Privacy Act of 1974; Report of a Modified or Altered System of Records, 30943-30949 [E8-11949]

Download as PDF Federal Register / Vol. 73, No. 104 / Thursday, May 29, 2008 / Notices jlentini on PROD1PC65 with NOTICES 1923(e)(2) provides an exception to section 1923(g), and, if so, whether the State meets the criteria for such an exception; and • Clarification of the status of State plan amendment components that address changes to conversion factors and updates to cost reporting citations based on changes to the CMS Hospital Cost Report. If the State does not prevail on the first two issues, whether the State is asking the hearing officer to withdraw affected components of the State plan amendment and remand remaining components for a determination of whether approval is warranted. Section 1116 of the Act and Federal regulations at 42 CFR Part 430, establish Department procedures that provide an administrative hearing for reconsideration of a disapproval of a State plan or plan amendment. CMS is required to publish a copy of the notice to a State Medicaid agency that informs the agency of the time and place of the hearing, and the issues to be considered. If we subsequently notify the agency of additional issues that will be considered at the hearing, we will also publish that notice. Any individual or group that wants to participate in the hearing as a party must petition the presiding officer within 15 days after publication of this notice, in accordance with the requirements contained at 42 CFR 430.76(b)(2). Any interested person or organization that wants to participate as amicus curiae must petition the presiding officer before the hearing begins in accordance with the requirements contained at 42 CFR 430.76(c). If the hearing is later rescheduled, the presiding officer will notify all participants. The notice to Texas announcing an administrative hearing to reconsider the disapproval of its SPA reads as follows: Mr. Chris Traylor, State Medicaid Director, Texas Health and Human Services Commission, P.O. Box 13247, Austin, TX 78711. Dear Mr. Traylor: I am responding to your request for reconsideration of the decision to disapprove the Texas State plan amendment (SPA) 07–020, which was submitted on July 20, 2007, and disapproved on February 22, 2008. Under this SPA, the State would guarantee that, at the request of a hospital impacted as a result of a federally declared natural disaster, disproportionate share hospital (DSH) payments to that hospital would remain level from the prior year. In addition, the SPA would amend the conversion factors that expire August 31, 2007, and would update cost reporting citations that have changed due to a format change in the Centers for Medicare & Medicaid Services’ (CMS) Hospital and Hospital Health Care Complex Cost Report. VerDate Aug<31>2005 17:45 May 28, 2008 Jkt 214001 The amendment was disapproved because it does not comply with the requirements of section 1902(a)(13)(A) of the Social Security Act (the Act) together with the hospital specific limits under 1923(g)(1) of the Act. The hearing will involve the following issues: • Compliance with section 1923(g) of the Act. Whether the proposed State plan language concerning DSH payments assures compliance with hospital specific payment limits for current year DSH payments, and sufficient documentation of such compliance; • Applicability of section 1923(e)(2) of the Act providing an exception to the section 1923(g) limits. Whether section 1923(e)(2) provides an exception to section 1923(g) and, if so, whether the State meets the criteria for such an exception; and • Clarification of the status of SPA components that address changes to conversion factors and updates to cost reporting citations based on changes to the CMS Hospital and Hospital Health Care Complex Cost Report. If the State does not prevail on the first two issues, whether the State is asking the hearing officer to withdraw affected components of the SPA and remand remaining components for a determination of whether approval is warranted. I am scheduling a hearing on your request for reconsideration to be held on July 8, 2008, at the CMS Dallas Regional Office, 1301 Young Street, Suite 833, Room 1196, Dallas, Texas 75202, in order to reconsider the decision to disapprove SPA 07–020. If this date is not acceptable, we would be glad to set another date that is mutually agreeable to the parties. The hearing will be governed by the procedures prescribed by Federal regulations at 42 CFR Part 430. I am designating Mr. Benjamin Cohen as the presiding officer. If these arrangements present any problems, please contact the presiding officer at (410) 786–3169. In order to facilitate any communication which may be necessary between the parties to the hearing, please notify the presiding officer to indicate acceptability of the hearing date that has been scheduled and provide names of the individuals who will represent the State at the hearing. Sincerely, Kerry Weems, Acting Administrator. Section 1116 of the Social Security Act (42 U.S.C. 1316; 42 CFR 430.18). (Catalog of Federal Domestic Assistance program No. 13.714, Medicaid Assistance Program.) Dated: May 20, 2008. Kerry Weems, Acting Administrator, Centers for Medicare & Medicaid Services. [FR Doc. E8–12022 Filed 5–28–08; 8:45 am] BILLING CODE 4120–01–P PO 00000 Frm 00064 Fmt 4703 Sfmt 4703 30943 DEPARTMENT OF HEALTH AND HUMAN SERVICES Centers for Medicare & Medicaid Services Privacy Act of 1974; Report of a Modified or Altered System of Records Department of Health and Human Services (HHS), Centers for Medicare & Medicaid Services (CMS). ACTION: Notice of a modified or altered system of records. AGENCY: SUMMARY: The Privacy Act of 1974 and section 1106 of the Social Security Act (the Act) explain when and how CMS may use and disclose the personal data of people with Medicare. The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) (Pub. L. 108–173) added requirements for releasing and using personal data. To meet these additional requirements, CMS proposes to modify the existing system of records (SOR) titled ‘‘Medicare Drug Data Processing System (DDPS),’’ System No. 09–70–0553, established at 70 FR 58436 (October 6, 2005). Under this modification we are clarifying the statutory authorities for which these data are collected and disclosed. The original SOR notice cited the statutory section governing CMS’s payment of Part D plan sponsors (Social Security Act § 1860D–15) that limits the uses of the data collected to purposes related to plan payment and oversight of plan payment. However, the broad authority of § 1860D–12(b)(3)(D) authorizes CMS to collect, use and disclose Part D data for broader purposes related to CMS’s responsibilities for program administration and research. Furthermore the authority under § 1106 of the Act allows the Secretary to use and disclose data pursuant to a regulation, which in this case would be 42 CFR 423.505. CMS has published a final rule in order to clarify our statutory authority and explain how we propose to implement the broad authority of § 1860D–12(b)(3)(D) and 1106 of the Act. This SOR is being revised to reflect our intended use of this broader statutory authority. In addition to updating this SOR to reflect our broader statutory authority, CMS proposes to make the following modifications to the DDPS system: • Revise published routine use number 1 to include CMS grantees that perform a task for the agency. • Add a new routine use number 2 to allow the use and disclosure of information to other Federal and state agencies for accurate payment of E:\FR\FM\29MYN1.SGM 29MYN1 jlentini on PROD1PC65 with NOTICES 30944 Federal Register / Vol. 73, No. 104 / Thursday, May 29, 2008 / Notices Medicare benefits; to fulfill a requirement or allowance of a Federal statute or regulation that implements a health benefits program funded in whole or in part with Federal funds; and to help Federal/state Medicaid programs that may need information from this system. • Broaden the scope of routine use number 4 to allow the use and disclosure of specified data as described in CMS’s Part D data final rule, 42 CFR 423.505(m) to other government agencies, States or external organizations, in accordance with the minimum data necessary policy and Federal law. • Delete published routine use number 5 which authorizes disclosure to support constituent requests made to a congressional representative. • Broaden the scope of routine use number 7 and 8, to include combating ‘‘waste,’’ in addition to fraud and abuse that result in unnecessary cost to federally-funded health benefit programs. • Revise language regarding routine uses disclosures to explain the purpose of the routine use and make clear CMS’s intention to use and disclose personal information contained in this system. • Reorder and prioritize the routine uses. • Update any sections of the system affected by the reorganization or revision of routine uses because of MMA provisions or regulations promulgated based on MMA provisions. • Update language in the administrative sections to be consistent with language used in other CMS SORs. The primary purpose of this system is to collect, maintain, and process information on all Medicare covered, and as many non-covered drug events as possible, for people with Medicare who have enrolled into a Medicare Part D plan. The system helps CMS determine appropriate payment of covered drugs. It will also provide for processing, storing, and maintaining drug transaction data in a large-scale database, while putting data into data marts to support payment analysis. CMS would allow the expanded use and disclosure of information in this system to: (1) Support regulatory, analysis, oversight, reimbursement, operational, and policy functions performed within the agency or by a contractor, consultant, or a CMS grantee; (2) support another Federal and/or state agency, agency of a state government, an agency established by state law, or its fiscal agent; (3) assist Medicare Part D sponsors; (4) support an individual or organization with projects that provide transparency in health care on a broad- VerDate Aug<31>2005 17:45 May 28, 2008 Jkt 214001 scale enabling consumers to compare the quality and price of health care services for a research, evaluation, or epidemiological or other project related to protecting the public’s health, the prevention of disease or disability, the restoration or maintenance of health, or for payment related purposes; (5) assist Quality Improvement Organizations; (6) support lawsuits involving the agency; and (7) combat fraud, waste, and abuse in certain Federally funded health benefits programs. DATES: Effective Dates: CMS filed a modified or altered system report with the Chair of the House Committee on Government Reform and Oversight, the Chair of the Senate Committee on Homeland Security & Governmental Affairs, and the Administrator, Office of Information and Regulatory Affairs, Office of Management and Budget (OMB) on May 22, 2008. To ensure that all parties have adequate time in which to comment, the modified system, including routine uses, will become effective 30 days from the publication of the notice, or 40 days from the date it was submitted to OMB and Congress, whichever is later, unless CMS receives comments that require alterations to this notice. ADDRESSES: The public should send comments to: CMS Privacy Officer, Division of Privacy Compliance, Enterprise Architecture and Strategy Group, Office of Information Services, CMS, Mail stop N2–04–27, 7500 Security Boulevard, Baltimore, Maryland 21244–1850. Comments received will be available for review at this location, by appointment, during regular business hours, Monday through Friday from 9 a.m.–3 p.m., Eastern Time zone. FOR FURTHER INFORMATION CONTACT: Alissa Deboy, Director, Division of Drug Plan Policy & Analysis, Medicare Drug Benefit Group, Centers for Beneficiary Choices, CMS, Room C1–26–26, 7500 Security Boulevard, Baltimore, Maryland 21244–1850. The telephone number is 410–786–6041 or e-mail at Alissa.Deboy@cms.hhs.gov. SUPPLEMENTARY INFORMATION: In December 2003, Congress added Part D under Title XVIII when it passed the Medicare Prescription Drug, Improvement, and Modernization Act. The Act allows Medicare to pay plans to provide Part D prescription drug coverage as described in Title 42, Code of Federal Regulations (CFR) § 423.301. The Act allows Medicare to pay Part D sponsors in one of four ways: 1. Direct subsidies; 2. Premium and cost-sharing subsidies for qualifying low-income individuals (low-income subsidy); 3. PO 00000 Frm 00065 Fmt 4703 Sfmt 4703 Federal reinsurance subsidies; and 4. Risk-sharing. Throughout this notice, the term ‘‘sponsor’’ means all entities that provide Part D prescription drug coverage and submit claims data to CMS for payment calculations. As a condition of payment, all Part D sponsors must submit data and information necessary for CMS to carry out payment provisions (§ 1860D– 15(c)(1)(C) and (d)(2) of the Act, and 42 CFR 423.322). In addition, these data may be disclosed to other entities, pursuant to § 1860D–12(b)(3)(D) and 42 CFR 423.505(b)(8) and (f), (l), and (m)) for the purposes described in the routine uses described in this SOR notice. Furthermore, this data may be disclosed pursuant to § 1106 of the Act. This notice explains how CMS would collect data elements on Part D prescription drug events (PDE data, also called ‘‘claims’’ data) according to the statute. Data elements such as beneficiary, plan, pharmacy and prescriber identifiers would be used to validate claims and meet other legislative requirements or initiatives such as quality monitoring, program integrity, and payment oversight. In addition, the original 37 data elements submitted as part of the prescription drug event data would be used for other purposes as allowed by § 1860D–12 and its implementing regulations. In addition, summary prescription drug claim information based on the original 37 elements maintained in this system will be used to (1) generate reports to Congress and the public on overall statistics associated with the operation of the Medicare prescription drug program; (2) conduct evaluations of the overall Medicare program; (3) make legislative proposals to the Congress regarding Federal health care programs; (4) conduct demonstration and pilot projects and make recommendations for improving the economy, efficiency or effectiveness of the Medicare program; (5) support care coordination and disease management programs; (6) support quality improvement, performance measurement, and public reporting activities; (7) populate personal health care records; and (8) as otherwise permitted under 42 CFR 423.505. In addition to the individually identifiable information identified in section I. B. (Data in the System) below, we will maintain the following data elements, which may be used under the authority of sections 1860D–12 and D– 15 as noted above: Identification of pharmacy where the prescription was filled; indication of whether drug was compounded or mixed; indication of prescriber instruction regarding E:\FR\FM\29MYN1.SGM 29MYN1 Federal Register / Vol. 73, No. 104 / Thursday, May 29, 2008 / Notices substitution of generic equivalents or order to ‘‘dispense as written;’’ quantity dispensed (for example, number of tablets, grams, milliliters, or other unit); days supply; fill number; dispensing status and whether the full quantity is dispensed at one time, or the quantity is partially filled; identification of coverage status, such as whether the product dispensed is covered under the plan benefit package or under Part D or both. This code also identifies whether the drug is being covered as part of a Part D supplemental benefit; indication of whether unique pricing rules apply, for example because of an out-ofnetwork or Medicare as Secondary Payer services; indication of whether the beneficiary has reached the annual out-of-pocket threshold, which triggers reduced beneficiary cost-sharing and the reinsurance subsidy; ingredient cost of the product dispensed; dispensing fee paid to pharmacy; sales tax; for covered Part D drugs, the amount of gross drug costs that are both below and above the annual out-of-pocket threshold; amount paid by patient and not reimbursed by a third party (such as co-payments, coinsurance, or deductibles); amount of third party payment that would count toward a beneficiary’s true out-of-pocket (TrOOP) costs in meeting the annual out-of-pocket threshold, such as payments on behalf of a beneficiary by a qualifying State Pharmacy Assistance Program (SPAP); low-income costsharing subsidy amount (if any); and reduction in patient liability due to nonTrOOP-eligible payers paying on behalf of the beneficiary (which would exclude payers whose payments count toward a beneficiary’s true out of pocket costs, such as SPAPs amounts paid by the plan for basic prescription drug coverage and amounts paid by plan for benefits beyond basic prescription drug coverage). I. Description of the Modified System of Records jlentini on PROD1PC65 with NOTICES A. Statutory and Regulatory Basis for System This system is mandated and authorized under provisions of the Medicare Prescription Drug, Improvement, and Modernization Act, amending the Social Security Act by adding Part D under Title XVIII (§§ 1860D–15(c)(1)(C) and (d)(2), as described in Title 42, Code of Federal Regulations (CFR) 423.301 et.seq. as well as1860D–12(b)(3)(D) and 1106 of the Act, as described in 42 CFR 423.505(b)(8) and (f),(l), and (m). VerDate Aug<31>2005 17:45 May 28, 2008 Jkt 214001 B. Data in the System This system collects and maintains individually identifiable information on Medicare beneficiaries who have enrolled in a Medicare Part D plan and individually identifiable data on prescribing health care professionals and referring/servicing pharmacies. The data includes, but is not limited to, summary prescription drug claim data and individually identifiable beneficiary information such as: health insurance claim number, card holder identification number, date of service, gender, other identifying data, and optionally, the patient’s date of birth. Identifying information of prescribing health care providers include the prescriber identification number and qualifier and the pharmacy service provider ID and qualifier. II. Agency Policies, Procedures, and Restrictions on Routine Uses A. Below are CMS’ policies and procedures for giving out individually identifiable information maintained in the system. CMS would only use and disclose the minimum data necessary to achieve the purpose of the DDPS if the following requirements are met: 1. The information or use of the information is consistent with the reason that the data is being collected; 2. The individually identifiable information is necessary to complete the project (taking into account the risk to the privacy of the individual); 3. The organization receiving the information establishes administrative, technical, and physical protections to prevent unauthorized use of the information; 4. The organization removes or destroys the information that allows the individual to be identified at the earliest time; 5. The organization generally agrees to not use or disclose the information for any purpose other than the stated purpose under which the information was disclosed; and 6. The data are valid and reliable. The Privacy Act allows CMS to give out identifiable and non-identifiable information for routine uses without an individual’s consent/authorization. The identifiable data described in this notice is listed under Section I. B. above. III. Routine Uses of Data A. In addition to those entities specified in the Privacy Act of 1974, CMS may use and disclose information from the DDPS without the consent of the individual for routine uses pursuant to sections 1860D–15 and 1860D– 12(b)(3)(D) of the Social Security Act . PO 00000 Frm 00066 Fmt 4703 Sfmt 4703 30945 Below are the modified routine uses for releasing information without individual consent that CMS would add or modify in the DDPS. 1. To support Agency contractors, consultants, or CMS grantees who have been engaged by the Agency to assist in accomplishment of a CMS function relating to the purposes for this SOR and who need to have access to the records in order to assist CMS. We contemplate disclosing information under this routine use only in situations in which CMS may enter into a contractual or similar agreement with a third party to assist in accomplishing a CMS function relating to purposes for this SOR. CMS occasionally contracts out or makes other arrangements for certain functions when doing so would contribute to effective and efficient operations. CMS must be able to give a contractor, consultant, or CMS grantee whatever information is necessary for the contractor, consultant, or grantee to fulfill its duties. In these situations, safeguards are provided in the contract/ similar agreement prohibiting the contractor, consultant, or grantee from using or disclosing the information for any purpose other than that described in the contract/similar agreement and requires the contractor, consultant, or grantee to destroy all information at the completion of the contract or similar agreement. 2. To assist another Federal or state agency, agency of a state government, an agency established by state law, or its fiscal agent to: a. Contribute to the accuracy of CMS’ payment of Medicare benefits, b. Administer a Federal health benefits program or fulfill a Federal statute or regulatory requirement or allowance that implements a health benefits program funded in whole or in part with Federal funds, c. Access data required for Federal/ state Medicaid programs, or Other Federal or state agencies in their administration of a Federal health program may require DDPS information in order to support evaluations and monitoring of Medicare claims information of beneficiaries, including proper reimbursement for services provided. In addition, disclosure under this routine use may be used by state agencies pursuant to agreements with the HHS for determining Medicare or Medicaid eligibility, for determining eligibility of recipients of assistance under titles IV, XVIII, and XIX of the Act, and for the administration and operation of the Medicare and Medicaid programs including quality E:\FR\FM\29MYN1.SGM 29MYN1 jlentini on PROD1PC65 with NOTICES 30946 Federal Register / Vol. 73, No. 104 / Thursday, May 29, 2008 / Notices improvement and care coordination. Data will be disclosed to the state only on those individuals who are or were patients under the services of a program within the state or who are residents of that state. 3. To support Part D Sponsors, pharmacy benefit managers, claims processors, and other Prescription Drug Event submitters, in protecting their own members (and former members for the periods enrolled in a given plan) against medical expenses of their enrollees without the beneficiary’s authorization, and having knowledge of the occurrence of any event affecting (a) an individual’s right to any such benefit or payment, or (b) the initial right to any such benefit or payment, for the purpose of coordination of benefits with the Medicare program and implementation of the Medicare Secondary Payer provision at 42 U.S.C. 1395y (b). Information to be disclosed shall be limited to Medicare utilization data necessary to perform that specific function. In order to receive the information, they must agree to: a. Certify that the individual about whom the information is being provided is one of its insured or employees, or is insured and/or employed by another entity for whom they serve as a Third Party Administrator; b. Utilize the information solely for the purpose of processing the individual’s insurance claims; and c. Safeguard the confidentiality of the data and prevent unauthorized access. Other insurers may need data in order to support evaluations and monitoring of Medicare claims information, including proper reimbursement for services. 4. To assist an individual or organization with research, an evaluation, or an epidemiological or other project related to protecting the public’s health, the prevention of disease or disability, restoration or maintenance of health, or for payment related purposes. This includes projects that provide transparency in health care on a broad-scale enabling consumers to compare the quality and price of health care services. CMS must: a. Determine if the use or disclosure of data violate legal limitations under which the record was provided, collected, or obtained; b. Determine that the purpose for the use or disclosure of information: (1) Cannot be reasonably accomplished unless the record is provided in individually identifiable form, (2) Is of sufficient importance to warrant the effect or risk on the privacy of the individual, and VerDate Aug<31>2005 17:45 May 28, 2008 Jkt 214001 (3) Meets the objectives of the project; c. Requires the recipient of the information to: (1) Establish reasonable administrative, technical, and physical protections to prevent unauthorized use or disclosure of information, (2) Remove or destroy the information that allows the individual to be identified at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the project, unless the recipient presents an adequate justification for retaining such information, and (3) No longer use or disclose information except: (a) In emergency circumstances affecting the health or safety of any individual; (b) For use in another research project, under these same conditions and with written CMS approval; (c) For an audit related to the research; (d) For disclosure to a properly identified person for the purpose of an audit related to the research project, if information that would enable research subjects to be identified is removed or destroyed at the earliest opportunity consistent with the purpose of the audit; or (e) When required by Federal law. d. Get signed, written statements from the entity receiving the information that they understand and will follow all provisions in this notice. e. Complete and submit a Data Use Agreement (CMS Form 0235) in accordance with current CMS policies. CMS anticipates that there will be many legitimate requests to use these data in projects that could ultimately improve the care provided to Medicare beneficiaries and the policy that governs the care. 5. To support Quality Improvement Organizations (QIO) in the claims review process, or with studies or other review activities performed in accordance with Part B of Title XI of the Act. QIOs can also use the data for outreach activities to establish and maintain entitlement to Medicare benefits or health insurance plans. QIOs will work to implement quality improvement and performance measurement programs, provide consultation to CMS, its contractors, and to state agencies. QIOs will assist the state agencies in related monitoring and enforcement efforts, assist CMS and intermediaries in program integrity assessment, and prepare summary information for disclosure to CMS. 6. To assist the Department of Justice (DOJ), court, or adjudicatory body when PO 00000 Frm 00067 Fmt 4703 Sfmt 4703 there is a lawsuit in which the Agency, any employee of the Agency in his or her official capacity or individual capacity (if the DOJ agrees to represent the employee), or the United States Government is a party or CMS’ policies or operations could be affected by the outcome. The information must be both relevant and necessary to the lawsuit, and the use of the records is for a purpose that is compatible with the purpose for which CMS collected the records. Whenever CMS is involved in litigation, or occasionally when another party is involved in litigation and CMS’ policies or operations could be affected by the outcome of the litigation, CMS would be able to disclose information to the DOJ, court, or adjudicatory body involved. 7. To support a CMS contractor that assists in the administration of a CMS health benefits program or a grantee of a CMS-administered grant program if the information is necessary, in any capacity, to combat fraud, waste, or abuse in such program. CMS will only provide this information if CMS can enter into a contract or grant for this purpose. CMS must be able to give a contractor or CMS grantee necessary information in order to complete their contractual responsibilities. In these situations, protections are provided in the contract prohibiting the contractor or grantee from using or releasing the information for any purpose other than that described in the contract. It also requires the contractor or grantee to return or destroy all information when the contract ends. 8. To support another Federal agency or any United States government jurisdiction (including any state or local governmental agency) if the information is necessary, in any capacity, to combat fraud, waste, or abuse in a health benefits program that is funded in whole or in part by Federal funds. Other agencies may require DDPS information for the purpose of combating fraud, waste, or abuse in such federally-funded programs. B. Additional Circumstances Affecting Routine Use Disclosures To the extent this system contains Protected Health Information (PHI) as defined by HHS regulation ‘‘Standards for Privacy of Individually Identifiable Health Information’’ (45 CFR Parts 160 and 164, Subparts A and E) 65 FR 82462 (December 28, 2000), use and disclosure of information that are otherwise allowed by these routine uses may only be made if, and as, permitted or required by the ‘‘Standards for Privacy E:\FR\FM\29MYN1.SGM 29MYN1 Federal Register / Vol. 73, No. 104 / Thursday, May 29, 2008 / Notices of Individually Identifiable Health Information.’’ (See 45 CFR 164.512(a)(1).) In addition, CMS will not give out information that is not directly identifiable if there is a possibility that a person with Medicare could be identified because the sample is small enough to identify participants. CMS would make exceptions if the information is needed for one of the routine uses or if it’s required by law. jlentini on PROD1PC65 with NOTICES IV. Safeguards and Protections CMS has protections in place for authorized users to make sure they are properly using the data and there is no unauthorized use. Personnel having access to the system have been trained in the Privacy Act and information security requirements. Employees who maintain records in this system cannot use or disclose data until the recipient agrees to implement appropriate management, operational and technical safeguards that will protect the confidentiality, integrity, and availability of the information and information systems. This system would follow all applicable Federal laws and regulations, and Federal, HHS, and CMS security and data privacy policies and standards. These laws and regulations include but are not limited to: the Privacy Act of 1974; the Federal Information Security Management Act of 2002 (when applicable); the Computer Fraud and Abuse Act of 1986; the Health Insurance Portability and Accountability Act of 1996; the E-Government Act of 2002, the Clinger-Cohen Act of 1996; the Medicare Modernization Act of 2003, and the corresponding implementing regulations. OMB Circular A–130, Management of Federal Resources, Appendix III, Security of Federal Automated Information Resources also applies. Federal, HHS, and CMS policies and standards include but are not limited to all pertinent National Institute of Standards and Technology publications, the HHS Information Systems Program Handbook, and the CMS Information Security Handbook. V. Effects on Individual Rights CMS does not anticipate a negative effect on individual privacy as a result of giving out personal information from this system. CMS established this system in accordance with the principles and requirements of the Privacy Act and would collect, use, and disclose information that follow these requirements. CMS would only give out the minimum amount of personal data to achieve the purpose of the system. Use and disclosure of information from VerDate Aug<31>2005 17:45 May 28, 2008 Jkt 214001 the system will be approved only to the extent necessary to accomplish the purpose of releasing the data. CMS has assigned a higher level of security clearance for the information maintained in this system in an effort to provide added security and protection of individuals’ personal information and, if feasible, ask that once the information is no longer needed that it be returned or destroyed. CMS would take precautionary measures to minimize the risks of unauthorized access to the records and the potential harm to individual privacy, or other personal or property rights. CMS would collect only information necessary to perform the system’s functions. In addition, CMS would only give out information if the individual, or his or her legal representative has given approval, or if allowed by one of the exceptions noted in the Privacy Act. Dated: May 22, 2008. Charlene Frizzera, Chief Operating Officer, Centers for Medicare & Medicaid Services. SYSTEM NO. 09–70–0553. SYSTEM NAME: Medicare Drug Data Processing System (DDPS), HHS/CMS/CBC. SECURITY CLASSIFICATION: Level Three Privacy Act Sensitive. SYSTEM LOCATION: CMS Data Center, 7500 Security Boulevard, North Building, First Floor, Baltimore, Maryland 21244–1850 and at various contractor sites. CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: This system collects and maintains individually identifiable information on all people with Medicare who have enrolled into a Medicare Part D plan and individually identifiable data on prescribing health care professional, referring/servicing physician, and providers. CATEGORIES OF RECORDS IN THE SYSTEM: The data includes, but is not limited to, summary prescription drug claim data and individually identifiable beneficiary information such as: Beneficiary name, address, city, state, ZIP code, card holder identification number, date of service, gender, demographic, other identifying data, and optionally, the patient’s date of birth. Identifying information of prescribing health care professional and providers of services and referring/ PO 00000 Frm 00068 Fmt 4703 Sfmt 4703 30947 servicing physician include provider/ physician name, title, address, city, state, ZIP code, e-mail address, telephone numbers, fax number, state licensure number, Social Security Numbers, Federal tax identification numbers, prescriber identification number, assigned provider number (facility, referring/servicing physician), Drug Enforcement Agency (DEA) assigned identification number, and numerous other data elements related to the processing of the prescription drug claim. AUTHORITY FOR MAINTENANCE OF THE SYSTEM: This system is mandated under provisions of the Medicare Prescription Drug, Improvement, and Modernization Act, amending the Social Security Act by adding Part D under Title XVIII (§§ 1860D–15(c)(1)(C) and (d)(2)), as described in Title 42, Code of Federal Regulations (CFR) 423.301 et seq. as well as1860D–12(b)(3)(D) and 1106 of the Act, as described in 42 CFR 423.505(b)(8), (f), (l), and (m). PURPOSE(S) OF THE SYSTEM: The primary purpose of this system is to collect, maintain, and process information on all Medicare covered, and as many non-covered drug events as possible, for people with Medicare who have enrolled into a Medicare Part D plan. The system will help CMS determine appropriate payment of covered drugs. It will also provide for processing, storing, and maintaining drug transaction data in a large-scale database, while putting data into data marts to support payment analysis. CMS would allow the expanded release of information in this system to: (1) Support regulatory, analysis, oversight, reimbursement, operational and policy functions performed within the agency or by a contractor, consultant, or a CMS grantee; (2) help another Federal and/or state agency, agency of a state government, an agency established by state law, or its fiscal agent; (3) assist Medicare Part D sponsors; (4) support an individual or organization with projects that provide transparency in health care on a broad-scale enabling consumers to compare the quality and price of health care services or for a research, evaluation, or epidemiological or other project related to protecting the public’s health, the prevention of disease or disability, the restoration or maintenance of health, or for payment related purposes; (5) assist Quality Improvement Organizations; (6) support lawsuits involving the agency; and (7) combat fraud, waste, and abuse in certain Federally funded health benefits programs. E:\FR\FM\29MYN1.SGM 29MYN1 30948 Federal Register / Vol. 73, No. 104 / Thursday, May 29, 2008 / Notices ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OR USERS AND THE PURPOSES OF SUCH USES: jlentini on PROD1PC65 with NOTICES A. ENTITIES WHO MAY RECEIVE DISCLOSURES UNDER ROUTINE USE: These routine uses specify circumstances, in addition to those provided by statute in the Privacy Act of 1974, under which CMS may use and disclose information from the DDPS without the consent of the individual to whom such information pertains. Each proposed disclosure of information under these routine uses will be evaluated to ensure that the disclosure is legally permissible, including but not limited to ensuring that the purpose of the disclosure is compatible with the purpose for which the information was collected. We propose to establish or modify the following routine use disclosures of information maintained in the system: 1. To support Agency contractors, consultants, or CMS grantees who have been engaged by the Agency to assist in accomplishment of a CMS function relating to the purposes for this SOR and who need to have access to the records in order to assist CMS. 2. To assist another Federal or state agency, agency of a state government, an agency established by state law, or its fiscal agent pursuant to agreements with CMS to: a. Contribute to the accuracy of CMS’s payment of Medicare benefits; b. Administer a Federal health benefits program, or as necessary to enable such agency to fulfill a requirement of a Federal statute or regulation that implements a health benefits program funded in whole or in part with Federal funds; and/or c. Access data required for Federal/ state Medicaid programs. 3. To support Part D Prescription Drug sponsors, pharmacy benefit managers, claims processors, and other Prescription Drug Event submitters, in protecting their own members (and former members for the periods enrolled in a given plan) against medical expenses of their enrollees without the beneficiary’s authorization, and having knowledge of the occurrence of any event affecting (a) an individual’s right to any such benefit or payment, or (b) the initial right to any such benefit or payment, for the purpose of coordination of benefits with the Medicare program and implementation of the Medicare Secondary Payer provision at 42 U.S.C. 1395y(b). Information to be disclosed shall be limited to Medicare utilization data necessary to perform that specific function. In order to receive the information, they must agree to: VerDate Aug<31>2005 17:45 May 28, 2008 Jkt 214001 a. Certify that the individual about whom the information is being provided is one of its insured or employees, or is insured and/or employed by another entity for whom they serve as a Third Party Administrator; b. Utilize the information solely for the purpose of processing the individual’s insurance claims; and c. Safeguard the confidentiality of the data and prevent unauthorized access. 4. To assist an individual or organization with research, an evaluation, or an epidemiological or other project related to protecting the public’s health, the prevention of disease or disability, restoration or maintenance of health, or for payment related purposes. This includes projects that provide transparency in health care on a broad-scale enabling consumers to compare the quality and price of health care services. CMS must: a. Determine if the use or disclosure of data violate legal limitations under which the record was provided, collected, or obtained; b. Determine that the purpose for the use or disclosure of information: (1) Cannot be reasonably accomplished unless the record is provided in individually identifiable form; (2) Is of sufficient importance to warrant the effect or risk on the privacy of the individual; and (3) Meets the objectives of the project; c. Requires the recipient of the information to: (1) Establish reasonable administrative, technical, and physical protections to prevent unauthorized use or disclosure of information; (2) Remove or destroy the information that allows the individual to be identified at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the project, unless the recipient presents an adequate justification for retaining such information; and (3) No longer use or disclose information except: (a) In emergency circumstances affecting the health or safety of any individual; (b) For use in another research project, under these same conditions and with written CMS approval; (c) For an audit related to the research; (d) For disclosure to a properly identified person for the purpose of an audit related to the research project, if information that would enable research subjects to be identified is removed or destroyed at the earliest opportunity consistent with the purpose of the audit; or PO 00000 Frm 00069 Fmt 4703 Sfmt 4703 (e) When required by Federal law. d. Get signed, written statements from the entity receiving the information that they understand and will follow all provisions in this notice. e. Complete and submit a Data Use Agreement (CMS Form 0235) in accordance with current CMS policies. 5. To support Quality Improvement Organization (QIO) with claims review process or with studies or other review activities performed in accordance with Part B of Title XI of the Social Security Act. QIOs can also use the data for outreach activities to individuals for the purpose of establishing and maintaining their entitlement to Medicare benefits or health insurance plans. 6. To assist the Department of Justice (DOJ), court, or adjudicatory body when there is a lawsuit in which the Agency, any employee of the Agency in his or her official capacity or individuals capacity (if the DOJ agrees to represent the employee), or the United States Government is a part of CMS’ policies or operations could be affected by the outcome. The information must be both relevant and necessary to the lawsuit, and the use of records is for a purpose that is compatible with the purpose for which CMS collected records. 7. To support a CMS contractor that assists in the administration of a CMS health benefits program, or a grantee of a CMS-administered grant program, if the information is necessary, in any capacity, to combat fraud, waste, or abuse in such program. CMS will only provide this information if CMS can enter into a contract or grant for this purpose. 8. To support another Federal agency or any United States government jurisdiction (including any state, or local governmental agency), if the information is necessary, in any capacity to combat fraud, waste or abuse in a health benefits program funded in whole or in part by Federal funds. B. ADDITIONAL CIRCUMSTANCES AFFECTING ROUTINE USE DISCLOSURES: To the extent this system contains Protected Health Information (PHI) as defined by HHS regulation ‘‘Standards for Privacy of Individually Identifiable Health Information’’ (45 CFR Parts 160 and 164, Subparts A and E) 65 FR 82462 (12–28–00) release of information that are otherwise allowed by these routine uses may only be made if, and as, permitted or required by the ‘‘Standards for Privacy of Individually Identifiable Health Information.’’ (See 45 CFR 164– 512 (a)(1).) In addition, CMS will not give out information that is not directly identifiable if there is a possibility that E:\FR\FM\29MYN1.SGM 29MYN1 Federal Register / Vol. 73, No. 104 / Thursday, May 29, 2008 / Notices are entered into the system for a period of 20 years. Records are housed in both active and archival files. All claimsrelated records are encompassed by the document preservation order and will be retained until notification is received from the Department of Justice. a person with Medicare could be identified because the sample is small enough to identify participants. CMS would make exceptions if the information is needed for one of the routine uses or if it’s required by law. POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM: SYSTEM MANAGER AND ADDRESS: STORAGE: Records are stored on both tape cartridges (magnetic storage media) and in a DB2 relational database management environment (DASD data storage media). RETRIEVABILITY: Information is most frequently retrieved by HICN, provider number (facility, physician, IDs), service dates, and beneficiary state code. jlentini on PROD1PC65 with NOTICES Jkt 214001 [Docket Nos. FDA–2007–E–0461 (formerly Docket No. 2007E–0424), FDA–2007–E–0165 (formerly Docket No. 2007E–0425), FDA– 2007–E–0459 (formerly Docket No. 2007E– 0146)] NOTIFICATION PROCEDURE: HHS. For purpose of notification, the subject individual should write to the system manager who will require the system name, and the retrieval selection criteria (e.g., HICN, facility/pharmacy number, service dates, etc.). RECORD ACCESS PROCEDURE: For purpose of access, use the same procedures outlined in Notification Procedures above. Requestors should also reasonably specify the record contents being sought. (These procedures are in accordance with Department regulation 45 CFR 5b.5 (a)(2).) CONTESTING RECORD PROCEDURES: The subject individual should contact the system manager named above, and reasonably identify the record and specify the information to be contested. State the corrective action sought and the reasons for the correction with supporting justification. (These procedures are in accordance with Department regulation 45 CFR 5b.7.) RECORD SOURCE CATEGORIES: Summary prescription drug claim information contained in this system is obtained from the Part D Sponsor daily and monthly drug event transaction reports, Medicare Beneficiary Database (09–70–0530), and other payer information to be provided by the TROOP Facilitator. SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT: None. [FR Doc. E8–11949 Filed 5–28–08; 8:45 am] BILLING CODE 4120–03–P Records are maintained with identifiers for all transactions after they 17:45 May 28, 2008 Food and Drug Administration Determination of Regulatory Review Period for Purposes of Patent Extension; LUCENTIS RETENTION AND DISPOSAL: VerDate Aug<31>2005 DEPARTMENT OF HEALTH AND HUMAN SERVICES Director, Centers for Beneficiary Choices, CMS, Mail stop C5–19–07, 7500 Security Boulevard, Baltimore, Maryland 21244–1850. SAFEGUARDS AND PROTECTIONS: CMS has protections in place for authorized users to make sure they are properly using the data and there is no unauthorized use. Personnel having access to the system have been trained in the Privacy Act and information security requirements. Employees who maintain records in this system cannot use or disclose data until the recipient agrees to implement appropriate management, operational and technical safeguards that will protect the confidentiality, integrity, and availability of the information and information systems. This system would follow all applicable Federal laws and regulations, and Federal, HHS, and CMS security and data privacy policies and standards. These laws and regulations include but are not limited to: the Privacy Act of 1974; the Federal Information Security Management Act of 2002 (when applicable); the Computer Fraud and Abuse Act of 1986; the Health Insurance Portability and Accountability Act of 1996; the E-Government Act of 2002, the Clinger-Cohen Act of 1996; the Medicare Modernization Act of 2003, and the corresponding implementing regulations. OMB Circular A–130, Management of Federal Resources, Appendix III, Security of Federal Automated Information Resources also applies. Federal, HHS, and CMS policies and standards include but are not limited to all pertinent National Institute of Standards and Technology publications, the HHS Information Systems Program Handbook, and the CMS Information Security Handbook. 30949 PO 00000 Frm 00070 Fmt 4703 Sfmt 4703 AGENCY: ACTION: Food and Drug Administration, Notice. SUMMARY: The Food and Drug Administration (FDA) has determined the regulatory review period for LUCENTIS and is publishing this notice of that determination as required by law. FDA has made the determination because of the submission of applications to the Director of Patents and Trademarks, Department of Commerce, for the extension of patents which claim that human biological product. Submit written or electronic comments and petitions to the Division of Dockets Management (HFA–305), Food and Drug Administration, 5630 Fishers Lane, rm. 1061, Rockville, MD 20852. Submit electronic comments to http://www.regulations.gov. FOR FURTHER INFORMATION CONTACT: Beverly Friedman, Center for Drug Evaluation and Research, Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 51, rm. 6222, Silver Spring, MD, 20993–0002, 301– 796–3602. SUPPLEMENTARY INFORMATION: The Drug Price Competition and Patent Term Restoration Act of 1984 (Public Law 98– 417) and the Generic Animal Drug and Patent Term Restoration Act (Public Law 100–670) generally provide that a patent may be extended for a period of up to 5 years so long as the patented item (human drug product, animal drug product, medical device, food additive, or color additive) was subject to regulatory review by FDA before the item was marketed. Under these acts, a product’s regulatory review period forms the basis for determining the amount of extension an applicant may receive. A regulatory review period consists of two periods of time: A testing phase and an approval phase. For human biological products, the testing phase begins when the exemption to permit the clinical investigations of the biological product becomes effective ADDRESSES: E:\FR\FM\29MYN1.SGM 29MYN1

Agencies

[Federal Register Volume 73, Number 104 (Thursday, May 29, 2008)]
[Notices]
[Pages 30943-30949]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-11949]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services


Privacy Act of 1974; Report of a Modified or Altered System of 
Records

AGENCY: Department of Health and Human Services (HHS), Centers for 
Medicare & Medicaid Services (CMS).

ACTION: Notice of a modified or altered system of records.

-----------------------------------------------------------------------

SUMMARY: The Privacy Act of 1974 and section 1106 of the Social 
Security Act (the Act) explain when and how CMS may use and disclose 
the personal data of people with Medicare. The Medicare Prescription 
Drug, Improvement, and Modernization Act of 2003 (MMA) (Pub. L. 108-
173) added requirements for releasing and using personal data. To meet 
these additional requirements, CMS proposes to modify the existing 
system of records (SOR) titled ``Medicare Drug Data Processing System 
(DDPS),'' System No. 09-70-0553, established at 70 FR 58436 (October 6, 
2005). Under this modification we are clarifying the statutory 
authorities for which these data are collected and disclosed. The 
original SOR notice cited the statutory section governing CMS's payment 
of Part D plan sponsors (Social Security Act Sec.  1860D-15) that 
limits the uses of the data collected to purposes related to plan 
payment and oversight of plan payment. However, the broad authority of 
Sec.  1860D-12(b)(3)(D) authorizes CMS to collect, use and disclose 
Part D data for broader purposes related to CMS's responsibilities for 
program administration and research. Furthermore the authority under 
Sec.  1106 of the Act allows the Secretary to use and disclose data 
pursuant to a regulation, which in this case would be 42 CFR 423.505. 
CMS has published a final rule in order to clarify our statutory 
authority and explain how we propose to implement the broad authority 
of Sec.  1860D-12(b)(3)(D) and 1106 of the Act. This SOR is being 
revised to reflect our intended use of this broader statutory 
authority.
    In addition to updating this SOR to reflect our broader statutory 
authority, CMS proposes to make the following modifications to the DDPS 
system:
     Revise published routine use number 1 to include CMS 
grantees that perform a task for the agency.
     Add a new routine use number 2 to allow the use and 
disclosure of information to other Federal and state agencies for 
accurate payment of

[[Page 30944]]

Medicare benefits; to fulfill a requirement or allowance of a Federal 
statute or regulation that implements a health benefits program funded 
in whole or in part with Federal funds; and to help Federal/state 
Medicaid programs that may need information from this system.
     Broaden the scope of routine use number 4 to allow the use 
and disclosure of specified data as described in CMS's Part D data 
final rule, 42 CFR 423.505(m) to other government agencies, States or 
external organizations, in accordance with the minimum data necessary 
policy and Federal law.
     Delete published routine use number 5 which authorizes 
disclosure to support constituent requests made to a congressional 
representative.
     Broaden the scope of routine use number 7 and 8, to 
include combating ``waste,'' in addition to fraud and abuse that result 
in unnecessary cost to federally-funded health benefit programs.
     Revise language regarding routine uses disclosures to 
explain the purpose of the routine use and make clear CMS's intention 
to use and disclose personal information contained in this system.
     Reorder and prioritize the routine uses.
     Update any sections of the system affected by the 
reorganization or revision of routine uses because of MMA provisions or 
regulations promulgated based on MMA provisions.
     Update language in the administrative sections to be 
consistent with language used in other CMS SORs.
    The primary purpose of this system is to collect, maintain, and 
process information on all Medicare covered, and as many non-covered 
drug events as possible, for people with Medicare who have enrolled 
into a Medicare Part D plan. The system helps CMS determine appropriate 
payment of covered drugs. It will also provide for processing, storing, 
and maintaining drug transaction data in a large-scale database, while 
putting data into data marts to support payment analysis. CMS would 
allow the expanded use and disclosure of information in this system to: 
(1) Support regulatory, analysis, oversight, reimbursement, 
operational, and policy functions performed within the agency or by a 
contractor, consultant, or a CMS grantee; (2) support another Federal 
and/or state agency, agency of a state government, an agency 
established by state law, or its fiscal agent; (3) assist Medicare Part 
D sponsors; (4) support an individual or organization with projects 
that provide transparency in health care on a broad-scale enabling 
consumers to compare the quality and price of health care services for 
a research, evaluation, or epidemiological or other project related to 
protecting the public's health, the prevention of disease or 
disability, the restoration or maintenance of health, or for payment 
related purposes; (5) assist Quality Improvement Organizations; (6) 
support lawsuits involving the agency; and (7) combat fraud, waste, and 
abuse in certain Federally funded health benefits programs.

DATES: Effective Dates: CMS filed a modified or altered system report 
with the Chair of the House Committee on Government Reform and 
Oversight, the Chair of the Senate Committee on Homeland Security & 
Governmental Affairs, and the Administrator, Office of Information and 
Regulatory Affairs, Office of Management and Budget (OMB) on May 22, 
2008. To ensure that all parties have adequate time in which to 
comment, the modified system, including routine uses, will become 
effective 30 days from the publication of the notice, or 40 days from 
the date it was submitted to OMB and Congress, whichever is later, 
unless CMS receives comments that require alterations to this notice.

ADDRESSES: The public should send comments to: CMS Privacy Officer, 
Division of Privacy Compliance, Enterprise Architecture and Strategy 
Group, Office of Information Services, CMS, Mail stop N2-04-27, 7500 
Security Boulevard, Baltimore, Maryland 21244-1850. Comments received 
will be available for review at this location, by appointment, during 
regular business hours, Monday through Friday from 9 a.m.-3 p.m., 
Eastern Time zone.

FOR FURTHER INFORMATION CONTACT: Alissa Deboy, Director, Division of 
Drug Plan Policy & Analysis, Medicare Drug Benefit Group, Centers for 
Beneficiary Choices, CMS, Room C1-26-26, 7500 Security Boulevard, 
Baltimore, Maryland 21244-1850. The telephone number is 410-786-6041 or 
e-mail at Alissa.Deboy@cms.hhs.gov.

SUPPLEMENTARY INFORMATION: In December 2003, Congress added Part D 
under Title XVIII when it passed the Medicare Prescription Drug, 
Improvement, and Modernization Act. The Act allows Medicare to pay 
plans to provide Part D prescription drug coverage as described in 
Title 42, Code of Federal Regulations (CFR) Sec.  423.301. The Act 
allows Medicare to pay Part D sponsors in one of four ways: 1. Direct 
subsidies; 2. Premium and cost-sharing subsidies for qualifying low-
income individuals (low-income subsidy); 3. Federal reinsurance 
subsidies; and 4. Risk-sharing. Throughout this notice, the term 
``sponsor'' means all entities that provide Part D prescription drug 
coverage and submit claims data to CMS for payment calculations.
    As a condition of payment, all Part D sponsors must submit data and 
information necessary for CMS to carry out payment provisions (Sec.  
1860D-15(c)(1)(C) and (d)(2) of the Act, and 42 CFR 423.322). In 
addition, these data may be disclosed to other entities, pursuant to 
Sec.  1860D-12(b)(3)(D) and 42 CFR 423.505(b)(8) and (f), (l), and (m)) 
for the purposes described in the routine uses described in this SOR 
notice. Furthermore, this data may be disclosed pursuant to Sec.  1106 
of the Act.
    This notice explains how CMS would collect data elements on Part D 
prescription drug events (PDE data, also called ``claims'' data) 
according to the statute. Data elements such as beneficiary, plan, 
pharmacy and prescriber identifiers would be used to validate claims 
and meet other legislative requirements or initiatives such as quality 
monitoring, program integrity, and payment oversight. In addition, the 
original 37 data elements submitted as part of the prescription drug 
event data would be used for other purposes as allowed by Sec.  1860D-
12 and its implementing regulations.
    In addition, summary prescription drug claim information based on 
the original 37 elements maintained in this system will be used to (1) 
generate reports to Congress and the public on overall statistics 
associated with the operation of the Medicare prescription drug 
program; (2) conduct evaluations of the overall Medicare program; (3) 
make legislative proposals to the Congress regarding Federal health 
care programs; (4) conduct demonstration and pilot projects and make 
recommendations for improving the economy, efficiency or effectiveness 
of the Medicare program; (5) support care coordination and disease 
management programs; (6) support quality improvement, performance 
measurement, and public reporting activities; (7) populate personal 
health care records; and (8) as otherwise permitted under 42 CFR 
423.505.
    In addition to the individually identifiable information identified 
in section I. B. (Data in the System) below, we will maintain the 
following data elements, which may be used under the authority of 
sections 1860D-12 and D-15 as noted above: Identification of pharmacy 
where the prescription was filled; indication of whether drug was 
compounded or mixed; indication of prescriber instruction regarding

[[Page 30945]]

substitution of generic equivalents or order to ``dispense as 
written;'' quantity dispensed (for example, number of tablets, grams, 
milliliters, or other unit); days supply; fill number; dispensing 
status and whether the full quantity is dispensed at one time, or the 
quantity is partially filled; identification of coverage status, such 
as whether the product dispensed is covered under the plan benefit 
package or under Part D or both. This code also identifies whether the 
drug is being covered as part of a Part D supplemental benefit; 
indication of whether unique pricing rules apply, for example because 
of an out-of-network or Medicare as Secondary Payer services; 
indication of whether the beneficiary has reached the annual out-of-
pocket threshold, which triggers reduced beneficiary cost-sharing and 
the reinsurance subsidy; ingredient cost of the product dispensed; 
dispensing fee paid to pharmacy; sales tax; for covered Part D drugs, 
the amount of gross drug costs that are both below and above the annual 
out-of-pocket threshold; amount paid by patient and not reimbursed by a 
third party (such as co-payments, coinsurance, or deductibles); amount 
of third party payment that would count toward a beneficiary's true 
out-of-pocket (TrOOP) costs in meeting the annual out-of-pocket 
threshold, such as payments on behalf of a beneficiary by a qualifying 
State Pharmacy Assistance Program (SPAP); low-income cost-sharing 
subsidy amount (if any); and reduction in patient liability due to non-
TrOOP-eligible payers paying on behalf of the beneficiary (which would 
exclude payers whose payments count toward a beneficiary's true out of 
pocket costs, such as SPAPs amounts paid by the plan for basic 
prescription drug coverage and amounts paid by plan for benefits beyond 
basic prescription drug coverage).

I. Description of the Modified System of Records

A. Statutory and Regulatory Basis for System

    This system is mandated and authorized under provisions of the 
Medicare Prescription Drug, Improvement, and Modernization Act, 
amending the Social Security Act by adding Part D under Title XVIII 
(Sec. Sec.  1860D-15(c)(1)(C) and (d)(2), as described in Title 42, 
Code of Federal Regulations (CFR) 423.301 et.seq. as well as1860D-
12(b)(3)(D) and 1106 of the Act, as described in 42 CFR 423.505(b)(8) 
and (f),(l), and (m).

B. Data in the System

    This system collects and maintains individually identifiable 
information on Medicare beneficiaries who have enrolled in a Medicare 
Part D plan and individually identifiable data on prescribing health 
care professionals and referring/servicing pharmacies. The data 
includes, but is not limited to, summary prescription drug claim data 
and individually identifiable beneficiary information such as: health 
insurance claim number, card holder identification number, date of 
service, gender, other identifying data, and optionally, the patient's 
date of birth. Identifying information of prescribing health care 
providers include the prescriber identification number and qualifier 
and the pharmacy service provider ID and qualifier.

II. Agency Policies, Procedures, and Restrictions on Routine Uses

    A. Below are CMS' policies and procedures for giving out 
individually identifiable information maintained in the system. CMS 
would only use and disclose the minimum data necessary to achieve the 
purpose of the DDPS if the following requirements are met:
    1. The information or use of the information is consistent with the 
reason that the data is being collected;
    2. The individually identifiable information is necessary to 
complete the project (taking into account the risk to the privacy of 
the individual);
    3. The organization receiving the information establishes 
administrative, technical, and physical protections to prevent 
unauthorized use of the information;
    4. The organization removes or destroys the information that allows 
the individual to be identified at the earliest time;
    5. The organization generally agrees to not use or disclose the 
information for any purpose other than the stated purpose under which 
the information was disclosed; and
    6. The data are valid and reliable.
    The Privacy Act allows CMS to give out identifiable and non-
identifiable information for routine uses without an individual's 
consent/authorization. The identifiable data described in this notice 
is listed under Section I. B. above.

III. Routine Uses of Data

    A. In addition to those entities specified in the Privacy Act of 
1974, CMS may use and disclose information from the DDPS without the 
consent of the individual for routine uses pursuant to sections 1860D-
15 and 1860D-12(b)(3)(D) of the Social Security Act . Below are the 
modified routine uses for releasing information without individual 
consent that CMS would add or modify in the DDPS.
    1. To support Agency contractors, consultants, or CMS grantees who 
have been engaged by the Agency to assist in accomplishment of a CMS 
function relating to the purposes for this SOR and who need to have 
access to the records in order to assist CMS.
    We contemplate disclosing information under this routine use only 
in situations in which CMS may enter into a contractual or similar 
agreement with a third party to assist in accomplishing a CMS function 
relating to purposes for this SOR.
    CMS occasionally contracts out or makes other arrangements for 
certain functions when doing so would contribute to effective and 
efficient operations. CMS must be able to give a contractor, 
consultant, or CMS grantee whatever information is necessary for the 
contractor, consultant, or grantee to fulfill its duties. In these 
situations, safeguards are provided in the contract/similar agreement 
prohibiting the contractor, consultant, or grantee from using or 
disclosing the information for any purpose other than that described in 
the contract/similar agreement and requires the contractor, consultant, 
or grantee to destroy all information at the completion of the contract 
or similar agreement.
    2. To assist another Federal or state agency, agency of a state 
government, an agency established by state law, or its fiscal agent to:
    a. Contribute to the accuracy of CMS' payment of Medicare benefits,
    b. Administer a Federal health benefits program or fulfill a 
Federal statute or regulatory requirement or allowance that implements 
a health benefits program funded in whole or in part with Federal 
funds,
    c. Access data required for Federal/state Medicaid programs, or
    Other Federal or state agencies in their administration of a 
Federal health program may require DDPS information in order to support 
evaluations and monitoring of Medicare claims information of 
beneficiaries, including proper reimbursement for services provided.
    In addition, disclosure under this routine use may be used by state 
agencies pursuant to agreements with the HHS for determining Medicare 
or Medicaid eligibility, for determining eligibility of recipients of 
assistance under titles IV, XVIII, and XIX of the Act, and for the 
administration and operation of the Medicare and Medicaid programs 
including quality

[[Page 30946]]

improvement and care coordination. Data will be disclosed to the state 
only on those individuals who are or were patients under the services 
of a program within the state or who are residents of that state.
    3. To support Part D Sponsors, pharmacy benefit managers, claims 
processors, and other Prescription Drug Event submitters, in protecting 
their own members (and former members for the periods enrolled in a 
given plan) against medical expenses of their enrollees without the 
beneficiary's authorization, and having knowledge of the occurrence of 
any event affecting (a) an individual's right to any such benefit or 
payment, or (b) the initial right to any such benefit or payment, for 
the purpose of coordination of benefits with the Medicare program and 
implementation of the Medicare Secondary Payer provision at 42 U.S.C. 
1395y (b). Information to be disclosed shall be limited to Medicare 
utilization data necessary to perform that specific function. In order 
to receive the information, they must agree to:
    a. Certify that the individual about whom the information is being 
provided is one of its insured or employees, or is insured and/or 
employed by another entity for whom they serve as a Third Party 
Administrator;
    b. Utilize the information solely for the purpose of processing the 
individual's insurance claims; and
    c. Safeguard the confidentiality of the data and prevent 
unauthorized access.
    Other insurers may need data in order to support evaluations and 
monitoring of Medicare claims information, including proper 
reimbursement for services.
    4. To assist an individual or organization with research, an 
evaluation, or an epidemiological or other project related to 
protecting the public's health, the prevention of disease or 
disability, restoration or maintenance of health, or for payment 
related purposes. This includes projects that provide transparency in 
health care on a broad-scale enabling consumers to compare the quality 
and price of health care services. CMS must:
    a. Determine if the use or disclosure of data violate legal 
limitations under which the record was provided, collected, or 
obtained;
    b. Determine that the purpose for the use or disclosure of 
information:
    (1) Cannot be reasonably accomplished unless the record is provided 
in individually identifiable form,
    (2) Is of sufficient importance to warrant the effect or risk on 
the privacy of the individual, and
    (3) Meets the objectives of the project;
    c. Requires the recipient of the information to:
    (1) Establish reasonable administrative, technical, and physical 
protections to prevent unauthorized use or disclosure of information,
    (2) Remove or destroy the information that allows the individual to 
be identified at the earliest time at which removal or destruction can 
be accomplished consistent with the purpose of the project, unless the 
recipient presents an adequate justification for retaining such 
information, and
    (3) No longer use or disclose information except:
    (a) In emergency circumstances affecting the health or safety of 
any individual;
    (b) For use in another research project, under these same 
conditions and with written CMS approval;
    (c) For an audit related to the research;
    (d) For disclosure to a properly identified person for the purpose 
of an audit related to the research project, if information that would 
enable research subjects to be identified is removed or destroyed at 
the earliest opportunity consistent with the purpose of the audit; or
    (e) When required by Federal law.
    d. Get signed, written statements from the entity receiving the 
information that they understand and will follow all provisions in this 
notice.
    e. Complete and submit a Data Use Agreement (CMS Form 0235) in 
accordance with current CMS policies.
    CMS anticipates that there will be many legitimate requests to use 
these data in projects that could ultimately improve the care provided 
to Medicare beneficiaries and the policy that governs the care.
    5. To support Quality Improvement Organizations (QIO) in the claims 
review process, or with studies or other review activities performed in 
accordance with Part B of Title XI of the Act. QIOs can also use the 
data for outreach activities to establish and maintain entitlement to 
Medicare benefits or health insurance plans.
    QIOs will work to implement quality improvement and performance 
measurement programs, provide consultation to CMS, its contractors, and 
to state agencies. QIOs will assist the state agencies in related 
monitoring and enforcement efforts, assist CMS and intermediaries in 
program integrity assessment, and prepare summary information for 
disclosure to CMS.
    6. To assist the Department of Justice (DOJ), court, or 
adjudicatory body when there is a lawsuit in which the Agency, any 
employee of the Agency in his or her official capacity or individual 
capacity (if the DOJ agrees to represent the employee), or the United 
States Government is a party or CMS' policies or operations could be 
affected by the outcome. The information must be both relevant and 
necessary to the lawsuit, and the use of the records is for a purpose 
that is compatible with the purpose for which CMS collected the 
records.
    Whenever CMS is involved in litigation, or occasionally when 
another party is involved in litigation and CMS' policies or operations 
could be affected by the outcome of the litigation, CMS would be able 
to disclose information to the DOJ, court, or adjudicatory body 
involved.
    7. To support a CMS contractor that assists in the administration 
of a CMS health benefits program or a grantee of a CMS-administered 
grant program if the information is necessary, in any capacity, to 
combat fraud, waste, or abuse in such program. CMS will only provide 
this information if CMS can enter into a contract or grant for this 
purpose.
    CMS must be able to give a contractor or CMS grantee necessary 
information in order to complete their contractual responsibilities. In 
these situations, protections are provided in the contract prohibiting 
the contractor or grantee from using or releasing the information for 
any purpose other than that described in the contract. It also requires 
the contractor or grantee to return or destroy all information when the 
contract ends.
    8. To support another Federal agency or any United States 
government jurisdiction (including any state or local governmental 
agency) if the information is necessary, in any capacity, to combat 
fraud, waste, or abuse in a health benefits program that is funded in 
whole or in part by Federal funds.
    Other agencies may require DDPS information for the purpose of 
combating fraud, waste, or abuse in such federally-funded programs.

B. Additional Circumstances Affecting Routine Use Disclosures

    To the extent this system contains Protected Health Information 
(PHI) as defined by HHS regulation ``Standards for Privacy of 
Individually Identifiable Health Information'' (45 CFR Parts 160 and 
164, Subparts A and E) 65 FR 82462 (December 28, 2000), use and 
disclosure of information that are otherwise allowed by these routine 
uses may only be made if, and as, permitted or required by the 
``Standards for Privacy

[[Page 30947]]

of Individually Identifiable Health Information.'' (See 45 CFR 
164.512(a)(1).)
    In addition, CMS will not give out information that is not directly 
identifiable if there is a possibility that a person with Medicare 
could be identified because the sample is small enough to identify 
participants. CMS would make exceptions if the information is needed 
for one of the routine uses or if it's required by law.

IV. Safeguards and Protections

    CMS has protections in place for authorized users to make sure they 
are properly using the data and there is no unauthorized use. Personnel 
having access to the system have been trained in the Privacy Act and 
information security requirements. Employees who maintain records in 
this system cannot use or disclose data until the recipient agrees to 
implement appropriate management, operational and technical safeguards 
that will protect the confidentiality, integrity, and availability of 
the information and information systems.
    This system would follow all applicable Federal laws and 
regulations, and Federal, HHS, and CMS security and data privacy 
policies and standards. These laws and regulations include but are not 
limited to: the Privacy Act of 1974; the Federal Information Security 
Management Act of 2002 (when applicable); the Computer Fraud and Abuse 
Act of 1986; the Health Insurance Portability and Accountability Act of 
1996; the E-Government Act of 2002, the Clinger-Cohen Act of 1996; the 
Medicare Modernization Act of 2003, and the corresponding implementing 
regulations. OMB Circular A-130, Management of Federal Resources, 
Appendix III, Security of Federal Automated Information Resources also 
applies. Federal, HHS, and CMS policies and standards include but are 
not limited to all pertinent National Institute of Standards and 
Technology publications, the HHS Information Systems Program Handbook, 
and the CMS Information Security Handbook.

V. Effects on Individual Rights

    CMS does not anticipate a negative effect on individual privacy as 
a result of giving out personal information from this system. CMS 
established this system in accordance with the principles and 
requirements of the Privacy Act and would collect, use, and disclose 
information that follow these requirements. CMS would only give out the 
minimum amount of personal data to achieve the purpose of the system. 
Use and disclosure of information from the system will be approved only 
to the extent necessary to accomplish the purpose of releasing the 
data. CMS has assigned a higher level of security clearance for the 
information maintained in this system in an effort to provide added 
security and protection of individuals' personal information and, if 
feasible, ask that once the information is no longer needed that it be 
returned or destroyed.
    CMS would take precautionary measures to minimize the risks of 
unauthorized access to the records and the potential harm to individual 
privacy, or other personal or property rights. CMS would collect only 
information necessary to perform the system's functions. In addition, 
CMS would only give out information if the individual, or his or her 
legal representative has given approval, or if allowed by one of the 
exceptions noted in the Privacy Act.

    Dated: May 22, 2008.
Charlene Frizzera,
Chief Operating Officer, Centers for Medicare & Medicaid Services.
SYSTEM NO.
    09-70-0553.

SYSTEM NAME:
    Medicare Drug Data Processing System (DDPS), HHS/CMS/CBC.

SECURITY CLASSIFICATION:
    Level Three Privacy Act Sensitive.

SYSTEM LOCATION:
    CMS Data Center, 7500 Security Boulevard, North Building, First 
Floor, Baltimore, Maryland 21244-1850 and at various contractor sites.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    This system collects and maintains individually identifiable 
information on all people with Medicare who have enrolled into a 
Medicare Part D plan and individually identifiable data on prescribing 
health care professional, referring/servicing physician, and providers.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The data includes, but is not limited to, summary prescription drug 
claim data and individually identifiable beneficiary information such 
as: Beneficiary name, address, city, state, ZIP code, card holder 
identification number, date of service, gender, demographic, other 
identifying data, and optionally, the patient's date of birth. 
Identifying information of prescribing health care professional and 
providers of services and referring/servicing physician include 
provider/physician name, title, address, city, state, ZIP code, e-mail 
address, telephone numbers, fax number, state licensure number, Social 
Security Numbers, Federal tax identification numbers, prescriber 
identification number, assigned provider number (facility, referring/
servicing physician), Drug Enforcement Agency (DEA) assigned 
identification number, and numerous other data elements related to the 
processing of the prescription drug claim.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    This system is mandated under provisions of the Medicare 
Prescription Drug, Improvement, and Modernization Act, amending the 
Social Security Act by adding Part D under Title XVIII (Sec. Sec.  
1860D-15(c)(1)(C) and (d)(2)), as described in Title 42, Code of 
Federal Regulations (CFR) 423.301 et seq. as well as1860D-12(b)(3)(D) 
and 1106 of the Act, as described in 42 CFR 423.505(b)(8), (f), (l), 
and (m).

PURPOSE(S) OF THE SYSTEM:
    The primary purpose of this system is to collect, maintain, and 
process information on all Medicare covered, and as many non-covered 
drug events as possible, for people with Medicare who have enrolled 
into a Medicare Part D plan. The system will help CMS determine 
appropriate payment of covered drugs. It will also provide for 
processing, storing, and maintaining drug transaction data in a large-
scale database, while putting data into data marts to support payment 
analysis. CMS would allow the expanded release of information in this 
system to: (1) Support regulatory, analysis, oversight, reimbursement, 
operational and policy functions performed within the agency or by a 
contractor, consultant, or a CMS grantee; (2) help another Federal and/
or state agency, agency of a state government, an agency established by 
state law, or its fiscal agent; (3) assist Medicare Part D sponsors; 
(4) support an individual or organization with projects that provide 
transparency in health care on a broad-scale enabling consumers to 
compare the quality and price of health care services or for a 
research, evaluation, or epidemiological or other project related to 
protecting the public's health, the prevention of disease or 
disability, the restoration or maintenance of health, or for payment 
related purposes; (5) assist Quality Improvement Organizations; (6) 
support lawsuits involving the agency; and (7) combat fraud, waste, and 
abuse in certain Federally funded health benefits programs.

[[Page 30948]]

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OR USERS AND THE PURPOSES OF SUCH USES:
A. Entities Who May Receive Disclosures Under Routine Use:
    These routine uses specify circumstances, in addition to those 
provided by statute in the Privacy Act of 1974, under which CMS may use 
and disclose information from the DDPS without the consent of the 
individual to whom such information pertains. Each proposed disclosure 
of information under these routine uses will be evaluated to ensure 
that the disclosure is legally permissible, including but not limited 
to ensuring that the purpose of the disclosure is compatible with the 
purpose for which the information was collected. We propose to 
establish or modify the following routine use disclosures of 
information maintained in the system:
    1. To support Agency contractors, consultants, or CMS grantees who 
have been engaged by the Agency to assist in accomplishment of a CMS 
function relating to the purposes for this SOR and who need to have 
access to the records in order to assist CMS.
    2. To assist another Federal or state agency, agency of a state 
government, an agency established by state law, or its fiscal agent 
pursuant to agreements with CMS to:
    a. Contribute to the accuracy of CMS's payment of Medicare 
benefits;
    b. Administer a Federal health benefits program, or as necessary to 
enable such agency to fulfill a requirement of a Federal statute or 
regulation that implements a health benefits program funded in whole or 
in part with Federal funds; and/or
    c. Access data required for Federal/state Medicaid programs.
    3. To support Part D Prescription Drug sponsors, pharmacy benefit 
managers, claims processors, and other Prescription Drug Event 
submitters, in protecting their own members (and former members for the 
periods enrolled in a given plan) against medical expenses of their 
enrollees without the beneficiary's authorization, and having knowledge 
of the occurrence of any event affecting (a) an individual's right to 
any such benefit or payment, or (b) the initial right to any such 
benefit or payment, for the purpose of coordination of benefits with 
the Medicare program and implementation of the Medicare Secondary Payer 
provision at 42 U.S.C. 1395y(b). Information to be disclosed shall be 
limited to Medicare utilization data necessary to perform that specific 
function. In order to receive the information, they must agree to:
    a. Certify that the individual about whom the information is being 
provided is one of its insured or employees, or is insured and/or 
employed by another entity for whom they serve as a Third Party 
Administrator;
    b. Utilize the information solely for the purpose of processing the 
individual's insurance claims; and
    c. Safeguard the confidentiality of the data and prevent 
unauthorized access.
    4. To assist an individual or organization with research, an 
evaluation, or an epidemiological or other project related to 
protecting the public's health, the prevention of disease or 
disability, restoration or maintenance of health, or for payment 
related purposes. This includes projects that provide transparency in 
health care on a broad-scale enabling consumers to compare the quality 
and price of health care services. CMS must:
    a. Determine if the use or disclosure of data violate legal 
limitations under which the record was provided, collected, or 
obtained;
    b. Determine that the purpose for the use or disclosure of 
information:
    (1) Cannot be reasonably accomplished unless the record is provided 
in individually identifiable form;
    (2) Is of sufficient importance to warrant the effect or risk on 
the privacy of the individual; and
    (3) Meets the objectives of the project;
    c. Requires the recipient of the information to:
    (1) Establish reasonable administrative, technical, and physical 
protections to prevent unauthorized use or disclosure of information;
    (2) Remove or destroy the information that allows the individual to 
be identified at the earliest time at which removal or destruction can 
be accomplished consistent with the purpose of the project, unless the 
recipient presents an adequate justification for retaining such 
information; and
    (3) No longer use or disclose information except:
    (a) In emergency circumstances affecting the health or safety of 
any individual;
    (b) For use in another research project, under these same 
conditions and with written CMS approval;
    (c) For an audit related to the research;
    (d) For disclosure to a properly identified person for the purpose 
of an audit related to the research project, if information that would 
enable research subjects to be identified is removed or destroyed at 
the earliest opportunity consistent with the purpose of the audit; or
    (e) When required by Federal law.
    d. Get signed, written statements from the entity receiving the 
information that they understand and will follow all provisions in this 
notice.
    e. Complete and submit a Data Use Agreement (CMS Form 0235) in 
accordance with current CMS policies.
    5. To support Quality Improvement Organization (QIO) with claims 
review process or with studies or other review activities performed in 
accordance with Part B of Title XI of the Social Security Act. QIOs can 
also use the data for outreach activities to individuals for the 
purpose of establishing and maintaining their entitlement to Medicare 
benefits or health insurance plans.
    6. To assist the Department of Justice (DOJ), court, or 
adjudicatory body when there is a lawsuit in which the Agency, any 
employee of the Agency in his or her official capacity or individuals 
capacity (if the DOJ agrees to represent the employee), or the United 
States Government is a part of CMS' policies or operations could be 
affected by the outcome. The information must be both relevant and 
necessary to the lawsuit, and the use of records is for a purpose that 
is compatible with the purpose for which CMS collected records.
    7. To support a CMS contractor that assists in the administration 
of a CMS health benefits program, or a grantee of a CMS-administered 
grant program, if the information is necessary, in any capacity, to 
combat fraud, waste, or abuse in such program. CMS will only provide 
this information if CMS can enter into a contract or grant for this 
purpose.
    8. To support another Federal agency or any United States 
government jurisdiction (including any state, or local governmental 
agency), if the information is necessary, in any capacity to combat 
fraud, waste or abuse in a health benefits program funded in whole or 
in part by Federal funds.

B. Additional Circumstances Affecting Routine Use Disclosures:
    To the extent this system contains Protected Health Information 
(PHI) as defined by HHS regulation ``Standards for Privacy of 
Individually Identifiable Health Information'' (45 CFR Parts 160 and 
164, Subparts A and E) 65 FR 82462 (12-28-00) release of information 
that are otherwise allowed by these routine uses may only be made if, 
and as, permitted or required by the ``Standards for Privacy of 
Individually Identifiable Health Information.'' (See 45 CFR 164-512 
(a)(1).)
    In addition, CMS will not give out information that is not directly 
identifiable if there is a possibility that

[[Page 30949]]

a person with Medicare could be identified because the sample is small 
enough to identify participants. CMS would make exceptions if the 
information is needed for one of the routine uses or if it's required 
by law.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    Records are stored on both tape cartridges (magnetic storage media) 
and in a DB2 relational database management environment (DASD data 
storage media).

RETRIEVABILITY:
    Information is most frequently retrieved by HICN, provider number 
(facility, physician, IDs), service dates, and beneficiary state code.

SAFEGUARDS AND PROTECTIONS:
    CMS has protections in place for authorized users to make sure they 
are properly using the data and there is no unauthorized use. Personnel 
having access to the system have been trained in the Privacy Act and 
information security requirements. Employees who maintain records in 
this system cannot use or disclose data until the recipient agrees to 
implement appropriate management, operational and technical safeguards 
that will protect the confidentiality, integrity, and availability of 
the information and information systems.
    This system would follow all applicable Federal laws and 
regulations, and Federal, HHS, and CMS security and data privacy 
policies and standards. These laws and regulations include but are not 
limited to: the Privacy Act of 1974; the Federal Information Security 
Management Act of 2002 (when applicable); the Computer Fraud and Abuse 
Act of 1986; the Health Insurance Portability and Accountability Act of 
1996; the E-Government Act of 2002, the Clinger-Cohen Act of 1996; the 
Medicare Modernization Act of 2003, and the corresponding implementing 
regulations. OMB Circular A-130, Management of Federal Resources, 
Appendix III, Security of Federal Automated Information Resources also 
applies. Federal, HHS, and CMS policies and standards include but are 
not limited to all pertinent National Institute of Standards and 
Technology publications, the HHS Information Systems Program Handbook, 
and the CMS Information Security Handbook.

RETENTION AND DISPOSAL:
    Records are maintained with identifiers for all transactions after 
they are entered into the system for a period of 20 years. Records are 
housed in both active and archival files. All claims-related records 
are encompassed by the document preservation order and will be retained 
until notification is received from the Department of Justice.

SYSTEM MANAGER AND ADDRESS:
    Director, Centers for Beneficiary Choices, CMS, Mail stop C5-19-07, 
7500 Security Boulevard, Baltimore, Maryland 21244-1850.

NOTIFICATION PROCEDURE:
    For purpose of notification, the subject individual should write to 
the system manager who will require the system name, and the retrieval 
selection criteria (e.g., HICN, facility/pharmacy number, service 
dates, etc.).

RECORD ACCESS PROCEDURE:
    For purpose of access, use the same procedures outlined in 
Notification Procedures above. Requestors should also reasonably 
specify the record contents being sought. (These procedures are in 
accordance with Department regulation 45 CFR 5b.5 (a)(2).)

CONTESTING RECORD PROCEDURES:
    The subject individual should contact the system manager named 
above, and reasonably identify the record and specify the information 
to be contested. State the corrective action sought and the reasons for 
the correction with supporting justification. (These procedures are in 
accordance with Department regulation 45 CFR 5b.7.)

RECORD SOURCE CATEGORIES:
    Summary prescription drug claim information contained in this 
system is obtained from the Part D Sponsor daily and monthly drug event 
transaction reports, Medicare Beneficiary Database (09-70-0530), and 
other payer information to be provided by the TROOP Facilitator.

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
    None.

[FR Doc. E8-11949 Filed 5-28-08; 8:45 am]
BILLING CODE 4120-03-P