Exemption of Certain Systems of Records Under the Privacy Act, 55772-55775 [E8-21909]
Federal Register / Vol. 73, No. 188 / Friday, September 26, 2008 / Rules and Regulations
(Catalog of Federal Domestic Assistance
Program No. 93.778, Medical Assistance
Program)
its terms. The contractor will not have
a right to a hearing or judicial review
regarding CMS’s renewal or nonrenewal decision.
§ 455.238
Conflict of Interest.
(a) Offerors for Medicaid integrity
audit program contracts, and Medicaid
integrity audit program contractors, are
subject to the following requirements:
(1) The conflict of interest standards
and requirements of the Federal
Acquisition Regulation organizational
conflict of interest guidance, found
under 48 CFR subpart 9.5.
(2) The standards and requirements
that are contained in each individual
contract awarded to perform activities
described under section 1936 of the Act.
(b) Post-award conflicts of interest:
CMS considers that a post-award
conflict of interest has developed if,
during the term of the contract, one of
the following occurs:
(1) The contractor or any of its
employees, agents, or subcontractors
received, solicited, or arranged to
receive any fee, compensation, gift
(defined at 5 CFR 2635.203(b)), payment
of expenses, offer of employment, or any
other thing of value from any entity that
is reviewed, audited, investigated, or
contacted during the normal course of
performing activities under the
Medicaid integrity audit program
contract.
(2) CMS determines that the
contractor’s activities are creating a
conflict of interest.
(c) If CMS determines that a conflict
of interest exists during the term of the
contract, among other actions, CMS
may:
(1) Not renew the contract for an
additional term.
(2) Modify the contract.
(3) Terminate the contract.
§ 435.240
Conflict of Interest Resolution.
(a) Review Board: CMS may establish
a Conflicts of Interest Review Board to
assist in resolving organizational
conflicts of interest.
(b) Resolution: Resolution of an
organizational conflict of interest is a
determination by the contracting officer
that:
(1) The conflict is mitigated.
(2) The conflict precludes award of a
contract to the offeror.
(3) The conflict requires that CMS
modify an existing contract.
(4) The conflict requires that CMS
terminate an existing contract.
(5) It is in the best interest of the
government to contract with the offeror
or contractor even though the conflict of
interest exists and a request for waiver
is approved in accordance with 48 CFR
9.503.
Dated: June 18, 2008.
Kerry Weems,
Acting Administrator, Centers for Medicare
& Medicaid Services.
Approved: July 29, 2008.
Michael O. Leavitt,
Secretary.
[FR Doc. E8–22693 Filed 9–25–08; 8:45 am]
BILLING CODE 4120–01–P
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Office of the Secretary
45 CFR Part 5b
[CMS–0029–F]
RIN 0938–A069
Exemption of Certain Systems of
Records Under the Privacy Act
AGENCY: Office of the Secretary, HHS.
ACTION: Final rule.
SUMMARY: This final rule exempts four
systems of records (SORs) from
subsections (c)(3), (d)(1) through (d)(4),
(e)(4)(G) and (H), and (f) of the Privacy
Act pursuant to 5 U.S.C. 552a(k)(2): The
Automated Survey Processing
Environment (ASPEN) Complaint/
Incidents Tracking System (ACTS),
HHS/CMS, System No. 09–70–0565; the
Health Insurance Portability and
Accountability Act (HIPAA) Information
Tracking System (HITS), HHS/CMS,
System No. 09–70–0544; the Organ
Procurement Organizations System
(OPOS), HHS/CMS, System No. 09–70–
0575; and the Fraud Investigation
Database (FID), HHS/CMS, System No.
09–70–0527.
DATES: Effective Date: These regulations
are effective on October 27, 2008.
FOR FURTHER INFORMATION CONTACT:
Walter Stone, (410) 786–5357.
SUPPLEMENTARY INFORMATION:
I. Background
The four systems of records (SORs)
that are the subject of this final rule and
the May 25, 2007 proposed rule are as
follows:
A. The Automated Survey Processing
Environment Complaints/Incidents
Tracking System (ACTS), HHS/CMS,
System No. 09–70–0565
In the August 22, 2003 Federal
Register (68 FR 50795), we published a
notice announcing a new SOR titled
Automated Survey Processing
Environment (ASPEN) Complaint/
Incidents Tracking System (ACTS),
HHS/CMS, System No. 09–70–0565.
In the May 23, 2006 Federal Register
(71 FR 29643) we published a notice
that modified the ACTS SOR. This
notice included all modifications and
the full text of this system of records.
ACTS is a Windows-based program
whose primary purpose is to track and
process complaints and incidents
reported against health care facilities
regulated by CMS and State agencies.
These facilities include Clinical
Laboratory Improvement Amendment
(CLIA)-certified laboratories, skilled
nursing facilities (SNFs), nursing
facilities, hospitals, home health
agencies (HHAs), end stage renal disease
(ESRD) facilities, hospices, rural health
clinics (RHCs), comprehensive
outpatient rehabilitation facilities
(CORFs), outpatient physical therapy
services, community mental health
centers (CMHCs), ambulatory surgical
centers (ASCs), suppliers of portable
x-ray services, and intermediate care
facilities for persons with mental
retardation (ICF/MRs). ACTS contains
identifiable information on individuals,
who are complainants, residents,
patients, clients, contacts or witnesses.
It also may include alleged perpetrators,
survey team members, laboratory
directors, laboratory owners, and
employees and directors of the health
care facilities noted previously. ACTS is
designed to manage all operations
associated with complaint and incident
tracking and processing, from initial
intake and investigation through the
final disposition.
B. The Health Insurance Portability and
Accountability Act (HIPAA) Information
Tracking System (HITS), HHS/CMS,
System No. 09–70–0544.
In the July 6, 2005 Federal Register
(70 FR 38944), we published a notice
announcing a new SOR titled Health
Insurance Portability and
Accountability Act (HIPAA) Information
Tracking System (HITS), HHS/CMS,
System No. 09–70–0544.
In general, HITS consists of an
electronic repository of information,
documents, and supplementary paper
document files resulting from
investigations of alleged violations of
the transactions and code sets, security,
and unique identifier provisions of
HIPAA. HITS’ purpose is to support
investigations of complainants,
determinations as to whether there were
violations as charged in the original
complaint, referral of violations to law
enforcement entities as necessary, and
maintenance and retrieval of records
that contain the results of the complaint
investigations. The system of records
covers individuals who have submitted
complaints alleging violations of the
provisions of HIPAA. Investigative files
maintained in HITS are received either
as electronic documents or as paper
records that are compiled for law
enforcement purposes.
C. The Organ Procurement
Organizations System (OPOS), HHS/
CMS, System No. 09–70–0575
In the May 22, 2006 Federal Register
(71 FR 29336), we published a notice
announcing a new SOR titled Organ
Procurement Organizations System
(OPOS), HHS/CMS, System No. 09–70–
0575. OPOS is a Windows based
program whose purpose is to track and
process complaints and incidents
reported against Organ Procurement
Organizations. Section 701 of the Organ
Procurement Organization System
Certification Act of 2000 (Pub. L. 106–
505) gave the Department the authority
to collect and maintain individually
identifiable information pertaining to
allegations filed by a complainant,
beneficiary, or provider of services
against Organ Procurement
Organizations. This information
includes information gathered during all
aspects of an investigation, including
initial complaints, findings, results,
disposition, and relevant
correspondence.
D. The Fraud Investigation Database
(FID), HHS/CMS, System No. 09–70–
0527
In the October 28, 2002 Federal
Register (70 FR 65795), we published a
notice that modified, among other
things, the name of a SOR entitled
‘‘CMS Utilization Review Investigatory
Files, System No. 09–70–0527’’ to ‘‘CMS
Fraud Investigation Database (FID).’’
The notice included the full text of the
FID system of records. The FID system
of records contains the name, work
address, work phone number, social
security number, Unique Provider
Identification Number (UPIN), and other
identifying demographics of individuals
alleged to have violated provisions of
the Social Security Act (the Act) related
to Medicare, Medicaid, HMO/Managed
Care, and the Children’s Health
Insurance Program. The FID system of
records also contains the contact
information and other identifying
demographics of individuals alleged to
have violated other criminal or civil
statutes connected with the Act and the
Act’s programs. Here, individuals are
persons alleged to have abused the Act’s
programs. (For example, an individual
could be a person alleged to have
rendered unnecessary services to
Medicare beneficiaries or Medicaid
recipients, over-used services, or
engaged in improper billing.) They are
persons whose activities have provided
a substantial basis for criminal or civil
prosecution, or who are identified as
defendants in criminal prosecution
cases.
II. Provisions of the Proposed Rule
In the May 25, 2007 Federal Register
(72 FR 29289) we published a proposed
rule that would exempt the ACTS,
HITS, OPOS, and FID systems of records
from subsection (c)(3), (d)(1) through
(d)(4), (e)(4)(G) and (H), and (f) of the
Privacy Act pursuant to 5 U.S.C.
552a(k)(2). These exemptions would
apply only to the extent that
information in a record is subject to
exemption pursuant to 5 U.S.C.
552a(k)(2). We proposed that the ACTS,
HITS, OPOS, and FID systems of records
would be exempted from the following
subsections for the reasons set forth
below:
• Subsection (c)(3). Release of an
accounting of disclosures to an
individual who is the subject of an
investigation could reveal the nature
and scope of the investigation and could
result in the altering or destruction of
evidence, improper influencing of
witnesses, and other evasive actions that
could impede or compromise the
investigation.
• Subsection (d)(1). Release of
investigative records to an individual
who is the subject of an investigation
could interfere with pending or
prospective law enforcement
proceedings, constitute an unwarranted
invasion of the personal privacy of third
parties, reveal the identity of
confidential sources, or reveal sensitive
investigative techniques and
procedures.
• Subsections (d)(2) through (d)(4).
Amendment or correction of
investigative records could interfere
with pending or prospective law
enforcement proceedings, or could
impose an impossible administrative
and investigative burden by requiring us
to continuously retrograde our
investigations in an attempt to resolve
questions of accuracy, relevance,
timeliness, and completeness.
• Subsection (e)(4)(G) and (H).
Notifying an individual who is the
subject of an investigation or a witness
that a system of records contains
information about him or her could
reveal the nature and scope of the
investigation and could result in the
altering or destruction of evidence,
improper influencing of witnesses, and
other evasive actions that could impede
or compromise the investigation.
• Subsection (f). Establishing
procedures for notification, inspection
or amendment of records, or appeals of
denials of access to records would
interfere with pending or prospective
law enforcement proceedings, constitute
an unwarranted invasion of the personal
privacy of third parties, reveal the
identity of confidential sources, or
reveal sensitive investigative
techniques. Furthermore, these actions
could impose an impossible
administrative and investigative burden
by requiring us to continuously
retrograde our investigations in an
attempt to resolve questions of accuracy,
relevance, timeliness, and
completeness.
Accordingly, we proposed to amend
45 CFR 5b.11(b)(2)(ii) of the Privacy Act
regulations by adding the following:
• A new paragraph (H) that exempts
investigative materials compiled for law
enforcement purposes from ACTS.
• A new paragraph (I) that exempts
investigative materials compiled for law
enforcement purposes from HITS.
• A new paragraph (J) that exempts
investigative materials compiled for law
enforcement purposes from OPOS.
• A new paragraph (K) that exempts
investigative materials compiled for law
enforcement purposes from FID.
III. Analysis of and Responses to Public
Comments
We solicited and received two timely
public comments on the May 25, 2007
proposed rule. The following is a
summary of the comments and our
responses.
Comment: One commenter believed
that 45 CFR 5b.11(d) seems to allow the
Department of Health and Human
Services to disclose identities of sources
who furnished information under an
express promise of confidentiality.
Response: We do not disclose
information that would reveal the
identities of sources who furnish
information under an express promise
of confidentiality because the promise
of confidentiality made to a witness is
an agreement with that individual, and
such disclosure would be both a
violation of that agreement and
counterproductive to law enforcement
efforts, as it would discourage
individuals from coming forward to
supply information about alleged
misconduct. 45 CFR 5b.11(b) gives the
responsible Department official
discretion to grant notification of access
to a record in a system of records which
is exempt under 45 CFR 5b.11(b), unless
disclosure to the general public is
otherwise prohibited by law. The
department does not intend to exercise
its discretion to disclose identifying
information about sources who furnish
information under an express promise
of confidentiality.
Comment: Commenters requested that
the exemptions be narrowed or clarified
by defining the terms ‘‘investigative
materials’’ and ‘‘law enforcement
purposes,’’ including differentiating
among kinds of records within each
system that constitute ‘‘investigatory
materials,’’ as well as describing agency
uses that are not consistent with ‘‘law
enforcement purposes.’’ A commenter
suggested that CMS implement
regulatory definitions, criteria,
guidelines or other means to effectuate
a confidentiality promise to an
informant and to recognize whether or
not one has been effectuated for
purposes of compliance with subsection
(k)(2) of the Privacy Act.
Response: We believe that with
respect to clarifying what constitutes a
confidentiality promise, we continue to
rely upon the following language in
subsection (k)(2) of the Privacy Act (5
U.S.C 552a), which permits exemptions
from certain subsections of the Privacy
Act:
[I]nvestigatory material compiled for law
enforcement purposes, other than material
within the scope of subsection (j)(2) of this
section [the Privacy Act]: Provided, however,
That if any individual is denied any right,
privilege, or benefit that he would otherwise
be entitled by Federal law, or for which he
would otherwise be eligible, as a result of the
maintenance of such material, such material
shall be provided to such individual, except
to the extent that the disclosure of such
material would reveal the identity of a source
who furnished information to the
Government under an express promise that
the identity of the source would be held in
confidence, or, prior to the effective date of
this section, [September 27, 1975] under an
implied promise that the identity of the
source would be held in confidence;
The (k)(2) exemption covers: (1)
Material compiled for criminal
investigative law enforcement purposes
by an entity that does not have as its
principal function the enforcement of
criminal law and (2) investigative
material compiled for law enforcement
purposes that does not fall into the
scope of the exemption under 5 U.S.C.
552(j)(2). The material must be
investigative and compiled for some
‘‘law enforcement’’ purpose, such as a
civil investigation, or a criminal
investigation by an agency that does not
perform as its principal function the
enforcement of criminal law.
Further, since the information in the
SORs at issue was collected on or after
September 27, 1975, we believe that,
with respect to investigative material
that would reveal the identity of a
confidential source, only express
promises to a source that his or her
identity would not be revealed will be
implicated here. An example of an
express promise could occur when a
source expressly requests that his or her
identity not be revealed as a condition
of furnishing the information, and CMS
agrees to that condition and documents
that promise in writing.
The four SORs at issue were
established after September 27, 1975,
the effective date of the Privacy Act, as
follows:
• The CMS Fraud Investigation
Database (FID) was published under its
previous name, ‘‘HCFA Utilization
Review Investigatory Files,’’ on
December 29, 1988 (53 FR 52792) and
republished under its current name on
October 28, 2002 (67 FR 65795).
• The Automated Survey Processing
Environment (ASPEN) Complaints/
Incidents Tracking System (ACTS) was
first established on August 22, 2003 (68
FR 50795).
• The Health Insurance Portability
and Accountability Act (HIPAA)
Information Tracking System (HITS)
was first established on July 6, 2005 (70
FR 38944).
• The Organ Procurement
Organizations System (OPOS) was first
established on May 22, 2006 (71 FR
29336).
Further information about this
exemption can be found in the Office of
Management and Budget’s Privacy Act
Guidelines, (see the July 9, 1975 Federal
Register (40 FR 28972 through 28973)).
IV. Provisions of the Final Rule
After review of the public comments,
we are finalizing the provisions of the
proposed rule with minor technical
changes. We are revising the paragraphs
in § 5b.11(b)(2)(ii) so that the SORs are
listed in chronological order by the date
established.
V. Collection of Information
Requirements
This final rule does not impose
information collection and
recordkeeping requirements.
Consequently, it need not be reviewed
by the Office of Management and
Budget under the authority of the
Paperwork Reduction Act of 1995 (44
U.S.C. 35).
VI. Regulatory Impact Statement
We have examined the impact of this
rule as required by Executive Order
12866 (September 1993, Regulatory
Planning and Review), the Regulatory
Flexibility Act (RFA) (September 19,
1980, Pub. L. 96–354), section 1102(b) of
the Social Security Act (the Act), the
Unfunded Mandates Reform Act of 1995
(Pub. L. 104–4), and Executive Order
13132.
Executive Order 12866 directs
agencies to assess all costs and benefits
of available regulatory alternatives and,
if regulation is necessary, to select
regulatory approaches that maximize
net benefits (including potential
economic, environmental, public health
and safety effects, distributive impacts,
and equity). A regulatory impact
analysis (RIA) must be prepared for
regulating actions with economically
significant effects ($100 million or more
in any one year or other substantial
adverse economic effects) known as
‘‘major rules’’. This rule does not meet
the ‘‘major rule’’ criteria; therefore, we
are not preparing an RIA.
The RFA requires agencies to analyze
options for regulatory relief of small
businesses. For purposes of the RFA,
small entities include small businesses,
nonprofit organizations, and small
governmental jurisdictions. Most
hospitals and most other providers and
suppliers are small entities, either by
nonprofit status or by having revenues
of $6 million to $29 million in any one
year. Individuals and States are not
included in the definition of a small
entity. We are not preparing an analysis
for the RFA because we have
determined that this rule will not have
a significant economic impact on a
substantial number of small entities.
In addition, section 1102(b) of the Act
requires us to prepare a regulatory
impact analysis if a rule may have a
significant impact on the operations of
a substantial number of small rural
hospitals. This analysis must conform to
the provisions of section 604 of the
RFA. For purposes of section 1102(b) of
the Act, we define a small rural hospital
as a hospital that is located outside of
a Metropolitan Statistical Area and has
fewer than 100 beds. We are not
preparing an analysis for section 1102(b)
of the Act because we have determined
that this rule will not have a significant
impact on the operations of a substantial
number of small rural hospitals.
Section 202 of the Unfunded
Mandates Reform Act of 1995 also
requires that agencies assess anticipated
costs and benefits before issuing any
rule whose mandates require spending
in any one year of $100 million in 1995
dollars, updated annually for inflation.
That threshold level is currently
approximately $120 million. This final
rule will have no consequential effect
on State, local, or tribal governments or
on the private sector.
Executive Order 13132 establishes
certain requirements that an agency
must meet when it promulgates a
proposed rule (and subsequent final
rule) that imposes substantial direct
requirement costs on State and local
governments, preempts State law, or
otherwise has Federalism implications.
Since this regulation does not impose
any costs on State or local governments,
the requirements of Executive Order
13132 are not applicable.
In accordance with the provisions of
Executive Order 12866, this regulation
was reviewed by the Office of
Management and Budget.
Dated: November 20, 2007.
Kerry Weems,
Acting Administrator, Centers for Medicare
& Medicaid Services.
Approved: June 13, 2008.
Michael O. Leavitt,
Secretary.
List of Subjects for 45 CFR Part 5b
Privacy.
■ For the reasons set forth in the
preamble, the Department of Health and
Human Services amends 45 CFR part 5b
as set forth below:
PART 5b—PRIVACY ACT
REGULATIONS
■ 1. The authority citation for part 5b
continues to read as follows:
Authority: 5 U.S.C. 301, 5 U.S.C. 552a.
■ 2. Section 5b.11 is revised by adding
paragraphs (b)(2)(ii)(H), (I), (J), and (K)
to read as follows:
§ 5b.11 Exempt Systems
* * * * *
(b) * * *
(2) * * *
(ii) * * *
(H) Investigative materials compiled
for law enforcement purposes from the
CMS Fraud Investigation Database (FID),
HHS/CMS.
(I) Investigative materials compiled
for law enforcement purposes from the
Automated Survey Processing
Environment (ASPEN) Complaints/
Incidents Tracking System (ACTS),
HHS/CMS.
(J) Investigative materials compiled
for law enforcement purposes from the
Health Insurance Portability and
Accountability Act (HIPAA) Information
Tracking System (HITS), HHS/CMS.
(K) Investigative materials compiled
for law enforcement purposes from the
Organ Procurement Organizations
System (OPOS), HHS/CMS.
* * * * *
Editorial Note: This document was
received at the Office of the Federal Register
on September 16, 2008.
[FR Doc. E8–21909 Filed 9–25–08; 8:45 am]
BILLING CODE 4120–01–P
FEDERAL COMMUNICATIONS
COMMISSION
47 CFR Part 101
[WT Docket No. 00–19; RM–9418; FCC 02–
218]
Streamline Processing of Microwave
Applications in the Wireless
Telecommunications Services
AGENCY: Federal Communications
Commission.
ACTION: Correcting amendment.
SUMMARY: In this document, the Federal
Communications Commission corrects
an inadvertent error that occurred when
the Commission adopted final rules
pertaining to Streamline Processing of
Microwave Applications in the Wireless
Telecommunications Services and
Telecommunications Industry
Association Petition for Rulemaking.
These rules were published in the
Federal Register on Friday, January 31,
2003 (68 FR 4953). Specifically, the
error occurred in a table to the rules
concerning directional antennas and
compliance with antenna standards. As
a result of this correction, the table will
be amended as intended by the
Commission.
DATES: Effective September 26, 2008.
FOR FURTHER INFORMATION CONTACT: John
Schauble at 202–418–0797.
SUPPLEMENTARY INFORMATION: This is a
correction to a summary of the
Commission’s Report and Order in WT
Docket No. 00–19, FCC 02–218, adopted
on July 18, 2002 and released on July
31, 2002. The Report and Order
streamlined, clarified and updated part
101 rules. These actions were to provide
increased flexibility to licensees, ensure
greater and more efficient use of
spectrum bands regulated under part
101, and ensure that our Rules are
consistent with international
agreements.
Need for Correction
As published, the final rules contain
an error in § 101.115 Directional
Antennas, Antenna Standards Table.
The Commission did not request that
the listed entry to the Antenna
Standards Table for the frequency of
10,550 to 10,680 5,7 MHz be omitted.
This correction removes the listing that
should have been omitted. The entry for
10,550 to 10,680 7, which was adopted in
that proceeding, will remain.
List of Subjects in 47 CFR Part 101
Communications equipment, Marine
safety, Radio, Reporting and
recordkeeping requirements.
■ Accordingly, 47 CFR part 101 is
amended by making the following
correcting amendments:
PART 101—FIXED MICROWAVE
SERVICES
■ 1. The authority citation for part 101
continues to read as follows:
Authority: 47 U.S.C. 154, 303 unless
otherwise noted.
§ 101.115 [Amended]
■ 2. Section 101.115 is amended by
removing the entry ‘‘10,550 to
10,680 5,7’’ for both Category A and B in
the table following paragraph (b)(2).
Federal Communications Commission.
Marlene H. Dortch,
Secretary.
[FR Doc. E8–22721 Filed 9–25–08; 8:45 am]
BILLING CODE 6712–01–P
[Federal Register Volume 73, Number 188 (Friday, September 26, 2008)]
[Rules and Regulations]
[Pages 55772-55775]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-21909]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Part 5b
[CMS-0029-F]
RIN 0938-A069
Exemption of Certain Systems of Records Under the Privacy Act
AGENCY: Office of the Secretary, HHS.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: This final rule exempts four systems of records (SORs) from
subsections (c)(3), (d)(1) through (d)(4), (e)(4)(G) and (H), and (f)
of the Privacy Act pursuant to 5 U.S.C. 552a(k)(2): The Automated
Survey Processing Environment (ASPEN) Complaint/ Incidents Tracking
System (ACTS), HHS/CMS, System No. 09-70-0565; the Health Insurance
Portability and Accountability Act (HIPAA) Information Tracking System
(HITS), HHS/CMS, System No. 09-70-0544; the Organ Procurement
Organizations System (OPOS), HHS/CMS, System No. 09-70-0575; and the
Fraud Investigation Database (FID), HHS/CMS, System No. 09-70-0527.
DATES: Effective Date: These regulations are effective on October 27,
2008.
FOR FURTHER INFORMATION CONTACT: Walter Stone, (410) 786-5357.
SUPPLEMENTARY INFORMATION:
I. Background
The four systems of records (SORs) that are the subject of this
final rule and the May 25, 2007 proposed rule are as follows:
A. The Automated Survey Processing Environment Complaints/Incidents
Tracking System (ACTS), HHS/CMS, System No. 09-70-0565
In the August 22, 2003 Federal Register (68 FR 50795), we published
a notice announcing a new SOR titled Automated Survey Processing
Environment (ASPEN) Complaint/Incidents Tracking System (ACTS), HHS/
CMS, System No. 09-70-0565.
In the May 23, 2006 Federal Register (71 FR 29643) we published a
notice that modified the ACTS SOR. This notice included all
modifications and the full text of this system of records. ACTS is a
Windows-based program whose primary purpose is to track and process
complaints and incidents reported against health care facilities
regulated by CMS and State agencies. These facilities include Clinical
Laboratory Improvement Amendment (CLIA)-certified laboratories, skilled
nursing facilities (SNFs), nursing facilities, hospitals, home health
agencies (HHAs), end stage renal disease (ESRD) facilities, hospices,
rural health clinics (RHCs), comprehensive outpatient rehabilitation
facilities (CORFs), outpatient physical therapy services, community
mental health centers (CMHCs), ambulatory surgical centers (ASCs),
suppliers of portable x-ray services, and intermediate care facilities
for persons with mental retardation (ICF/MRs). ACTS contains
identifiable information on individuals, who are complainants,
residents, patients, clients, contacts or witnesses. It also may
include alleged perpetrators, survey team members, laboratory
directors, laboratory owners, and employees and directors of the health
care facilities noted previously. ACTS is designed to manage all
operations associated with complaint and incident tracking and
processing, from initial intake and investigation through the final
disposition.
B. The Health Insurance Portability and Accountability Act (HIPAA)
Information Tracking System (HITS), HHS/CMS, System No. 09-70-0544.
In the July 6, 2005 Federal Register (70 FR 38944), we published a
notice announcing a new SOR titled Health Insurance Portability and
Accountability Act (HIPAA) Information Tracking System (HITS), HHS/CMS,
System No. 09-70-0544
In general, HITS consists of an electronic repository of
information, documents, and supplementary paper document files
resulting from investigations of alleged violations of the transactions
and code sets, security, and unique identifier provisions of HIPAA.
HITS' purpose is to support investigations of complainants,
determinations as to whether there were violations as charged in the
original complaint, referral of violations to law enforcement entities
as necessary, and maintenance and retrieval of records that contain the
results of the complaint investigations. The system of records
[[Page 55773]]
covers individuals who have submitted complaints alleging violations of
the provisions of HIPAA. Investigative files maintained in HITS are
received either as electronic documents or as paper records that are
compiled for law enforcement purposes.
C. The Organ Procurement Organizations System (OPOS), HHS/CMS, System
No. 09-70-0575
In the May 22, 2006 Federal Register (71 FR 29336), we published a
notice announcing a new SOR titled Organ Procurement Organizations
System (OPOS), HHS/CMS, System No. 09-70-0575. OPOS is a Windows based
program whose purpose is to track and process complaints and incidents
reported against Organ Procurement Organizations. Section 701 of the
Organ Procurement Organization System Certification Act of 2000 (Pub.
L. 106-505) gave the Department the authority to collect and maintain
individually identifiable information pertaining to allegations filed
by a complainant, beneficiary, or provider of services against Organ
Procurement Organizations. This information includes information
gathered during all aspects of an investigation, including initial
complaints, findings, results, disposition, and relevant
correspondence.
D. The Fraud Investigation Database (FID), HHS/CMS, System No. 09-70-
0527
In the October 28, 2002 Federal Register (70 FR 65795), we
published a notice that modified, among other things, the name of a SOR
entitled ``CMS Utilization Review Investigatory Files, System No.
09-70-0527'' to ``CMS Fraud Investigation Database (FID).'' The notice
included the full text of the FID system of records. The FID system of
records contains the name, work address, work phone number, social
security number, Unique Provider Identification Number (UPIN), and
other identifying demographics of individuals alleged to have violated
provisions of the Social Security Act (the Act) related to Medicare,
Medicaid, HMO/Managed Care, and the Children's Health Insurance
Program. The FID system of records also contains the contact
information and other identifying demographics of individuals alleged
to have violated other criminal or civil statutes connected with the
Act and the Act's programs. Here, individuals are persons alleged to
have abused the Act's programs. (For example, an individual could be a
person alleged to have rendered unnecessary services to Medicare
beneficiaries or Medicaid recipients, over-used services, or engaged in
improper billing.) They are persons whose activities have provided a
substantial basis for criminal or civil prosecution, or who are
identified as defendants in criminal prosecution cases.
II. Provisions of the Proposed Rule
In the May 25, 2007 Federal Register (72 FR 29289) we published a
proposed rule that would exempt the ACTS, HITS, OPOS, and FID systems
of records from subsection (c)(3), (d)(1) through (d)(4), (e)(4)(G) and
(H), and (f) of the Privacy Act pursuant to 5 U.S.C. 552a(k)(2). These
exemptions would apply only to the extent that information in a record
is subject to exemption pursuant to 5 U.S.C. 552a(k)(2). We proposed
that the ACTS, HITS, OPOS, and FID systems of records would be exempted
from the following subsections for the reasons set forth below:
Subsection (c)(3). Release of an accounting of disclosures
to an individual who is the subject of an investigation could reveal
the nature and scope of the investigation and could result in the
altering or destruction of evidence, improper influencing of witnesses,
and other evasive actions that could impede or compromise the
investigation.
Subsection (d)(1). Release of investigative records to an
individual who is the subject of an investigation could interfere with
pending or prospective law enforcement proceedings, constitute an
unwarranted invasion of the personal privacy of third parties, reveal
the identity of confidential sources, or reveal sensitive investigative
techniques and procedures.
Subsections (d)(2) through (d)(4). Amendment or correction
of investigative records could interfere with pending or prospective
law enforcement proceedings, or could impose an impossible
administrative and investigative burden by requiring us to continuously
retrograde our investigations in an attempt to resolve questions of
accuracy, relevance, timeliness, and completeness.
Subsection (e)(4)(G) and (H). Notifying an individual who
is the subject of an investigation or a witness that a system of
records contains information about him or her could reveal the nature
and scope of the investigation and could result in the altering or
destruction of evidence, improper influencing of witnesses, and other
evasive actions that could impede or compromise the investigation.
Subsection (f). Establishing procedures for notification,
inspection or amendment of records, or appeals of denials of access to
records would interfere with pending or prospective law enforcement
proceedings, constitute an unwarranted invasion of the personal privacy
of third parties, reveal the identity of confidential sources, or
reveal sensitive investigative techniques. Furthermore, these actions
could impose an impossible administrative and investigative burden by
requiring us to continuously retrograde our investigations in an
attempt to resolve questions of accuracy, relevance, timeliness, and
completeness.
Accordingly, we proposed to amend 45 CFR 5b.11(b)(2)(ii) of the
Privacy Act regulations by adding the following:
A new paragraph (H) that exempts investigative materials
compiled for law enforcement purposes from ACTS.
A new paragraph (I) that exempts investigative materials
compiled for law enforcement purposes from HITS.
A new paragraph (J) that exempts investigative materials
compiled for law enforcement purposes from OPOS.
A new paragraph (K) that exempts investigative materials
compiled for law enforcement purposes from FID.
III. Analysis of and Responses to Public Comments
We solicited and received two timely public comments on the May 25,
2007 proposed rule. The following is a summary of the comments and our
responses.
Comment: One commenter believed that 45 CFR 5b.11(d) seems to allow
the Department of Health and Human Services to disclose identities of
sources who furnished information under an express promise of
confidentiality.
Response: We do not disclose information that would reveal the
identities of sources who furnish information under an express promise
of confidentiality because the promise of confidentiality made to a
witness is an agreement with that individual, and such disclosure would
be both a violation of that agreement and counterproductive to law
enforcement efforts, as it would discourage individuals from coming
forward to supply information about alleged misconduct. 45 CFR 5b.11(b)
gives the responsible Department official discretion to grant
notification of access to a record in a system of records which is
exempt under 45 CFR 5b.11(b), unless disclosure to the general public
is otherwise prohibited by law. The Department does not intend to
exercise its discretion to disclose identifying
[[Page 55774]]
information about sources who furnish information under an express
promise of confidentiality.
Comment: Commenters requested that the exemptions be narrowed or
clarified by defining the terms ``investigative materials'' and ``law
enforcement purposes,'' including differentiating among kinds of
records within each system that constitute ``investigatory materials,''
as well as describing agency uses that are not consistent with ``law
enforcement purposes.'' A commenter suggested that CMS implement
regulatory definitions, criteria, guidelines or other means to
effectuate a confidentiality promise to an informant and to recognize
whether or not one has been effectuated for purposes of compliance with
subsection (k)(2) of the Privacy Act.
Response: We believe that with respect to clarifying what
constitutes a confidentiality promise, we continue to rely upon the
following language in subsection (k)(2) of the Privacy Act (5 U.S.C.
552a), which permits exemptions from certain subsections of the Privacy
Act:
[I]nvestigatory material compiled for law enforcement purposes,
other than material within the scope of subsection (j)(2) of this
section [the Privacy Act]: Provided, however, That if any individual
is denied any right, privilege, or benefit that he would otherwise
be entitled by Federal law, or for which he would otherwise be
eligible, as a result of the maintenance of such material, such
material shall be provided to such individual, except to the extent
that the disclosure of such material would reveal the identity of a
source who furnished information to the Government under an express
promise that the identity of the source would be held in confidence,
or, prior to the effective date of this section, [September 27,
1975] under an implied promise that the identity of the source would
be held in confidence;
The (k)(2) exemption covers: (1) Material compiled for criminal
investigative law enforcement purposes by an entity that does not have
as its principal function the enforcement of criminal law and (2)
investigative material compiled for law enforcement purposes that does
not fall into the scope of the exemption under 5 U.S.C. 552(j)(2). The
material must be investigative and compiled for some ``law
enforcement'' purpose, such as a civil investigation, or a criminal
investigation by an agency that does not perform as its principal
function the enforcement of criminal law.
Further, since the information in the SORs at issue was collected
on or after September 27, 1975, we believe that, with respect to
investigative material that would reveal the identity of a confidential
source, only express promises to a source that his or her identity
would not be revealed will be implicated here. An example of an express
promise could occur when a source expressly requests that his or her
identity not be revealed as a condition of furnishing the information,
and CMS agrees to that condition and documents that promise in writing.
The four SORs at issue were established after September 27, 1975,
the effective date of the Privacy Act, as follows:
The CMS Fraud Investigation Database (FID) was published
under its previous name, ``HCFA Utilization Review Investigatory
Files,'' on December 29, 1988 (53 FR 52792) and republished under its
current name on October 28, 2002 (67 FR 65795).
The Automated Survey Processing Environment (ASPEN)
Complaints/Incidents Tracking System (ACTS) was first established on
August 22, 2003 (68 FR 50795).
The Health Insurance Portability and Accountability
Act (HIPAA) Information Tracking System (HITS) was first established on
July 6, 2005 (70 FR 38944).
The Organ Procurement Organizations System (OPOS) was
first established on May 22, 2006 (71 FR 29336).
Further information about this exemption can be found in the Office
of Management and Budget's Privacy Act Guidelines, (see the July 9,
1975 Federal Register (40 FR 28972 through 28973)).
IV. Provisions of the Final Rule
After review of the public comments, we are finalizing the
provisions of the proposed rule with minor technical changes. We are
revising the paragraphs in Sec. 5b.11(b)(2)(ii) so that the SORs are
listed in chronological order by the date established.
V. Collection of Information Requirements
This final rule does not impose information collection and
recordkeeping requirements. Consequently, it need not be reviewed by
the Office of Management and Budget under the authority of the
Paperwork Reduction Act of 1995 (44 U.S.C. 35).
VI. Regulatory Impact Statement
We have examined the impact of this rule as required by Executive
Order 12866 (September 1993, Regulatory Planning and Review), the
Regulatory Flexibility Act (RFA) (September 19, 1980, Pub. L. 96-354),
section 1102(b) of the Social Security Act (the Act), the Unfunded
Mandates Reform Act of 1995 (Pub. L. 104-4), and Executive Order 13132.
Executive Order 12866 directs agencies to assess all costs and
benefits of available regulatory alternatives and, if regulation is
necessary, to select regulatory approaches that maximize net benefits
(including potential economic, environmental, public health and safety
effects, distributive impacts, and equity). A regulatory impact
analysis (RIA) must be prepared for regulating actions with
economically significant effects ($100 million or more in any one year
or other substantial adverse economic effects) known as ``major
rules''. This rule does not meet the ``major rule'' criteria; therefore,
we are not preparing an RIA.
The RFA requires agencies to analyze options for regulatory relief
of small businesses. For purposes of the RFA, small entities include
small businesses, nonprofit organizations, and small governmental
jurisdictions. Most hospitals and most other providers and suppliers
are small entities, either by nonprofit status or by having revenues of
$6 million to $29 million in any one year. Individuals and States are
not included in the definition of a small entity. We are not preparing
an analysis for the RFA because we have determined that this rule will
not have a significant economic impact on a substantial number of small
entities.
In addition, section 1102(b) of the Act requires us to prepare a
regulatory impact analysis if a rule may have a significant impact on
the operations of a substantial number of small rural hospitals. This
analysis must conform to the provisions of section 604 of the RFA. For
purposes of section 1102(b) of the Act, we define a small rural
hospital as a hospital that is located outside of a Metropolitan
Statistical Area and has fewer than 100 beds. We are not preparing an
analysis for section 1102(b) of the Act because we have determined that
this rule will not have a significant impact on the operations of a
substantial number of small rural hospitals.
Section 202 of the Unfunded Mandates Reform Act of 1995 also
requires that agencies assess anticipated costs and benefits before
issuing any rule whose mandates require spending in any one year of
$100 million in 1995 dollars, updated annually for inflation. That
threshold level is currently approximately $120 million. This final
rule will have no consequential effect on State, local, or tribal
governments or on the private sector.
Executive Order 13132 establishes certain requirements that an
agency must meet when it promulgates a proposed rule (and subsequent
final
[[Page 55775]]
rule) that imposes substantial direct requirement costs on State and
local governments, preempts State law, or otherwise has Federalism
implications. Since this regulation does not impose any costs on State
or local governments, the requirements of Executive Order 13132 are not
applicable.
In accordance with the provisions of Executive Order 12866, this
regulation was reviewed by the Office of Management and Budget.
List of Subjects for 45 CFR Part 5b
Privacy.
For the reasons set forth in the preamble, the Department of Health and
Human Services amends 45 CFR part 5b as set forth below:
PART 5b--PRIVACY ACT REGULATIONS
1. The authority citation for part 5b continues to read as follows:
Authority: 5 U.S.C. 301, 5 U.S.C. 552a.
2. Section 5b.11 is revised by adding paragraphs (b)(2)(ii)(H), (I),
(J), and (K) to read as follows:
Sec. 5b.11 Exempt Systems
* * * * *
(b) * * *
(2) * * *
(ii) * * *
(H) Investigative materials compiled for law enforcement purposes
from the CMS Fraud Investigation Database (FID), HHS/CMS.
(I) Investigative materials compiled for law enforcement purposes
from the Automated Survey Processing Environment (ASPEN)
Complaints/Incidents Tracking System (ACTS), HHS/CMS.
(J) Investigative materials compiled for law enforcement purposes
from the Health Insurance Portability and Accountability Act (HIPAA)
Information Tracking System (HITS), HHS/CMS.
(K) Investigative materials compiled for law enforcement purposes
from the Organ Procurement Organizations System (OPOS), HHS/CMS.
* * * * *
Dated: November 20, 2007.
Kerry Weems,
Acting Administrator, Centers for Medicare & Medicaid Services.
Approved: June 13, 2008.
Michael O. Leavitt,
Secretary.
Editorial Note: This document was received at the Office of the
Federal Register on September 16, 2008.
[FR Doc. E8-21909 Filed 9-25-08; 8:45 am]
BILLING CODE 4120-01-P