
maintained in the system. Disclosure of
information from this system will be
approved only to the extent necessary to
accomplish the purpose of the
disclosure and only after CMS:
1. Determines that the use or
disclosure is consistent with the reason
that the data is being collected, e.g., to
ensure that no interns and residents (IR)
are counted by the Medicare program as
more than one full-time equivalent
(FTE) employee in the calculation of
payments for the costs of GME and IME.
2. Determines:
a. That the purpose for which the
disclosure is to be made can only be
accomplished if the record is provided
in individually identifiable form;
b. That the purpose for which the
disclosure is to be made is of sufficient
importance to warrant the potential
effect and/or risk on the privacy of the
individual that additional exposure of
the record might bring; and
c. That there is a strong probability
that the proposed use of the data would
in fact accomplish the stated purpose(s).
3. Requires the information recipient
to:
a. Establish administrative, technical,
and physical safeguards to prevent
unauthorized use or disclosure of the
record; and
b. Remove or destroy at the earliest
time all patient-identifiable information.
4. Determines that the data are valid
and reliable.
III. Proposed Routine Use Disclosures
of Data in the System
A. Entities Who May Receive
Disclosures Under Routine Use
These routine uses specify
circumstances, in addition to those
provided by statute in the Privacy Act
of 1974, under which CMS may release
information from the IRIS without the
consent of the individual to whom such
information pertains. Each proposed
disclosure of information under these
routine uses will be evaluated to ensure
that the disclosure is legally
permissible, including but not limited to
ensuring that the purpose of the
disclosure is compatible with the
purpose for which the information was
collected. We are proposing to establish
or modify the following routine use
disclosures of information maintained
in the system:
1. To support agency contractors,
consultants, or grantees, who have been
engaged by the agency to assist in the
performance of a service related to this
collection and who need to have access
to the records in order to perform the
activity.
We contemplate disclosing
information under this routine use only
in situations in which CMS may enter
into a contractual or similar agreement
with a third party to assist in
accomplishing CMS functions relating to
purposes for this system.
CMS occasionally contracts out
certain of its functions when doing so
would contribute to effective and
efficient operations. CMS must be able
to give a contractor, consultant or
grantee whatever information is
necessary for the contractor or
consultant to fulfill its duties. In these
situations, safeguards are provided in
the contract prohibiting the contractor,
consultant or grantee from using or
disclosing the information for any
purpose other than that described in the
contract and requiring the contractor,
consultant or grantee to return or
destroy all information at the
completion of the contract.
2. To another Federal or state agency,
agency of a state government, an agency
established by state law, or its fiscal
agent:
a. To contribute to the accuracy of
CMS’ proper payment of Medicare
benefits,
b. To enable such agency to
administer a Federal health benefits
program, or as necessary to enable such
agency to fulfill a requirement of a
Federal statute or regulation that
implements a health benefits program
funded in whole or in part with federal
funds.
Other Federal or state agencies in
their administration of a Federal health
program may require IRIS information
in order to support evaluations and
monitoring of reimbursement for
services provided.
SSA may require IRIS data to enable
it to assist in the implementation and
maintenance of the Medicare program.
State licensing boards may require
IRIS data to enable them to assist in the
review of activities related to IRs in
their state.
The Medicare Payment Advisory
Commission and Congressional Budget
Office may require IRIS data to assist in
certain budgetary and planning
activities related to IR status.
3. To providers and suppliers of
services (and their authorized billing
agents) directly or dealing through fiscal
intermediaries or carriers, for
administration of provisions of Title
XVIII of the Social Security Act.
We contemplate disclosing
information under this routine use only
in situations in which CMS may enter
into a contractual agreement with
providers and suppliers of services to
assist in accomplishing CMS functions
relating to purposes for this SOR.
4. To third-party contacts where
necessary to establish or verify
information provided on or by IR.
We contemplate disclosing
information under this routine use only
in situations in which CMS may enter
into a contractual or similar agreement
with a third party to assist in
accomplishing CMS functions relating
to purposes for this system of records.
5. To the Department of Justice (DOJ),
court or adjudicatory body when:
a. The agency or any component
thereof, or
b. Any employee of the agency in his
or her official capacity, or
c. Any employee of the agency in his
or her individual capacity where the
DOJ has agreed to represent the
employee, or
d. The United States Government
Is a party to litigation or has an interest
in such litigation, and by careful review,
CMS determines that the records are
both relevant and necessary to the
litigation and that the use of such
records by the DOJ, court or
adjudicatory body is compatible with
the purpose for which the agency
collected the records.
Whenever CMS is involved in
litigation, or occasionally when another
party is involved in litigation and CMS’
policies or operations could be affected
by the outcome of the litigation, CMS
would be able to disclose information to
the DOJ, court or adjudicatory body
involved.
6. To a CMS contractor (including, but
not limited to FIs and carriers) that
assists in the administration of a CMS-administered health benefits program,
or to a grantee of a CMS-administered
grant program, when disclosure is
deemed reasonably necessary by CMS to
prevent, deter, discover, detect,
investigate, examine, prosecute, sue
with respect to, defend against, correct,
remedy, or otherwise combat fraud,
waste, or abuse in such program.
We contemplate disclosing
information under this routine use only
in situations in which CMS may enter
into a contract or grant with a third
party to assist in accomplishing CMS
functions relating to the purpose of
combating fraud, waste, and abuse.
CMS occasionally contracts out
certain of its functions when doing so
would contribute to effective and
efficient operations. CMS must be able
to give a contractor or grantee whatever
information is necessary for the
contractor or grantee to fulfill its duties.
In these situations, safeguards are
provided in the contract prohibiting the
contractor or grantee from using or
disclosing the information for any
purpose other than that described in the
contract and requiring the contractor or
grantee to return or destroy all
information.
7. To another Federal agency or to an
instrumentality of any governmental
jurisdiction within or under the control
of the United States (including any state
or local governmental agency), that
administers, or that has the authority to
investigate potential fraud or abuse in a
health benefits program funded in
whole or in part by Federal funds, when
disclosure is deemed reasonably
necessary by CMS to prevent, deter,
discover, detect, investigate, examine,
prosecute, sue with respect to, defend
against, correct, remedy, or otherwise
combat fraud, waste, or abuse in such
programs.
Other agencies may require IRIS
information for the purpose of
combating fraud, waste, and abuse in
such Federally funded programs.
IV. Safeguards
CMS has safeguards in place for
authorized users and monitors such
users to ensure against excessive or
unauthorized use. Personnel having
access to the system have been trained
in the Privacy Act and information
security requirements. Employees who
maintain records in this system are
instructed not to release data until the
intended recipient agrees to implement
appropriate management, operational
and technical safeguards sufficient to
protect the confidentiality, integrity and
availability of the information and
information systems and to prevent
unauthorized access.
This system will conform to all
applicable Federal laws and regulations
and Federal, HHS, and CMS policies
and standards as they relate to
information security and data privacy.
These laws and regulations may apply
but are not limited to: the Privacy Act
of 1974; the Federal Information
Security Management Act of 2002; the
Computer Fraud and Abuse Act of 1986;
the Health Insurance Portability and
Accountability Act of 1996; the E-Government Act of 2002, the Clinger-Cohen Act of 1996; the Medicare
Modernization Act of 2003, and the
corresponding implementing
regulations. OMB Circular A–130,
Management of Federal Resources,
Appendix III, Security of Federal
Automated Information Resources also
applies. Federal, HHS, and CMS
policies and standards include but are
not limited to: all pertinent National
Institute of Standards and Technology
publications; the HHS Information
Systems Program Handbook and the
CMS Information Security Handbook.
V. Effects of the Modified or Altered
System of Records on Individual Rights
CMS proposes to modify this system
in accordance with the principles and
requirements of the Privacy Act and will
collect, use, and disseminate
information only as prescribed therein.
Data in this system will be subject to the
authorized releases in accordance with
the routine uses identified in this
system of records.
CMS will take precautionary
measures to minimize the risks of
unauthorized access to the records and
the potential harm to individual privacy
or other personal or property rights of
patients whose data are maintained in
the system. CMS will collect only that
information necessary to perform the
system’s functions. In addition, CMS
will make disclosure from the proposed
system only with consent of the subject
individual, or his/her legal
representative, or in accordance with an
applicable exception provision of the
Privacy Act. CMS, therefore, does not
anticipate an unfavorable effect on
individual privacy as a result of
information relating to individuals.
Dated: November 28, 2007.
Charlene Frizzera,
Chief Operating Officer, Centers for Medicare
& Medicaid Services.
SYSTEM NO. 09–70–0524
SYSTEM NAME:
‘‘Intern and Resident Information
System (IRIS), HHS/CMS/OFM’’
SECURITY CLASSIFICATION:
Level Three Privacy Act Sensitive
Data
SYSTEM LOCATION:
The Centers for Medicare & Medicaid
Services (CMS) Data Center, 7500
Security Boulevard, North Building,
First Floor, Baltimore, Maryland 21244–
1850 and South Building, Baltimore,
Maryland 21244–1850.
CATEGORIES OF INDIVIDUALS COVERED BY THE
SYSTEM:
Interns and residents (IR) in medical
residency programs approved under 42
CFR § 413.75, working in all areas of the
hospital complex, or other freestanding
providers, as well as non-hospital or
non-provider settings on or after July 1,
1985.
CATEGORIES OF RECORDS IN THE SYSTEM:
The system includes the following
information for each IR: name, social
security number; name of medical,
osteopathic, dental, or podiatric school
graduated from and date of graduation,
type of residency program for the
medical specialty, number of years
completed in all types of residency
programs, foreign medical school
graduation date and certification date,
name of employer (e.g., hospital,
university, corporation) paying the
salary, the percentage of time spent
working in either the inpatient areas of
the hospital subject to the Prospective
Payment System or in the outpatient
areas of the hospital or in a non-hospital
setting under agreement with the
hospital for indirect medical education
(IME), the percentage of time spent
working in any area of the hospital
complex or in a non-provider setting
under agreement with the hospital for
graduate medical education (GME), the
start and end dates assigned to the
hospital and any hospital-based
providers (assignment periods) during
the hospital’s cost reporting period, the
start and end dates assigned to any non-hospital or non-provider setting in
connection with approved residency
programs (assignment periods) during
the hospital’s cost reporting period, and
the full-time or part-time percentage
during each assignment period.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Authority for maintenance of the
system is given under the provisions of
§§ 1886(d)(5)(B) and 1886(h) of the
Social Security Act (Title 42 United
States Code (U.S.C.) §§ 1395ww(d)(5)(B)
and 1395ww (h)).
PURPOSE(S) OF THE SYSTEM:
The primary purpose of the SOR is to
ensure that no interns and residents
(IRs) are counted by the Medicare
program as more than one full-time
equivalent (FTE) employee in the
calculation of payments for the costs of
direct graduate medical education
(GME) and indirect medical education
(IME). Information retrieved from this
SOR will also be disclosed to: (1)
Support regulatory, reimbursement, and
policy functions performed within the
Agency or by a contractor or consultant,
(2) assist another Federal and/or state
agency, agency of a state government, an
agency established by state law, or its
fiscal agent, (3) support providers and
suppliers of services, (4) assist third-party contacts where necessary to
establish or verify information, (5)
support litigation involving the Agency,
and (6) combat fraud, waste, and abuse
in certain health benefits programs.
ROUTINE USES OF RECORDS MAINTAINED IN THE
SYSTEM, INCLUDING CATEGORIES OF USERS AND
THE PURPOSES OF SUCH USES:
A. Entities Who May Receive
Disclosures Under Routine Use
These routine uses specify
circumstances, in addition to those
provided by statute in the Privacy Act
of 1974, under which CMS may release
information from the IRIS without the
consent of the individual to whom such
information pertains. Each proposed
disclosure of information under these
routine uses will be evaluated to ensure
that the disclosure is legally
permissible, including but not limited to
ensuring that the purpose of the
disclosure is compatible with the
purpose for which the information was
collected. We are proposing to establish
or modify the following routine use
disclosures of information maintained
in the system:
1. To support agency contractors,
consultants, or grantees, who have been
engaged by the agency to assist in the
performance of a service related to this
collection and who need to have access
to the records in order to perform the
activity.
2. To another Federal or state agency,
agency of a state government, an agency
established by state law, or its fiscal
agent:
a. To contribute to the accuracy of
CMS’ proper payment of Medicare
benefits,
b. To enable such agency to
administer a Federal health benefits
program, or as necessary to enable such
agency to fulfill a requirement of a
Federal statute or regulation that
implements a health benefits program
funded in whole or in part with federal
funds.
3. To providers and suppliers of
services (and their authorized billing
agents) directly or dealing through fiscal
intermediaries or carriers, for
administration of provisions of Title
XVIII of the Social Security Act.
4. To third-party contacts where
necessary to establish or verify
information provided on or by IR.
5. To the Department of Justice (DOJ),
court or adjudicatory body when:
a. The agency or any component
thereof, or
b. Any employee of the agency in his
or her official capacity, or
c. Any employee of the agency in his
or her individual capacity where the
DOJ has agreed to represent the
employee, or
d. The United States Government
Is a party to litigation or has an
interest in such litigation, and by careful
review, CMS determines that the
records are both relevant and necessary
to the litigation and that the use of such
records by the DOJ, court or
adjudicatory body is compatible with
the purpose for which the agency
collected the records.
6. To a CMS contractor (including, but
not limited to FIs and carriers) that
assists in the administration of a CMS-administered health benefits program,
or to a grantee of a CMS-administered
grant program, when disclosure is
deemed reasonably necessary by CMS to
prevent, deter, discover, detect,
investigate, examine, prosecute, sue
with respect to, defend against, correct,
remedy, or otherwise combat fraud,
waste, or abuse in such program.
7. To another Federal agency or to an
instrumentality of any governmental
jurisdiction within or under the control
of the United States (including any state
or local governmental agency), that
administers, or that has the authority to
investigate potential fraud or abuse in a
health benefits program funded in
whole or in part by Federal funds, when
disclosure is deemed reasonably
necessary by CMS to prevent, deter,
discover, detect, investigate, examine,
prosecute, sue with respect to, defend
against, correct, remedy, or otherwise
combat fraud, waste, or abuse in such
programs.
POLICIES AND PRACTICES FOR STORING,
RETRIEVING, ACCESSING, RETAINING, AND
DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
All records are stored on paper and
magnetic disk.
RETRIEVABILITY:
Magnetic media records are retrieved
by the name of the employees or other
authorized individual and/or card key
number. Paper records are retrieved
alphabetically by name.
SAFEGUARDS:
CMS has safeguards in place for
authorized users and monitors such
users to ensure against excessive or
unauthorized use. Personnel having
access to the system have been trained
in the Privacy Act and information
security requirements. Employees who
maintain records in this system are
instructed not to release data until the
intended recipient agrees to implement
appropriate management, operational
and technical safeguards sufficient to
protect the confidentiality, integrity and
availability of the information and
information systems and to prevent
unauthorized access.
This system will conform to all
applicable Federal laws and regulations
and Federal, HHS, and CMS policies
and standards as they relate to
information security and data privacy.
These laws and regulations may apply
but are not limited to: the Privacy Act
of 1974; the Federal Information
Security Management Act of 2002; the
Computer Fraud and Abuse Act of 1986;
the Health Insurance Portability and
Accountability Act of 1996; the
E-Government Act of 2002, the Clinger-Cohen Act of 1996; the Medicare
Modernization Act of 2003, and the
corresponding implementing
regulations. OMB Circular A–130,
Management of Federal Resources,
Appendix III, Security of Federal
Automated Information Resources also
applies. Federal, HHS, and CMS
policies and standards include but are
not limited to: all pertinent National
Institute of Standards and Technology
publications; the HHS Information
Systems Program Handbook and the
CMS Information Security Handbook.
RETENTION AND DISPOSAL:
Records are maintained in a secure
storage area with identifiers. Disposal
occurs three years from the last action
on the hospital’s cost report, and should
be coordinated with disposal of the
reports.
SYSTEM MANAGER AND ADDRESS:
Director, Division of Provider Audit
Operations, Financial Services Group,
Office of Financial Management, CMS,
7500 Security Boulevard, C3–14–00,
Baltimore, Maryland 21244–1850.
NOTIFICATION PROCEDURE:
For purpose of access, the subject
individual should write to the systems
manager who will require the system
name, SSN, address, date of birth, sex,
and for verification purposes, the
subject individual’s name (woman’s
maiden name, if applicable). Furnishing
the SSN is voluntary, but it may make
searching for a record easier and prevent
delay.
RECORD ACCESS PROCEDURE:
For purpose of access, use the same
procedures outlined in Notification
Procedures above. Requestors should
also reasonably specify the record
contents being sought. (These
procedures are in accordance with
Department regulation 45 CFR
5b.5(a)(2).)
CONTESTING RECORD PROCEDURES:
The subject individual should contact
the system manager named above, and
reasonably identify the record and
specify the information to be contested.
State the corrective action sought and
the reasons for the correction with
supporting justification. (These
procedures are in accordance with
Department regulation 45 CFR 5b.7.)
RECORD SOURCE CATEGORIES:
Data for this system is collected from
IRIS diskettes/CDs as transmitted by the
hospitals.
SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS
OF THE ACT:
None.
[FR Doc. E7–23877 Filed 12–7–07; 8:45 am]
BILLING CODE 4120–03–P
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Administration for Children and
Families
Submission for OMB Review;
Comment Request
Title: Supporting Healthy Marriage
(SHM) Demonstration and Evaluation
Project: 12-month Follow-up and
Implementation Research Data
Collection.
OMB No.: New Collection.
The Administration for Children and
Families (ACF), U.S. Department of
Health and Human Services, is
conducting a demonstration and
evaluation called the Supporting
Healthy Marriage (SHM) project. SHM is
a test of marriage education
demonstration programs in eight
separate locations that will aim to enroll
up to 1,000 couples per location, up to
500 couples participating in SHM
programs and 500 control group
couples.
SHM is designed to inform program
operators and policymakers of the most
effective ways to help low-income
married couples strengthen and
maintain healthy marriages. In
particular, the project will measure the
effectiveness of marriage education
programs by randomly assigning eligible
volunteer couples to SHM program
groups and control groups.
This data collection request includes
three components. First, a survey will
be administered to couples 12 months
after they are enrolled in the program.
The survey is designed to assess the
effects of the SHM program on marital
status and stability, quality of
relationship with spouse, marital
expectations and ideals, marital
satisfaction, participation in services,
parenting outcomes, child outcomes,
parental well-being, employment,
income, material hardship, and social
support characteristics of study
participants assigned to both the
program and control groups. Second,
survey data will be complemented by
videotaped observations of couple, co-parenting, and parent-child interactions
with a subset of intact and separated
couples at the 12-month follow-up.
Third, qualitative data will be collected
through a process and implementation
study in each of the eight SHM
demonstration programs across the
country.
These data will complement the
information gathered by the SHM
baseline data collection (OMB Control
No. 0970–0299). The information
collected at the 12-month follow-up will
allow the research team to examine the
effects of SHM services on outcomes of
interest and to identify mechanisms that
might account for these effects. The
process and implementation research
will consist of a qualitative component
that will help ACF to better understand
the results from the impact analysis as
well as how to replicate programs that
prove to be successful.
Respondents: Low-income married
couples with children.
ANNUAL BURDEN ESTIMATES
Instrument | Annual number of respondents | Number of responses per respondent | Average burden hours per response | Estimated annual burden hours
12-month survey | 10,240 | 1 | 0.83 | 8,499.2
12-month observational study (intact couples) | 3,200 | 1 | 0.68 | 2,176
12-month observational study (separated couples) | 160 | 1 | 0.17 | 27.2
12-month observational study (children of intact couples) | 1,600 | 1 | 0.33 | 528
12-month observational study (children of separated couples) | 160 | 1 | 0.17 | 27.2
The process and implementation field research guide | 504 | 1 | 1 | 504
Estimated Total Annual Burden
Hours: 11,761.6.
Additional Information
Copies of the proposed collection may
be obtained by writing to the
Administration for Children and
Families, Office of Administration,
Office of Information Services, 370
L’Enfant Promenade, SW., Washington,
DC 20447, Attn: ACF Reports Clearance
Officer. All requests should be
identified by the title of the information
collection. E-mail address:
infocollection@acf.hhs.gov.
OMB Comment
OMB is required to make a decision
concerning the collection of information
between 30 and 60 days after
publication of this document in the
Federal Register. Therefore, a comment
is best assured of having its full effect
if OMB receives it within 30 days of
publication. Written comments and
recommendations for the proposed
information collection should be sent
directly to the following: Office of
Management and Budget, Paperwork
Reduction Project, Fax: 202–395–6974,
Attn: Desk Officer for the
Administration for Children and
Families.
Dated: November 29, 2007.
Brendan C. Kelly,
OPRE Reports Clearance Officer.
[FR Doc. 07–5978 Filed 12–7–07; 8:45 am]
BILLING CODE 4184–01–M
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Indian Health Service
Request for Public Comment: 60-Day
Proposed Information Collection:
Indian Health Service Customer
Satisfaction Survey
AGENCY: Indian Health Service, HHS.
ACTION: Notice.
SUMMARY: In compliance with Section
3506(c)(2)(A) of the Paperwork
Reduction Act of 1995 which requires
60 days advance opportunity for public
comment on proposed information
collection projects, the Indian Health
Service (IHS) is publishing for comment
a summary of a proposed information
collection to be submitted to the Office
[Federal Register Volume 72, Number 236 (Monday, December 10, 2007)]
[Notices]
[Pages 69691-69696]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E7-23877]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Centers for Medicare & Medicaid Services
Privacy Act of 1974; Report of a Modified or Altered System
AGENCY: Department of Health and Human Services (HHS), Centers for
Medicare & Medicaid Services (CMS).
ACTION: Notice of a Modified or Altered System of Records (SOR).
-----------------------------------------------------------------------
SUMMARY: In accordance with the requirements of the Privacy Act of
1974, we are proposing to modify or alter an existing SOR, ``Intern and
Resident Information System (IRIS),'' System No. 09-70-0524, last
published at 67 Federal Register 48189 (July 23, 2002). We propose to
modify existing routine use number 1 that permits disclosure to agency
contractors and consultants to include disclosure to CMS grantees who
perform a task for the agency. CMS grantees, charged with completing
projects or activities that require CMS data to carry out that
activity, are classified separate from CMS contractors and/or
consultants. The modified routine use will remain as routine use number
1. We will delete routine use number 5 authorizing disclosure to
support constituent requests made to a congressional representative. If
an authorization for the disclosure has been obtained from the data
subject, then no routine use is needed. The Privacy Act allows for
disclosures with the ``prior written consent'' of the data subject. We
will broaden the scope of published routine uses number 7 and 8,
authorizing disclosures to combat fraud and abuse in the Medicare and
Medicaid programs to include combating ``waste'' which refers
increasingly more to specific beneficiary or recipient practices that
result in unnecessary cost to Federally-funded health benefit programs.
We will delete the section titled ``Additional Circumstances
Affecting Routine Use Disclosures,'' that addresses ``Protected Health
Information (PHI)'' and ``small cell size.'' The requirement for
compliance with HHS regulation ``Standards for Privacy of Individually
Identifiable Health Information'' does not apply because this system
does not collect or maintain PHI. In addition, our policy to prohibit
release if there is a possibility that an individual can be identified
through ``small cell size'' is not applicable to the data maintained in
this system.
We are modifying the language in the remaining routine uses to
provide a proper explanation as to the need for the routine use and to
provide clarity to CMS' intention to disclose individual-specific
information contained in this system. The routine uses will then be
prioritized and reordered according to their usage. We will also take
the opportunity to update any sections of the system that were affected
by the recent reorganization or by Medicare Prescription Drug,
Improvement, and Modernization Act of 2003 (Pub. L. 108-173) provisions
and to update language in the administrative sections to correspond
with language used in other CMS SORs.
The primary purpose of the SOR is to ensure that no interns and
residents (IRs) are counted by the Medicare program as more than one
full-time equivalent (FTE) employee in the calculation of payments for
the costs of direct graduate medical education (GME) and indirect
medical education (IME). Information retrieved from this SOR will also
be disclosed to: (1) Support regulatory, reimbursement, and policy
functions performed within the Agency or by a contractor or consultant,
(2) assist another Federal and/or state agency, agency of a state
government, an agency established by state law, or its fiscal agent,
(3) support providers and suppliers of services, (4) assist third-party
contacts where necessary to establish or verify information, (5)
support litigation involving the Agency, and (6) combat fraud, waste,
and abuse in certain health benefits programs. We have provided
background information about the modified system in the ``Supplementary
Information'' section below. Although the Privacy Act requires only
that CMS provide an opportunity for interested persons to comment on
the routine uses, CMS invites comments on all portions of this notice.
See ``Effective Dates'' section for comment period.
DATES: Effective Dates: CMS filed a modified or altered system report
with the Chair of the House Committee on Government Reform and
Oversight, the Chair of the Senate Committee on Homeland Security and
Governmental Affairs, and the Administrator, Office of Information and
Regulatory Affairs, Office of Management and Budget (OMB) on December
4, 2007. To ensure that all parties have adequate time in which to
comment, the modified system, including routine uses, will become
effective 30 days from the publication of the notice, or 40 days from
the date it was submitted to OMB and Congress, whichever is later,
unless CMS receives comments that require alterations to this notice.
ADDRESSES: The public should address comments to: CMS Privacy Officer,
Division of Privacy Compliance, Enterprise Architecture and Strategy
Group, Office of Information Services, CMS, Room N2-04-27, 7500
Security Boulevard, Baltimore, Maryland 21244-1850. Comments received
will be available for review at this location, by appointment, during
regular business hours, Monday through Friday from 9 a.m.-3 p.m.,
Eastern Time Zone.
FOR FURTHER INFORMATION CONTACT: Milton Jacobson, Division of Provider
Audit Operations, Financial Services Group, Office of Financial
Management, CMS, Room C3-14-00, 7500 Security Boulevard, Baltimore,
Maryland 21244-1850. Mr. Jacobson can be reached by telephone at 410-
786-7553 or via e-mail at Milton.Jacobson@cms.hhs.gov.
SUPPLEMENTARY INFORMATION:
I. Description of the Modified or Altered System of Records
A. Statutory and Regulatory Basis for System
Authority for maintenance of the system is given under the
provisions of Sec. Sec. 1886(d)(5)(B) and 1886(h) of the Social
Security Act (Title 42 United States Code (U.S.C.) 1395ww(d)(5)(B) and
1395ww(h)).
B. Collection and Maintenance of Data in the System
The system collects and maintains information on interns and residents
in programs approved under 42 CFR 413.75, working in all areas of the
hospital complex, or other freestanding providers, as well as non-
hospital or non-provider settings on or after July 1, 1985. The system
includes the following information for each IR: name, social security
number; name of medical, osteopathic, dental, or podiatric school
graduated from and date of graduation, type of residency program for
the medical specialty, number of years completed in all types of
residency programs, foreign medical school graduation date and
certification date, name of employer (e.g., hospital, university,
corporation) paying the salary, the percentage of time spent working in
either the inpatient areas of the hospital subject to the Prospective
Payment System or in the outpatient areas of the hospital or in a non-
hospital setting under agreement with the hospital for IME, the
percentage of time spent working in any area of the hospital complex or
in a non-provider setting under agreement with the hospital for GME,
the start and end dates assigned to the hospital and any hospital-based
providers (assignment periods) during the hospital's cost reporting
period, the start and end dates assigned to any non-hospital or non-
provider setting in connection with approved residency programs
(assignment periods) during the hospital's cost reporting period, and
the full-time or part-time percentage during each assignment period.
II. Agency Policies, Procedures, and Restrictions on the Routine Use
A. The Privacy Act permits us to disclose information without an
individual's consent if the information is to be used for a purpose
that is compatible with the purpose(s) for which the information was
collected. Any such disclosure of data is known as a ``routine use.''
The government will only release IRIS information that can be
associated with an individual as provided for under ``Section III.
Proposed Routine Use Disclosures of Data in the System.'' Both
identifiable and non-identifiable data may be disclosed under a routine
use.
We will only collect the minimum personal data necessary to achieve
the purpose of IRIS. CMS has the following policies and procedures
concerning disclosures of information that will be maintained in the
system. Disclosure of information from this system will be approved
only to the extent necessary to accomplish the purpose of the
disclosure and only after CMS:
1. Determines that the use or disclosure is consistent with the
reason that the data is being collected, e.g., to ensure that no
interns and residents (IR) are counted by the Medicare program as more
than one full-time equivalent (FTE) employee in the calculation of
payments for the costs of GME and IME.
2. Determines:
a. That the purpose for which the disclosure is to be made can only
be accomplished if the record is provided in individually identifiable
form;
b. That the purpose for which the disclosure is to be made is of
sufficient importance to warrant the potential effect and/or risk on
the privacy of the individual that additional exposure of the record
might bring; and
c. That there is a strong probability that the proposed use of the
data would in fact accomplish the stated purpose(s).
3. Requires the information recipient to:
a. Establish administrative, technical, and physical safeguards to
prevent unauthorized use or disclosure of the record; and
b. Remove or destroy at the earliest time all patient-identifiable
information.
4. Determines that the data are valid and reliable.
III. Proposed Routine Use Disclosures of Data in the System
A. Entities Who May Receive Disclosures Under Routine Use
These routine uses specify circumstances, in addition to those
provided by statute in the Privacy Act of 1974, under which CMS may
release information from the IRIS without the consent of the individual
to whom such information pertains. Each proposed disclosure of
information under these routine uses will be evaluated to ensure that
the disclosure is legally permissible, including but not limited to
ensuring that the purpose of the disclosure is compatible with the
purpose for which the information was collected. We are proposing to
establish or modify the following routine use disclosures of
information maintained in the system:
1. To support agency contractors, consultants, or grantees, who
have been engaged by the agency to assist in the performance of a
service related to this collection and who need to have access to the
records in order to perform the activity.
We contemplate disclosing information under this routine use only
in situations in which CMS may enter into a contractual or similar
agreement with a third party to assist in accomplishing CMS functions
relating to purposes for this system.
CMS occasionally contracts out certain of its functions when doing
so would contribute to effective and efficient operations. CMS must be
able to give a contractor, consultant or grantee whatever information
is necessary for the contractor or consultant to fulfill its duties. In
these situations, safeguards are provided in the contract prohibiting
the contractor, consultant or grantee from using or disclosing the
information for any purpose other than that described in the contract
and requiring the contractor, consultant or grantee to return or destroy
all information at the completion of the contract.
2. To another Federal or state agency, agency of a state
government, an agency established by state law, or its fiscal agent:
a. To contribute to the accuracy of CMS' proper payment of Medicare
benefits,
b. To enable such agency to administer a Federal health benefits
program, or as necessary to enable such agency to fulfill a requirement
of a Federal statute or regulation that implements a health benefits
program funded in whole or in part with federal funds.
Other Federal or state agencies in their administration of a
Federal health program may require IRIS information in order to support
evaluations and monitoring of reimbursement for services provided.
SSA may require IRIS data to enable it to assist in the
implementation and maintenance of the Medicare program.
State licensing boards may require IRIS data to enable them to
assist in the review of activities related to IRs in their state.
The Medicare Payment Advisory Commission and Congressional Budget
Office may require IRIS data to assist in certain budgetary and
planning activities related to IR status.
3. To providers and suppliers of services (and their authorized
billing agents) directly or dealing through fiscal intermediaries or
carriers, for administration of provisions of Title XVIII of the Social
Security Act.
We contemplate disclosing information under this routine use only
in situations in which CMS may enter into a contractual agreement with
providers and suppliers of services to assist in accomplishing CMS
functions relating to purposes for this SOR.
4. To third-party contacts where necessary to establish or verify
information provided on or by IR.
We contemplate disclosing information under this routine use only
in situations in which CMS may enter into a contractual or similar
agreement with a third party to assist in accomplishing CMS functions
relating to purposes for this system of records.
5. To the Department of Justice (DOJ), court or adjudicatory body
when:
a. The agency or any component thereof, or
b. Any employee of the agency in his or her official capacity, or
c. Any employee of the agency in his or her individual capacity
where the DOJ has agreed to represent the employee, or
d. The United States Government
Is a party to litigation or has an interest in such litigation, and by
careful review, CMS determines that the records are both relevant and
necessary to the litigation and that the use of such records by the
DOJ, court or adjudicatory body is compatible with the purpose for
which the agency collected the records.
Whenever CMS is involved in litigation, or occasionally when
another party is involved in litigation and CMS' policies or operations
could be affected by the outcome of the litigation, CMS would be able
to disclose information to the DOJ, court or adjudicatory body
involved.
6. To a CMS contractor (including, but not limited to FIs and
carriers) that assists in the administration of a CMS-administered
health benefits program, or to a grantee of a CMS-administered grant
program, when disclosure is deemed reasonably necessary by CMS to
prevent, deter, discover, detect, investigate, examine, prosecute, sue
with respect to, defend against, correct, remedy, or otherwise combat
fraud, waste, or abuse in such program.
We contemplate disclosing information under this routine use only
in situations in which CMS may enter into a contract or grant with a
third party to assist in accomplishing CMS functions relating to the
purpose of combating fraud, waste, and abuse.
CMS occasionally contracts out certain of its functions when doing
so
would contribute to effective and efficient operations. CMS must be
able to give a contractor or grantee whatever information is necessary
for the contractor or grantee to fulfill its duties. In these
situations, safeguards are provided in the contract prohibiting the
contractor or grantee from using or disclosing the information for any
purpose other than that described in the contract and requiring the
contractor or grantee to return or destroy all information.
7. To another Federal agency or to an instrumentality of any
governmental jurisdiction within or under the control of the United
States (including any state or local governmental agency), that
administers, or that has the authority to investigate potential fraud
or abuse in a health benefits program funded in whole or in part by
Federal funds, when disclosure is deemed reasonably necessary by CMS to
prevent, deter, discover, detect, investigate, examine, prosecute, sue
with respect to, defend against, correct, remedy, or otherwise combat
fraud, waste, or abuse in such programs.
Other agencies may require IRIS information for the purpose of
combating fraud, waste, and abuse in such Federally funded programs.
IV. Safeguards
CMS has safeguards in place for authorized users and monitors such
users to ensure against excessive or unauthorized use. Personnel having
access to the system have been trained in the Privacy Act and
information security requirements. Employees who maintain records in
this system are instructed not to release data until the intended
recipient agrees to implement appropriate management, operational and
technical safeguards sufficient to protect the confidentiality,
integrity and availability of the information and information systems
and to prevent unauthorized access.
This system will conform to all applicable Federal laws and
regulations and Federal, HHS, and CMS policies and standards as they
relate to information security and data privacy. These laws and
regulations may apply but are not limited to: the Privacy Act of 1974;
the Federal Information Security Management Act of 2002; the Computer
Fraud and Abuse Act of 1986; the Health Insurance Portability and
Accountability Act of 1996; the E-Government Act of 2002, the Clinger-
Cohen Act of 1996; the Medicare Modernization Act of 2003, and the
corresponding implementing regulations. OMB Circular A-130, Management
of Federal Resources, Appendix III, Security of Federal Automated
Information Resources also applies. Federal, HHS, and CMS policies and
standards include but are not limited to: all pertinent National
Institute of Standards and Technology publications; the HHS Information
Systems Program Handbook and the CMS Information Security Handbook.
V. Effects of the Modified or Altered System of Records on Individual
Rights
CMS proposes to modify this system in accordance with the
principles and requirements of the Privacy Act and will collect, use,
and disseminate information only as prescribed therein. Data in this
system will be subject to the authorized releases in accordance with
the routine uses identified in this system of records.
CMS will take precautionary measures to minimize the risks of
unauthorized access to the records and the potential harm to individual
privacy or other personal or property rights of patients whose data are
maintained in the system. CMS will collect only that information
necessary to perform the system's functions. In addition, CMS will make
disclosure from the proposed system only with consent of the subject
individual, or his/her legal representative, or in accordance with an
applicable exception provision of the Privacy Act. CMS, therefore, does
not anticipate an unfavorable effect on individual privacy as a result
of information relating to individuals.
Dated: November 28, 2007.
Charlene Frizzera,
Chief Operating Officer, Centers for Medicare & Medicaid Services.
SYSTEM NO. 09-70-0524
SYSTEM NAME:
``Intern and Resident Information System (IRIS), HHS/CMS/OFM''
SECURITY CLASSIFICATION:
Level Three Privacy Act Sensitive Data
SYSTEM LOCATION:
The Centers for Medicare & Medicaid Services (CMS) Data Center,
7500 Security Boulevard, North Building, First Floor, Baltimore,
Maryland 21244-1850 and South Building, Baltimore, Maryland 21244-1850.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
Interns and residents (IR) in medical residency programs approved
under 42 CFR Sec. 413.75, working in all areas of the hospital
complex, or other freestanding providers, as well as non-hospital or
non-provider settings on or after July 1, 1985.
CATEGORIES OF RECORDS IN THE SYSTEM:
The system includes the following information for each IR: name,
social security number; name of medical, osteopathic, dental, or
podiatric school graduated from and date of graduation, type of
residency program for the medical specialty, number of years completed
in all types of residency programs, foreign medical school graduation
date and certification date, name of employer (e.g., hospital,
university, corporation) paying the salary, the percentage of time
spent working in either the inpatient areas of the hospital subject to
the Prospective Payment System or in the outpatient areas of the
hospital or in a non-hospital setting under agreement with the hospital
for indirect medical education (IME), the percentage of time spent
working in any area of the hospital complex or in a non-provider
setting under agreement with the hospital for graduate medical
education (GME), the start and end dates assigned to the hospital and
any hospital-based providers (assignment periods) during the hospital's
cost reporting period, the start and end dates assigned to any non-
hospital or non-provider setting in connection with approved residency
programs (assignment periods) during the hospital's cost reporting
period, and the full-time or part-time percentage during each
assignment period.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Authority for maintenance of the system is given under the
provisions of Sec. Sec. 1886(d)(5)(B) and 1886(h) of the Social
Security Act (Title 42 United States Code (U.S.C.) Sec. Sec.
1395ww(d)(5)(B) and 1395ww (h)).
PURPOSE(S) OF THE SYSTEM:
The primary purpose of the SOR is to ensure that no interns and
residents (IRs) are counted by the Medicare program as more than one
full-time equivalent (FTE) employee in the calculation of payments for
the costs of direct graduate medical education (GME) and indirect
medical education (IME). Information retrieved from this SOR will also
be disclosed to: (1) Support regulatory, reimbursement, and policy
functions performed within the Agency or by a contractor or consultant,
(2) assist another Federal and/or state agency, agency of a state
government, an agency established by state law, or its fiscal agent,
(3) support providers and suppliers of services, (4) assist third-party
contacts where necessary to establish or verify information, (5)
support litigation involving the Agency, and (6) combat fraud, waste,
and abuse in certain health benefits programs.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND THE PURPOSES OF SUCH USES:
A. Entities Who May Receive Disclosures Under Routine Use
These routine uses specify circumstances, in addition to those
provided by statute in the Privacy Act of 1974, under which CMS may
release information from the IRIS without the consent of the individual
to whom such information pertains. Each proposed disclosure of
information under these routine uses will be evaluated to ensure that
the disclosure is legally permissible, including but not limited to
ensuring that the purpose of the disclosure is compatible with the
purpose for which the information was collected. We are proposing to
establish or modify the following routine use disclosures of
information maintained in the system:
1. To support agency contractors, consultants, or grantees, who
have been engaged by the agency to assist in the performance of a
service related to this collection and who need to have access to the
records in order to perform the activity.
2. To another Federal or state agency, agency of a state
government, an agency established by state law, or its fiscal agent:
a. To contribute to the accuracy of CMS' proper payment of Medicare
benefits,
b. To enable such agency to administer a Federal health benefits
program, or as necessary to enable such agency to fulfill a requirement
of a Federal statute or regulation that implements a health benefits
program funded in whole or in part with federal funds.
3. To providers and suppliers of services (and their authorized
billing agents) directly or dealing through fiscal intermediaries or
carriers, for administration of provisions of Title XVIII of the Social
Security Act.
4. To third-party contacts where necessary to establish or verify
information provided on or by IR.
5. To the Department of Justice (DOJ), court or adjudicatory body
when:
a. The agency or any component thereof, or
b. Any employee of the agency in his or her official capacity, or
c. Any employee of the agency in his or her individual capacity
where the DOJ has agreed to represent the employee, or
d. The United States Government
Is a party to litigation or has an interest in such litigation, and
by careful review, CMS determines that the records are both relevant
and necessary to the litigation and that the use of such records by the
DOJ, court or adjudicatory body is compatible with the purpose for
which the agency collected the records.
6. To a CMS contractor (including, but not limited to FIs and
carriers) that assists in the administration of a CMS-administered
health benefits program, or to a grantee of a CMS-administered grant
program, when disclosure is deemed reasonably necessary by CMS to
prevent, deter, discover, detect, investigate, examine, prosecute, sue
with respect to, defend against, correct, remedy, or otherwise combat
fraud, waste, or abuse in such program.
7. To another Federal agency or to an instrumentality of any
governmental jurisdiction within or under the control of the United
States (including any state or local governmental agency), that
administers, or that has the authority to investigate potential fraud
or abuse in a health benefits program funded in whole or in part by
Federal funds, when disclosure is deemed reasonably necessary by CMS to
prevent, deter, discover, detect, investigate, examine, prosecute, sue
with respect to, defend against, correct, remedy, or otherwise combat
fraud, waste, or abuse in such programs.
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING,
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
All records are stored on paper and magnetic disk.
RETRIEVABILITY:
Magnetic media records are retrieved by the name of the employees
or other authorized individual and/or card key number. Paper records
are retrieved alphabetically by name.
SAFEGUARDS:
CMS has safeguards in place for authorized users and monitors such
users to ensure against excessive or unauthorized use. Personnel having
access to the system have been trained in the Privacy Act and
information security requirements. Employees who maintain records in
this system are instructed not to release data until the intended
recipient agrees to implement appropriate management, operational and
technical safeguards sufficient to protect the confidentiality,
integrity and availability of the information and information systems
and to prevent unauthorized access.
This system will conform to all applicable Federal laws and
regulations and Federal, HHS, and CMS policies and standards as they
relate to information security and data privacy. These laws and
regulations may apply but are not limited to: the Privacy Act of 1974;
the Federal Information Security Management Act of 2002; the Computer
Fraud and Abuse Act of 1986; the Health Insurance Portability and
Accountability Act of 1996; the E-Government Act of 2002, the Clinger-
Cohen Act of 1996; the Medicare Modernization Act of 2003, and the
corresponding implementing regulations. OMB Circular A-130, Management
of Federal Resources, Appendix III, Security of Federal Automated
Information Resources also applies. Federal, HHS, and CMS policies and
standards include but are not limited to: all pertinent National
Institute of Standards and Technology publications; the HHS Information
Systems Program Handbook and the CMS Information Security Handbook.
RETENTION AND DISPOSAL:
Records are maintained in a secure storage area with identifiers.
Disposal occurs three years from the last action on the hospital's cost
report, and should be coordinated with disposal of the reports.
SYSTEM MANAGER AND ADDRESS:
Director, Division of Provider Audit Operations, Financial Services
Group, Office of Financial Management, CMS, 7500 Security Boulevard,
C3-14-00, Baltimore, Maryland 21244-1850.
NOTIFICATION PROCEDURE:
For purpose of access, the subject individual should write to the
systems manager who will require the system name, SSN, address, date of
birth, sex, and for verification purposes, the subject individual's
name (woman's maiden name, if applicable). Furnishing the SSN is
voluntary, but it may make searching for a record easier and prevent
delay.
RECORD ACCESS PROCEDURE:
For purpose of access, use the same procedures outlined in
Notification Procedures above. Requestors should also reasonably
specify the record contents being sought. (These procedures are in
accordance with Department regulation 45 CFR 5b.5(a)(2).)
CONTESTING RECORD PROCEDURES:
The subject individual should contact the system manager named
above, and reasonably identify the record and specify the information
to be contested.
State the corrective action sought and the reasons for the correction
with supporting justification. (These procedures are in accordance with
Department regulation 45 CFR 5b.7.)
RECORD SOURCE CATEGORIES:
Data for this system is collected from IRIS diskettes/CDs as
transmitted by the hospitals.
SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
None.
[FR Doc. E7-23877 Filed 12-7-07; 8:45 am]
BILLING CODE 4120-03-P