Privacy Act of 1974; Report of a New System of Records, 11638-11643 [E8-4069]
Download as PDF
<![CDATA[
11638
Federal Register / Vol. 73, No. 43 / Tuesday, March 4, 2008 / Notices
Federal Deposit Insurance Corporation.
Robert E. Feldman,
Committee Management Officer.
[FR Doc. E8–4084 Filed 3–3–08; 8:45 am]
BILLING CODE 6714–01–P
FEDERAL TRADE COMMISSION
Sunshine Act Meeting Notice
AGENCY:
Federal Trade Commission.
TIME AND DATE:
2 p.m., Tuesday, April 1,
2008.
Federal Trade Commission
Building, Room 532, 600 Pennsylvania
Avenue, NW., Washington, DC 20580.
STATUS: Part of this meeting will be
open to the public. The rest of the
meeting will be closed to the public.
MATTERS TO BE CONSIDERED:
Portion Open to Public: (1) Oral
Argument in REALCOMP II, LTD.,
Docket 9320.
Portion Closed to the Public: (2)
Executive Session to follow Oral
Argument in REALCOMP II, LTD.,
Docket 9320.
Contact Person for More Information:
Mitch Katz.
Office of Public Affairs: (202) 326–
2180.
Recorded Message: (202) 326–2711.
PLACE:
Donald S. Clark,
Secretary.
[FR Doc. 08–955 Filed 2–29–08; 2:06 pm]
BILLING CODE 6750–07–M
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Centers for Disease Control and
Prevention
sroberts on PROD1PC70 with NOTICES
National Center for Health Statistics
(NCHS), Classifications and Public
Health Data Standards Staff,
Announces the Following Meeting
Name: ICD–9–CM Coordination and
Maintenance Committee Meeting.
Time and Date: 8:30 a.m.–6 p.m.,
March 19, 2008. 8:30 a.m.–6 p.m.,
March 20, 2008.
Place: Centers for Medicare and
Medicaid Services (CMS) Auditorium,
7500 Security Boulevard, Baltimore,
Maryland 21244.
Status: Open to the public.
Purpose: The ICD–9–CM Coordination
and Maintenance (C&M) Committee will
hold its first meeting of the 2008
calendar year cycle on Wednesday and
Thursday, March 19–20, 2008. The C&M
meeting is a public forum for the
presentation of proposed modifications
VerDate Aug<31>2005
17:57 Mar 03, 2008
Jkt 214001
to the International Classification of
Diseases, Ninth Revision, Clinical
Modification.
Matters To Be Discussed: Tentative
agenda items include:
Antidepressant poisonings
Gastroschisis and omphalocele
History of t–PA
Methicillin resistant staphylococcus
aureus
Military-related external cause of injury
codes and activity codes
Premature birth status
Venous complications in pregnancy and
the puerperium
Venous thromboembolism
Addenda (diagnoses)
Bilateral ventricular assist devices
Collateral air flow assessment
Episiotomy and repair of spontaneous
lacerations
Fenestrated endograft repair of
infrarenal abdominal aortic
aneurysms
Laparoscopic robotic assisted surgery
Spinal fusion robotic assisted surgery
Total breast reconstruction
Addenda (procedures)
Contact Person for Additional
Information: Amy Blum, Medical
Systems Specialist, Classifications and
Public Health Data Standards Staff,
NCHS, 3311 Toledo Road, Room 2402,
Hyattsville, Maryland 20782, e-mail
alb8@cdc.gov, telephone 301–458–4106
(diagnosis), Mady Hue, Health
Insurance Specialist, Division of Acute
Care, CMS, 7500 Security Blvd.,
Baltimore, Maryland 21244, e-mail
marilu.hue@cms.hhs.gov, telephone
410–786–4510 (procedures).
Notice: Because of increased security
requirements, CMS has instituted
stringent procedures for entrance into
the building by non-government
employees. Persons without a
government I.D. will need to show an
official form of picture I.D., (such as a
driver’s license), and sign in at the
security desk upon entering the
building.
Those who wish to attend a specific
ICD–9–CM C&M meeting in the CMS
auditorium must submit their name and
organization for addition to the meeting
visitor’s list. Those wishing to attend
the March 19–20, 2008 meeting must
submit their name and organization by
March 12, 2008 for inclusion on the
visitor’s list. This visitor’s list will be
maintained at the front desk of the CMS
building and be used by the guards to
admit visitors to the meeting. Those
who attended previous ICD–9–CM C&M
meetings will no longer be
automatically added to the visitor’s list.
You must request inclusion of your
name prior to each meeting you attend.
PO 00000
Frm 00028
Fmt 4703
Sfmt 4703
Register to attend the meeting on-line
at: https://www.cms.hhs.gov/apps/
events/.
Notice: This is a public meeting.
However, because of fire code
requirements, should the number of
attendants meet the capacity of the
room, the meeting will be closed.
The Director, Management Analysis
and Services Office, has been delegated
the authority to sign Federal Register
notices pertaining to announcements of
meetings and other committee
management activities, for both CDC
and the Agency for Toxic Substances
and Disease Registry.
Dated: February 25, 2008.
Elaine L. Baker,
Director, Management Analysis and Services
Office, Centers for Disease Control and
Prevention (CDC).
[FR Doc. E8–4095 Filed 3–3–08; 8:45 am]
BILLING CODE 4160–18–P
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Centers for Medicare & Medicaid
Services
Privacy Act of 1974; Report of a New
System of Records
Department of Health and
Human Services (HHS), Centers for
Medicare & Medicaid Services (CMS).
ACTION: Notice of a New System of
Records (SOR).
AGENCY:
SUMMARY: In accordance with the
Privacy Act of 1974, we are proposing
to establish a new SOR titled,
‘‘Medicaid Integrity Program System
(MIPS),’’ System No. 09–70–0599. With
passage of the Deficit Reduction Act
(DRA) of 2005, the Secretary of HHS
was directed to establish a Medicaid
Integrity Program (MIP) designed to
provide CMS the resources necessary to
combat fraud, waste and abuse in the
Medicaid program. The DRA takes the
partnership between CMS and the State
Medicaid agencies to a new level. The
MIP represents CMS’ first national
strategy to combat fraud and abuse in
the 41-year history of the Medicaid
program. MIP offers a unique
opportunity to identify, recover and
prevent inappropriate Medicaid
payments. It will also support the efforts
of State Medicaid agencies through a
combination of oversight and technical
assistance. Although individual States
work to ensure the integrity of their
respective Medicaid programs, MIP
provides CMS with the ability to more
directly ensure the accuracy of
Medicaid payments and to deter those
E:\FR\FM\04MRN1.SGM
04MRN1
sroberts on PROD1PC70 with NOTICES
Federal Register / Vol. 73, No. 43 / Tuesday, March 4, 2008 / Notices
who would exploit the program. It
advances these goals which are shared
by the States and the Federal
government. The combined Federal and
State resources for preventing fraud will
be marshaled more effectively than ever.
The primary purpose of this system is
to establish an accurate, current, and
comprehensive database containing
standardized enrollment, eligibility, and
paid claims of Medicaid beneficiaries to
assist in the detection of fraud, waste
and abuse in the Medicare and
Medicaid programs. Information
retrieved from this system will also be
disclosed to: (1) Support regulatory,
reimbursement, and policy functions
performed within the agency or by a
contractor, consultant or a CMS grantee;
(2) assist another Federal or state agency
with information to enable such agency
to administer a Federal health benefits
program, or to enable such agency to
fulfill a requirement of Federal statute
or regulation that implements a health
benefits program funded in whole or in
part with Federal funds; (3) support a
research or evaluation project; (4)
support litigation involving the agency;
and (5) combat fraud, waste, and abuse
in a federally-funded health benefit
program. We have provided background
information about the new system in the
‘‘Supplementary Information’’ section
below. Although the Privacy Act
requires only that CMS provide an
opportunity for interested persons to
comment on the routine uses, CMS
invites comments on all portions of this
notice. See ‘‘Effective Dates’’ section for
comment period.
DATES: Effective Dates: CMS filed a new
system report with the Chair of the
House Committee on Oversight and
Government Reform, the Chair of the
Senate Committee on Homeland
Security & Governmental Affairs, and
the Administrator, Office of Information
and Regulatory Affairs, Office of
Management and Budget (OMB) on
February 26, 2008. To ensure that all
parties have adequate time in which to
comment, the new system, including
routine uses, will become effective 30
days from the publication of the notice,
or 40 days from the date it was
submitted to OMB and Congress,
whichever is later, unless CMS receives
comments that require alterations to this
notice.
ADDRESSES: The public should address
comments to: CMS Privacy Officer,
Division of Privacy Compliance,
Enterprise Architecture and Strategy
Group, Office of Information Services,
CMS, Room N2–04–27, 7500 Security
Boulevard, Baltimore, Maryland 21244–
1850. Comments received will be
VerDate Aug<31>2005
17:57 Mar 03, 2008
Jkt 214001
available for review at this location, by
appointment, during regular business
hours, Monday through Friday from 9
a.m.–3 p.m., Eastern Time zone.
FOR FURTHER INFORMATION CONTACT:
James Gorman, Director, Division of
Medicaid Integrity Contracting, Program
Integrity Group, Center for Medicaid
and State Operations, CMS, Mail Stop
B2–2923, 7111 Security Boulevard,
Baltimore, Maryland 21244–1850. He
can also be reached by telephone at
410–786–1417, or via e-mail at
james.gorman@cms.hhs.gov.
SUPPLEMENTARY INFORMATION: With
passage of the Deficit Reduction Act
(DRA) of 2005 the Department of Health
and Human Services was directed to
establish a Medicaid Integrity Program
(MIP) designed to provide CMS the
resources necessary to combat fraud,
waste and abuse in Medicaid. Section
6034 of the DRA requires that a
comprehensive plan be developed every
five years by a collective group
including the Secretary of Health and
Human Services (HHS), the United
States Attorney General, the Director of
the Federal Bureau of Investigation, the
Comptroller General of the United
States, the Inspector General of HHS,
and state officials with responsibility for
controlling provider fraud and abuse
under Medicaid. The MIP planning
group has broadly interpreted ‘‘state
officials’’ to represent directors from
State Medicaid programs, their program
integrity units, and Medicaid Fraud
Control Units. CMS’ Center for
Medicaid and State Operations (CMSO)
is responsible for agency activities
related to Medicaid and will be
organizationally responsible for the
administration of the MIP.
I. Description of the Proposed System of
Records
A. Statutory and Regulatory Basis for
SOR
Authority for maintenance of the
system is given under § 6034 of the
Deficient Reduction Act of 2005 Act
(Pub. L. 109–171) (revising Title XIX of
the Social Security Act (42 U.S.C. 1396
et seq.) which establishes the Medicaid
Integrity Program under which the
Secretary shall provide CMS the
resources necessary to combat fraud,
waste and abuse in the Medicaid
program.
B. Collection and Maintenance of Data
in the System
MIPS contain information on
Medicaid beneficiaries, and physicians
and other providers involved in
furnishing services to Medicaid
beneficiaries. Information contained in
PO 00000
Frm 00029
Fmt 4703
Sfmt 4703
11639
this system includes, but is not limited
to: assigned Medicaid identification
number, name, address, social security
number, health insurance claim
number, date of birth, gender, ethnicity
and race, medical services, equipment,
and supplies for which Medicaid
reimbursement is requested, and
materials used to determine amount of
benefits allowable under Medicaid.
Information on physicians and other
providers of services to the beneficiary
consist of an assigned provider
identification number, and information
used to determine whether a sanction or
suspension is warranted.
II. Agency Policies, Procedures, and
Restrictions on Routine Uses
A. Agency Policies, Procedures, and
Restrictions on the Routine Use
The Privacy Act permits us to disclose
information without an individual’s
consent if the information is to be used
for a purpose that is compatible with the
purpose(s) for which the information
was collected. Any such disclosure of
data is known as a ‘‘routine use.’’ The
government will only release MIPS
information that can be associated with
an individual as provided for under
‘‘Section III. Proposed Routine Use
Disclosures of Data in the System.’’ Both
identifiable and non-identifiable data
may be disclosed under a routine use.
We will only collect the minimum
personal data necessary to achieve the
purpose of MIPS. CMS has the following
policies and procedures concerning
disclosures of information that will be
maintained in the system. Disclosure of
information from this system will be
approved only to the extent necessary to
accomplish the purpose of the
disclosure and only after CMS:
1. Determines that the use or
disclosure is consistent with the reason
that the data is being collected, e.g., to
establish an accurate, current, and
comprehensive database containing
standardized enrollment, eligibility, and
paid claims of Medicaid beneficiaries to
be used for the administration of
Medicaid at the Federal level, produce
statistical reports, support Medicaid
related research, and assist in the
detection of fraud and abuse in the
Medicare and Medicaid programs.
2. Determines that:
a. The purpose for which the
disclosure is to be made can only be
accomplished if the record is provided
in individually identifiable form;
b. The purpose for which the
disclosure is to be made is of sufficient
importance to warrant the effect and/or
risk on the privacy of the individual that
E:\FR\FM\04MRN1.SGM
04MRN1
11640
Federal Register / Vol. 73, No. 43 / Tuesday, March 4, 2008 / Notices
additional exposure of the record might
bring; and
c. There is a strong probability that
the proposed use of the data would in
fact accomplish the stated purpose(s).
3. Requires the information recipient
to:
a. Establish administrative, technical,
and physical safeguards to prevent
unauthorized use of disclosure of the
record;
b. Remove or destroy at the earliest
time all patient-identifiable information;
and
c. Agree to not use or disclose the
information for any purpose other than
the stated purpose under which the
information was disclosed.
4. Determines that the data are valid
and reliable.
sroberts on PROD1PC70 with NOTICES
III. Proposed Routine Use Disclosures
of Data In the System
A. The Privacy Act allows us to
disclose information without an
individual’s consent if the information
is to be used for a purpose that is
compatible with the purpose(s) for
which the information was collected.
Any such compatible use of data is
known as a ‘‘routine use.’’ The proposed
routine uses in this system meet the
compatibility requirement of the Privacy
Act. We are proposing to establish the
following routine use disclosures of
information maintained in the system:
1. To support agency contractors, or
consultants, or to a grantee of a CMSadministered grant program who have
been engaged by the agency to assist in
the accomplishment of a CMS function
relating to the purposes for this system
and who need to have access to the
records in order to assist CMS.
We contemplate disclosing this
information under this routine use only
in situations in which CMS may enter
into a contractual or similar agreement
with a third party to assist in
accomplishing a CMS function relating
to purposes for this system.
CMS occasionally contracts out
certain of its functions when doing so
would contribute to effective and
efficient operations. CMS must be able
to give a contractor, consultant or
grantee whatever information is
necessary for the contractor, or
consultant to fulfill its duties. In these
situations, safeguards are provided in
the contract prohibiting the contractor,
consultant or grantee from using or
disclosing the information for any
purpose other than that described in the
contract and requires the contractor,
consultant or grantee to return or
destroy all information at the
completion of the contract.
VerDate Aug<31>2005
17:57 Mar 03, 2008
Jkt 214001
2. To assist another Federal or state
agency to:
a. Contribute to the accuracy of CMS’
proper payment of Medicare/Medicaid
benefits; and/or
b. Enable such agency to administer a
Federal health benefits program, or as
necessary to enable such agency to
fulfill a requirement of a Federal statute
or regulation that implements a health
benefits program funded in whole or in
part with Federal funds; and/or
c. Assist Federal/state Medicaid
programs within the state.
Other Federal or state agencies in
their administration of a Federal health
program may require MIPS information
for the purposes of determining,
evaluating, and/or assessing cost,
effectiveness, and/or the quality of
health care services provided in the
state.
CMS may require MIPS data to enable
them to assist in the implementation
and maintenance of the Medi-Medi
program.
Disclosure under this routine use
shall be used by state Medicaid agencies
pursuant to agreements with HHS for
determining Medicaid and Medicare
eligibility, for quality control studies,
for determining eligibility of recipients
of assistance under Title IV, XVIII, XIX
and XXI of the Act, and for the
administration of the Medicaid program.
Data will be released to the state only
on those individuals who are eligible
enrollees, and beneficiaries under the
services of a Medicaid program within
the state or who are residents of that
state.
We also contemplate disclosing
information under this routine use in
situations in which state auditing
agencies require MIPS information for
auditing state Medicaid eligibility
considerations. CMS may enter into an
agreement with state auditing agencies
to assist in accomplishing functions
relating to purposes for this system of
records.
3. To support an individual or
organization for a research project or in
support of an evaluation project related
to the prevention of disease or
disability, the restoration or
maintenance of health, or payment
related projects.
The MIPS data will provide for
research or in support of evaluation
projects, a broader, national perspective
of the status of Medicare beneficiaries.
CMS anticipates that many researchers
will have legitimate requests to use
these data in projects that could
ultimately improve the care provided to
Medicare beneficiaries and the policy
that governs the care.
PO 00000
Frm 00030
Fmt 4703
Sfmt 4703
4. To support the Department of
Justice (DOJ), court or adjudicatory body
when:
a. The agency or any component
thereof, or
b. Any employee of the agency in his
or her official capacity, or
c. Any employee of the agency in his
or her individual capacity where the
DOJ has agreed to represent the
employee, or
d. The United States Government is a
party to litigation or has an interest in
such litigation, and by careful review,
CMS determines that the records are
both relevant and necessary to the
litigation and that the use of such
records by the DOJ, court or
adjudicatory body is compatible with
the purpose for which the agency
collected the records.
Whenever CMS is involved in
litigation, and occasionally when
another party is involved in litigation
and CMS’ policies or operations could
be affected by the outcome of the
litigation, CMS would be able to
disclose information to the DOJ, court or
adjudicatory body involved.
5. To assist a CMS contractor
(including, but not necessarily limited
to fiscal intermediaries and carriers) that
assists in the administration of a CMSadministered health benefits program,
or to a grantee of a CMS-administered
grant program, when disclosure is
deemed reasonably necessary by CMS to
prevent, deter, discover, detect,
investigate, examine, prosecute, sue
with respect to, defend against, correct,
remedy, or otherwise combat fraud or
abuse in such program.
We contemplate disclosing
information under this routine use only
in situations in which CMS may enter
into a contractual relationship or grant
with a third party to assist in
accomplishing CMS functions relating
to the purpose of combating fraud and
abuse.
CMS occasionally contracts out
certain of its functions and makes grants
when doing so would contribute to
effective and efficient operations. CMS
must be able to give a contractor or
grantee whatever information is
necessary for the contractor or grantee to
fulfill its duties. In these situations,
safeguards are provided in the contract
prohibiting the contractor or grantee
from using or disclosing the information
for any purpose other than that
described in the contract and requiring
the contractor or grantee to return or
destroy all information.
6. To assist another Federal agency or
to assist an instrumentality of any
governmental jurisdiction within or
under the control of the United States
E:\FR\FM\04MRN1.SGM
04MRN1
Federal Register / Vol. 73, No. 43 / Tuesday, March 4, 2008 / Notices
(including any State or local
governmental agency), that administers,
or that has the authority to investigate
potential fraud or abuse in, a health
benefits program funded in whole or in
part by Federal funds, when disclosure
is deemed reasonably necessary by CMS
to prevent, deter, discover, detect,
investigate, examine, prosecute, sue
with respect to, defend against, correct,
remedy, or otherwise combat fraud or
abuse in such programs.
Other agencies may require MIPS
information for the purpose of
combating fraud and abuse in such
Federally-funded programs.
sroberts on PROD1PC70 with NOTICES
B. Additional Provisions Affecting
Routine Use Disclosures
To the extent this system contains
Protected Health Information (PHI) as
defined by HHS regulation ‘‘Standards
for Privacy of Individually Identifiable
Health Information’’ (45 CFR Parts 160
and 164, 65 FR 82462 (12–28–00),
Subparts A and E) disclosures of such
PHI that are otherwise authorized by
these routine uses may only be made if,
and as, permitted or required by the
‘‘Standards for Privacy of Individually
Identifiable Health Information.’’
In addition, our policy will be to
prohibit release even of data not directly
identifiable, except pursuant to one of
the routine uses or if required by law,
if we determine there is a possibility
that an individual can be identified
through implicit deduction based on
small cell sizes (instances where the
patient population is so small that
individuals who are familiar with the
enrollees could, because of the small
size, use this information to deduce the
identity of the beneficiary).
IV. Safeguards
CMS has safeguards in place for
authorized users and monitors such
users to ensure against excessive or
unauthorized use. Personnel having
access to the system have been trained
in the Privacy Act and information
security requirements. Employees who
maintain records in this system are
instructed not to release data until the
intended recipient agrees to implement
appropriate management, operational
and technical safeguards sufficient to
protect the confidentiality, integrity and
availability of the information and
information systems and to prevent
unauthorized access.
This system will conform to all
applicable Federal laws and regulations
and Federal, HHS, and CMS policies
and standards as they relate to
information security and data privacy.
These laws and regulations may apply
but are not limited to: The Privacy Act
VerDate Aug<31>2005
17:57 Mar 03, 2008
Jkt 214001
of 1974; the Federal Information
Security Management Act of 2002; the
Computer Fraud and Abuse Act of 1986;
the Health Insurance Portability and
Accountability Act of 1996; the EGovernment Act of 2002, the ClingerCohen Act of 1996; the Medicare
Modernization Act of 2003, and the
corresponding implementing
regulations. OMB Circular A–130,
Management of Federal Resources,
Appendix III, Security of Federal
Automated Information Resources also
applies. Federal, HHS, and CMS
policies and standards include but are
not limited to: All pertinent National
Institute of Standards and Technology
publications; the HHS Information
Systems Program Handbook and the
CMS Information Security Handbook.
V. Effects of the Proposed System of
Records on Individual Rights
CMS proposes to establish this system
in accordance with the principles and
requirements of the Privacy Act and will
collect, use, and disseminate
information only as prescribed therein.
Data in this system will be subject to the
authorized releases in accordance with
the routine uses identified in this
system of records.
CMS will take precautionary
measures (see item IV above) to
minimize the risks of unauthorized
access to the records and the potential
harm to individual privacy or other
personal or property rights of patients
whose data are maintained in the
system. CMS will collect only that
information necessary to perform the
system’s functions. In addition, CMS
will make disclosure from the proposed
system only with consent of the subject
individual, or his/her legal
representative, or in accordance with an
applicable exception provision of the
Privacy Act. CMS, therefore, does not
anticipate an unfavorable effect on
individual privacy as a result of
information relating to individuals.
Dated: February 25, 2008.
Charlene Frizzera,
Chief Operating Officer, Centers for Medicare
& Medicaid Services.
SYSTEM NO. 09–70–0599
SYSTEM NAME:
‘‘Medicaid Integrity Program System
(MIPS),’’ HHS/CMS/CMSO.
SECURITY CLASSIFICATION:
Level Three Privacy Act Sensitive
Data.
SYSTEM LOCATION:
The Centers for Medicare & Medicaid
Services (CMS) Data Center, 7500
PO 00000
Frm 00031
Fmt 4703
Sfmt 4703
11641
Security Boulevard, North Building,
First Floor, Baltimore, Maryland 21244–
1850 and at various contractor sites and
at CMS Regional Offices.
CATEGORIES OF INDIVIDUALS COVERED BY THE
SYSTEM:
MIPS contain information on
Medicaid beneficiaries, and physicians
and other providers involved in
furnishing services to Medicaid
beneficiaries.
CATEGORIES OF RECORDS IN THE SYSTEM:
Information contained in this system
includes, but is not limited to: Assigned
Medicaid identification number, name,
address, social security number (SSN),
health insurance claim number (HICN),
date of birth, gender, ethnicity and race,
medical services, equipment, and
supplies for which Medicaid
reimbursement is requested, and
materials used to determine amount of
benefits allowable under Medicaid.
Information on physicians and other
providers of services to the beneficiary
consist of an assigned provider
identification number, and information
used to determine whether a sanction or
suspension is warranted.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Authority for maintenance of the
system is given under section 6034 of
the Deficient Reduction Act of 2005 Act
(Pub. L. 109–171) (revising Title XIX of
the Social Security Act (42 U.S.C. 1396
et seq.)) which establishes the Medicaid
Integrity Program under which the
Secretary shall provide CMS the
resources necessary to combat fraud,
waste and abuse in the Medicaid
program.
PURPOSE(S) OF THE SYSTEM:
The primary purpose of this system is
to establish an accurate, current, and
comprehensive database containing
standardized enrollment, eligibility, and
paid claims of Medicaid beneficiaries to
assist in the detection of fraud, waste
and abuse in the Medicare and
Medicaid programs. Information
retrieved from this system will also be
disclosed to: (1) Support regulatory,
reimbursement, and policy functions
performed within the agency or by a
contractor, consultant or a CMS grantee;
(2) assist another Federal or state agency
with information to enable such agency
to administer a Federal health benefits
program, or to enable such agency to
fulfill a requirement of Federal statute
or regulation that implements a health
benefits program funded in whole or in
part with Federal funds; (3) support a
research or evaluation project; (4)
support litigation involving the agency;
and (5) combat fraud, waste, and abuse
E:\FR\FM\04MRN1.SGM
04MRN1
11642
Federal Register / Vol. 73, No. 43 / Tuesday, March 4, 2008 / Notices
in a federally-funded health benefit
program.
sroberts on PROD1PC70 with NOTICES
ROUTINE USES OF RECORDS MAINTAINED IN THE
SYSTEM, INCLUDING CATEGORIES OR USERS AND
THE PURPOSES OF SUCH USES:
A. The Privacy Act allows us to
disclose information without an
individual’s consent if the information
is to be used for a purpose that is
compatible with the purpose(s) for
which the information was collected.
Any such compatible use of data is
known as a ‘‘routine use.’’ The proposed
routine uses in this system meet the
compatibility requirement of the Privacy
Act. We are proposing to establish the
following routine use disclosures of
information maintained in the system:
1. To agency contractors, or
consultants, or to a grantee of a CMSadministered grant program who have
been engaged by the agency to assist in
the accomplishment of a CMS function
relating to the purposes for this system
and who need to have access to the
records in order to assist CMS.
2. To another Federal or state agency
to:
a. Contribute to the accuracy of CMS’
proper management of Medicare/
Medicaid benefits; and/or
b. Enable such agency to administer a
Federal health benefits program, or as
necessary to enable such agency to
fulfill a requirement of a Federal statute
or regulation that implements a health
benefits program funded in whole or in
part with Federal funds; and/or
c. Assist Federal/state Medicaid
programs within the state.
3. To an individual or organization for
a research project or in support of an
evaluation project related to the
prevention of disease or disability, the
restoration or maintenance of health, or
payment related projects.
4. To the Department of Justice (DOJ),
court or adjudicatory body when:
a. The agency or any component
thereof, or
b. any employee of the agency in his
or her official capacity, or
c. any employee of the agency in his
or her individual capacity where the
DOJ has agreed to represent the
employee, or
d. the United States Government is a
party to litigation or has an interest in
such litigation, and by careful review,
CMS determines that the records are
both relevant and necessary to the
litigation and that the use of such
records by the DOJ, court or
adjudicatory body is compatible with
the purpose for which the agency
collected the records.
5. To a CMS contractor (including, but
not necessarily limited to fiscal
VerDate Aug<31>2005
17:57 Mar 03, 2008
Jkt 214001
intermediaries and carriers) that assists
in the administration of a CMSadministered health benefits program,
or to a grantee of a CMS-administered
grant program, when disclosure is
deemed reasonably necessary by CMS to
prevent, deter, discover, detect,
investigate, examine, prosecute, sue
with respect to, defend against, correct,
remedy, or otherwise combat fraud or
abuse in such program.
6. To another Federal agency or to an
instrumentality of any governmental
jurisdiction within or under the control
of the United States (including any State
or local governmental agency), that
administers, or that has the authority to
investigate potential fraud or abuse in,
a health benefits program funded in
whole or in part by Federal funds, when
disclosure is deemed reasonably
necessary by CMS to prevent, deter,
discover, detect, investigate, examine,
prosecute, sue with respect to, defend
against, correct, remedy, or otherwise
combat fraud or abuse in such programs.
B. Additional Provisions Affecting
Routine Use Disclosures
To the extent this system contains
Protected Health Information (PHI) as
defined by HHS regulation ‘‘Standards
for Privacy of Individually Identifiable
Health Information’’ (45 CFR Parts 160
and 164, 65 FR 82462 (12–28–00),
Subparts A and E) disclosures of such
PHI that are otherwise authorized by
these routine uses may only be made if,
and as, permitted or required by the
‘‘Standards for Privacy of Individually
Identifiable Health Information.’’
In addition, our policy will be to
prohibit release even of data not directly
identifiable, except pursuant to one of
the routine uses or if required by law,
if we determine there is a possibility
that an individual can be identified
through implicit deduction based on
small cell sizes (instances where the
patient population is so small that
individuals who are familiar with the
enrollees could, because of the small
size, use this information to deduce the
identity of the beneficiary).
POLICIES AND PRACTICES FOR STORING,
RETRIEVING, ACCESSING, RETAINING, AND
DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
All records are stored on computer
diskette and magnetic media.
RETRIEVABILITY:
Information can be retrieved by the
assigned beneficiary identification
number, SSN, HICN, and the assigned
physician or other providers of services
identification number.
PO 00000
Frm 00032
Fmt 4703
Sfmt 4703
SAFEGUARDS:
CMS has safeguards in place for
authorized users and monitors such
users to ensure against excessive or
unauthorized use. Personnel having
access to the system have been trained
in the Privacy Act and information
security requirements. Employees who
maintain records in this system are
instructed not to release data until the
intended recipient agrees to implement
appropriate management, operational
and technical safeguards sufficient to
protect the confidentiality, integrity and
availability of the information and
information systems and to prevent
unauthorized access.
This system will conform to all
applicable Federal laws and regulations
and Federal, HHS, and CMS policies
and standards as they relate to
information security and data privacy.
These laws and regulations may apply
but are not limited to: The Privacy Act
of 1974; the Federal Information
Security Management Act of 2002; the
Computer Fraud and Abuse Act of 1986;
the Health Insurance Portability and
Accountability Act of 1996; the EGovernment Act of 2002; the ClingerCohen Act of 1996; the Medicare
Modernization Act of 2003; and the
corresponding implementing
regulations. OMB Circular A–130,
Management of Federal Resources,
Appendix III, Security of Federal
Automated Information Resources also
applies. Federal, HHS, and CMS
policies and standards include but are
not limited to: All pertinent National
Institute of Standards and Technology
publications; the HHS Information
Systems Program Handbook and the
CMS Information Security Handbook.
RETENTION AND DISPOSAL:
CMS will retain identifiable MIPS
data for a total period not to exceed 5
years after the final determination of the
case is completed.
SYSTEM MANAGER(S) AND ADDRESS:
Director, Division of Medicaid
Integrity Contracting, Program Integrity
Group, Center for Medicaid and State
Operations, CMS, Mail Stop B2–2923,
7111 Security Boulevard, Baltimore,
Maryland 21244–1850.
NOTIFICATION PROCEDURE:
For purpose of access, the subject
individual should write to the system
manager who will require the system
name, HICN, address, date of birth, and
gender, and for verification purposes,
the subject individual’s name (woman’s
maiden name, if applicable), and SSN.
Furnishing the SSN is voluntary, but it
E:\FR\FM\04MRN1.SGM
04MRN1
Federal Register / Vol. 73, No. 43 / Tuesday, March 4, 2008 / Notices
may make searching for a record easier
and prevent delay.
RECORD ACCESS PROCEDURE:
For purpose of access, use the same
procedures outlined in Notification
Procedures above. Requestors should
also specify the record contents being
sought. (These procedures are in
accordance with department regulation
45 CFR 5b.5(a)(2)).
CONTESTING RECORDS PROCEDURES:
The subject individual should contact
the system manager named above, and
reasonably identify the records and
specify the information to be contested.
State the corrective action sought and
the reasons for the correction with
supporting justification. (These
Procedures are in accordance with
Department regulation 45 CFR 5b.7).
RECORDS SOURCE CATEGORIES:
CMS obtains the identifying
information contained in this system
from state Medicaid agencies, or
Medicaid Management Information
Systems maintained by the individual
states, and information contained on
CMS Form 2082.
SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS
OF THE ACT:
None.
[FR Doc. E8–4069 Filed 3–3–08; 8:45 am]
BILLING CODE 4120–03–P
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Centers for Medicare & Medicaid
Services
Privacy Act of 1974; Report of a
Modified or Altered System of Records
Department of Health and
Human Services (HHS), Centers for
Medicare & Medicaid Services (CMS).
ACTION: Notice of a Modified or Altered
System of Records (SOR).
sroberts on PROD1PC70 with NOTICES
AGENCY:
SUMMARY: In accordance with the
requirements of the Privacy Act of 1974,
we are proposing to modify or alter an
existing system of records titled ‘‘Links
of Social Security Administration (SSA)
and Health Care Financing
Administration (HCFA) Data (LOD),
System No. 09–70–0069, established at
65 Federal Register 50544 (August 18,
2000). The system name reflects the
former name of the Agency—the Health
Care Financing Administration. For this
reason, we propose to change the name
of the system to read: the ‘‘Links of
Social Security Administration (SSA)
and the Centers for Medicare &
VerDate Aug<31>2005
17:57 Mar 03, 2008
Jkt 214001
Medicaid Services Data (LOD).’’ We
propose to assign a new CMS
identification number to this system to
simplify the obsolete and confusing
numbering system originally designed
to identify the Bureau, Office, or Center
that maintained information in the
Health Care Financing Administration
systems of records. The new assigned
identifying number for this system
should read: System No. 09–70–0512.
We propose to modify existing routine
use number 2 that permits disclosure to
agency contractors and consultants to
include disclosure to CMS grantees who
perform a task for the agency. CMS
grantees, charged with completing
projects or activities that require CMS
data to carry out that activity, are
classified separate from CMS
contractors and/or consultants. The
modified routine use will be
renumbered as routine use number 1.
We will delete routine use number 3
authorizing disclosure to support
constituent requests made to a
congressional representative. If an
authorization for the disclosure has
been obtained from the data subject,
then no routine use is needed. We
propose to broaden the scope of the
disclosure provisions of this system by
adding a routine use to permit the
release of information to another
Federal and state agencies to: (1) Allow
such agency to comply with Title XI,
Part C of the Act; (2) enable such agency
to administer a Federal health benefits
program, and/or as necessary to enable
such agency to fulfill a requirement of
a Federal statute or regulation that
implements a health benefits program
funded in whole or in part with Federal
funds; and (3) support data exchanges
between the cooperating agencies. The
new routine use will be numbered as
routine use number 2.
We will broaden the scope of this
system by including the section titled
‘‘Additional Circumstances Affecting
Routine Use Disclosures,’’ that
addresses ‘‘Protected Health Information
(PHI)’’ and ‘‘small cell size.’’ The
requirement for compliance with HHS
regulation ‘‘Standards for Privacy of
Individually Identifiable Health
Information’’ apply whenever the
system collects or maintains PHI. This
system may contain PHI. In addition,
our policy to prohibit release if there is
a possibility that an individual can be
identified through ‘‘small cell size’’ will
apply to the data disclosed from this
system.
We are modifying the language in the
remaining routine uses to provide a
proper explanation as to the need for the
routine use and to provide clarity to
CMS’s intention to disclose individual-
PO 00000
Frm 00033
Fmt 4703
Sfmt 4703
11643
specific information contained in this
system. The routine uses will then be
prioritized and reordered according to
their usage. We will also take the
opportunity to update any sections of
the system that were affected by the
recent reorganization or because of the
impact of the Medicare Prescription
Drug, Improvement, and Modernization
Act of 2003 (MMA) (Pub. L. 108–173)
provisions and to update language in
the administrative sections to
correspond with language used in other
CMS SORs.
The primary purpose of the LOD is to
collect and maintain information that
will be used to conduct research,
perform policy analysis, and improve
program management for populations
served by both SSA and CMS.
Information maintained in this system
will also be disclosed to: (1) Support
regulatory, reimbursement, and policy
functions performed within the Agency
or by a contractor, consultant or grantee;
(2) assist another Federal or state
agency, agency of a state government, an
agency established by state law, or its
fiscal agent; (3) facilitate research on the
quality and effectiveness of care
provided, as well as epidemiological
projects; and (4) support litigation
involving the Agency. We have
provided background information about
the new system in the ‘‘Supplementary
Information’’ section below. Although
the Privacy Act requires only that CMS
provide an opportunity for interested
persons to comment on the proposed
routine uses, CMS invites comments on
all portions of this notice. See ‘‘Effective
Dates’’ section for comment period.
Effective Dates: CMS filed a modified
or altered system report with the Chair
of the House Committee on Government
Reform and Oversight, the Chair of the
Senate Committee on Homeland
Security & Governmental Affairs, and
the Administrator, Office of Information
and Regulatory Affairs, Office of
Management and Budget (OMB) on
February 26, 2008. To ensure that all
parties have adequate time in which to
comment, the modified system,
including routine uses, will become
effective 30 days from the publication of
the notice, or 40 days from the date it
was submitted to OMB and Congress,
whichever is later, unless CMS receives
comments that require alterations to this
notice.
ADDRESSES: The public should address
comments to: CMS Privacy Officer,
Division of Privacy Compliance,
Enterprise Architecture and Strategy
Group, Office of Information Services,
CMS, Room N2–04–27, 7500 Security
Boulevard, Baltimore, Maryland 21244–
E:\FR\FM\04MRN1.SGM
04MRN1
]]>Agencies
[Federal Register Volume 73, Number 43 (Tuesday, March 4, 2008)]
[Notices]
[Pages 11638-11643]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-4069]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Centers for Medicare & Medicaid Services
Privacy Act of 1974; Report of a New System of Records
AGENCY: Department of Health and Human Services (HHS), Centers for
Medicare & Medicaid Services (CMS).
ACTION: Notice of a New System of Records (SOR).
-----------------------------------------------------------------------
SUMMARY: In accordance with the Privacy Act of 1974, we are proposing
to establish a new SOR titled, ``Medicaid Integrity Program System
(MIPS),'' System No. 09-70-0599. With passage of the Deficit Reduction
Act (DRA) of 2005, the Secretary of HHS was directed to establish a
Medicaid Integrity Program (MIP) designed to provide CMS the resources
necessary to combat fraud, waste and abuse in the Medicaid program. The
DRA takes the partnership between CMS and the State Medicaid agencies
to a new level. The MIP represents CMS' first national strategy to
combat fraud and abuse in the 41-year history of the Medicaid program.
MIP offers a unique opportunity to identify, recover and prevent
inappropriate Medicaid payments. It will also support the efforts of
State Medicaid agencies through a combination of oversight and
technical assistance. Although individual States work to ensure the
integrity of their respective Medicaid programs, MIP provides CMS with
the ability to more directly ensure the accuracy of Medicaid payments
and to deter those
[[Page 11639]]
who would exploit the program. It advances these goals which are shared
by the States and the Federal government. The combined Federal and
State resources for preventing fraud will be marshaled more effectively
than ever.
The primary purpose of this system is to establish an accurate,
current, and comprehensive database containing standardized enrollment,
eligibility, and paid claims of Medicaid beneficiaries to assist in the
detection of fraud, waste and abuse in the Medicare and Medicaid
programs. Information retrieved from this system will also be disclosed
to: (1) Support regulatory, reimbursement, and policy functions
performed within the agency or by a contractor, consultant or a CMS
grantee; (2) assist another Federal or state agency with information to
enable such agency to administer a Federal health benefits program, or
to enable such agency to fulfill a requirement of Federal statute or
regulation that implements a health benefits program funded in whole or
in part with Federal funds; (3) support a research or evaluation
project; (4) support litigation involving the agency; and (5) combat
fraud, waste, and abuse in a federally-funded health benefit program.
We have provided background information about the new system in the
``Supplementary Information'' section below. Although the Privacy Act
requires only that CMS provide an opportunity for interested persons to
comment on the routine uses, CMS invites comments on all portions of
this notice. See ``Effective Dates'' section for comment period.
DATES: Effective Dates: CMS filed a new system report with the Chair of
the House Committee on Oversight and Government Reform, the Chair of
the Senate Committee on Homeland Security & Governmental Affairs, and
the Administrator, Office of Information and Regulatory Affairs, Office
of Management and Budget (OMB) on February 26, 2008. To ensure that all
parties have adequate time in which to comment, the new system,
including routine uses, will become effective 30 days from the
publication of the notice, or 40 days from the date it was submitted to
OMB and Congress, whichever is later, unless CMS receives comments that
require alterations to this notice.
ADDRESSES: The public should address comments to: CMS Privacy Officer,
Division of Privacy Compliance, Enterprise Architecture and Strategy
Group, Office of Information Services, CMS, Room N2-04-27, 7500
Security Boulevard, Baltimore, Maryland 21244-1850. Comments received
will be available for review at this location, by appointment, during
regular business hours, Monday through Friday from 9 a.m.-3 p.m.,
Eastern Time zone.
FOR FURTHER INFORMATION CONTACT: James Gorman, Director, Division of
Medicaid Integrity Contracting, Program Integrity Group, Center for
Medicaid and State Operations, CMS, Mail Stop B2-2923, 7111 Security
Boulevard, Baltimore, Maryland 21244-1850. He can also be reached by
telephone at 410-786-1417, or via e-mail at james.gorman@cms.hhs.gov.
SUPPLEMENTARY INFORMATION: With passage of the Deficit Reduction Act
(DRA) of 2005 the Department of Health and Human Services was directed
to establish a Medicaid Integrity Program (MIP) designed to provide CMS
the resources necessary to combat fraud, waste and abuse in Medicaid.
Section 6034 of the DRA requires that a comprehensive plan be developed
every five years by a collective group including the Secretary of
Health and Human Services (HHS), the United States Attorney General,
the Director of the Federal Bureau of Investigation, the Comptroller
General of the United States, the Inspector General of HHS, and state
officials with responsibility for controlling provider fraud and abuse
under Medicaid. The MIP planning group has broadly interpreted ``state
officials'' to represent directors from State Medicaid programs, their
program integrity units, and Medicaid Fraud Control Units. CMS' Center
for Medicaid and State Operations (CMSO) is responsible for agency
activities related to Medicaid and will be organizationally responsible
for the administration of the MIP.
I. Description of the Proposed System of Records
A. Statutory and Regulatory Basis for SOR
Authority for maintenance of the system is given under Sec. 6034
of the Deficient Reduction Act of 2005 Act (Pub. L. 109-171) (revising
Title XIX of the Social Security Act (42 U.S.C. 1396 et seq.) which
establishes the Medicaid Integrity Program under which the Secretary
shall provide CMS the resources necessary to combat fraud, waste and
abuse in the Medicaid program.
B. Collection and Maintenance of Data in the System
MIPS contain information on Medicaid beneficiaries, and physicians
and other providers involved in furnishing services to Medicaid
beneficiaries. Information contained in this system includes, but is
not limited to: assigned Medicaid identification number, name, address,
social security number, health insurance claim number, date of birth,
gender, ethnicity and race, medical services, equipment, and supplies
for which Medicaid reimbursement is requested, and materials used to
determine amount of benefits allowable under Medicaid. Information on
physicians and other providers of services to the beneficiary consist
of an assigned provider identification number, and information used to
determine whether a sanction or suspension is warranted.
II. Agency Policies, Procedures, and Restrictions on Routine Uses
A. Agency Policies, Procedures, and Restrictions on the Routine Use
The Privacy Act permits us to disclose information without an
individual's consent if the information is to be used for a purpose
that is compatible with the purpose(s) for which the information was
collected. Any such disclosure of data is known as a ``routine use.''
The government will only release MIPS information that can be
associated with an individual as provided for under ``Section III.
Proposed Routine Use Disclosures of Data in the System.'' Both
identifiable and non-identifiable data may be disclosed under a routine
use.
We will only collect the minimum personal data necessary to achieve
the purpose of MIPS. CMS has the following policies and procedures
concerning disclosures of information that will be maintained in the
system. Disclosure of information from this system will be approved
only to the extent necessary to accomplish the purpose of the
disclosure and only after CMS:
1. Determines that the use or disclosure is consistent with the
reason that the data is being collected, e.g., to establish an
accurate, current, and comprehensive database containing standardized
enrollment, eligibility, and paid claims of Medicaid beneficiaries to
be used for the administration of Medicaid at the Federal level,
produce statistical reports, support Medicaid related research, and
assist in the detection of fraud and abuse in the Medicare and Medicaid
programs.
2. Determines that:
a. The purpose for which the disclosure is to be made can only be
accomplished if the record is provided in individually identifiable
form;
b. The purpose for which the disclosure is to be made is of
sufficient importance to warrant the effect and/or risk on the privacy
of the individual that
[[Page 11640]]
additional exposure of the record might bring; and
c. There is a strong probability that the proposed use of the data
would in fact accomplish the stated purpose(s).
3. Requires the information recipient to:
a. Establish administrative, technical, and physical safeguards to
prevent unauthorized use of disclosure of the record;
b. Remove or destroy at the earliest time all patient-identifiable
information; and
c. Agree to not use or disclose the information for any purpose
other than the stated purpose under which the information was
disclosed.
4. Determines that the data are valid and reliable.
III. Proposed Routine Use Disclosures of Data In the System
A. The Privacy Act allows us to disclose information without an
individual's consent if the information is to be used for a purpose
that is compatible with the purpose(s) for which the information was
collected. Any such compatible use of data is known as a ``routine
use.'' The proposed routine uses in this system meet the compatibility
requirement of the Privacy Act. We are proposing to establish the
following routine use disclosures of information maintained in the
system:
1. To support agency contractors, or consultants, or to a grantee
of a CMS-administered grant program who have been engaged by the agency
to assist in the accomplishment of a CMS function relating to the
purposes for this system and who need to have access to the records in
order to assist CMS.
We contemplate disclosing this information under this routine use
only in situations in which CMS may enter into a contractual or similar
agreement with a third party to assist in accomplishing a CMS function
relating to purposes for this system.
CMS occasionally contracts out certain of its functions when doing
so would contribute to effective and efficient operations. CMS must be
able to give a contractor, consultant or grantee whatever information
is necessary for the contractor, or consultant to fulfill its duties.
In these situations, safeguards are provided in the contract
prohibiting the contractor, consultant or grantee from using or
disclosing the information for any purpose other than that described in
the contract and requires the contractor, consultant or grantee to
return or destroy all information at the completion of the contract.
2. To assist another Federal or state agency to:
a. Contribute to the accuracy of CMS' proper payment of Medicare/
Medicaid benefits; and/or
b. Enable such agency to administer a Federal health benefits
program, or as necessary to enable such agency to fulfill a requirement
of a Federal statute or regulation that implements a health benefits
program funded in whole or in part with Federal funds; and/or
c. Assist Federal/state Medicaid programs within the state.
Other Federal or state agencies in their administration of a
Federal health program may require MIPS information for the purposes of
determining, evaluating, and/or assessing cost, effectiveness, and/or
the quality of health care services provided in the state.
CMS may require MIPS data to enable them to assist in the
implementation and maintenance of the Medi-Medi program.
Disclosure under this routine use shall be used by state Medicaid
agencies pursuant to agreements with HHS for determining Medicaid and
Medicare eligibility, for quality control studies, for determining
eligibility of recipients of assistance under Title IV, XVIII, XIX and
XXI of the Act, and for the administration of the Medicaid program.
Data will be released to the state only on those individuals who
are eligible enrollees, and beneficiaries under the services of a
Medicaid program within the state or who are residents of that state.
We also contemplate disclosing information under this routine use
in situations in which state auditing agencies require MIPS information
for auditing state Medicaid eligibility considerations. CMS may enter
into an agreement with state auditing agencies to assist in
accomplishing functions relating to purposes for this system of
records.
3. To support an individual or organization for a research project
or in support of an evaluation project related to the prevention of
disease or disability, the restoration or maintenance of health, or
payment related projects.
The MIPS data will provide for research or in support of evaluation
projects, a broader, national perspective of the status of Medicare
beneficiaries. CMS anticipates that many researchers will have
legitimate requests to use these data in projects that could ultimately
improve the care provided to Medicare beneficiaries and the policy that
governs the care.
4. To support the Department of Justice (DOJ), court or
adjudicatory body when:
a. The agency or any component thereof, or
b. Any employee of the agency in his or her official capacity, or
c. Any employee of the agency in his or her individual capacity
where the DOJ has agreed to represent the employee, or
d. The United States Government is a party to litigation or has an
interest in such litigation, and by careful review, CMS determines that
the records are both relevant and necessary to the litigation and that
the use of such records by the DOJ, court or adjudicatory body is
compatible with the purpose for which the agency collected the records.
Whenever CMS is involved in litigation, and occasionally when
another party is involved in litigation and CMS' policies or operations
could be affected by the outcome of the litigation, CMS would be able
to disclose information to the DOJ, court or adjudicatory body
involved.
5. To assist a CMS contractor (including, but not necessarily
limited to fiscal intermediaries and carriers) that assists in the
administration of a CMS-administered health benefits program, or to a
grantee of a CMS-administered grant program, when disclosure is deemed
reasonably necessary by CMS to prevent, deter, discover, detect,
investigate, examine, prosecute, sue with respect to, defend against,
correct, remedy, or otherwise combat fraud or abuse in such program.
We contemplate disclosing information under this routine use only
in situations in which CMS may enter into a contractual relationship or
grant with a third party to assist in accomplishing CMS functions
relating to the purpose of combating fraud and abuse.
CMS occasionally contracts out certain of its functions and makes
grants when doing so would contribute to effective and efficient
operations. CMS must be able to give a contractor or grantee whatever
information is necessary for the contractor or grantee to fulfill its
duties. In these situations, safeguards are provided in the contract
prohibiting the contractor or grantee from using or disclosing the
information for any purpose other than that described in the contract
and requiring the contractor or grantee to return or destroy all
information.
6. To assist another Federal agency or to assist an instrumentality
of any governmental jurisdiction within or under the control of the
United States
[[Page 11641]]
(including any State or local governmental agency), that administers,
or that has the authority to investigate potential fraud or abuse in, a
health benefits program funded in whole or in part by Federal funds,
when disclosure is deemed reasonably necessary by CMS to prevent,
deter, discover, detect, investigate, examine, prosecute, sue with
respect to, defend against, correct, remedy, or otherwise combat fraud
or abuse in such programs.
Other agencies may require MIPS information for the purpose of
combating fraud and abuse in such Federally-funded programs.
B. Additional Provisions Affecting Routine Use Disclosures
To the extent this system contains Protected Health Information
(PHI) as defined by HHS regulation ``Standards for Privacy of
Individually Identifiable Health Information'' (45 CFR Parts 160 and
164, 65 FR 82462 (12-28-00), Subparts A and E) disclosures of such PHI
that are otherwise authorized by these routine uses may only be made
if, and as, permitted or required by the ``Standards for Privacy of
Individually Identifiable Health Information.''
In addition, our policy will be to prohibit release even of data
not directly identifiable, except pursuant to one of the routine uses
or if required by law, if we determine there is a possibility that an
individual can be identified through implicit deduction based on small
cell sizes (instances where the patient population is so small that
individuals who are familiar with the enrollees could, because of the
small size, use this information to deduce the identity of the
beneficiary).
IV. Safeguards
CMS has safeguards in place for authorized users and monitors such
users to ensure against excessive or unauthorized use. Personnel having
access to the system have been trained in the Privacy Act and
information security requirements. Employees who maintain records in
this system are instructed not to release data until the intended
recipient agrees to implement appropriate management, operational and
technical safeguards sufficient to protect the confidentiality,
integrity and availability of the information and information systems
and to prevent unauthorized access.
This system will conform to all applicable Federal laws and
regulations and Federal, HHS, and CMS policies and standards as they
relate to information security and data privacy. These laws and
regulations may apply but are not limited to: The Privacy Act of 1974;
the Federal Information Security Management Act of 2002; the Computer
Fraud and Abuse Act of 1986; the Health Insurance Portability and
Accountability Act of 1996; the E-Government Act of 2002, the Clinger-
Cohen Act of 1996; the Medicare Modernization Act of 2003, and the
corresponding implementing regulations. OMB Circular A-130, Management
of Federal Resources, Appendix III, Security of Federal Automated
Information Resources also applies. Federal, HHS, and CMS policies and
standards include but are not limited to: All pertinent National
Institute of Standards and Technology publications; the HHS Information
Systems Program Handbook and the CMS Information Security Handbook.
V. Effects of the Proposed System of Records on Individual Rights
CMS proposes to establish this system in accordance with the
principles and requirements of the Privacy Act and will collect, use,
and disseminate information only as prescribed therein. Data in this
system will be subject to the authorized releases in accordance with
the routine uses identified in this system of records.
CMS will take precautionary measures (see item IV above) to
minimize the risks of unauthorized access to the records and the
potential harm to individual privacy or other personal or property
rights of patients whose data are maintained in the system. CMS will
collect only that information necessary to perform the system's
functions. In addition, CMS will make disclosure from the proposed
system only with consent of the subject individual, or his/her legal
representative, or in accordance with an applicable exception provision
of the Privacy Act. CMS, therefore, does not anticipate an unfavorable
effect on individual privacy as a result of information relating to
individuals.
Dated: February 25, 2008.
Charlene Frizzera,
Chief Operating Officer, Centers for Medicare & Medicaid Services.
SYSTEM NO. 09-70-0599
SYSTEM NAME:
``Medicaid Integrity Program System (MIPS),'' HHS/CMS/CMSO.
SECURITY CLASSIFICATION:
Level Three Privacy Act Sensitive Data.
SYSTEM LOCATION:
The Centers for Medicare & Medicaid Services (CMS) Data Center,
7500 Security Boulevard, North Building, First Floor, Baltimore,
Maryland 21244-1850 and at various contractor sites and at CMS Regional
Offices.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
MIPS contain information on Medicaid beneficiaries, and physicians
and other providers involved in furnishing services to Medicaid
beneficiaries.
CATEGORIES OF RECORDS IN THE SYSTEM:
Information contained in this system includes, but is not limited
to: Assigned Medicaid identification number, name, address, social
security number (SSN), health insurance claim number (HICN), date of
birth, gender, ethnicity and race, medical services, equipment, and
supplies for which Medicaid reimbursement is requested, and materials
used to determine amount of benefits allowable under Medicaid.
Information on physicians and other providers of services to the
beneficiary consist of an assigned provider identification number, and
information used to determine whether a sanction or suspension is
warranted.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Authority for maintenance of the system is given under section 6034
of the Deficient Reduction Act of 2005 Act (Pub. L. 109-171) (revising
Title XIX of the Social Security Act (42 U.S.C. 1396 et seq.)) which
establishes the Medicaid Integrity Program under which the Secretary
shall provide CMS the resources necessary to combat fraud, waste and
abuse in the Medicaid program.
PURPOSE(S) OF THE SYSTEM:
The primary purpose of this system is to establish an accurate,
current, and comprehensive database containing standardized enrollment,
eligibility, and paid claims of Medicaid beneficiaries to assist in the
detection of fraud, waste and abuse in the Medicare and Medicaid
programs. Information retrieved from this system will also be disclosed
to: (1) Support regulatory, reimbursement, and policy functions
performed within the agency or by a contractor, consultant or a CMS
grantee; (2) assist another Federal or state agency with information to
enable such agency to administer a Federal health benefits program, or
to enable such agency to fulfill a requirement of Federal statute or
regulation that implements a health benefits program funded in whole or
in part with Federal funds; (3) support a research or evaluation
project; (4) support litigation involving the agency; and (5) combat
fraud, waste, and abuse
[[Page 11642]]
in a federally-funded health benefit program.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OR USERS AND THE PURPOSES OF SUCH USES:
A. The Privacy Act allows us to disclose information without an
individual's consent if the information is to be used for a purpose
that is compatible with the purpose(s) for which the information was
collected. Any such compatible use of data is known as a ``routine
use.'' The proposed routine uses in this system meet the compatibility
requirement of the Privacy Act. We are proposing to establish the
following routine use disclosures of information maintained in the
system:
1. To agency contractors, or consultants, or to a grantee of a CMS-
administered grant program who have been engaged by the agency to
assist in the accomplishment of a CMS function relating to the purposes
for this system and who need to have access to the records in order to
assist CMS.
2. To another Federal or state agency to:
a. Contribute to the accuracy of CMS' proper management of
Medicare/Medicaid benefits; and/or
b. Enable such agency to administer a Federal health benefits
program, or as necessary to enable such agency to fulfill a requirement
of a Federal statute or regulation that implements a health benefits
program funded in whole or in part with Federal funds; and/or
c. Assist Federal/state Medicaid programs within the state.
3. To an individual or organization for a research project or in
support of an evaluation project related to the prevention of disease
or disability, the restoration or maintenance of health, or payment
related projects.
4. To the Department of Justice (DOJ), court or adjudicatory body
when:
a. The agency or any component thereof, or
b. any employee of the agency in his or her official capacity, or
c. any employee of the agency in his or her individual capacity
where the DOJ has agreed to represent the employee, or
d. the United States Government is a party to litigation or has an
interest in such litigation, and by careful review, CMS determines that
the records are both relevant and necessary to the litigation and that
the use of such records by the DOJ, court or adjudicatory body is
compatible with the purpose for which the agency collected the records.
5. To a CMS contractor (including, but not necessarily limited to
fiscal intermediaries and carriers) that assists in the administration
of a CMS-administered health benefits program, or to a grantee of a
CMS-administered grant program, when disclosure is deemed reasonably
necessary by CMS to prevent, deter, discover, detect, investigate,
examine, prosecute, sue with respect to, defend against, correct,
remedy, or otherwise combat fraud or abuse in such program.
6. To another Federal agency or to an instrumentality of any
governmental jurisdiction within or under the control of the United
States (including any State or local governmental agency), that
administers, or that has the authority to investigate potential fraud
or abuse in, a health benefits program funded in whole or in part by
Federal funds, when disclosure is deemed reasonably necessary by CMS to
prevent, deter, discover, detect, investigate, examine, prosecute, sue
with respect to, defend against, correct, remedy, or otherwise combat
fraud or abuse in such programs.
B. Additional Provisions Affecting Routine Use Disclosures
To the extent this system contains Protected Health Information
(PHI) as defined by HHS regulation ``Standards for Privacy of
Individually Identifiable Health Information'' (45 CFR Parts 160 and
164, 65 FR 82462 (12-28-00), Subparts A and E) disclosures of such PHI
that are otherwise authorized by these routine uses may only be made
if, and as, permitted or required by the ``Standards for Privacy of
Individually Identifiable Health Information.''
In addition, our policy will be to prohibit release even of data
not directly identifiable, except pursuant to one of the routine uses
or if required by law, if we determine there is a possibility that an
individual can be identified through implicit deduction based on small
cell sizes (instances where the patient population is so small that
individuals who are familiar with the enrollees could, because of the
small size, use this information to deduce the identity of the
beneficiary).
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING,
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
All records are stored on computer diskette and magnetic media.
RETRIEVABILITY:
Information can be retrieved by the assigned beneficiary
identification number, SSN, HICN, and the assigned physician or other
providers of services identification number.
SAFEGUARDS:
CMS has safeguards in place for authorized users and monitors such
users to ensure against excessive or unauthorized use. Personnel having
access to the system have been trained in the Privacy Act and
information security requirements. Employees who maintain records in
this system are instructed not to release data until the intended
recipient agrees to implement appropriate management, operational and
technical safeguards sufficient to protect the confidentiality,
integrity and availability of the information and information systems
and to prevent unauthorized access.
This system will conform to all applicable Federal laws and
regulations and Federal, HHS, and CMS policies and standards as they
relate to information security and data privacy. These laws and
regulations may apply but are not limited to: The Privacy Act of 1974;
the Federal Information Security Management Act of 2002; the Computer
Fraud and Abuse Act of 1986; the Health Insurance Portability and
Accountability Act of 1996; the E-Government Act of 2002; the Clinger-
Cohen Act of 1996; the Medicare Modernization Act of 2003; and the
corresponding implementing regulations. OMB Circular A-130, Management
of Federal Resources, Appendix III, Security of Federal Automated
Information Resources also applies. Federal, HHS, and CMS policies and
standards include but are not limited to: All pertinent National
Institute of Standards and Technology publications; the HHS Information
Systems Program Handbook and the CMS Information Security Handbook.
RETENTION AND DISPOSAL:
CMS will retain identifiable MIPS data for a total period not to
exceed 5 years after the final determination of the case is completed.
SYSTEM MANAGER(S) AND ADDRESS:
Director, Division of Medicaid Integrity Contracting, Program
Integrity Group, Center for Medicaid and State Operations, CMS, Mail
Stop B2-2923, 7111 Security Boulevard, Baltimore, Maryland 21244-1850.
NOTIFICATION PROCEDURE:
For purpose of access, the subject individual should write to the
system manager who will require the system name, HICN, address, date of
birth, and gender, and for verification purposes, the subject
individual's name (woman's maiden name, if applicable), and SSN.
Furnishing the SSN is voluntary, but it
[[Page 11643]]
may make searching for a record easier and prevent delay.
RECORD ACCESS PROCEDURE:
For purpose of access, use the same procedures outlined in
Notification Procedures above. Requestors should also specify the
record contents being sought. (These procedures are in accordance with
department regulation 45 CFR 5b.5(a)(2)).
CONTESTING RECORDS PROCEDURES:
The subject individual should contact the system manager named
above, and reasonably identify the records and specify the information
to be contested. State the corrective action sought and the reasons for
the correction with supporting justification. (These Procedures are in
accordance with Department regulation 45 CFR 5b.7).
RECORDS SOURCE CATEGORIES:
CMS obtains the identifying information contained in this system
from state Medicaid agencies, or Medicaid Management Information
Systems maintained by the individual states, and information contained
on CMS Form 2082.
SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
None.
[FR Doc. E8-4069 Filed 3-3-08; 8:45 am]
BILLING CODE 4120-03-P
