Privacy Act of 1974; New OIG Privacy Act System of Records: Consolidated Data Repository, 66648-66651 [E8-26725]

Download as PDF jlentini on PROD1PC65 with NOTICES 66648 Federal Register / Vol. 73, No. 218 / Monday, November 10, 2008 / Notices products, the testing phase begins when the exemption to permit the clinical investigations of the human drug product becomes effective and runs until the approval phase begins. The approval phase starts with the initial submission of an application to market the human drug product and continues until FDA grants permission to market the drug product. Although only a portion of a regulatory review period may count toward the actual amount of extension that the Director of Patents and Trademarks may award (for example, half the testing phase must be subtracted as well as any time that may have occurred before the patent was issued), FDA’s determination of the length of a regulatory review period for a human drug product will include all of the testing phase and approval phase as specified in 35 U.S.C. 156(g)(1)(B). FDA recently approved for marketing the human drug product TYKERB (lapatinib). TYKERB is indicated in combination with capecitabine, for the treatment of patients with advanced or metastatic breast cancer whose tumors overexpress HER2 and who have received prior therapy including an anthracycline, a taxane, and trastuzumab. Subsequent to this approval, the Patent and Trademark Office received a patent term restoration application for TYKERB (U.S. Patent No. 6,713,485) from SmithKline Beecham Corp. (doing business as GlaxoSmithKline), and the Patent and Trademark Office requested FDA’s assistance in determining this patent’s eligibility for patent term restoration. In a letter dated April 28, 2008, FDA advised the Patent and Trademark Office that this human drug product had undergone a regulatory review period and that the approval of TYKERB represented the first permitted commercial marketing or use of the product. Thereafter, the Patent and Trademark Office requested that FDA determine the product’s regulatory review period. FDA has determined that the applicable regulatory review period for TYKERB is 2,260 days. Of this time, 2,078 days occurred during the testing phase of the regulatory review period, while 182 days occurred during the approval phase. These periods of time were derived from the following dates: 1. The date an exemption under section 505(i) of the Federal Food, Drug, and Cosmetic Act (the act) (21 U.S.C. 355(i)) became effective: January 5, 2001. FDA has verified the applicant’s claim that the date the investigational new drug application became effective was on January 5, 2001. VerDate Aug<31>2005 16:09 Nov 07, 2008 Jkt 217001 2. The date the application was initially submitted with respect to the human drug product under section 505(b) of the act: September 13, 2006. FDA has verified the applicant’s claim that the new drug application (NDA) for TYKERB (NDA 22–059) was initially submitted on September 13, 2006. 3. The date the application was approved: March 13, 2007. FDA has verified the applicant’s claim that NDA 22–059 was approved on March 13, 2007. This determination of the regulatory review period establishes the maximum potential length of a patent extension. However, the U.S. Patent and Trademark Office applies several statutory limitations in its calculations of the actual period for patent extension. In its application for patent extension, this applicant seeks 628 days of patent term extension. Anyone with knowledge that any of the dates as published are incorrect may submit to the Division of Dockets Management (see ADDRESSES) written or electronic comments and ask for a redetermination by January 9, 2009. Furthermore, any interested person may petition FDA for a determination regarding whether the applicant for extension acted with due diligence during the regulatory review period by May 11, 2009. To meet its burden, the petition must contain sufficient facts to merit an FDA investigation. (See H. Rept. 857, part 1, 98th Cong., 2d sess., pp. 41–42, 1984.) Petitions should be in the format specified in 21 CFR 10.30. Comments and petitions should be submitted to the Division of Dockets Management. Three copies of any mailed information are to be submitted, except that individuals may submit one copy. Comments are to be identified with the docket number found in brackets in the heading of this document. Comments and petitions may be seen in the Division of Dockets Management between 9 a.m. and 4 p.m., Monday through Friday. Please note that on January 15, 2008, the FDA Division of Dockets Management Web site transitioned to the Federal Dockets Management System (FDMS). FDMS is a Government-wide, electronic docket management system. Electronic comments or submissions will be accepted by FDA only through FDMS at http://www.regulations.gov. Dated: October 20, 2008. Jane A. Axelrad, Associate Director for Policy, Center for Drug Evaluation and Research. [FR Doc. E8–26679 Filed 11–7–08; 8:45 am] BILLING CODE 4160–01–S PO 00000 Frm 00059 Fmt 4703 Sfmt 4703 DEPARTMENT OF HEALTH AND HUMAN SERVICES Office of Inspector General Privacy Act of 1974; New OIG Privacy Act System of Records: Consolidated Data Repository Office of Inspector General (OIG), HHS. ACTION: Notice of proposed new Privacy Act System of Records. AGENCY: SUMMARY: The Privacy Act of 1974 (5 U.S.C. 552(e)(4)) requires that all agencies publish in the Federal Register a notice of the existence and character of their system of records. Notice is hereby given that OIG is adding a new system of records entitled ‘‘Consolidated Data Repository—HHS– OIG’’ (09–90–1000). DATES: Effective Date: This system of records will become effective without further notice on December 22, 2008, unless comments received on or before that date result in a contrary determination. Comment Date: Comments on this new system of records will be considered if we receive them at the addresses provided below no later than 5 p.m. Eastern Standard Time on December 10, 2008. ADDRESSES: In commenting, please reference file code 09–90–1000. Because of staff and resource limitations, we cannot accept comments by facsimile (fax) transmission. However, you may submit comments using one of the following three ways (no duplicates, please): 1. Electronically. You may submit electronically through the Federal eRulemaking Portal at http:// www.regulations.gov. (Attachments should be in Microsoft Word, if possible.) 2. By regular, express, or overnight mail. You may mail your printed or written submissions to the following address: Office of Inspector General, Department of Health and Human Services, Attention: Marco Villagrana, Room 5541, Cohen Building, 330 Independence Avenue, SW., Washington, DC 20201. Please allow sufficient time for mailed comments to be received before the close of the comment period. 3. By hand or courier. You may deliver, by hand or courier, before the close of the comment period, your printed or written comments to the Office of Inspector General, Department of Health and Human Services, Cohen Building, 330 Independence Avenue, SW., Washington, DC 20201. Because E:\FR\FM\10NON1.SGM 10NON1 Federal Register / Vol. 73, No. 218 / Monday, November 10, 2008 / Notices jlentini on PROD1PC65 with NOTICES access to the interior of the Cohen Building is not readily available to persons without Federal Government identification, commenters are encouraged to schedule their delivery with one of our staff members at (202) 619–1343. Inspection of Public Comments: All comments received before the end of the comment period will be posted on http://www.regulations.gov for public viewing. Hard copies will also be available for public inspection at the Office of Inspector General, Department of Health and Human Services, Cohen Building, 330 Independence Avenue, SW., Washington, DC 20201, Monday through Friday, from 8:30 a.m. to 4 p.m. To schedule an appointment to view public comments, phone (202) 401– 2206. FOR FURTHER INFORMATION CONTACT: Marco Villagrana, Department of Health & Human Services, Office of Inspector General, Office of External Affairs, (202) 401–2206; or Stephen Conway, Department of Health & Human Services, Office of Inspector General, Office of Audit Services, (617) 565– 2946. SUPPLEMENTARY INFORMATION: Under Section 2 of the Inspector General Act of 1978, as amended, OIG is required to conduct audits and investigations relating to programs and operations of the Department. In performing these required functions, OIG must collect, collate, and analyze claims information relating to services rendered to Medicare beneficiaries and Medicaid recipients. For this reason, OIG is establishing a new system of records which combines information from several existing HHS systems of records with information from State sources. This combined system of records is necessary for OIG to perform timely and independent audits, evaluations and inspections, and investigations of the Medicare and Medicaid programs. In addition, in compliance with the ‘‘Incident Reporting and Handling Requirements’’ set forth in the Office of Management and Budget Memoranda 07–16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, OIG is incorporating the routine use language into this new system of records as part of our normal System of Records Notice (SORN) review development process. Description of the Proposed System of Records Records from the Centers for Medicare & Medicaid Services and State Medicaid agencies will be incorporated into this new system of records. The new system VerDate Aug<31>2005 16:09 Nov 07, 2008 Jkt 217001 of records will be created by including Medicare and Medicaid enrollment, eligibility, and claims data records on all beneficiaries and recipients. Data in the system of records will include names; Social Security numbers (SSNs); health insurance identification numbers; and claims information relating to inpatient, outpatient, physician/supplier, skilled nursing facilities, nursing home, hospice, home health, durable medical equipment, dental, prescription drug, and managed care. Agency Policies, Procedures and Restrictions on the Routine Use The Privacy Act permits OIG to disclose information outside HHS without an individual’s consent if the information is to be used for a purpose that is compatible with the purposes for which the information was collected. Any such disclosure of data is known as a routine use. Accordingly, we are proposing to establish the following routine use disclosures of records maintained in the system: 1. Disclosure may be made to Federal, State, and local agencies for the purpose of better identifying the total current health care usage of the Medicare and Medicaid patient population. 2. Disclosure may be made to Federal, State, and local government agencies and national health organizations to assist in the development of programs that will be beneficial to claimants and to protect their rights under law and assure that they are receiving all benefits to which they are entitled. 3. Disclosure may be made to a Federal department or agency or to a contractor of a Federal department or agency in order to conduct Federal audits, evaluations and inspections, or investigations necessary to accomplish a statutory purpose of an agency. OIG must be able to disclose information for purposes needed to accomplish a statutory purpose of a Federal agency. 4. Disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual. 5. In the event of litigation, information from the system of records may be disclosed to the Department of Justice, to a judicial or administrative tribunal, opposing counsel, and witnesses in the course of proceedings involving HHS, any HHS employee (where the matter pertains to the employee’s official duties), or the United States, or any agency thereof where the litigation is likely to affect HHS, or HHS is a party or has an interest in the litigation and the use of PO 00000 Frm 00060 Fmt 4703 Sfmt 4703 66649 the information is relevant and necessary to the litigation. 6. In the event that a system of records maintained by OIG to carry out its functions indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule, or order issued pursuant thereto, the relevant records in the system of records may be referred, as a routine use, to the appropriate agency, whether Federal, State, local, or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, rule, regulation, or order issued pursuant thereto. 7. In the event the that Department deems it desirable or necessary in determining whether particular records are required to be disclosed under the Freedom of Information Act, disclosure may be made to the Department of Justice for the purpose of obtaining its advice. 8. A record from this system of records may be disclosed to a Federal agency in response to its request in connection with the hiring or retention of an employee, the issuance of a security clearance, the reporting of an investigation of an employee, the letting of a contract, or the issuance of a license, grant, or other benefit by the requesting agency, to the extent that the record is relevant and necessary to the requesting agency’s decision on the matter. 9. The system of records may be disclosed to student volunteers and other individuals performing functions for the Department but technically not having the status of agency employees, if they need access to the records to perform their assigned agency functions. 10. A record may be disclosed to appropriate Federal agencies and Department contractors that have a need to know the information for the purpose of assisting the Department’s efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, and the information disclosed is relevant and necessary for that assistance. Safeguards OIG has safeguards in place for authorized users and monitors users to ensure against unauthorized use. The system will conform to all applicable Federal laws and regulations and Federal, HHS, and OIG policies and standards as they relate to information security and data privacy. E:\FR\FM\10NON1.SGM 10NON1 66650 Federal Register / Vol. 73, No. 218 / Monday, November 10, 2008 / Notices Effects of the Proposed System of Records on Individual Rights This system is established in accordance with the principles and requirements of the Privacy Act and will collect, use, and disseminate information only as prescribed therein. Data in this system will be subject to the authorized releases in accordance with the routine uses identified in this system of records notice. OIG will take precautionary measures to minimize the risks of unauthorized access to the records and the potential harm to individual privacy or other personal or property rights of beneficiaries and recipients whose data are maintained in the system. OIG will make disclosures from the proposed system in accordance with the Privacy Act. OIG does not anticipate an unfavorable effect on individual privacy as a result of the disclosure of information relating to individuals. This proposed change will not otherwise increase access to these records. CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: The records include information concerning Medicare beneficiaries and Medicaid recipients. CATEGORIES OF RECORDS IN THE SYSTEM: 09–90–1000 The categories of records in the system will include Medicare beneficiaries’ names, addresses, dates of birth, Medicare HIC numbers, SSNs, enrollment information and eligibility information, and claims information relating to the following types of services: Inpatient, skilled nursing facility, outpatient, physician/supplier, home health, hospice, durable medical equipment, prescription drug, and Medicare Advantage. The records will also include names, addresses, dates of birth, and SSNs on Medicaid recipients from State enrollment and eligibility files and claims information relating to the following types of services: Inpatient, long-term care, professional, dental, pharmacy, and Medicare crossover. The National Provider Identification database and the Unique Provider Identification Number (UPIN) directory will be stored in this system of records. SYSTEM NAME: AUTHORITY FOR MAINTENANCE OF THE SYSTEM: Consolidated Data Repository–HHS– OIG. Inspector General Act of 1978 (5 U.S.C. App.). SYSTEM LOCATION(S): PURPOSE(S): Records will be maintained at the following computer site locations: • HHS–OIG, 330 Independence Avenue, SW., Washington, DC 20201. • HHS–OIG, N2–01–02, 7500 Security Boulevard, Baltimore, MD 21244. And the following HHS–OIG Regional/Field Office locations: • JFK Federal Building, Boston, MA 02203. • J.K. Javits Federal Building, 26 Federal Plaza, New York, NY 10278. • 150 South Independence Mall West, Public Ledger Building, Philadelphia, PA 19106. • Atlanta Federal Center, Forsyth Street South, Atlanta, GA 30303. • 8659 Baypine Road, Suite 203 Jacksonville, FL 32256. • 233 North Michigan Avenue, Room 1360, Chicago, IL 60601. • 3815 West Street, Joseph Hwy, Lansing, MI 48917. • Galtier Plaza, 380 Jackson Street, Suite 727, St. Paul, MN 55101. • 1124 Rickard Road, Suite C, Springfield, IL 62704. • 1100 Commerce Street, Dallas, TX 75242. • 1201 Walnut Street, Kansas City, MO 64106. • 90 7th Street, San Francisco, CA 94103. The purpose of this system of records is to conduct audits, evaluations and inspections, and investigations of the Medicare and Medicaid programs. jlentini on PROD1PC65 with NOTICES Dated: October 28, 2008. Daniel R. Levinson, Inspector General. VerDate Aug<31>2005 16:09 Nov 07, 2008 Jkt 217001 ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSE OF SUCH USES: The Privacy Act permits OIG to disclose information outside HHS without an individual’s consent if the information is to be used for a purpose that is compatible with the purposes for which the information was collected. Any such disclosure of data is known as a routine use. Accordingly, we are proposing to establish the following routine use disclosures of records maintained in the system: a. Disclosure may be made to Federal, State, and local agencies for the purpose of better identifying the total current health care usage of the Medicare and Medicaid patient population. b. Disclosure may be made to Federal, State, and local government agencies and national health care organizations to assist in the development of programs that will be beneficial to claimants and to protect their rights under law and assure that they are receiving all benefits to which they are entitled. PO 00000 Frm 00061 Fmt 4703 Sfmt 4703 c. Disclosure may be made to a Federal department or agency or to a contractor of a Federal department or agency to permit it to conduct Federal audits, evaluations and inspections, or investigations necessary to accomplish a statutory purpose of an agency. OIG must be able to disclose information for purposes needed to accomplish a statutory purpose of a Federal agency. d. Disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual. e. In the event of litigation, information from the system of records may be disclosed to the Department of Justice, to a judicial or administrative tribunal, opposing counsel, and witnesses, in the course of proceedings involving HHS, any HHS employee (where the matter pertains to the employee’s official duties), or the United States, or any agency thereof where the litigation is likely to affect HHS, or HHS is a party or has an interest in the litigation and the use of the information is relevant and necessary to the litigation. f. In the event that a system of records maintained by OIG to carry out its functions indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule or order issued pursuant thereto, the relevant records in the system of records may be referred, as a routine use, to the appropriate agency, whether Federal, State, local, or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, or rule, regulation or order issued pursuant thereto. g. In the event that the Department deems it desirable or necessary, in determining whether particular records are required to be disclosed under the Freedom of Information Act, disclosure may be made to the Department of Justice for the purpose of obtaining its advice. h. A record from this system of records may be disclosed to a Federal agency, in response to its request, in connection with the hiring or retention of an employee, the issuance of a security clearance, the reporting of an investigation of an employee, the letting of a contract, or the issuance of a license, grant, or other benefit by the requesting agency, to the extent that the record is relevant and necessary to the requesting agency’s decision on the matter. E:\FR\FM\10NON1.SGM 10NON1 Federal Register / Vol. 73, No. 218 / Monday, November 10, 2008 / Notices i. The system of records may be disclosed to student volunteers and other individuals performing functions for the Department but technically not having the status of agency employees, if they need access to the records to perform their assigned agency functions. j. A record may be disclosed to appropriate Federal agencies and Department contractors that have a need to know the information for the purpose of assisting the Department’s efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, and the information disclosed is relevant and necessary for that assistance. POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM: Data are maintained on magnetic tape, disk, or laser optical media. RETRIEVABILITY: Records may be retrieved by name, name and one or more criteria (e.g., dates of birth, death, and service), SSN, Medicare HIC number, Medicaid Identification Number. jlentini on PROD1PC65 with NOTICES SAFEGUARDS: The computers that process these data are protected by technical, managerial, and operational controls that follow Federal policies and guidelines. The computers are protected by a combination of physical security by being located in Federal offices; access controls such as passwords and identification numbers; and technical protections such as encryption, firewalls, and anti-virus software. These controls allow only authorized users to access the data. Employees who maintain records in this system are instructed not to release data until the intended recipient agrees to implement appropriate management, operational, and technical safeguards sufficient to protect the confidentiality, integrity, and availability of the information and information systems and to prevent unauthorized access. This system will conform to all applicable Federal laws and regulations and Federal, HHS, and OIG policies and standards as they relate to information security and data privacy. These laws and regulations may apply but are not limited to: The Privacy Act of 1974; the Federal Information Security Management Act of 2002; the Computer Fraud and Abuse Act of 1986; the Health Insurance Portability and Accountability Act of 1996; the eGovernment Act of 2002, the Clinger- 16:09 Nov 07, 2008 Jkt 217001 RETENTION AND DISPOSAL: These records may be maintained for an indefinite duration. SYSTEM MANAGER AND ADDRESS: STORAGE: VerDate Aug<31>2005 Cohen Act of 1996; the Medicare Prescription Drug, Improvement, and Modernization Act of 2003, and the corresponding implementing regulations; and OMB Circular A–130, Management of Federal Resources, Appendix III, Security of Federal Automated Information Resources also applies. Federal, HHS, and OIG policies and standards include but are not limited to: All pertinent National Institute of Standards and Technology publications; the HHS Information Systems Program Handbook; and OIG Information Security Handbooks. The agency official responsible for the system policies and practices outlined above is: The Chief Information Officer, Office of Management and Policy, Office of Inspector General, Department of Health and Human Services, Wilbur J. Cohen Building, Room 5230, 330 Independence Avenue, SW., Washington, DC 20201. NOTIFICATION PROCEDURE: Any inquiries regarding these systems of records should be addressed to the System Manager. An individual who requests notification of or access to a medical record shall, at the time the request is made, designate in writing a responsible representative who will be willing to review the record and inform the subject individual of its contents at the representative’s discretion. (These notification and access procedures are in accordance with Department regulations (45 CFR 5b.6).) RECORDS ACCESS PROCEDURES: Same as notification procedures. Requesters should also reasonably specify the record contents being sought. (These access procedures are in accordance with Department regulations (45 CFR 5b.5(a)(2).) CONTESTING RECORD PROCEDURES: Contact the official at the address in the System Manager and Address section above, and reasonably identify the record and specify the information to be contested and the corrective action sought with supporting justification. (These procedures are in accordance with Department Regulations (45 CFR 5b.7).) RECORD SOURCE CATEGORIES: Information may be obtained from the Centers for Medicare & Medicaid Services National Claims History (inpatient, outpatient, physician PO 00000 Frm 00062 Fmt 4703 Sfmt 4703 66651 supplier, nursing home, hospice, home care, and durable medical equipment), Drug Data Processing System, Medicare Advantage and Prescription Drug system and State Medicaid claims and enrollment databases. SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT: None. [FR Doc. E8–26725 Filed 11–7–08; 8:45 am] BILLING CODE 4152–01–P DEPARTMENT OF HEALTH AND HUMAN SERVICES National Institutes of Health Submission for OMB Review; Comment Request; California Health Interview Survey Cancer Control Module (CHIS–CCM) 2009 (NCI) SUMMARY: Under the provisions of Section 3507(a)(1)(D) of the Paperwork Reduction Act of 1995, the National Cancer Institute (NCI), the National Institutes of Health (NIH), has submitted to the Office of Management and Budget (OMB) a request for review and approval of the information collection listed below. This proposed information collection was previously published in the Federal Register on August 22, 2008 (Volume 73, No. 164, p. 49685) and allowed 60 days for public comment. No public comments were received. The purpose of this notice is to allow an additional 30 days for public comment. The National Institutes of Health may not conduct or sponsor, and the respondent is not required to respond to, an information collection that has been extended, revised, or implemented on or after October 1, 1995, unless it displays a currently valid OMB control number. Proposed Collection: Title: California Health Interview Survey Cancer Control Module (CHIS–CCM) 2009. Type of Information Collection Request: New. Need and Use of Information Collection: The NCI has sponsored four Cancer Control Modules in the California Health Interview Survey (CHIS), and will be sponsoring a fifth to be administered in 2009. CHIS is a telephone survey that collects population-based, standardized healthrelated data to assess California’s progress in meeting Healthy People 2010 objectives for the nation and the state. The CHIS sample is designed to provide statistically reliable estimates statewide, for California counties, and for California’s ethnically and racially diverse population. Initiated by the UCLA Center for Health Policy E:\FR\FM\10NON1.SGM 10NON1

Agencies

[Federal Register Volume 73, Number 218 (Monday, November 10, 2008)]
[Notices]
[Pages 66648-66651]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-26725]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of Inspector General


Privacy Act of 1974; New OIG Privacy Act System of Records: 
Consolidated Data Repository

AGENCY: Office of Inspector General (OIG), HHS.

ACTION: Notice of proposed new Privacy Act System of Records.

-----------------------------------------------------------------------

SUMMARY: The Privacy Act of 1974 (5 U.S.C. 552(e)(4)) requires that all 
agencies publish in the Federal Register a notice of the existence and 
character of their system of records. Notice is hereby given that OIG 
is adding a new system of records entitled ``Consolidated Data 
Repository--HHS-OIG'' (09-90-1000).

DATES: Effective Date: This system of records will become effective 
without further notice on December 22, 2008, unless comments received 
on or before that date result in a contrary determination.
    Comment Date: Comments on this new system of records will be 
considered if we receive them at the addresses provided below no later 
than 5 p.m. Eastern Standard Time on December 10, 2008.

ADDRESSES: In commenting, please reference file code 09-90-1000. 
Because of staff and resource limitations, we cannot accept comments by 
facsimile (fax) transmission. However, you may submit comments using 
one of the following three ways (no duplicates, please):
    1. Electronically. You may submit electronically through the 
Federal eRulemaking Portal at http://www.regulations.gov. (Attachments 
should be in Microsoft Word, if possible.)
    2. By regular, express, or overnight mail. You may mail your 
printed or written submissions to the following address: Office of 
Inspector General, Department of Health and Human Services, Attention: 
Marco Villagrana, Room 5541, Cohen Building, 330 Independence Avenue, 
SW., Washington, DC 20201. Please allow sufficient time for mailed 
comments to be received before the close of the comment period.
    3. By hand or courier. You may deliver, by hand or courier, before 
the close of the comment period, your printed or written comments to 
the Office of Inspector General, Department of Health and Human 
Services, Cohen Building, 330 Independence Avenue, SW., Washington, DC 
20201. Because

[[Page 66649]]

access to the interior of the Cohen Building is not readily available 
to persons without Federal Government identification, commenters are 
encouraged to schedule their delivery with one of our staff members at 
(202) 619-1343.
    Inspection of Public Comments: All comments received before the end 
of the comment period will be posted on http://www.regulations.gov for 
public viewing. Hard copies will also be available for public 
inspection at the Office of Inspector General, Department of Health and 
Human Services, Cohen Building, 330 Independence Avenue, SW., 
Washington, DC 20201, Monday through Friday, from 8:30 a.m. to 4 p.m. 
To schedule an appointment to view public comments, phone (202) 401-
2206.

FOR FURTHER INFORMATION CONTACT: Marco Villagrana, Department of Health 
& Human Services, Office of Inspector General, Office of External 
Affairs, (202) 401-2206; or Stephen Conway, Department of Health & 
Human Services, Office of Inspector General, Office of Audit Services, 
(617) 565-2946.

SUPPLEMENTARY INFORMATION: Under Section 2 of the Inspector General Act 
of 1978, as amended, OIG is required to conduct audits and 
investigations relating to programs and operations of the Department. 
In performing these required functions, OIG must collect, collate, and 
analyze claims information relating to services rendered to Medicare 
beneficiaries and Medicaid recipients. For this reason, OIG is 
establishing a new system of records which combines information from 
several existing HHS systems of records with information from State 
sources. This combined system of records is necessary for OIG to 
perform timely and independent audits, evaluations and inspections, and 
investigations of the Medicare and Medicaid programs.
    In addition, in compliance with the ``Incident Reporting and 
Handling Requirements'' set forth in the Office of Management and 
Budget Memoranda 07-16, Safeguarding Against and Responding to the 
Breach of Personally Identifiable Information, OIG is incorporating the 
routine use language into this new system of records as part of our 
normal System of Records Notice (SORN) review development process.

Description of the Proposed System of Records

    Records from the Centers for Medicare & Medicaid Services and State 
Medicaid agencies will be incorporated into this new system of records. 
The new system of records will be created by including Medicare and 
Medicaid enrollment, eligibility, and claims data records on all 
beneficiaries and recipients. Data in the system of records will 
include names; Social Security numbers (SSNs); health insurance 
identification numbers; and claims information relating to inpatient, 
outpatient, physician/supplier, skilled nursing facilities, nursing 
home, hospice, home health, durable medical equipment, dental, 
prescription drug, and managed care.

Agency Policies, Procedures and Restrictions on the Routine Use

    The Privacy Act permits OIG to disclose information outside HHS 
without an individual's consent if the information is to be used for a 
purpose that is compatible with the purposes for which the information 
was collected. Any such disclosure of data is known as a routine use. 
Accordingly, we are proposing to establish the following routine use 
disclosures of records maintained in the system:
    1. Disclosure may be made to Federal, State, and local agencies for 
the purpose of better identifying the total current health care usage 
of the Medicare and Medicaid patient population.
    2. Disclosure may be made to Federal, State, and local government 
agencies and national health organizations to assist in the development 
of programs that will be beneficial to claimants and to protect their 
rights under law and assure that they are receiving all benefits to 
which they are entitled.
    3. Disclosure may be made to a Federal department or agency or to a 
contractor of a Federal department or agency in order to conduct 
Federal audits, evaluations and inspections, or investigations 
necessary to accomplish a statutory purpose of an agency. OIG must be 
able to disclose information for purposes needed to accomplish a 
statutory purpose of a Federal agency.
    4. Disclosure may be made to a congressional office from the record 
of an individual in response to an inquiry from the congressional 
office made at the request of that individual.
    5. In the event of litigation, information from the system of 
records may be disclosed to the Department of Justice, to a judicial or 
administrative tribunal, opposing counsel, and witnesses in the course 
of proceedings involving HHS, any HHS employee (where the matter 
pertains to the employee's official duties), or the United States, or 
any agency thereof where the litigation is likely to affect HHS, or HHS 
is a party or has an interest in the litigation and the use of the 
information is relevant and necessary to the litigation.
    6. In the event that a system of records maintained by OIG to carry 
out its functions indicates a violation or potential violation of law, 
whether civil, criminal, or regulatory in nature, and whether arising 
by general statute or particular program statute, or by regulation, 
rule, or order issued pursuant thereto, the relevant records in the 
system of records may be referred, as a routine use, to the appropriate 
agency, whether Federal, State, local, or foreign, charged with the 
responsibility of investigating or prosecuting such violation or 
charged with enforcing or implementing the statute, rule, regulation, 
or order issued pursuant thereto.
    7. In the event the that Department deems it desirable or necessary 
in determining whether particular records are required to be disclosed 
under the Freedom of Information Act, disclosure may be made to the 
Department of Justice for the purpose of obtaining its advice.
    8. A record from this system of records may be disclosed to a 
Federal agency in response to its request in connection with the hiring 
or retention of an employee, the issuance of a security clearance, the 
reporting of an investigation of an employee, the letting of a 
contract, or the issuance of a license, grant, or other benefit by the 
requesting agency, to the extent that the record is relevant and 
necessary to the requesting agency's decision on the matter.
    9. The system of records may be disclosed to student volunteers and 
other individuals performing functions for the Department but 
technically not having the status of agency employees, if they need 
access to the records to perform their assigned agency functions.
    10. A record may be disclosed to appropriate Federal agencies and 
Department contractors that have a need to know the information for the 
purpose of assisting the Department's efforts to respond to a suspected 
or confirmed breach of the security or confidentiality of information 
maintained in this system of records, and the information disclosed is 
relevant and necessary for that assistance.

Safeguards

    OIG has safeguards in place for authorized users and monitors users 
to ensure against unauthorized use. The system will conform to all 
applicable Federal laws and regulations and Federal, HHS, and OIG 
policies and standards as they relate to information security and data 
privacy.

[[Page 66650]]

Effects of the Proposed System of Records on Individual Rights

    This system is established in accordance with the principles and 
requirements of the Privacy Act and will collect, use, and disseminate 
information only as prescribed therein. Data in this system will be 
subject to the authorized releases in accordance with the routine uses 
identified in this system of records notice.
    OIG will take precautionary measures to minimize the risks of 
unauthorized access to the records and the potential harm to individual 
privacy or other personal or property rights of beneficiaries and 
recipients whose data are maintained in the system. OIG will make 
disclosures from the proposed system in accordance with the Privacy 
Act. OIG does not anticipate an unfavorable effect on individual 
privacy as a result of the disclosure of information relating to 
individuals. This proposed change will not otherwise increase access to 
these records.

    Dated: October 28, 2008.
Daniel R. Levinson,
Inspector General.
09-90-1000

SYSTEM NAME:
    Consolidated Data Repository-HHS-OIG.

SYSTEM LOCATION(S):
    Records will be maintained at the following computer site 
locations:
     HHS-OIG, 330 Independence Avenue, SW., Washington, DC 
20201.
     HHS-OIG, N2-01-02, 7500 Security Boulevard, Baltimore, MD 
21244.
    And the following HHS-OIG Regional/Field Office locations:
     JFK Federal Building, Boston, MA 02203.
     J.K. Javits Federal Building, 26 Federal Plaza, New York, 
NY 10278.
     150 South Independence Mall West, Public Ledger Building, 
Philadelphia, PA 19106.
     Atlanta Federal Center, Forsyth Street South, Atlanta, GA 
30303.
     8659 Baypine Road, Suite 203 Jacksonville, FL 32256.
     233 North Michigan Avenue, Room 1360, Chicago, IL 60601.
     3815 West Street, Joseph Hwy, Lansing, MI 48917.
     Galtier Plaza, 380 Jackson Street, Suite 727, St. Paul, MN 
55101.
     1124 Rickard Road, Suite C, Springfield, IL 62704.
     1100 Commerce Street, Dallas, TX 75242.
     1201 Walnut Street, Kansas City, MO 64106.
     90 7th Street, San Francisco, CA 94103.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The records include information concerning Medicare beneficiaries 
and Medicaid recipients.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The categories of records in the system will include Medicare 
beneficiaries' names, addresses, dates of birth, Medicare HIC numbers, 
SSNs, enrollment information and eligibility information, and claims 
information relating to the following types of services: Inpatient, 
skilled nursing facility, outpatient, physician/supplier, home health, 
hospice, durable medical equipment, prescription drug, and Medicare 
Advantage. The records will also include names, addresses, dates of 
birth, and SSNs on Medicaid recipients from State enrollment and 
eligibility files and claims information relating to the following 
types of services: Inpatient, long-term care, professional, dental, 
pharmacy, and Medicare cross-over. The National Provider Identification 
database and the Unique Provider Identification Number (UPIN) directory 
will be stored in this system of records.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Inspector General Act of 1978 (5 U.S.C. App.).

PURPOSE(S):
    The purpose of this system of records is to conduct audits, 
evaluations and inspections, and investigations of the Medicare and 
Medicaid programs.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSE OF SUCH USES:
    The Privacy Act permits OIG to disclose information outside HHS 
without an individual's consent if the information is to be used for a 
purpose that is compatible with the purposes for which the information 
was collected. Any such disclosure of data is known as a routine use. 
Accordingly, we are proposing to establish the following routine use 
disclosures of records maintained in the system:
    a. Disclosure may be made to Federal, State, and local agencies for 
the purpose of better identifying the total current health care usage 
of the Medicare and Medicaid patient population.
    b. Disclosure may be made to Federal, State, and local government 
agencies and national health care organizations to assist in the 
development of programs that will be beneficial to claimants and to 
protect their rights under law and assure that they are receiving all 
benefits to which they are entitled.
    c. Disclosure may be made to a Federal department or agency or to a 
contractor of a Federal department or agency to permit it to conduct 
Federal audits, evaluations and inspections, or investigations 
necessary to accomplish a statutory purpose of an agency. OIG must be 
able to disclose information for purposes needed to accomplish a 
statutory purpose of a Federal agency.
    d. Disclosure may be made to a congressional office from the record 
of an individual in response to an inquiry from the congressional 
office made at the request of that individual.
    e. In the event of litigation, information from the system of 
records may be disclosed to the Department of Justice, to a judicial or 
administrative tribunal, opposing counsel, and witnesses, in the course 
of proceedings involving HHS, any HHS employee (where the matter 
pertains to the employee's official duties), or the United States, or 
any agency thereof where the litigation is likely to affect HHS, or HHS 
is a party or has an interest in the litigation and the use of the 
information is relevant and necessary to the litigation.
    f. In the event that a system of records maintained by OIG to carry 
out its functions indicates a violation or potential violation of law, 
whether civil, criminal, or regulatory in nature, and whether arising 
by general statute or particular program statute, or by regulation, 
rule or order issued pursuant thereto, the relevant records in the 
system of records may be referred, as a routine use, to the appropriate 
agency, whether Federal, State, local, or foreign, charged with the 
responsibility of investigating or prosecuting such violation or 
charged with enforcing or implementing the statute, or rule, regulation 
or order issued pursuant thereto.
    g. In the event that the Department deems it desirable or 
necessary, in determining whether particular records are required to be 
disclosed under the Freedom of Information Act, disclosure may be made 
to the Department of Justice for the purpose of obtaining its advice.
    h. A record from this system of records may be disclosed to a 
Federal agency, in response to its request, in connection with the 
hiring or retention of an employee, the issuance of a security 
clearance, the reporting of an investigation of an employee, the 
letting of a contract, or the issuance of a license, grant, or other 
benefit by the requesting agency, to the extent that the record is 
relevant and necessary to the requesting agency's decision on the 
matter.

[[Page 66651]]

    i. The system of records may be disclosed to student volunteers and 
other individuals performing functions for the Department but 
technically not having the status of agency employees, if they need 
access to the records to perform their assigned agency functions.
    j. A record may be disclosed to appropriate Federal agencies and 
Department contractors that have a need to know the information for the 
purpose of assisting the Department's efforts to respond to a suspected 
or confirmed breach of the security or confidentiality of information 
maintained in this system of records, and the information disclosed is 
relevant and necessary for that assistance.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    Data are maintained on magnetic tape, disk, or laser optical media.

RETRIEVABILITY:
    Records may be retrieved by name, name and one or more criteria 
(e.g., dates of birth, death, and service), SSN, Medicare HIC number, 
Medicaid Identification Number.

SAFEGUARDS:
    The computers that process these data are protected by technical, 
managerial, and operational controls that follow Federal policies and 
guidelines. The computers are protected by a combination of physical 
security by being located in Federal offices; access controls such as 
passwords and identification numbers; and technical protections such as 
encryption, firewalls, and anti-virus software. These controls allow 
only authorized users to access the data.
    Employees who maintain records in this system are instructed not to 
release data until the intended recipient agrees to implement 
appropriate management, operational, and technical safeguards 
sufficient to protect the confidentiality, integrity, and availability 
of the information and information systems and to prevent unauthorized 
access. This system will conform to all applicable Federal laws and 
regulations and Federal, HHS, and OIG policies and standards as they 
relate to information security and data privacy. These laws and 
regulations may apply but are not limited to: The Privacy Act of 1974; 
the Federal Information Security Management Act of 2002; the Computer 
Fraud and Abuse Act of 1986; the Health Insurance Portability and 
Accountability Act of 1996; the eGovernment Act of 2002, the Clinger-
Cohen Act of 1996; the Medicare Prescription Drug, Improvement, and 
Modernization Act of 2003, and the corresponding implementing 
regulations; and OMB Circular A-130, Management of Federal Resources, 
Appendix III, Security of Federal Automated Information Resources also 
applies. Federal, HHS, and OIG policies and standards include but are 
not limited to: All pertinent National Institute of Standards and 
Technology publications; the HHS Information Systems Program Handbook; 
and OIG Information Security Handbooks.

RETENTION AND DISPOSAL:
    These records may be maintained for an indefinite duration.

SYSTEM MANAGER AND ADDRESS:
    The agency official responsible for the system policies and 
practices outlined above is: The Chief Information Officer, Office of 
Management and Policy, Office of Inspector General, Department of 
Health and Human Services, Wilbur J. Cohen Building, Room 5230, 330 
Independence Avenue, SW., Washington, DC 20201.

NOTIFICATION PROCEDURE:
    Any inquiries regarding these systems of records should be 
addressed to the System Manager. An individual who requests 
notification of or access to a medical record shall, at the time the 
request is made, designate in writing a responsible representative who 
will be willing to review the record and inform the subject individual 
of its contents at the representative's discretion. (These notification 
and access procedures are in accordance with Department regulations (45 
CFR 5b.6).)

RECORDS ACCESS PROCEDURES:
    Same as notification procedures. Requesters should also reasonably 
specify the record contents being sought. (These access procedures are 
in accordance with Department regulations (45 CFR 5b.5(a)(2).)

CONTESTING RECORD PROCEDURES:
    Contact the official at the address in the System Manager and 
Address section above, and reasonably identify the record and specify 
the information to be contested and the corrective action sought with 
supporting justification. (These procedures are in accordance with 
Department Regulations (45 CFR 5b.7).)

RECORD SOURCE CATEGORIES:
    Information may be obtained from the Centers for Medicare & 
Medicaid Services National Claims History (inpatient, outpatient, 
physician supplier, nursing home, hospice, home care, and durable 
medical equipment), Drug Data Processing System, Medicare Advantage and 
Prescription Drug system and State Medicaid claims and enrollment 
databases.

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:

    None.
[FR Doc. E8-26725 Filed 11-7-08; 8:45 am]
BILLING CODE 4152-01-P