Privacy Act of 1974; System of Records Notice, 32654-32657 [2013-12671]

Download as PDF 32654 Federal Register / Vol. 78, No. 105 / Friday, May 31, 2013 / Notices EXHIBIT 2—ESTIMATED ANNUALIZED COST BURDEN Number of respondents Form name Total burden hours Average hourly wage rate * Total cost burden Pediatrician and Family Physician Survey .............................. 1,200 600 $85.26 $51,156 Total .................................................................................. 1,200 600 n/a 51,156 * Based upon the higher of the two means of the hourly wages general pediatricians, National Compensation Survey: ‘‘May 2011 National Occupational Employment and Wage Estimates, United States.’’ U.S. Department of Labor, Bureau of Labor Statistics. Request for Comments In accordance with the Paperwork Reduction Act, comments on AHRQ’s information collection are requested with regard to any of the following: (a) Whether the proposed collection of information is necessary for the proper performance of AHRQ health care research and health care information dissemination functions, including whether the information will have practical utility; (b) the accuracy of AHRQ’s estimate of burden (including hours and costs) of the proposed collection(s) of information; (c) ways to enhance the quality, utility, and clarity of the information to be collected; and (d) ways to minimize the burden of the collection of information upon the respondents, including the use of automated collection techniques or other forms of information technology. Comments submitted in response to this notice will be summarized and included in the Agency’s subsequent request for OMB approval of the proposed information collection. All comments will become a matter of public record. Dated: May 21, 2013. Carolyn M. Clancy, Director. [FR Doc. 2013–12672 Filed 5–30–13; 8:45 am] BILLING CODE 4160–90–M DEPARTMENT OF HEALTH AND HUMAN SERVICES Agency for Healthcare Research and Quality Privacy Act of 1974; System of Records Notice Agency for Healthcare Research and Quality (AHRQ), Department of Health and Human Services (HHS). ACTION: Notice to establish a new system of records. tkelley on DSK3SPTVN1PROD with NOTICES AGENCY: SUMMARY: In accordance with the requirements of the Privacy Act of 1974 (5 USC 552a), the Agency for Healthcare Research and Quality (AHRQ) within the Department of Health and Human Services is establishing a new system of VerDate Mar<15>2010 17:40 May 30, 2013 Jkt 229001 records, ‘‘Online Application Ordering for Products from the Healthcare Cost and Utilization Project (HCUP).’’ This online electronic ordering system will streamline and facilitate the dissemination of HCUP databases and software to qualified researchers and result in a more efficient process for both the public and the Agency. The HCUP program and the system of records for the online application ordering process are more thoroughly described in the SUPPLEMENTARY INFORMATION section and System of Records Notice (SORN), below. DATES: Effective 30 days after publication. HHS/AHRQ may publish an amended System of Records Notice (SORN) in light of any comments received. ADDRESSES: Written comments should be sent to: HCUP Project Officer, Agency for Healthcare Research and Quality, 540 Gaither Rd., Rockville, MD 20852 OR to Email: HCUP@AHRQ.GOV. FOR FURTHER INFORMATION CONTACT: HCUP Project Officer, Agency for Healthcare Research and Quality, 540 Gaither Rd., Rockville, MD 20852, 301– 427–1410, or HCUP@AHRQ.GOV, SUPPLEMENTARY INFORMATION: I. Background on New System of Records, ‘‘Online Application Ordering for HCUP Products From the Healthcare Cost and Utilization Project (HCUP)’’ AHRQ is establishing this new system of records to cover personallyidentifiable information (PII) about individuals who purchase HCUP databases and software products for scientific research purposes through a new online ordering system. AHRQ’s research mission, the HCUP databases, and the online ordering process for HCUP databases and software products are explained in more detail below. A. AHRQ’s Research Mission The Healthcare Research and Quality Act of 1999 (‘‘the Act’’), Public Law 106–129, amended Title IX of the Public Health Service act to establish AHRQ. The Act requires that AHRQ enhance the quality, appropriateness, and effectiveness of health services, and PO 00000 Frm 00033 Fmt 4703 Sfmt 4703 enhance access to such services, through the establishment of a broad base of scientific research and through the promotion of improvements in clinical and health systems practices, including the prevention of diseases and other health conditions. AHRQ promotes health care quality improvement by conducting and supporting: (1) Research that develops and presents scientific evidence regarding all aspects of health care; (2) Synthesis and dissemination of available scientific evidence for use by patients, consumers, practitioners, providers, purchasers, policy makers, and educato; and, (3) Initiatives to advance private and public efforts to improve health care quality. B. The HCUP Databases AHRQ created a family of health care databases and related software tools and products known as the Healthcare Cost and Utilization Project (HCUP, pronounced ‘‘H-Cup’’) to conduct and support its research activities. HCUP was developed through a Federal-State Industry partnership and sponsored by AHRQ; it includes the largest collection of longitudinal hospital care data in the United States, with all-payer, encounterlevel information beginning in 1988. The HCUP databases are annual files that contain anonymous information from hospital discharge records for inpatient care and certain components of outpatient care, such as emergency care and ambulatory surgeries. The project currently releases six types of databases created for research use on a broad range of health issues, including cost and quality of health services, medical practice patterns, access to health care programs, and outcomes of treatments at the national, state, and local market levels. HCUP also produces a large number of software tools to enhance the use of administrative health care data for research and public health use. The software tools use information available from a variety of sources to create new data elements, often through sophisticated algorithms, for use with the HCUP databases. E:\FR\FM\31MYN1.SGM 31MYN1 Federal Register / Vol. 78, No. 105 / Friday, May 31, 2013 / Notices tkelley on DSK3SPTVN1PROD with NOTICES C. The Ordering Process for HCUP Databases and Software To support AHRQ’s mission to improve health care through scientific research, HCUP databases and software tools are disseminated to users outside of HHS through a mechanism known as the HCUP Central Distributor, which is operated by a private contractor. Databases and software disseminated through the HCUP Central Distributor are referred to as ‘‘restricted access public release files;’’ they are publicly available, but only under restricted conditions. The HCUP Central Distributor enables qualified researchers to access uniform research data across multiple states with the use of one application process, consisting of the following: (1) HCUP Application. All persons wanting access to the HCUP databases must complete the application process. For state databases, a description of the individual’s planned use of the HCUP data will be reviewed to confirm that it is consistent with the data use restrictions that apply to the data. As an alternative to the online ordering form, paper versions of application packages will continue to be available for download at http://www.HCUPus.AHRQ.gov/tech_assist/centdist.JSP. (2) HCUP Data Use Agreement Training. All persons wanting access to the HCUP databases must complete this online training course. The purpose of the training is to emphasize the importance of data protection, reduce the risk of inadvertent violations, and describe the individual’s responsibility when using HCUP data. The training course can be accessed and completed online at http://www.HCUPus.AHRQ. gov/tech_assist/dua.JSP. (3) HCUP Data Use Agreement (DUA). All persons wanting access to the HCUP databases must sign a data use agreement. Each database has a unique DUA; an example DUA for the Nationwide Inpatient Sample database is available at http://www.HCUPus.AHRQ.gov/team/NISDUA.JSP. HCUP databases are released to researchers outside of AHRQ after the completion of required training and submission of an application that includes a signed HCUP Data Use Agreement (DUA). In addition, before restricted access public release statelevel databases are released, the user is asked for a brief description of their research to ensure that the planned use is consistent with HCUP policies and with the HCUP data use requirements. Fees are set for databases released through the HCUP Central Distributor depending on the type of database. The VerDate Mar<15>2010 17:40 May 30, 2013 Jkt 229001 fees for sale of state-level data are determined by each participating Statewide Data Organization and reimbursed to those organizations. II. The Privacy Act The Privacy Act (5 U.S.C. 552a) governs the means by which the United States Government collects, maintains, and uses personally identifiable information (PII) in a system of records. A ‘‘system of records’’ is a group of any records under the control of a Federal agency from which information about individuals is retrieved by name or other personal identifier. The Privacy Act requires each agency to publish in the Federal Register a system of records notice (SORN) identifying and describing each system of records the agency maintains, including the purposes for which the agency uses PII in the system, the routine uses for which the agency discloses such information outside the agency, and how individual record subjects can exercise their rights under the Privacy Act (e.g., to determine if the system contains information about them). SYSTEM NUMBER: 09–35–0003. SYSTEM NAME: ‘‘Online Application Ordering for Products from the Healthcare Cost and Utilization Project (HCUP)’’. SECURITY CLASSIFICATION: Unclassified. SYSTEM LOCATION: Servers: The servers hosting the system will be housed at the Social & Scientific Systems data center located in Ashburn, VA. Portals: This system will be accessed via the Internet. System Software: System software will be maintained by Social & Scientific Systems, Silver Spring, MD. CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: The system will contain personally identifiable information (PII) about individual researchers who purchase HCUP databases through use of an HCUP online application that includes payment of a fee and execution of a Data Use Agreement placing restrictions on use of the HCUP data. CATEGORIES OF RECORDS IN THE SYSTEM: The system will contain the following categories of records and PII data elements: (1) HCUP Application Form, containing the individual’s contact information (name, address, telephone number and email address), a coded PO 00000 Frm 00034 Fmt 4703 Sfmt 4703 32655 number indicating that the individual completed the required HCUP Data Use Agreement Training, and a description of the individual’s planned use of the HCUP data. (2) Transaction Records, containing information on the database and/or software order and contact information for purchaser. Credit card numbers or bank account information from electronic orders will not be stored in the system after the transaction is complete. (3) HCUP Data Use Agreement (DUA), containing the individual’s signature and contact information. AUTHORITY FOR MAINTENANCE OF THE SYSTEM: 42 U.S.C. 299–299a; 42 U.S.C. 299c–2. PURPOSE(S) OF THE SYSTEM: HHS/AHRQ will use PII from this system for the following purposes: (1) Business Transaction: Contact information will be used to communicate with the individual and to ship the data to the individual (e.g., on a disk or other media). The description of the individual’s planned use of the HCUP data will be reviewed to confirm that it is consistent with the data use restrictions that apply to the data. (2) Payment Transaction: Credit card and bank account information will be used to complete orders for HCUP databases and software products. Credit card and e-check transactions collected by the HCUP information system will be transmitted securely to a PCI-compliant payment gateway for approval. The payment gateway will process the transaction and cause the funds to be transferred when the order is completed. (3) Enforcement of the HCUP Data Use Agreement (DUA): The individual’s signature and contact information on the HCUP DUA and the coded number on the application form indicating completion of HCUP Data Use Agreement Training will be used in the event that the individual violates the DUA, to enforce the data use restrictions. Most of these restrictions have been put in place to safeguard the privacy of individuals and establishments represented in the data. For example, data users can only use the data for research, analysis, and aggregate statistical reporting and are prohibited from attempting to identify any persons in the data. ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES: The system may disclose records containing PII to parties outside HHS for the following routine uses: E:\FR\FM\31MYN1.SGM 31MYN1 32656 Federal Register / Vol. 78, No. 105 / Friday, May 31, 2013 / Notices (1) Records may be disclosed to agency contractors who have been engaged by the agency to assist in accomplishment of the HHS function relating to the purposes of this system of records and who need to have access to the records in order to assist HHS. (2) Records may be disclosed to the Department of Justice (DOA a court, or an adjudicatory body when: • The agency or any component thereof, or • Any employee of the agency in his or her official capacity, or • Any employee of the agency in his or her individual capacity where DOJ has agreed to represent the employee, or • The United States Government, is a party to litigation or has an interest in such litigation and, by careful review, HHS determines that the records are both relevant and necessary to the litigation and that the use of such records by the DOJ, court or adjudicatory body is compatible with the purpose for which the agency collected the records. (3) Records may be disclosed to another federal agency or an instrumentality of any governmental jurisdiction within or under the control of the United States (including any State or local governmental agency), that administers, or that has the authority to investigate, potential fraud, waste or abuse in federally funded programs, when disclosure is deemed reasonably necessary by HHS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste or abuse in such programs. (4) Records may be disclosed to appropriate federal agencies and Department contractors that have a need to know the information for the purpose of assisting the Department’s efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, when the information disclosed is relevant and necessary for that assistance. The system may also disclose PII data for any of the uses authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(2) and (b)(4)–(11). tkelley on DSK3SPTVN1PROD with NOTICES POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM— STORAGE: Information will be collected via the online ordering application, fax, or email. Electronic records are stored in databases on magnetic tape, on magnetic disk and in secure electronic files at the contractor’s location (Social & Scientific VerDate Mar<15>2010 17:40 May 30, 2013 Jkt 229001 Systems in Ashburn, VA) and at the tape storage facility: Storage Village White Flint, North Bethesda, MD. Credit card or e-check information will not be stored in the information system’s database after the transaction is completed. For those who cannot used the online application, the transaction can be completed with payments by check, purchase order, or wire transfer handled by fax or mail, and for these transactions, credit card or e-check information is destroyed when the order is completed. RETRIEVABILITY: The application and HCUP Data Use Agreement records will be retrieved by registrant/user name or User ID number. SAFEGUARDS: The identifiable information collected will be transmitted to the hosting server via an encrypted Secure Socket Layer (SSL) connection. Access to the database housing the identifiable information is accomplished through individual authorized administrative accounts. The server housing the identifiable information is located in a data center owned by Social & Scientific Systems and is located in Ashburn, VA. The data center is protected via 24/7 guards at all entrances, video monitoring systems, biometric hand readers, cage locks, and system firewalls. • The information stored is captured and transmitted over an SSL connection for secure encrypted transmission. • Access to the database is only permissible at the administrator level and is done so either (a) in order to fulfill the applicants request, (b) for system maintenance, or (c) in the event of a DUA violation. • The server housing the system is located in a secure facility with 24/7 guards at the entrance points, camera monitoring systems, biometric hand readers, and cage locks. The information collected by the electronic form will be stored in a SQL Server 2008 database. Data stored in the database will remain there indefinitely until requested by AHRQ. SSS performs nightly backups of the database. The backups are encrypted and stored offsite. At the conclusion of the contract, the information system as well as a current copy of the database can be provided to AHRQ by request. The information system uses a defense-in-depth strategy when it comes to user access. Users are assigned individual credentials along with role based least-privileged user account (LUA). The LUA approach ensures that users follow the principle of least PO 00000 Frm 00035 Fmt 4703 Sfmt 4703 privilege and always log on with limited user accounts. This strategy also aims to limit the use of administrative credentials to administrators, and then only for administrative tasks. RETENTION AND DISPOSAL: Information in the application and Data Use Agreement will be retained for approximately twenty years, and may be kept longer if needed for enforcement, audit, legal, or other agency purposes. Retention is necessary for enforcement of data restrictions in the event of a Data Use Agreement violation. Storage will be in an electronic format that is encrypted, backed up, and stored in two secure locations. PII related to the business transaction will be retained for up to 90 days so that a public user can return to their password protected account and complete their order. If a user forgets his/her password, the system will reset it and convey that information via email. Information related to the payment process will not be retained after the transaction has been completed. Payment options will include credit card, e-check, check, purchase order or wire transfer. Information to complete credit card and e-check transactions will be collected by the information system and transmitted securely to a PCIcompliant payment gateway for approval. The payment gateway product will process the transaction and cause the funds to be transferred when the transaction is captured at the time of shipment. Credit card or e-check information will not be stored in the information system’s database. Payments by check, purchase order, or wire transfer will be handled by fax or mail. SYSTEM MANAGER AND ADDRESS: HCUP Project Officer, Center for Delivery, Organization, and Markets, 540 Gaither Road, Rockville, MD 20850, Telephone: 301–427–1410, HCUP@AHRQ.GOV. Individuals wishing to know if this system contains records about them should write to the System Manager. RECORD ACCESS PROCEDURE: Individuals seeking access to records about them in this system should follow the same instructions indicated under ‘‘Notification Procedure’’ and indicate the record(s) to which access is sought (i.e., application form or HCUP Data Use Agreement). CONTESTING RECORD PROCEDURES: Individuals seeking to contest the content of information about them in E:\FR\FM\31MYN1.SGM 31MYN1 Federal Register / Vol. 78, No. 105 / Friday, May 31, 2013 / Notices this system should follow the same instructions indicated under ‘‘Notification Procedure.’’ The request should reasonably identify the record, specify the information contested, state the corrective action sought, and provide the reasons for the correction, with supporting justification. RECORD SOURCE CATEGORIES: All information will be collected directly from the individual applicants/ users of the Web site, when they complete the online application forms. EXEMPTIONS CLAIMED FOR THIS SYSTEM: None. Dated: May 21, 2013. Carolyn M. Clancy, AHRQ Director. [FR Doc. 2013–12671 Filed 5–30–13; 8:45 am] BILLING CODE 4160–90–M DEPARTMENT OF HEALTH AND HUMAN SERVICES Centers for Disease Control and Prevention (CDC) tkelley on DSK3SPTVN1PROD with NOTICES Board of Scientific Counselors, National Center for Environmental Health/Agency for Toxic Substances and Disease Registry (BSC, NCEH/ ATSDR) In accordance with section 10(a)(2) of the Federal Advisory Committee Act (Pub. L. 92–463), the Centers for Disease Control and Prevention (CDC), announces the following meeting of the aforementioned committee: Times and Dates: 8:30 a.m.–3:00 p.m., June 27, 2013; 8:30 a.m.–12:00 p.m., June 28, 2013. Place: CDC, 4770 Buford Highway, Atlanta, Georgia 30341. Status: Open to the public, limited only by the space available. The meeting room accommodates approximately 60 people. Purpose: The Secretary, Department of Health and Human Services (HHS) and by delegation, the Director, CDC and Administrator, NCEH/ATSDR, are authorized under Section 301(42 U.S.C. 241) and Section 311(42 U.S.C. 243) of the Public Health Service Act, as amended, to: (1) Conduct, encourage, cooperate with, and assist other appropriate public authorities, scientific institutions, and scientists in the conduct of research, investigations, experiments, demonstrations, and studies relating to the causes, diagnosis, treatment, control, and prevention of physical and mental diseases and other impairments; (2) assist states and their political subdivisions in the prevention VerDate Mar<15>2010 17:40 May 30, 2013 Jkt 229001 of infectious diseases and other preventable conditions and in the promotion of health and well being; and (3) train state and local personnel in health work. The BSC, NCEH/ATSDR provides advice and guidance to the Secretary, HHS; the Director, CDC and Administrator, ATSDR; and the Director, NCEH/ATSDR, regarding program goals, objectives, strategies, and priorities in fulfillment of the agency’s mission to protect and promote people’s health. The board provides advice and guidance that will assist NCEH/ATSDR in ensuring scientific quality, timeliness, utility, and dissemination of results. The board also provides guidance to help NCEH/ATSDR work more efficiently and effectively with its various constituents and to fulfill its mission in protecting America’s health. Matters To Be Discussed: The agenda items for the BSC Meeting on June 27– 28, 2013 will include NCEH/ATSDR Office of the Director updates: Environmental Health Emergencies updates, Lead Poisoning Prevention Activities updates, Epi Aids at NCEH/ ATSDR update, Strategic Planning updates; and updates by BSC Federal Expert members on current activities at the National Institute for Occupational Safety and Health, U.S. Department of Energy, National Institute for Environmental Health Services and the U.S. Environmental Protection Agency. Agenda items are subject to change as priorities dictate. SUPPLEMENTARY INFORMATION: The public comment period is scheduled on Thursday, June 27, 2013 from 2:30 p.m. until 2:45 p.m., and on Friday, June 28, 2013 from 10:00 a.m. until 10:15 a.m. Contact Person for More Information: Sandra Malcom, Committee Management Specialist, NCEH/ATSDR, CDC, 4770 Buford Highway, Mail Stop F–61, Chamblee, Georgia 30345; telephone 770/488–0575 or 770/488– 0755, Fax: 770/488–3377; Email: smalcom@cdc.gov. The deadline for notification of attendance is June 21, 2013. The Director, Management Analysis and Services Office, has been delegated the authority to sign Federal Register notices pertaining to announcements of meetings and other committee management activities for both the Centers for Disease Control and Prevention and the Agency for Toxic Substances and Disease Registry. Elaine L. Baker, Director, Management Analysis and Services Office, Centers for Disease Control and Prevention (CDC). [FR Doc. 2013–12912 Filed 5–30–13; 8:45 am] BILLING CODE 4163–18–P PO 00000 Frm 00036 Fmt 4703 Sfmt 4703 32657 DEPARTMENT OF HEALTH AND HUMAN SERVICES Centers for Medicare & Medicaid Services [Document Identifiers: CMS–10302, CMS– R–290 and CMS–10437] Agency Information Collection Activities: Submission for OMB Review; Comment Request Centers for Medicare & Medicaid Services, HHS. In compliance with the requirement of section 3506(c)(2)(A) of the Paperwork Reduction Act of 1995, the Centers for Medicare & Medicaid Services (CMS), Department of Health and Human Services, is publishing the following summary of proposed collections for public comment. Interested persons are invited to send comments regarding this burden estimate or any other aspect of this collection of information, including any of the following subjects: (1) The necessity and utility of the proposed information collection for the proper performance of the Agency’s function; (2) the accuracy of the estimated burden; (3) ways to enhance the quality, utility, and clarity of the information to be collected; and (4) the use of automated collection techniques or other forms of information technology to minimize the information collection burden. 1. Type of Information Collection Request: Extension of a currently approved collection; Title of Information Collection: Collection Requirements for Compendia for Determination of Medically-accepted Indications for Off-label Uses of Drugs and Biologicals in an Anti-cancer Chemotherapeutic Regimen Use: Section 182(b) of the Medicare Improvement of Patients and Providers Act (MIPPA) amended section 1861(t)(2)(B) of the Social Security Act (42 U.S.C. 1395x(t)(2)(B)) by adding at the end the following new sentence: ‘On and after January 1, 2010, no compendia may be included on the list of compendia under this subparagraph unless the compendia has a publicly transparent process for evaluating therapies and for identifying potential conflicts of interest.’ We believe that the implementation of this statutory provision that compendia have a ‘‘publicly transparent process for evaluating therapies and for identifying potential conflicts of interests’’ is best accomplished by amending 42 CFR 414.930 to include the MIPPA requirements and by defining the key components of publicly transparent AGENCY: E:\FR\FM\31MYN1.SGM 31MYN1

Agencies

[Federal Register Volume 78, Number 105 (Friday, May 31, 2013)]
[Notices]
[Pages 32654-32657]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2013-12671]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Agency for Healthcare Research and Quality


Privacy Act of 1974; System of Records Notice

AGENCY: Agency for Healthcare Research and Quality (AHRQ), Department 
of Health and Human Services (HHS).

ACTION: Notice to establish a new system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 1974 
(5 USC 552a), the Agency for Healthcare Research and Quality (AHRQ) 
within the Department of Health and Human Services is establishing a 
new system of records, ``Online Application Ordering for Products from 
the Healthcare Cost and Utilization Project (HCUP).'' This online 
electronic ordering system will streamline and facilitate the 
dissemination of HCUP databases and software to qualified researchers 
and result in a more efficient process for both the public and the 
Agency. The HCUP program and the system of records for the online 
application ordering process are more thoroughly described in the 
Supplementary Information section and System of Records Notice (SORN), 
below.

DATES: Effective 30 days after publication. HHS/AHRQ may publish an 
amended System of Records Notice (SORN) in light of any comments 
received.

ADDRESSES: Written comments should be sent to: HCUP Project Officer, 
Agency for Healthcare Research and Quality, 540 Gaither Rd., Rockville, 
MD 20852 OR to Email: HCUP@AHRQ.GOV.

FOR FURTHER INFORMATION CONTACT: HCUP Project Officer, Agency for 
Healthcare Research and Quality, 540 Gaither Rd., Rockville, MD 20852, 
301-427-1410, or HCUP@AHRQ.GOV,

SUPPLEMENTARY INFORMATION:

I. Background on New System of Records, ``Online Application Ordering 
for HCUP Products From the Healthcare Cost and Utilization Project 
(HCUP)''

    AHRQ is establishing this new system of records to cover 
personally-identifiable information (PII) about individuals who 
purchase HCUP databases and software products for scientific research 
purposes through a new online ordering system. AHRQ's research mission, 
the HCUP databases, and the online ordering process for HCUP databases 
and software products are explained in more detail below.

A. AHRQ's Research Mission

    The Healthcare Research and Quality Act of 1999 (``the Act''), 
Public Law 106-129, amended Title IX of the Public Health Service act 
to establish AHRQ. The Act requires that AHRQ enhance the quality, 
appropriateness, and effectiveness of health services, and enhance 
access to such services, through the establishment of a broad base of 
scientific research and through the promotion of improvements in 
clinical and health systems practices, including the prevention of 
diseases and other health conditions. AHRQ promotes health care quality 
improvement by conducting and supporting:
    (1) Research that develops and presents scientific evidence 
regarding all aspects of health care;
    (2) Synthesis and dissemination of available scientific evidence 
for use by patients, consumers, practitioners, providers, purchasers, 
policy makers, and educato; and,
    (3) Initiatives to advance private and public efforts to improve 
health care quality.

B. The HCUP Databases

    AHRQ created a family of health care databases and related software 
tools and products known as the Healthcare Cost and Utilization Project 
(HCUP, pronounced ``H-Cup'') to conduct and support its research 
activities. HCUP was developed through a Federal-State Industry 
partnership and sponsored by AHRQ; it includes the largest collection 
of longitudinal hospital care data in the United States, with all-
payer, encounter-level information beginning in 1988. The HCUP 
databases are annual files that contain anonymous information from 
hospital discharge records for inpatient care and certain components of 
outpatient care, such as emergency care and ambulatory surgeries. The 
project currently releases six types of databases created for research 
use on a broad range of health issues, including cost and quality of 
health services, medical practice patterns, access to health care 
programs, and outcomes of treatments at the national, state, and local 
market levels. HCUP also produces a large number of software tools to 
enhance the use of administrative health care data for research and 
public health use. The software tools use information available from a 
variety of sources to create new data elements, often through 
sophisticated algorithms, for use with the HCUP databases.

[[Page 32655]]

C. The Ordering Process for HCUP Databases and Software

    To support AHRQ's mission to improve health care through scientific 
research, HCUP databases and software tools are disseminated to users 
outside of HHS through a mechanism known as the HCUP Central 
Distributor, which is operated by a private contractor. Databases and 
software disseminated through the HCUP Central Distributor are referred 
to as ``restricted access public release files;'' they are publicly 
available, but only under restricted conditions. The HCUP Central 
Distributor enables qualified researchers to access uniform research 
data across multiple states with the use of one application process, 
consisting of the following:
    (1) HCUP Application. All persons wanting access to the HCUP 
databases must complete the application process. For state databases, a 
description of the individual's planned use of the HCUP data will be 
reviewed to confirm that it is consistent with the data use 
restrictions that apply to the data. As an alternative to the online 
ordering form, paper versions of application packages will continue to 
be available for download at http://www.HCUP-us.AHRQ.gov/tech_assist/centdist.JSP.
    (2) HCUP Data Use Agreement Training. All persons wanting access to 
the HCUP databases must complete this online training course. The 
purpose of the training is to emphasize the importance of data 
protection, reduce the risk of inadvertent violations, and describe the 
individual's responsibility when using HCUP data. The training course 
can be accessed and completed online at http://www.HCUPus.AHRQ. gov/
tech_assist/dua.JSP.
    (3) HCUP Data Use Agreement (DUA). All persons wanting access to 
the HCUP databases must sign a data use agreement. Each database has a 
unique DUA; an example DUA for the Nationwide Inpatient Sample database 
is available at http://www.HCUP-us.AHRQ.gov/team/NISDUA.JSP.
    HCUP databases are released to researchers outside of AHRQ after 
the completion of required training and submission of an application 
that includes a signed HCUP Data Use Agreement (DUA). In addition, 
before restricted access public release state-level databases are 
released, the user is asked for a brief description of their research 
to ensure that the planned use is consistent with HCUP policies and 
with the HCUP data use requirements. Fees are set for databases 
released through the HCUP Central Distributor depending on the type of 
database. The fees for sale of state-level data are determined by each 
participating Statewide Data Organization and reimbursed to those 
organizations.

II. The Privacy Act

    The Privacy Act (5 U.S.C. 552a) governs the means by which the 
United States Government collects, maintains, and uses personally 
identifiable information (PII) in a system of records. A ``system of 
records'' is a group of any records under the control of a Federal 
agency from which information about individuals is retrieved by name or 
other personal identifier. The Privacy Act requires each agency to 
publish in the Federal Register a system of records notice (SORN) 
identifying and describing each system of records the agency maintains, 
including the purposes for which the agency uses PII in the system, the 
routine uses for which the agency discloses such information outside 
the agency, and how individual record subjects can exercise their 
rights under the Privacy Act (e.g., to determine if the system contains 
information about them).
SYSTEM NUMBER: 09-35-0003.

SYSTEM NAME:
    ``Online Application Ordering for Products from the Healthcare Cost 
and Utilization Project (HCUP)''.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Servers: The servers hosting the system will be housed at the 
Social & Scientific Systems data center located in Ashburn, VA.
    Portals: This system will be accessed via the Internet.
    System Software: System software will be maintained by Social & 
Scientific Systems, Silver Spring, MD.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The system will contain personally identifiable information (PII) 
about individual researchers who purchase HCUP databases through use of 
an HCUP online application that includes payment of a fee and execution 
of a Data Use Agreement placing restrictions on use of the HCUP data.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The system will contain the following categories of records and PII 
data elements:
    (1) HCUP Application Form, containing the individual's contact 
information (name, address, telephone number and email address), a 
coded number indicating that the individual completed the required HCUP 
Data Use Agreement Training, and a description of the individual's 
planned use of the HCUP data.
    (2) Transaction Records, containing information on the database 
and/or software order and contact information for purchaser. Credit 
card numbers or bank account information from electronic orders will 
not be stored in the system after the transaction is complete.
    (3) HCUP Data Use Agreement (DUA), containing the individual's 
signature and contact information.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    42 U.S.C. 299-299a; 42 U.S.C. 299c-2.

PURPOSE(S) OF THE SYSTEM:
    HHS/AHRQ will use PII from this system for the following purposes:
    (1) Business Transaction: Contact information will be used to 
communicate with the individual and to ship the data to the individual 
(e.g., on a disk or other media). The description of the individual's 
planned use of the HCUP data will be reviewed to confirm that it is 
consistent with the data use restrictions that apply to the data.
    (2) Payment Transaction: Credit card and bank account information 
will be used to complete orders for HCUP databases and software 
products. Credit card and e-check transactions collected by the HCUP 
information system will be transmitted securely to a PCI-compliant 
payment gateway for approval. The payment gateway will process the 
transaction and cause the funds to be transferred when the order is 
completed.
    (3) Enforcement of the HCUP Data Use Agreement (DUA): The 
individual's signature and contact information on the HCUP DUA and the 
coded number on the application form indicating completion of HCUP Data 
Use Agreement Training will be used in the event that the individual 
violates the DUA, to enforce the data use restrictions. Most of these 
restrictions have been put in place to safeguard the privacy of 
individuals and establishments represented in the data. For example, 
data users can only use the data for research, analysis, and aggregate 
statistical reporting and are prohibited from attempting to identify 
any persons in the data.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    The system may disclose records containing PII to parties outside 
HHS for the following routine uses:

[[Page 32656]]

    (1) Records may be disclosed to agency contractors who have been 
engaged by the agency to assist in accomplishment of the HHS function 
relating to the purposes of this system of records and who need to have 
access to the records in order to assist HHS.
    (2) Records may be disclosed to the Department of Justice (DOA a 
court, or an adjudicatory body when:
     The agency or any component thereof, or
     Any employee of the agency in his or her official 
capacity, or
     Any employee of the agency in his or her individual 
capacity where DOJ has agreed to represent the employee, or
     The United States Government, is a party to litigation or 
has an interest in such litigation and, by careful review, HHS 
determines that the records are both relevant and necessary to the 
litigation and that the use of such records by the DOJ, court or 
adjudicatory body is compatible with the purpose for which the agency 
collected the records.
    (3) Records may be disclosed to another federal agency or an 
instrumentality of any governmental jurisdiction within or under the 
control of the United States (including any State or local governmental 
agency), that administers, or that has the authority to investigate, 
potential fraud, waste or abuse in federally funded programs, when 
disclosure is deemed reasonably necessary by HHS to prevent, deter, 
discover, detect, investigate, examine, prosecute, sue with respect to, 
defend against, correct, remedy, or otherwise combat fraud, waste or 
abuse in such programs.
    (4) Records may be disclosed to appropriate federal agencies and 
Department contractors that have a need to know the information for the 
purpose of assisting the Department's efforts to respond to a suspected 
or confirmed breach of the security or confidentiality of information 
maintained in this system of records, when the information disclosed is 
relevant and necessary for that assistance.
    The system may also disclose PII data for any of the uses 
authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(2) and 
(b)(4)-(11).

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM--
STORAGE:
    Information will be collected via the online ordering application, 
fax, or email. Electronic records are stored in databases on magnetic 
tape, on magnetic disk and in secure electronic files at the 
contractor's location (Social & Scientific Systems in Ashburn, VA) and 
at the tape storage facility: Storage Village White Flint, North 
Bethesda, MD.
    Credit card or e-check information will not be stored in the 
information system's database after the transaction is completed. For 
those who cannot used the online application, the transaction can be 
completed with payments by check, purchase order, or wire transfer 
handled by fax or mail, and for these transactions, credit card or e-
check information is destroyed when the order is completed.

RETRIEVABILITY:
    The application and HCUP Data Use Agreement records will be 
retrieved by registrant/user name or User ID number.

SAFEGUARDS:
    The identifiable information collected will be transmitted to the 
hosting server via an encrypted Secure Socket Layer (SSL) connection. 
Access to the database housing the identifiable information is 
accomplished through individual authorized administrative accounts. The 
server housing the identifiable information is located in a data center 
owned by Social & Scientific Systems and is located in Ashburn, VA. The 
data center is protected via 24/7 guards at all entrances, video 
monitoring systems, biometric hand readers, cage locks, and system 
firewalls.
     The information stored is captured and transmitted over an 
SSL connection for secure encrypted transmission.
     Access to the database is only permissible at the 
administrator level and is done so either (a) in order to fulfill the 
applicants request, (b) for system maintenance, or (c) in the event of 
a DUA violation.
     The server housing the system is located in a secure 
facility with 24/7 guards at the entrance points, camera monitoring 
systems, biometric hand readers, and cage locks.
    The information collected by the electronic form will be stored in 
a SQL Server 2008 database. Data stored in the database will remain 
there indefinitely until requested by AHRQ. SSS performs nightly 
backups of the database. The backups are encrypted and stored offsite. 
At the conclusion of the contract, the information system as well as a 
current copy of the database can be provided to AHRQ by request.
    The information system uses a defense-in-depth strategy when it 
comes to user access. Users are assigned individual credentials along 
with role based least-privileged user account (LUA). The LUA approach 
ensures that users follow the principle of least privilege and always 
log on with limited user accounts. This strategy also aims to limit the 
use of administrative credentials to administrators, and then only for 
administrative tasks.

RETENTION AND DISPOSAL:
    Information in the application and Data Use Agreement will be 
retained for approximately twenty years, and may be kept longer if 
needed for enforcement, audit, legal, or other agency purposes. 
Retention is necessary for enforcement of data restrictions in the 
event of a Data Use Agreement violation. Storage will be in an 
electronic format that is encrypted, backed up, and stored in two 
secure locations.
    PII related to the business transaction will be retained for up to 
90 days so that a public user can return to their password protected 
account and complete their order. If a user forgets his/her password, 
the system will reset it and convey that information via email.
    Information related to the payment process will not be retained 
after the transaction has been completed. Payment options will include 
credit card, e-check, check, purchase order or wire transfer. 
Information to complete credit card and e-check transactions will be 
collected by the information system and transmitted securely to a PCI-
compliant payment gateway for approval. The payment gateway product 
will process the transaction and cause the funds to be transferred when 
the transaction is captured at the time of shipment. Credit card or e-
check information will not be stored in the information system's 
database. Payments by check, purchase order, or wire transfer will be 
handled by fax or mail.

SYSTEM MANAGER AND ADDRESS:
    HCUP Project Officer, Center for Delivery, Organization, and 
Markets, 540 Gaither Road, Rockville, MD 20850, Telephone: 301-427-
1410, HCUP@AHRQ.GOV.
    Individuals wishing to know if this system contains records about 
them should write to the System Manager.

RECORD ACCESS PROCEDURE:
    Individuals seeking access to records about them in this system 
should follow the same instructions indicated under ``Notification 
Procedure'' and indicate the record(s) to which access is sought (i.e., 
application form or HCUP Data Use Agreement).

CONTESTING RECORD PROCEDURES:
    Individuals seeking to contest the content of information about 
them in

[[Page 32657]]

this system should follow the same instructions indicated under 
``Notification Procedure.'' The request should reasonably identify the 
record, specify the information contested, state the corrective action 
sought, and provide the reasons for the correction, with supporting 
justification.

RECORD SOURCE CATEGORIES:
    All information will be collected directly from the individual 
applicants/users of the Web site, when they complete the online 
application forms.

EXEMPTIONS CLAIMED FOR THIS SYSTEM:
    None.

    Dated: May 21, 2013.
Carolyn M. Clancy,
AHRQ Director.
[FR Doc. 2013-12671 Filed 5-30-13; 8:45 am]
BILLING CODE 4160-90-M