Privacy Act of 1974; System of Records Notice, 32654-32657 [2013-12671]
Download as PDF
<![CDATA[
32654
Federal Register / Vol. 78, No. 105 / Friday, May 31, 2013 / Notices
EXHIBIT 2—ESTIMATED ANNUALIZED COST BURDEN
Number of
respondents
Form name
Total burden
hours
Average hourly
wage rate *
Total cost
burden
Pediatrician and Family Physician Survey ..............................
1,200
600
$85.26
$51,156
Total ..................................................................................
1,200
600
n/a
51,156
* Based upon the higher of the two means of the hourly wages general pediatricians, National Compensation Survey: ‘‘May 2011 National Occupational Employment and Wage Estimates, United States.’’ U.S. Department of Labor, Bureau of Labor Statistics.
Request for Comments
In accordance with the Paperwork
Reduction Act, comments on AHRQ’s
information collection are requested
with regard to any of the following: (a)
Whether the proposed collection of
information is necessary for the proper
performance of AHRQ health care
research and health care information
dissemination functions, including
whether the information will have
practical utility; (b) the accuracy of
AHRQ’s estimate of burden (including
hours and costs) of the proposed
collection(s) of information; (c) ways to
enhance the quality, utility, and clarity
of the information to be collected; and
(d) ways to minimize the burden of the
collection of information upon the
respondents, including the use of
automated collection techniques or
other forms of information technology.
Comments submitted in response to
this notice will be summarized and
included in the Agency’s subsequent
request for OMB approval of the
proposed information collection. All
comments will become a matter of
public record.
Dated: May 21, 2013.
Carolyn M. Clancy,
Director.
[FR Doc. 2013–12672 Filed 5–30–13; 8:45 am]
BILLING CODE 4160–90–M
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Agency for Healthcare Research and
Quality
Privacy Act of 1974; System of
Records Notice
Agency for Healthcare Research
and Quality (AHRQ), Department of
Health and Human Services (HHS).
ACTION: Notice to establish a new system
of records.
tkelley on DSK3SPTVN1PROD with NOTICES
AGENCY:
SUMMARY: In accordance with the
requirements of the Privacy Act of 1974
(5 USC 552a), the Agency for Healthcare
Research and Quality (AHRQ) within
the Department of Health and Human
Services is establishing a new system of
VerDate Mar<15>2010
17:40 May 30, 2013
Jkt 229001
records, ‘‘Online Application Ordering
for Products from the Healthcare Cost
and Utilization Project (HCUP).’’ This
online electronic ordering system will
streamline and facilitate the
dissemination of HCUP databases and
software to qualified researchers and
result in a more efficient process for
both the public and the Agency. The
HCUP program and the system of
records for the online application
ordering process are more thoroughly
described in the SUPPLEMENTARY
INFORMATION section and System of
Records Notice (SORN), below.
DATES: Effective 30 days after
publication. HHS/AHRQ may publish
an amended System of Records Notice
(SORN) in light of any comments
received.
ADDRESSES: Written comments should
be sent to: HCUP Project Officer, Agency
for Healthcare Research and Quality,
540 Gaither Rd., Rockville, MD 20852
OR to Email: HCUP@AHRQ.GOV.
FOR FURTHER INFORMATION CONTACT:
HCUP Project Officer, Agency for
Healthcare Research and Quality, 540
Gaither Rd., Rockville, MD 20852, 301–
427–1410, or HCUP@AHRQ.GOV,
SUPPLEMENTARY INFORMATION:
I. Background on New System of
Records, ‘‘Online Application Ordering
for HCUP Products From the
Healthcare Cost and Utilization Project
(HCUP)’’
AHRQ is establishing this new system
of records to cover personallyidentifiable information (PII) about
individuals who purchase HCUP
databases and software products for
scientific research purposes through a
new online ordering system. AHRQ’s
research mission, the HCUP databases,
and the online ordering process for
HCUP databases and software products
are explained in more detail below.
A. AHRQ’s Research Mission
The Healthcare Research and Quality
Act of 1999 (‘‘the Act’’), Public Law
106–129, amended Title IX of the Public
Health Service act to establish AHRQ.
The Act requires that AHRQ enhance
the quality, appropriateness, and
effectiveness of health services, and
PO 00000
Frm 00033
Fmt 4703
Sfmt 4703
enhance access to such services,
through the establishment of a broad
base of scientific research and through
the promotion of improvements in
clinical and health systems practices,
including the prevention of diseases and
other health conditions. AHRQ
promotes health care quality
improvement by conducting and
supporting:
(1) Research that develops and
presents scientific evidence regarding
all aspects of health care;
(2) Synthesis and dissemination of
available scientific evidence for use by
patients, consumers, practitioners,
providers, purchasers, policy makers,
and educato; and,
(3) Initiatives to advance private and
public efforts to improve health care
quality.
B. The HCUP Databases
AHRQ created a family of health care
databases and related software tools and
products known as the Healthcare Cost
and Utilization Project (HCUP,
pronounced ‘‘H-Cup’’) to conduct and
support its research activities. HCUP
was developed through a Federal-State
Industry partnership and sponsored by
AHRQ; it includes the largest collection
of longitudinal hospital care data in the
United States, with all-payer, encounterlevel information beginning in 1988.
The HCUP databases are annual files
that contain anonymous information
from hospital discharge records for
inpatient care and certain components
of outpatient care, such as emergency
care and ambulatory surgeries. The
project currently releases six types of
databases created for research use on a
broad range of health issues, including
cost and quality of health services,
medical practice patterns, access to
health care programs, and outcomes of
treatments at the national, state, and
local market levels. HCUP also produces
a large number of software tools to
enhance the use of administrative health
care data for research and public health
use. The software tools use information
available from a variety of sources to
create new data elements, often through
sophisticated algorithms, for use with
the HCUP databases.
E:\FR\FM\31MYN1.SGM
31MYN1
Federal Register / Vol. 78, No. 105 / Friday, May 31, 2013 / Notices
tkelley on DSK3SPTVN1PROD with NOTICES
C. The Ordering Process for HCUP
Databases and Software
To support AHRQ’s mission to
improve health care through scientific
research, HCUP databases and software
tools are disseminated to users outside
of HHS through a mechanism known as
the HCUP Central Distributor, which is
operated by a private contractor.
Databases and software disseminated
through the HCUP Central Distributor
are referred to as ‘‘restricted access
public release files;’’ they are publicly
available, but only under restricted
conditions. The HCUP Central
Distributor enables qualified researchers
to access uniform research data across
multiple states with the use of one
application process, consisting of the
following:
(1) HCUP Application. All persons
wanting access to the HCUP databases
must complete the application process.
For state databases, a description of the
individual’s planned use of the HCUP
data will be reviewed to confirm that it
is consistent with the data use
restrictions that apply to the data. As an
alternative to the online ordering form,
paper versions of application packages
will continue to be available for
download at https://www.HCUPus.AHRQ.gov/tech_assist/centdist.JSP.
(2) HCUP Data Use Agreement
Training. All persons wanting access to
the HCUP databases must complete this
online training course. The purpose of
the training is to emphasize the
importance of data protection, reduce
the risk of inadvertent violations, and
describe the individual’s responsibility
when using HCUP data. The training
course can be accessed and completed
online at https://www.HCUPus.AHRQ.
gov/tech_assist/dua.JSP.
(3) HCUP Data Use Agreement (DUA).
All persons wanting access to the HCUP
databases must sign a data use
agreement. Each database has a unique
DUA; an example DUA for the
Nationwide Inpatient Sample database
is available at https://www.HCUPus.AHRQ.gov/team/NISDUA.JSP.
HCUP databases are released to
researchers outside of AHRQ after the
completion of required training and
submission of an application that
includes a signed HCUP Data Use
Agreement (DUA). In addition, before
restricted access public release statelevel databases are released, the user is
asked for a brief description of their
research to ensure that the planned use
is consistent with HCUP policies and
with the HCUP data use requirements.
Fees are set for databases released
through the HCUP Central Distributor
depending on the type of database. The
VerDate Mar<15>2010
17:40 May 30, 2013
Jkt 229001
fees for sale of state-level data are
determined by each participating
Statewide Data Organization and
reimbursed to those organizations.
II. The Privacy Act
The Privacy Act (5 U.S.C. 552a)
governs the means by which the United
States Government collects, maintains,
and uses personally identifiable
information (PII) in a system of records.
A ‘‘system of records’’ is a group of any
records under the control of a Federal
agency from which information about
individuals is retrieved by name or
other personal identifier. The Privacy
Act requires each agency to publish in
the Federal Register a system of records
notice (SORN) identifying and
describing each system of records the
agency maintains, including the
purposes for which the agency uses PII
in the system, the routine uses for
which the agency discloses such
information outside the agency, and
how individual record subjects can
exercise their rights under the Privacy
Act (e.g., to determine if the system
contains information about them).
SYSTEM NUMBER: 09–35–0003.
SYSTEM NAME:
‘‘Online Application Ordering for
Products from the Healthcare Cost and
Utilization Project (HCUP)’’.
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
Servers: The servers hosting the
system will be housed at the Social &
Scientific Systems data center located in
Ashburn, VA.
Portals: This system will be accessed
via the Internet.
System Software: System software
will be maintained by Social &
Scientific Systems, Silver Spring, MD.
CATEGORIES OF INDIVIDUALS COVERED BY THE
SYSTEM:
The system will contain personally
identifiable information (PII) about
individual researchers who purchase
HCUP databases through use of an
HCUP online application that includes
payment of a fee and execution of a Data
Use Agreement placing restrictions on
use of the HCUP data.
CATEGORIES OF RECORDS IN THE SYSTEM:
The system will contain the following
categories of records and PII data
elements:
(1) HCUP Application Form,
containing the individual’s contact
information (name, address, telephone
number and email address), a coded
PO 00000
Frm 00034
Fmt 4703
Sfmt 4703
32655
number indicating that the individual
completed the required HCUP Data Use
Agreement Training, and a description
of the individual’s planned use of the
HCUP data.
(2) Transaction Records, containing
information on the database and/or
software order and contact information
for purchaser. Credit card numbers or
bank account information from
electronic orders will not be stored in
the system after the transaction is
complete.
(3) HCUP Data Use Agreement (DUA),
containing the individual’s signature
and contact information.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
42 U.S.C. 299–299a; 42 U.S.C.
299c–2.
PURPOSE(S) OF THE SYSTEM:
HHS/AHRQ will use PII from this
system for the following purposes:
(1) Business Transaction: Contact
information will be used to
communicate with the individual and to
ship the data to the individual (e.g., on
a disk or other media). The description
of the individual’s planned use of the
HCUP data will be reviewed to confirm
that it is consistent with the data use
restrictions that apply to the data.
(2) Payment Transaction: Credit card
and bank account information will be
used to complete orders for HCUP
databases and software products. Credit
card and e-check transactions collected
by the HCUP information system will be
transmitted securely to a PCI-compliant
payment gateway for approval. The
payment gateway will process the
transaction and cause the funds to be
transferred when the order is
completed.
(3) Enforcement of the HCUP Data Use
Agreement (DUA): The individual’s
signature and contact information on
the HCUP DUA and the coded number
on the application form indicating
completion of HCUP Data Use
Agreement Training will be used in the
event that the individual violates the
DUA, to enforce the data use
restrictions. Most of these restrictions
have been put in place to safeguard the
privacy of individuals and
establishments represented in the data.
For example, data users can only use the
data for research, analysis, and aggregate
statistical reporting and are prohibited
from attempting to identify any persons
in the data.
ROUTINE USES OF RECORDS MAINTAINED IN THE
SYSTEM, INCLUDING CATEGORIES OF USERS AND
THE PURPOSES OF SUCH USES:
The system may disclose records
containing PII to parties outside HHS for
the following routine uses:
E:\FR\FM\31MYN1.SGM
31MYN1
32656
Federal Register / Vol. 78, No. 105 / Friday, May 31, 2013 / Notices
(1) Records may be disclosed to
agency contractors who have been
engaged by the agency to assist in
accomplishment of the HHS function
relating to the purposes of this system
of records and who need to have access
to the records in order to assist HHS.
(2) Records may be disclosed to the
Department of Justice (DOA a court, or
an adjudicatory body when:
• The agency or any component
thereof, or
• Any employee of the agency in his
or her official capacity, or
• Any employee of the agency in his
or her individual capacity where DOJ
has agreed to represent the employee, or
• The United States Government, is a
party to litigation or has an interest in
such litigation and, by careful review,
HHS determines that the records are
both relevant and necessary to the
litigation and that the use of such
records by the DOJ, court or
adjudicatory body is compatible with
the purpose for which the agency
collected the records.
(3) Records may be disclosed to
another federal agency or an
instrumentality of any governmental
jurisdiction within or under the control
of the United States (including any State
or local governmental agency), that
administers, or that has the authority to
investigate, potential fraud, waste or
abuse in federally funded programs,
when disclosure is deemed reasonably
necessary by HHS to prevent, deter,
discover, detect, investigate, examine,
prosecute, sue with respect to, defend
against, correct, remedy, or otherwise
combat fraud, waste or abuse in such
programs.
(4) Records may be disclosed to
appropriate federal agencies and
Department contractors that have a need
to know the information for the purpose
of assisting the Department’s efforts to
respond to a suspected or confirmed
breach of the security or confidentiality
of information maintained in this
system of records, when the information
disclosed is relevant and necessary for
that assistance.
The system may also disclose PII data
for any of the uses authorized directly
in the Privacy Act at 5 U.S.C. 552a(b)(2)
and (b)(4)–(11).
tkelley on DSK3SPTVN1PROD with NOTICES
POLICIES AND PRACTICES FOR STORING,
RETRIEVING, ACCESSING, RETAINING, AND
DISPOSING OF RECORDS IN THE SYSTEM—
STORAGE:
Information will be collected via the
online ordering application, fax, or
email. Electronic records are stored in
databases on magnetic tape, on magnetic
disk and in secure electronic files at the
contractor’s location (Social & Scientific
VerDate Mar<15>2010
17:40 May 30, 2013
Jkt 229001
Systems in Ashburn, VA) and at the
tape storage facility: Storage Village
White Flint, North Bethesda, MD.
Credit card or e-check information
will not be stored in the information
system’s database after the transaction is
completed. For those who cannot used
the online application, the transaction
can be completed with payments by
check, purchase order, or wire transfer
handled by fax or mail, and for these
transactions, credit card or e-check
information is destroyed when the order
is completed.
RETRIEVABILITY:
The application and HCUP Data Use
Agreement records will be retrieved by
registrant/user name or User ID number.
SAFEGUARDS:
The identifiable information collected
will be transmitted to the hosting server
via an encrypted Secure Socket Layer
(SSL) connection. Access to the
database housing the identifiable
information is accomplished through
individual authorized administrative
accounts. The server housing the
identifiable information is located in a
data center owned by Social & Scientific
Systems and is located in Ashburn, VA.
The data center is protected via 24/7
guards at all entrances, video
monitoring systems, biometric hand
readers, cage locks, and system
firewalls.
• The information stored is captured
and transmitted over an SSL connection
for secure encrypted transmission.
• Access to the database is only
permissible at the administrator level
and is done so either (a) in order to
fulfill the applicants request, (b) for
system maintenance, or (c) in the event
of a DUA violation.
• The server housing the system is
located in a secure facility with 24/7
guards at the entrance points, camera
monitoring systems, biometric hand
readers, and cage locks.
The information collected by the
electronic form will be stored in a SQL
Server 2008 database. Data stored in the
database will remain there indefinitely
until requested by AHRQ. SSS performs
nightly backups of the database. The
backups are encrypted and stored
offsite. At the conclusion of the
contract, the information system as well
as a current copy of the database can be
provided to AHRQ by request.
The information system uses a
defense-in-depth strategy when it comes
to user access. Users are assigned
individual credentials along with role
based least-privileged user account
(LUA). The LUA approach ensures that
users follow the principle of least
PO 00000
Frm 00035
Fmt 4703
Sfmt 4703
privilege and always log on with limited
user accounts. This strategy also aims to
limit the use of administrative
credentials to administrators, and then
only for administrative tasks.
RETENTION AND DISPOSAL:
Information in the application and
Data Use Agreement will be retained for
approximately twenty years, and may be
kept longer if needed for enforcement,
audit, legal, or other agency purposes.
Retention is necessary for enforcement
of data restrictions in the event of a Data
Use Agreement violation. Storage will
be in an electronic format that is
encrypted, backed up, and stored in two
secure locations.
PII related to the business transaction
will be retained for up to 90 days so that
a public user can return to their
password protected account and
complete their order. If a user forgets
his/her password, the system will reset
it and convey that information via
email.
Information related to the payment
process will not be retained after the
transaction has been completed.
Payment options will include credit
card, e-check, check, purchase order or
wire transfer. Information to complete
credit card and e-check transactions will
be collected by the information system
and transmitted securely to a PCIcompliant payment gateway for
approval. The payment gateway product
will process the transaction and cause
the funds to be transferred when the
transaction is captured at the time of
shipment. Credit card or e-check
information will not be stored in the
information system’s database.
Payments by check, purchase order, or
wire transfer will be handled by fax or
mail.
SYSTEM MANAGER AND ADDRESS:
HCUP Project Officer, Center for
Delivery, Organization, and Markets,
540 Gaither Road, Rockville, MD 20850,
Telephone: 301–427–1410,
HCUP@AHRQ.GOV.
Individuals wishing to know if this
system contains records about them
should write to the System Manager.
RECORD ACCESS PROCEDURE:
Individuals seeking access to records
about them in this system should follow
the same instructions indicated under
‘‘Notification Procedure’’ and indicate
the record(s) to which access is sought
(i.e., application form or HCUP Data Use
Agreement).
CONTESTING RECORD PROCEDURES:
Individuals seeking to contest the
content of information about them in
E:\FR\FM\31MYN1.SGM
31MYN1
Federal Register / Vol. 78, No. 105 / Friday, May 31, 2013 / Notices
this system should follow the same
instructions indicated under
‘‘Notification Procedure.’’ The request
should reasonably identify the record,
specify the information contested, state
the corrective action sought, and
provide the reasons for the correction,
with supporting justification.
RECORD SOURCE CATEGORIES:
All information will be collected
directly from the individual applicants/
users of the Web site, when they
complete the online application forms.
EXEMPTIONS CLAIMED FOR THIS SYSTEM:
None.
Dated: May 21, 2013.
Carolyn M. Clancy,
AHRQ Director.
[FR Doc. 2013–12671 Filed 5–30–13; 8:45 am]
BILLING CODE 4160–90–M
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Centers for Disease Control and
Prevention (CDC)
tkelley on DSK3SPTVN1PROD with NOTICES
Board of Scientific Counselors,
National Center for Environmental
Health/Agency for Toxic Substances
and Disease Registry (BSC, NCEH/
ATSDR)
In accordance with section 10(a)(2) of
the Federal Advisory Committee Act
(Pub. L. 92–463), the Centers for Disease
Control and Prevention (CDC),
announces the following meeting of the
aforementioned committee:
Times and Dates: 8:30 a.m.–3:00 p.m.,
June 27, 2013; 8:30 a.m.–12:00 p.m.,
June 28, 2013.
Place: CDC, 4770 Buford Highway,
Atlanta, Georgia 30341.
Status: Open to the public, limited
only by the space available. The meeting
room accommodates approximately 60
people.
Purpose: The Secretary, Department
of Health and Human Services (HHS)
and by delegation, the Director, CDC
and Administrator, NCEH/ATSDR, are
authorized under Section 301(42 U.S.C.
241) and Section 311(42 U.S.C. 243) of
the Public Health Service Act, as
amended, to: (1) Conduct, encourage,
cooperate with, and assist other
appropriate public authorities, scientific
institutions, and scientists in the
conduct of research, investigations,
experiments, demonstrations, and
studies relating to the causes, diagnosis,
treatment, control, and prevention of
physical and mental diseases and other
impairments; (2) assist states and their
political subdivisions in the prevention
VerDate Mar<15>2010
17:40 May 30, 2013
Jkt 229001
of infectious diseases and other
preventable conditions and in the
promotion of health and well being; and
(3) train state and local personnel in
health work. The BSC, NCEH/ATSDR
provides advice and guidance to the
Secretary, HHS; the Director, CDC and
Administrator, ATSDR; and the
Director, NCEH/ATSDR, regarding
program goals, objectives, strategies, and
priorities in fulfillment of the agency’s
mission to protect and promote people’s
health. The board provides advice and
guidance that will assist NCEH/ATSDR
in ensuring scientific quality,
timeliness, utility, and dissemination of
results. The board also provides
guidance to help NCEH/ATSDR work
more efficiently and effectively with its
various constituents and to fulfill its
mission in protecting America’s health.
Matters To Be Discussed: The agenda
items for the BSC Meeting on June 27–
28, 2013 will include NCEH/ATSDR
Office of the Director updates:
Environmental Health Emergencies
updates, Lead Poisoning Prevention
Activities updates, Epi Aids at NCEH/
ATSDR update, Strategic Planning
updates; and updates by BSC Federal
Expert members on current activities at
the National Institute for Occupational
Safety and Health, U.S. Department of
Energy, National Institute for
Environmental Health Services and the
U.S. Environmental Protection Agency.
Agenda items are subject to change as
priorities dictate.
SUPPLEMENTARY INFORMATION: The
public comment period is scheduled on
Thursday, June 27, 2013 from 2:30 p.m.
until 2:45 p.m., and on Friday, June 28,
2013 from 10:00 a.m. until 10:15 a.m.
Contact Person for More Information:
Sandra Malcom, Committee
Management Specialist, NCEH/ATSDR,
CDC, 4770 Buford Highway, Mail Stop
F–61, Chamblee, Georgia 30345;
telephone 770/488–0575 or 770/488–
0755, Fax: 770/488–3377; Email:
smalcom@cdc.gov. The deadline for
notification of attendance is June 21,
2013.
The Director, Management Analysis
and Services Office, has been delegated
the authority to sign Federal Register
notices pertaining to announcements of
meetings and other committee
management activities for both the
Centers for Disease Control and
Prevention and the Agency for Toxic
Substances and Disease Registry.
Elaine L. Baker,
Director, Management Analysis and Services
Office, Centers for Disease Control and
Prevention (CDC).
[FR Doc. 2013–12912 Filed 5–30–13; 8:45 am]
BILLING CODE 4163–18–P
PO 00000
Frm 00036
Fmt 4703
Sfmt 4703
32657
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Centers for Medicare & Medicaid
Services
[Document Identifiers: CMS–10302, CMS–
R–290 and CMS–10437]
Agency Information Collection
Activities: Submission for OMB
Review; Comment Request
Centers for Medicare &
Medicaid Services, HHS.
In compliance with the requirement
of section 3506(c)(2)(A) of the
Paperwork Reduction Act of 1995, the
Centers for Medicare & Medicaid
Services (CMS), Department of Health
and Human Services, is publishing the
following summary of proposed
collections for public comment.
Interested persons are invited to send
comments regarding this burden
estimate or any other aspect of this
collection of information, including any
of the following subjects: (1) The
necessity and utility of the proposed
information collection for the proper
performance of the Agency’s function;
(2) the accuracy of the estimated
burden; (3) ways to enhance the quality,
utility, and clarity of the information to
be collected; and (4) the use of
automated collection techniques or
other forms of information technology to
minimize the information collection
burden.
1. Type of Information Collection
Request: Extension of a currently
approved collection; Title of
Information Collection: Collection
Requirements for Compendia for
Determination of Medically-accepted
Indications for Off-label Uses of Drugs
and Biologicals in an Anti-cancer
Chemotherapeutic Regimen Use:
Section 182(b) of the Medicare
Improvement of Patients and Providers
Act (MIPPA) amended section
1861(t)(2)(B) of the Social Security Act
(42 U.S.C. 1395x(t)(2)(B)) by adding at
the end the following new sentence: ‘On
and after January 1, 2010, no compendia
may be included on the list of
compendia under this subparagraph
unless the compendia has a publicly
transparent process for evaluating
therapies and for identifying potential
conflicts of interest.’ We believe that the
implementation of this statutory
provision that compendia have a
‘‘publicly transparent process for
evaluating therapies and for identifying
potential conflicts of interests’’ is best
accomplished by amending 42 CFR
414.930 to include the MIPPA
requirements and by defining the key
components of publicly transparent
AGENCY:
E:\FR\FM\31MYN1.SGM
31MYN1
]]>Agencies
[Federal Register Volume 78, Number 105 (Friday, May 31, 2013)]
[Notices]
[Pages 32654-32657]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2013-12671]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Agency for Healthcare Research and Quality
Privacy Act of 1974; System of Records Notice
AGENCY: Agency for Healthcare Research and Quality (AHRQ), Department
of Health and Human Services (HHS).
ACTION: Notice to establish a new system of records.
-----------------------------------------------------------------------
SUMMARY: In accordance with the requirements of the Privacy Act of 1974
(5 USC 552a), the Agency for Healthcare Research and Quality (AHRQ)
within the Department of Health and Human Services is establishing a
new system of records, ``Online Application Ordering for Products from
the Healthcare Cost and Utilization Project (HCUP).'' This online
electronic ordering system will streamline and facilitate the
dissemination of HCUP databases and software to qualified researchers
and result in a more efficient process for both the public and the
Agency. The HCUP program and the system of records for the online
application ordering process are more thoroughly described in the
Supplementary Information section and System of Records Notice (SORN),
below.
DATES: Effective 30 days after publication. HHS/AHRQ may publish an
amended System of Records Notice (SORN) in light of any comments
received.
ADDRESSES: Written comments should be sent to: HCUP Project Officer,
Agency for Healthcare Research and Quality, 540 Gaither Rd., Rockville,
MD 20852 OR to Email: HCUP@AHRQ.GOV.
FOR FURTHER INFORMATION CONTACT: HCUP Project Officer, Agency for
Healthcare Research and Quality, 540 Gaither Rd., Rockville, MD 20852,
301-427-1410, or HCUP@AHRQ.GOV,
SUPPLEMENTARY INFORMATION:
I. Background on New System of Records, ``Online Application Ordering
for HCUP Products From the Healthcare Cost and Utilization Project
(HCUP)''
AHRQ is establishing this new system of records to cover
personally-identifiable information (PII) about individuals who
purchase HCUP databases and software products for scientific research
purposes through a new online ordering system. AHRQ's research mission,
the HCUP databases, and the online ordering process for HCUP databases
and software products are explained in more detail below.
A. AHRQ's Research Mission
The Healthcare Research and Quality Act of 1999 (``the Act''),
Public Law 106-129, amended Title IX of the Public Health Service act
to establish AHRQ. The Act requires that AHRQ enhance the quality,
appropriateness, and effectiveness of health services, and enhance
access to such services, through the establishment of a broad base of
scientific research and through the promotion of improvements in
clinical and health systems practices, including the prevention of
diseases and other health conditions. AHRQ promotes health care quality
improvement by conducting and supporting:
(1) Research that develops and presents scientific evidence
regarding all aspects of health care;
(2) Synthesis and dissemination of available scientific evidence
for use by patients, consumers, practitioners, providers, purchasers,
policy makers, and educato; and,
(3) Initiatives to advance private and public efforts to improve
health care quality.
B. The HCUP Databases
AHRQ created a family of health care databases and related software
tools and products known as the Healthcare Cost and Utilization Project
(HCUP, pronounced ``H-Cup'') to conduct and support its research
activities. HCUP was developed through a Federal-State Industry
partnership and sponsored by AHRQ; it includes the largest collection
of longitudinal hospital care data in the United States, with all-
payer, encounter-level information beginning in 1988. The HCUP
databases are annual files that contain anonymous information from
hospital discharge records for inpatient care and certain components of
outpatient care, such as emergency care and ambulatory surgeries. The
project currently releases six types of databases created for research
use on a broad range of health issues, including cost and quality of
health services, medical practice patterns, access to health care
programs, and outcomes of treatments at the national, state, and local
market levels. HCUP also produces a large number of software tools to
enhance the use of administrative health care data for research and
public health use. The software tools use information available from a
variety of sources to create new data elements, often through
sophisticated algorithms, for use with the HCUP databases.
[[Page 32655]]
C. The Ordering Process for HCUP Databases and Software
To support AHRQ's mission to improve health care through scientific
research, HCUP databases and software tools are disseminated to users
outside of HHS through a mechanism known as the HCUP Central
Distributor, which is operated by a private contractor. Databases and
software disseminated through the HCUP Central Distributor are referred
to as ``restricted access public release files;'' they are publicly
available, but only under restricted conditions. The HCUP Central
Distributor enables qualified researchers to access uniform research
data across multiple states with the use of one application process,
consisting of the following:
(1) HCUP Application. All persons wanting access to the HCUP
databases must complete the application process. For state databases, a
description of the individual's planned use of the HCUP data will be
reviewed to confirm that it is consistent with the data use
restrictions that apply to the data. As an alternative to the online
ordering form, paper versions of application packages will continue to
be available for download at https://www.HCUP-us.AHRQ.gov/tech_assist/centdist.JSP.
(2) HCUP Data Use Agreement Training. All persons wanting access to
the HCUP databases must complete this online training course. The
purpose of the training is to emphasize the importance of data
protection, reduce the risk of inadvertent violations, and describe the
individual's responsibility when using HCUP data. The training course
can be accessed and completed online at https://www.HCUPus.AHRQ. gov/
tech_assist/dua.JSP.
(3) HCUP Data Use Agreement (DUA). All persons wanting access to
the HCUP databases must sign a data use agreement. Each database has a
unique DUA; an example DUA for the Nationwide Inpatient Sample database
is available at https://www.HCUP-us.AHRQ.gov/team/NISDUA.JSP.
HCUP databases are released to researchers outside of AHRQ after
the completion of required training and submission of an application
that includes a signed HCUP Data Use Agreement (DUA). In addition,
before restricted access public release state-level databases are
released, the user is asked for a brief description of their research
to ensure that the planned use is consistent with HCUP policies and
with the HCUP data use requirements. Fees are set for databases
released through the HCUP Central Distributor depending on the type of
database. The fees for sale of state-level data are determined by each
participating Statewide Data Organization and reimbursed to those
organizations.
II. The Privacy Act
The Privacy Act (5 U.S.C. 552a) governs the means by which the
United States Government collects, maintains, and uses personally
identifiable information (PII) in a system of records. A ``system of
records'' is a group of any records under the control of a Federal
agency from which information about individuals is retrieved by name or
other personal identifier. The Privacy Act requires each agency to
publish in the Federal Register a system of records notice (SORN)
identifying and describing each system of records the agency maintains,
including the purposes for which the agency uses PII in the system, the
routine uses for which the agency discloses such information outside
the agency, and how individual record subjects can exercise their
rights under the Privacy Act (e.g., to determine if the system contains
information about them).
SYSTEM NUMBER: 09-35-0003.
SYSTEM NAME:
``Online Application Ordering for Products from the Healthcare Cost
and Utilization Project (HCUP)''.
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
Servers: The servers hosting the system will be housed at the
Social & Scientific Systems data center located in Ashburn, VA.
Portals: This system will be accessed via the Internet.
System Software: System software will be maintained by Social &
Scientific Systems, Silver Spring, MD.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
The system will contain personally identifiable information (PII)
about individual researchers who purchase HCUP databases through use of
an HCUP online application that includes payment of a fee and execution
of a Data Use Agreement placing restrictions on use of the HCUP data.
CATEGORIES OF RECORDS IN THE SYSTEM:
The system will contain the following categories of records and PII
data elements:
(1) HCUP Application Form, containing the individual's contact
information (name, address, telephone number and email address), a
coded number indicating that the individual completed the required HCUP
Data Use Agreement Training, and a description of the individual's
planned use of the HCUP data.
(2) Transaction Records, containing information on the database
and/or software order and contact information for purchaser. Credit
card numbers or bank account information from electronic orders will
not be stored in the system after the transaction is complete.
(3) HCUP Data Use Agreement (DUA), containing the individual's
signature and contact information.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
42 U.S.C. 299-299a; 42 U.S.C. 299c-2.
PURPOSE(S) OF THE SYSTEM:
HHS/AHRQ will use PII from this system for the following purposes:
(1) Business Transaction: Contact information will be used to
communicate with the individual and to ship the data to the individual
(e.g., on a disk or other media). The description of the individual's
planned use of the HCUP data will be reviewed to confirm that it is
consistent with the data use restrictions that apply to the data.
(2) Payment Transaction: Credit card and bank account information
will be used to complete orders for HCUP databases and software
products. Credit card and e-check transactions collected by the HCUP
information system will be transmitted securely to a PCI-compliant
payment gateway for approval. The payment gateway will process the
transaction and cause the funds to be transferred when the order is
completed.
(3) Enforcement of the HCUP Data Use Agreement (DUA): The
individual's signature and contact information on the HCUP DUA and the
coded number on the application form indicating completion of HCUP Data
Use Agreement Training will be used in the event that the individual
violates the DUA, to enforce the data use restrictions. Most of these
restrictions have been put in place to safeguard the privacy of
individuals and establishments represented in the data. For example,
data users can only use the data for research, analysis, and aggregate
statistical reporting and are prohibited from attempting to identify
any persons in the data.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND THE PURPOSES OF SUCH USES:
The system may disclose records containing PII to parties outside
HHS for the following routine uses:
[[Page 32656]]
(1) Records may be disclosed to agency contractors who have been
engaged by the agency to assist in accomplishment of the HHS function
relating to the purposes of this system of records and who need to have
access to the records in order to assist HHS.
(2) Records may be disclosed to the Department of Justice (DOA a
court, or an adjudicatory body when:
The agency or any component thereof, or
Any employee of the agency in his or her official
capacity, or
Any employee of the agency in his or her individual
capacity where DOJ has agreed to represent the employee, or
The United States Government, is a party to litigation or
has an interest in such litigation and, by careful review, HHS
determines that the records are both relevant and necessary to the
litigation and that the use of such records by the DOJ, court or
adjudicatory body is compatible with the purpose for which the agency
collected the records.
(3) Records may be disclosed to another federal agency or an
instrumentality of any governmental jurisdiction within or under the
control of the United States (including any State or local governmental
agency), that administers, or that has the authority to investigate,
potential fraud, waste or abuse in federally funded programs, when
disclosure is deemed reasonably necessary by HHS to prevent, deter,
discover, detect, investigate, examine, prosecute, sue with respect to,
defend against, correct, remedy, or otherwise combat fraud, waste or
abuse in such programs.
(4) Records may be disclosed to appropriate federal agencies and
Department contractors that have a need to know the information for the
purpose of assisting the Department's efforts to respond to a suspected
or confirmed breach of the security or confidentiality of information
maintained in this system of records, when the information disclosed is
relevant and necessary for that assistance.
The system may also disclose PII data for any of the uses
authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(2) and
(b)(4)-(11).
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING,
AND DISPOSING OF RECORDS IN THE SYSTEM--
STORAGE:
Information will be collected via the online ordering application,
fax, or email. Electronic records are stored in databases on magnetic
tape, on magnetic disk and in secure electronic files at the
contractor's location (Social & Scientific Systems in Ashburn, VA) and
at the tape storage facility: Storage Village White Flint, North
Bethesda, MD.
Credit card or e-check information will not be stored in the
information system's database after the transaction is completed. For
those who cannot used the online application, the transaction can be
completed with payments by check, purchase order, or wire transfer
handled by fax or mail, and for these transactions, credit card or e-
check information is destroyed when the order is completed.
RETRIEVABILITY:
The application and HCUP Data Use Agreement records will be
retrieved by registrant/user name or User ID number.
SAFEGUARDS:
The identifiable information collected will be transmitted to the
hosting server via an encrypted Secure Socket Layer (SSL) connection.
Access to the database housing the identifiable information is
accomplished through individual authorized administrative accounts. The
server housing the identifiable information is located in a data center
owned by Social & Scientific Systems and is located in Ashburn, VA. The
data center is protected via 24/7 guards at all entrances, video
monitoring systems, biometric hand readers, cage locks, and system
firewalls.
The information stored is captured and transmitted over an
SSL connection for secure encrypted transmission.
Access to the database is only permissible at the
administrator level and is done so either (a) in order to fulfill the
applicants request, (b) for system maintenance, or (c) in the event of
a DUA violation.
The server housing the system is located in a secure
facility with 24/7 guards at the entrance points, camera monitoring
systems, biometric hand readers, and cage locks.
The information collected by the electronic form will be stored in
a SQL Server 2008 database. Data stored in the database will remain
there indefinitely until requested by AHRQ. SSS performs nightly
backups of the database. The backups are encrypted and stored offsite.
At the conclusion of the contract, the information system as well as a
current copy of the database can be provided to AHRQ by request.
The information system uses a defense-in-depth strategy when it
comes to user access. Users are assigned individual credentials along
with role based least-privileged user account (LUA). The LUA approach
ensures that users follow the principle of least privilege and always
log on with limited user accounts. This strategy also aims to limit the
use of administrative credentials to administrators, and then only for
administrative tasks.
RETENTION AND DISPOSAL:
Information in the application and Data Use Agreement will be
retained for approximately twenty years, and may be kept longer if
needed for enforcement, audit, legal, or other agency purposes.
Retention is necessary for enforcement of data restrictions in the
event of a Data Use Agreement violation. Storage will be in an
electronic format that is encrypted, backed up, and stored in two
secure locations.
PII related to the business transaction will be retained for up to
90 days so that a public user can return to their password protected
account and complete their order. If a user forgets his/her password,
the system will reset it and convey that information via email.
Information related to the payment process will not be retained
after the transaction has been completed. Payment options will include
credit card, e-check, check, purchase order or wire transfer.
Information to complete credit card and e-check transactions will be
collected by the information system and transmitted securely to a PCI-
compliant payment gateway for approval. The payment gateway product
will process the transaction and cause the funds to be transferred when
the transaction is captured at the time of shipment. Credit card or e-
check information will not be stored in the information system's
database. Payments by check, purchase order, or wire transfer will be
handled by fax or mail.
SYSTEM MANAGER AND ADDRESS:
HCUP Project Officer, Center for Delivery, Organization, and
Markets, 540 Gaither Road, Rockville, MD 20850, Telephone: 301-427-
1410, HCUP@AHRQ.GOV.
Individuals wishing to know if this system contains records about
them should write to the System Manager.
RECORD ACCESS PROCEDURE:
Individuals seeking access to records about them in this system
should follow the same instructions indicated under ``Notification
Procedure'' and indicate the record(s) to which access is sought (i.e.,
application form or HCUP Data Use Agreement).
CONTESTING RECORD PROCEDURES:
Individuals seeking to contest the content of information about
them in
[[Page 32657]]
this system should follow the same instructions indicated under
``Notification Procedure.'' The request should reasonably identify the
record, specify the information contested, state the corrective action
sought, and provide the reasons for the correction, with supporting
justification.
RECORD SOURCE CATEGORIES:
All information will be collected directly from the individual
applicants/users of the Web site, when they complete the online
application forms.
EXEMPTIONS CLAIMED FOR THIS SYSTEM:
None.
Dated: May 21, 2013.
Carolyn M. Clancy,
AHRQ Director.
[FR Doc. 2013-12671 Filed 5-30-13; 8:45 am]
BILLING CODE 4160-90-M
