Privacy Act of 1974; System of Records, 53734-53737 [2019-21768]
Download as PDF
<![CDATA[
53734
Federal Register / Vol. 84, No. 195 / Tuesday, October 8, 2019 / Notices
participate via live streaming
technology or webinar will be provided
through an upcoming listserv notice and
posted on the New Technology website
at https://www.cms.gov/Medicare/
Medicare-Fee-for-Service-Payment/
AcuteInpatientPPS/newtech.html.
Continue to check the website for
updates.
C. Disclaimer
We cannot guarantee reliability for
live streaming technology or a webinar.
III. Registration Instructions
The Division of Acute Care in CMS is
coordinating the meeting registration for
the Town Hall Meeting on substantial
clinical improvement. While there is no
registration fee, individuals planning to
attend the Town Hall Meeting in person
must register to attend.
Registration may be completed online at the following web address:
https://www.cms.gov/Medicare/
Medicare-Fee-for-Service-Payment/
AcuteInpatientPPS/newtech.html.
Select the link at the bottom of the page
‘‘Register to Attend the New Technology
Town Hall Meeting’’. After completing
the registration, online registrants
should print the confirmation page(s)
and bring it with them to the meeting.
If you are unable to register on-line,
you may register by sending an email to
newtech@cms.hhs.gov. Please include
your name, address, telephone number,
email address and fax number. If seating
capacity has been reached, you will be
notified that the meeting has reached
capacity.
IV. Security, Building, and Parking
Guidelines
jbell on DSK3GLQ082PROD with NOTICES
Because this meeting will be located
on Federal property, for security
reasons, any persons wishing to attend
the meeting must register by the date
specified in the DATES section of this
notice. Please allow sufficient time to go
through the security checkpoints. If you
are attending the Town Hall Meeting in
person, we suggest that you arrive at
7500 Security Boulevard no later than
8:30 a.m. e.s.t. so that you will be able
to arrive promptly for the meeting.
Security measures include the
following:
• Presentation of government-issued
photographic identification to the
Federal Protective Service or Guard
Service personnel.
Note: The REAL ID Act established
minimum security standards for license
issuance and production and prohibits
Federal agencies from accepting for certain
purposes driver’s licenses and identification
cards from states not meeting the Act’s
minimum standards. We encourage the
VerDate Sep<11>2014
21:50 Oct 07, 2019
Jkt 250001
public to visit the DHS website at https://
www.dhs.gov/real-id prior to the new
technology town hall meeting for updated
information.
• All Foreign National visitor
requests must be submitted 12 business
days prior to the scheduled visitor to
allow for processing.
• Inspection of vehicle’s interior and
exterior (this includes engine and trunk
inspection) at the entrance to the
grounds. Parking permits and
instructions will be issued after the
vehicle inspection.
• Inspection, via metal detector or
other applicable means of all persons
entering the building. We note that all
items brought to CMS, whether personal
or for the purpose of presentation or to
support a presentation, are subject to
inspection. We cannot assume
responsibility for coordinating the
receipt, transfer, transport, storage, setup, safety, or timely arrival of any
personal belongings or items used for
presentation or to support a
presentation.
Note: Individuals who are not registered in
advance will not be permitted to enter the
building and will be unable to attend the
meeting in person. The public may not enter
the building earlier than 45 minutes prior to
the convening of the meeting.
All visitors must be escorted in all
areas other than the lower level lobby
and cafeteria area and first floor
auditorium and conference areas in the
Central Building. Seating capacity is
limited to the first 250 registrants.
Effective June 1, 2018, Federal
Protective Services (FPS) has
implemented new security screening
procedures at all CMS Baltimore
locations to align with national
screening standards. Please allow extra
time to clear security prior to the
beginning of the meeting. Employees,
contractors and visitors must place all
items in bins for screening, including
the following:
• Any items in your pockets.
• Belts, hats, jackets & coats (not suit
jackets or sport coats).
• Purses, laptop computers, and cell
phones.
• Larger items (for example computer
bags) can be placed directly onto the
conveyer.
In the event the metal detector beeps
when you walk through a security guard
will run a hand-held metal detector over
you—
• If the metal detector does not alarm,
you are cleared to enter;
• If the hand-held metal detector
alarms, the guard will pat down the area
of the body where the metal detector
alarmed; or
PO 00000
Frm 00063
Fmt 4703
Sfmt 4703
• If footwear alarms, it will need to be
removed and placed in a bin for x-ray
screening.
If you believe that you have a
disability that will cause you to require
reasonable accommodation to comply
with the new process, please contact
reasonableaccommodationprogram@
cms.hhs.gov as soon as possible.
Dated: September 26, 2019.
Seema Verma,
Administrator, Centers for Medicare &
Medicaid Services.
[FR Doc. 2019–21750 Filed 10–4–19; 11:15 am]
BILLING CODE 4120–01–P
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Centers for Medicare and Medicaid
Services
Privacy Act of 1974; System of
Records
Centers for Medicare &
Medicaid Services (CMS), Department
of Health and Human Services (HHS).
ACTION: Notice of a modified system of
records.
AGENCY:
In accordance with
requirements of the Privacy Act of 1974,
as amended, the Department of Health
and Human Services (HHS) is updating
an existing system of records
maintained by the Centers for Medicare
& Medicaid Services (CMS), system No.
09–70–0550, titled ‘‘Medicare Retiree
Drug Subsidy Program’’ (RDSP), and
renaming it ‘‘Retiree Drug Subsidy
(RDS), HHS/CMS/CM.’’ This system
collects and maintains information
about individuals who are qualifying
covered retirees so that accurate and
timely subsidy payments may be made
to plan sponsors who continue to offer
actuarially equivalent prescription drug
coverage to the qualifying covered
retirees.
SUMMARY:
In accordance with 5 United
States Code (U.S.C.) 552a(e)(4) and (11),
this notice is applicable October 8,
2019, subject to a 30-day period in
which to comment on the new and
revised routine uses, described below.
Please submit any comments by
November 7, 2019.
ADDRESSES: Written comments should
be submitted by mail or email to: CMS
Privacy Act Officer, Division of
Security, Privacy Policy & Governance,
Information Security & Privacy Group,
Office of Information Technology, CMS,
Location N1–14–56, 7500 Security
Blvd., Baltimore, MD 21244–1870, or
walter.stone@cms.hhs.gov.
DATES:
E:\FR\FM\08OCN1.SGM
08OCN1
Federal Register / Vol. 84, No. 195 / Tuesday, October 8, 2019 / Notices
FOR FURTHER INFORMATION CONTACT:
General questions may be submitted to:
Ivan Iveljic, Health Insurance Specialist,
Medicare Plan Payment Group, Center
for Medicare, CMS, Mail Stop C1–13–
07, 7500 Security Boulevard, Baltimore,
Maryland 21244. He can be reached at
410–786–3312 or via email at
Ivan.Iveljic@cms.hhs.gov.
SUPPLEMENTARY INFORMATION:
jbell on DSK3GLQ082PROD with NOTICES
I. Background on Records Covered by
System of Records 09–70–0550
This system of records covers records
about individual retirees which are used
in administering the Retiree Drug
Subsidy, which is a program that offers
sponsors of qualified retiree
prescription drug plans financial
assistance with a portion of their
prescription drug costs and thereby
helps employers retain and enhance
their prescription drug coverage so that
the current erosion in coverage will
plateau or even improve. The program
makes a subsidy for 28 percent of
allowable prescription drug costs
available to qualified retiree
prescription drug plans, which
significantly reduces financial liabilities
associated with employers’ retiree drug
coverage and encourages employers to
continue assisting their retirees with
prescription drug coverage.
II. Explanation of Modifications to the
System of Records Notice (SORN)
The modifications made to the system
of records include the following
substantive changes, in addition to
reformatting the SORN to comply with
OMB Circular A–108, issued December
23, 2016:
• The name of the system of records
has changed from ‘‘Medicare Retiree
Drug Subsidy Program (RDSP), HHS/
CMS/CBC’’ to ‘‘Retiree Drug Subsidy
(RDS), HHS/CMS/CM.’’
• Address information in the System
Location and System Manager(s)
sections has been updated.
• The Security Classification section
has been changed from ‘‘Level Three
Privacy Act Sensitive Data’’ to
‘‘Unclassified.’’
• The Authorities section has been
revised to include 31 U.S.C. 7701(c) as
authority to collect Social Security
Numbers from individuals with whom
CMS is ‘‘doing business,’’ as defined by
the statute.
• The Purpose section has been
revised to omit a summary of the
routine uses;
• The Categories of Records section
has been revised to identify the record
categories as enrollment, beneficiary,
and financial or payment-related
records.
VerDate Sep<11>2014
21:50 Oct 07, 2019
Jkt 250001
• The list of data elements in the
Categories of Records section has been
modified to include the Medicare
Beneficiary Identifier (MBI), which is a
new individual identifier in addition to
the Health Insurance Claim Number
(HICN).
• The Routine Uses section has been
updated to revise three routine uses and
add one new routine use:
Æ Routine use 2, which authorizes
disclosures to members of Congress and
their staff for purposes of responding to
their requests on behalf of constituents,
has been revised to require that their
requests be ‘‘written.’’
Æ Routine use 3, which authorizes
disclosures to the Department of Justice
(DOJ), court, or adjudicatory body, has
been revised to omit unnecessary
wording limiting the disclosures to uses
‘‘compatible with the purpose for which
the agency collected the records.’’ (The
wording is unnecessary because it
restates the definition of a routine use.)
Æ The fraud, waste, and abuse-related
routine use added May 29, 2013 is now
numbered as routine use 6. It has been
revised to add ‘‘which are’’ before the
words ‘‘defined for this purpose,’’ and
to omit an unnecessary statement that
‘‘[d]isclosures may include provider and
beneficiary-identifiable data.’’
Æ The two breach response-related
routine uses added February 14, 2018
are now numbered as routine uses 7 and
8.
Æ Routine use number 9 is new; it
authorizes disclosures to the U.S.
Department of Homeland Security
(DHS) for cybersecurity monitoring
purposes in the event that records from
this system of records are captured in an
intrusion detection system used by HHS
and DHS.
• A note at the end of the Routine
Uses section has been shortened to
remove a portion referring to
‘‘complaints’’ and ‘‘complainants’’
(which are not involved in this system
of records) and to releases of ‘‘not
directly identifiable [information],
except pursuant to one of the routine
uses or if required by law’’ (which could
create the misimpression that a
disclosure required by law need not be
authorized by a routine use or another
exception to the consent requirement in
5 U.S.C. 552a(b)).
• The Retrieval section has been
updated to include the Medicare
Beneficiary Identifier (MBI) as an
additional personal identifier used for
retrieval, and to omit plan sponsor
identifier and benefit option identifier,
which are not personal identifiers.
• The Records Retention section now
cites the applicable disposition
authorities, which were revised in 2015,
PO 00000
Frm 00064
Fmt 4703
Sfmt 4703
53735
and corrects the retention period, which
was previously 15 years and is now
seven years (or longer) for enrollment
records, ten years (or longer) for
beneficiary records, and seven years (or
longer) for financial or payment related
records.
• In the Access Procedures section,
the text has been modified to state that
any identifying particulars included in
a request would be used to distinguish
between subject individuals with the
same name, and to include the MBI as
an example of an identifying particular.
Barbara Demopulos,
Privacy Advisor, Division of Security, Privacy
Policy and Governance, Information Security
and Privacy Group, Office of Information
Technology, Centers for Medicare & Medicaid
Services.
SYSTEM NAME AND NUMBER:
Retiree Drug Subsidy (RDS), HHS/
CMS/CM, System No. 09–70–0550.
SECURITY CLASSIFICATION:
This system of records does not
include classified information.
SYSTEM LOCATION:
The address of the agency component
responsible for the system of records is:
Medicare Plan Payment Group, Center
for Medicare, Centers for Medicare &
Medicaid Services, 7500 Security
Boulevard, Baltimore, Maryland 21244–
1850.
SYSTEM MANAGER:
The System Manager for the system of
records is: Director, Medicare Plan
Payment Group, Center for Medicare,
Centers for Medicare & Medicaid
Services, 7500 Security Blvd.,
Baltimore, MD 21244, (410) 786–7407.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Authority for maintenance of this
system is given under section 1860D–22
of the Social Security Act (Title 42
United States Code (U.S.C.) sections
1302, 1395w–101 through 1395w–152,
and 1395hh), as amended by section 101
of the Medicare Modernization Act
(MMA). The collection of Social
Security Numbers is authorized by 31
U.S.C. 7701(c).
PURPOSE(S) OF THE SYSTEM:
The purpose of this system is to
collect and maintain information about
individuals who are qualifying covered
retirees so that accurate and timely
subsidy payments may be made to plan
sponsors who continue to offer
actuarially equivalent prescription drug
coverage to the retirees.
E:\FR\FM\08OCN1.SGM
08OCN1
53736
Federal Register / Vol. 84, No. 195 / Tuesday, October 8, 2019 / Notices
CATEGORIES OF INDIVIDUALS COVERED BY THE
SYSTEM:
Information in this system is
maintained on qualifying covered
retirees who are Medicare Part D eligible
individuals covered under a qualified
retiree prescription drug plan.
CATEGORIES OF RECORDS IN THE SYSTEM:
The records are enrollment,
beneficiary, and financial or payment
related records used to support and
calculate the amount of subsidy
payments to plan sponsors. They
contain information such as the
following about each retiree: Standard
data for identification such as Plan
Sponsor Identification Number,
Application Identification Number,
Benefit Option Identifier, Coverage
Effective Date, Coverage Termination
Date, Health Insurance Claim Number
(HICN) or Medicare Beneficiary
Identifier (MBI), Social Security Number
(SSN), gender, first name, last name,
middle initial, date of birth, relationship
to member, and Medicare eligibility and
enrollment status.
RECORD SOURCE CATEGORIES:
Records maintained in this system are
derived from the Medicare Beneficiary
Database (MBD) system of records,
system No. 09–70–0536, and from plan
sponsors.
jbell on DSK3GLQ082PROD with NOTICES
ROUTINE USES OF RECORDS MAINTAINED IN THE
SYSTEM, INCLUDING CATEGORIES OR USERS AND
THE PURPOSES OF SUCH USES:
Records about an individual retiree
may be disclosed from this system of
records to parties outside the
Department of Health and Human
Services (HHS), without the individual’s
prior written consent, for the purposes
indicated in these routine uses:
1. To agency contractors or
consultants who have been engaged by
the agency to assist in the performance
of a service related to this system and
who need to have access to the records
in order to perform the activity.
2. To a member of Congress or to a
congressional staff member in response
to a written inquiry of the congressional
office made at the written request of the
constituent about whom the record is
maintained.
3. To the Department of Justice (DOJ),
court, or adjudicatory body when:
a. the agency or any component
thereof, or
b. any employee of the agency in his
or her official capacity, or
c. any employee of the agency in his
or her individual capacity where the
DOJ has agreed to represent the
employee, or
d. the United States Government, is a
party to litigation or has an interest in
VerDate Sep<11>2014
21:50 Oct 07, 2019
Jkt 250001
such litigation and, by careful review,
CMS determines that the records are
both relevant and necessary to the
litigation.
4. To a CMS contractor (including, but
not necessarily limited to fiscal
intermediaries and carriers) that assists
in the administration of a CMS
administered health benefits program,
or to a grantee of a CMS-administered
grant program, when disclosure is
deemed reasonably necessary by CMS to
prevent, deter, discover, detect,
investigate, examine, prosecute, sue
with respect to, defend against, correct,
remedy, or otherwise combat fraud or
abuse in such program.
5. To another federal agency or to an
instrumentality of any governmental
jurisdiction within or under the control
of the United States (including any state
or local governmental agency), that
administers, or that has the authority to
investigate potential fraud or abuse in,
a health benefits program funded in
whole or in part by federal funds, when
disclosure is deemed reasonably
necessary by CMS to prevent, deter,
discover, detect, investigate, examine,
prosecute, sue with respect to, defend
against, correct, remedy, or otherwise
combat fraud or abuse in such programs.
6. To disclose to health plans, which
are defined for this purpose as plans or
programs that provide health benefits,
whether directly, through insurance, or
otherwise, and include—(1) a policy of
health insurance; (2) a contract of a
service benefit organization; and (3) a
membership agreement with a health
maintenance organization or other
prepaid health plan when disclosure is
deemed reasonably necessary by CMS to
prevent, deter, discover, detect,
investigate, examine, prosecute, sue
with respect to, defend against, correct,
remedy, or otherwise combat fraud,
waste, or abuse in such programs.
7. To appropriate agencies, entities,
and persons when (1) HHS suspects or
has confirmed that there has been a
breach of the system of records; (2) HHS
has determined that as a result of the
suspected or confirmed breach there is
a risk of harm to individuals, HHS
(including its information systems,
programs, and operations), the federal
government, or national security; and
(3) the disclosure made to such
agencies, entities, and persons is
reasonably necessary to assist in
connection with HHS’s efforts to
respond to the suspected or confirmed
breach or to prevent, minimize, or
remedy such harm.
8. To another federal agency or federal
entity, when HHS determines that
information from this system of record
is reasonably necessary to assist the
PO 00000
Frm 00065
Fmt 4703
Sfmt 4703
recipient agency or entity in (1)
responding to a suspected or confirmed
breach or (2) preventing, minimizing, or
remedying the risk of harm to
individuals, the recipient agency or
entity (including its information
systems, programs, and operations), the
federal government, or national security,
resulting from a suspected or confirmed
breach.
9. To the U.S. Department of
Homeland Security (DHS) if captured in
an intrusion detection system used by
HHS and DHS pursuant to a DHS
cybersecurity program that monitors
internet traffic to and from federal
government computer networks to
prevent a variety of types of
cybersecurity incidents.
The disclosures authorized by
publication of the above routine uses
pursuant to 5 U.S.C. 552a(b)(3) are in
addition to other disclosures authorized
directly in the Privacy Act at 5 U.S.C.
552a(b)(2) and (b)(4)–(11).
ADDITIONAL PROVISIONS AFFECTING ROUTINE USE
DISCLOSURES:
This system contains protected health
information as defined by Department of
Health and Human Services (HHS)
regulation ‘‘Standards for Privacy of
Individually Identifiable Health
Information’’ (45 Code of Federal
Regulations (CFR) Parts 160 and 164, 65
Federal Register (FR) 82462 (12–28–00),
Subparts A and E). Disclosures of
Protected Health Information authorized
by these routine uses may only be made
if, and as, permitted or required by the
‘‘Standards for Privacy of Individually
Identifiable Health Information.’’
POLICIES AND PRACTICES FOR STORAGE OF
RECORDS:
The records are stored in hard-copy
files and/or electronic media.
POLICIES AND PRACTICES FOR RETRIEVAL OF
RECORDS:
Information is retrieved by the
retiree’s Health Insurance Claim
Number (HICN), Medicare Beneficiary
Identifier (MBI), or Social Security
Number.
POLICIES AND PRACTICES FOR RETENTION AND
DISPOSAL OF RECORDS:
The records are retained and disposed
of in accordance with the following
disposition schedules, which were
approved by the National Archives and
Records Administration (NARA):
• Financial or payment related
records are governed by DAA–0440–
2015–0004–0001 (Bucket 3). The
records retention schedule states:
Destroy no sooner than 7 year(s) after
cutoff but longer retention is authorized.
E:\FR\FM\08OCN1.SGM
08OCN1
Federal Register / Vol. 84, No. 195 / Tuesday, October 8, 2019 / Notices
• Enrollment Records are governed by
DAA–0440–2015–0006 (Bucket 4). The
records retention schedule states:
Destroy no sooner than 7 year(s) after
cutoff but longer retention is authorized.
• Beneficiary Records are governed
by DAA–0440–2015–0007–0001 (Bucket
5). The records retention schedule
states: Cutoff at the end of the calendar
year. Destroy no sooner than 10 year(s)
after cutoff but longer retention is
authorized.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL
SAFEGUARDS:
Safeguards conform to the CMS
Information Security and Privacy
Program, https://www.cms.gov/
Research-Statistics-Data-and-Systems/
CMS-Information-Technology/
InformationSecurity/.
Information is safeguarded in
accordance with applicable laws, rules
and policies, including the HHS
Information Technology Security
Program Handbook; all pertinent
National Institutes of Standards and
Technology (NIST) publications, and
OMB Circular A–130, Managing
Information as a Strategic Resource.
Records are protected from
unauthorized access through
appropriate administrative, physical,
and technical safeguards. These
safeguards include protecting the
facilities where records are stored or
accessed with security guards, badges
and cameras, securing hard-copy
records in locked file cabinets, file
rooms or offices during off-duty hours,
limiting access to electronic databases to
authorized users based on roles and
two-factor authentication (user ID and
password), using a secured operating
system protected by encryption,
firewalls, and intrusion detection
systems, requiring encryption for
records stored on removable media, and
training personnel in Privacy Act and
information security requirements.
Records that are eligible for destruction
are disposed of using secure destruction
methods prescribed by NIST SP 800–88.
jbell on DSK3GLQ082PROD with NOTICES
RECORD ACCESS PROCEDURES:
An individual seeking access to a
record about him/her in this system of
records must submit a written request to
the System Manager indicated above.
The request must contain the
individual’s name and particulars
necessary to distinguish between
records on subject individuals with the
same name, such as HICN, MBI or SSN,
and should also reasonably specify the
record(s) to which access is sought. To
verify the requester’s identity, the
signature must be notarized or the
request must include the requester’s
VerDate Sep<11>2014
21:50 Oct 07, 2019
Jkt 250001
written certification that he/she is the
person he/she claims to be and that he/
she understands that the knowing and
willful request for or acquisition of
records pertaining to an individual from
an agency under false pretenses is a
criminal offense subject to a $5,000 fine.
CONTESTING RECORD PROCEDURES:
Any subject individual may request
that his/her record be corrected or
amended if he/she believes that the
record is not accurate, timely, complete,
or relevant or necessary to accomplish
a Department function. A subject
individual making a request to amend or
correct his record shall address his
request to the-System Manager
indicated, in writing, and must verify
his/her identity in the same manner
required for an access request. The
subject individual shall specify in each
request: (1) The system of records from
which the record is retrieved; (2) The
particular record and specific portion
which he/she is seeking to correct or
amend; (3) The corrective action sought
(e.g., whether he/she is seeking an
addition to or a deletion or substitution
of the record); and, (4) His/her reasons
for requesting correction or amendment
of the record. The request should
include any supporting documentation
to show how the record is inaccurate,
incomplete, untimely, or irrelevant.
NOTIFICATION PROCEDURES:
Individuals wishing to know if this
system contains records about them
should write to the System Manager
indicated above and follow the same
instructions under Record Access
Procedures.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.
HISTORY:
70 FR 41035 (July 15, 2005), 78 FR
32257 (May 29, 2013), 83 FR 6591 (Feb.
14, 2018)
[FR Doc. 2019–21768 Filed 10–7–19; 8:45 am]
BILLING CODE 4120–03–P
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Administration for Children and
Families
Submission for OMB Review; Head
Start (HS) Connects: Individualizing
and Connecting Families to Family
Support Services (New Collection)
Office of Planning, Research,
and Evaluation; Administration for
Children and Families; HHS.
ACTION: Request for public comment.
AGENCY:
PO 00000
Frm 00066
Fmt 4703
Sfmt 4703
53737
The Administration for
Children and Families (ACF) at the U.S.
Department of Health and Human
Services (HHS) seeks approval to
conduct semi-structured, qualitative
interviews with Head Start staff,
parents/guardians, and community
providers at six Head Start programs for
case studies that explore case
management and coordination of family
support services.
DATES: Comments due within 30 days of
publication. OMB is required to make a
decision concerning the collection of
information between 30 and 60 days
after publication of this document in the
Federal Register. Therefore, a comment
is best assured of having its full effect
if OMB receives it within 30 days of
publication.
ADDRESSES: Written comments and
recommendations for the proposed
information collection should be sent
directly to the following: Office of
Management and Budget, Paperwork
Reduction Project, Email: OIRA_
SUBMISSION@OMB.EOP.GOV, Attn:
Desk Officer for the Administration for
Children and Families.
Copies of the proposed collection may
be obtained by emailing
OPREinfocollection@acf.hhs.gov.
Alternatively, copies can also be
obtained by writing to the
Administration for Children and
Families, Office of Planning, Research,
and Evaluation, 330 C Street SW,
Washington, DC 20201, Attn: OPRE
Reports Clearance Officer. All requests,
emailed or written, should be identified
by the title of the information collection.
SUPPLEMENTARY INFORMATION:
Description: The case studies
proposed as part of the Head Start (HS)
Connects: Individualizing and
Connecting Families to Family Support
Services project are intended to build
knowledge about how Head Start
programs (Head Start or Early Head
Start grantees, delegate agencies, and
staff) across the country coordinate
family well-being services for parents/
guardians and tailor coordination
processes to individual family needs.
The case studies will explore case
management and coordination of family
support services from multiple
perspectives, including from the
perspective of Head Start
Administrators/Family and Community
Partnerships Managers, Family Support
Staff, Other Staff, Parents/Guardians,
and Community Providers, at each of
the six study sites during site visits. The
case studies will further inform the
development of design options for a
large-scale descriptive study of Head
Start programs nationally that is focused
SUMMARY:
E:\FR\FM\08OCN1.SGM
08OCN1
]]>Agencies
[Federal Register Volume 84, Number 195 (Tuesday, October 8, 2019)]
[Notices]
[Pages 53734-53737]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-21768]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Centers for Medicare and Medicaid Services
Privacy Act of 1974; System of Records
AGENCY: Centers for Medicare & Medicaid Services (CMS), Department of
Health and Human Services (HHS).
ACTION: Notice of a modified system of records.
-----------------------------------------------------------------------
SUMMARY: In accordance with requirements of the Privacy Act of 1974, as
amended, the Department of Health and Human Services (HHS) is updating
an existing system of records maintained by the Centers for Medicare &
Medicaid Services (CMS), system No. 09-70-0550, titled ``Medicare
Retiree Drug Subsidy Program'' (RDSP), and renaming it ``Retiree Drug
Subsidy (RDS), HHS/CMS/CM.'' This system collects and maintains
information about individuals who are qualifying covered retirees so
that accurate and timely subsidy payments may be made to plan sponsors
who continue to offer actuarially equivalent prescription drug coverage
to the qualifying covered retirees.
DATES: In accordance with 5 United States Code (U.S.C.) 552a(e)(4) and
(11), this notice is applicable October 8, 2019, subject to a 30-day
period in which to comment on the new and revised routine uses,
described below. Please submit any comments by November 7, 2019.
ADDRESSES: Written comments should be submitted by mail or email to:
CMS Privacy Act Officer, Division of Security, Privacy Policy &
Governance, Information Security & Privacy Group, Office of Information
Technology, CMS, Location N1-14-56, 7500 Security Blvd., Baltimore, MD
21244-1870, or [email protected].
[[Page 53735]]
FOR FURTHER INFORMATION CONTACT: General questions may be submitted to:
Ivan Iveljic, Health Insurance Specialist, Medicare Plan Payment Group,
Center for Medicare, CMS, Mail Stop C1-13-07, 7500 Security Boulevard,
Baltimore, Maryland 21244. He can be reached at 410-786-3312 or via
email at [email protected].
SUPPLEMENTARY INFORMATION:
I. Background on Records Covered by System of Records 09-70-0550
This system of records covers records about individual retirees
which are used in administering the Retiree Drug Subsidy, which is a
program that offers sponsors of qualified retiree prescription drug
plans financial assistance with a portion of their prescription drug
costs and thereby helps employers retain and enhance their prescription
drug coverage so that the current erosion in coverage will plateau or
even improve. The program makes a subsidy for 28 percent of allowable
prescription drug costs available to qualified retiree prescription
drug plans, which significantly reduces financial liabilities
associated with employers' retiree drug coverage and encourages
employers to continue assisting their retirees with prescription drug
coverage.
II. Explanation of Modifications to the System of Records Notice (SORN)
The modifications made to the system of records include the
following substantive changes, in addition to reformatting the SORN to
comply with OMB Circular A-108, issued December 23, 2016:
The name of the system of records has changed from
``Medicare Retiree Drug Subsidy Program (RDSP), HHS/CMS/CBC'' to
``Retiree Drug Subsidy (RDS), HHS/CMS/CM.''
Address information in the System Location and System
Manager(s) sections has been updated.
The Security Classification section has been changed from
``Level Three Privacy Act Sensitive Data'' to ``Unclassified.''
The Authorities section has been revised to include 31
U.S.C. 7701(c) as authority to collect Social Security Numbers from
individuals with whom CMS is ``doing business,'' as defined by the
statute.
The Purpose section has been revised to omit a summary of
the routine uses;
The Categories of Records section has been revised to
identify the record categories as enrollment, beneficiary, and
financial or payment-related records.
The list of data elements in the Categories of Records
section has been modified to include the Medicare Beneficiary
Identifier (MBI), which is a new individual identifier in addition to
the Health Insurance Claim Number (HICN).
The Routine Uses section has been updated to revise three
routine uses and add one new routine use:
[cir] Routine use 2, which authorizes disclosures to members of
Congress and their staff for purposes of responding to their requests
on behalf of constituents, has been revised to require that their
requests be ``written.''
[cir] Routine use 3, which authorizes disclosures to the Department
of Justice (DOJ), court, or adjudicatory body, has been revised to omit
unnecessary wording limiting the disclosures to uses ``compatible with
the purpose for which the agency collected the records.'' (The wording
is unnecessary because it restates the definition of a routine use.)
[cir] The fraud, waste, and abuse-related routine use added May 29,
2013 is now numbered as routine use 6. It has been revised to add
``which are'' before the words ``defined for this purpose,'' and to
omit an unnecessary statement that ``[d]isclosures may include provider
and beneficiary-identifiable data.''
[cir] The two breach response-related routine uses added February
14, 2018 are now numbered as routine uses 7 and 8.
[cir] Routine use number 9 is new; it authorizes disclosures to the
U.S. Department of Homeland Security (DHS) for cybersecurity monitoring
purposes in the event that records from this system of records are
captured in an intrusion detection system used by HHS and DHS.
A note at the end of the Routine Uses section has been
shortened to remove a portion referring to ``complaints'' and
``complainants'' (which are not involved in this system of records) and
to releases of ``not directly identifiable [information], except
pursuant to one of the routine uses or if required by law'' (which
could create the misimpression that a disclosure required by law need
not be authorized by a routine use or another exception to the consent
requirement in 5 U.S.C. 552a(b)).
The Retrieval section has been updated to include the
Medicare Beneficiary Identifier (MBI) as an additional personal
identifier used for retrieval, and to omit plan sponsor identifier and
benefit option identifier, which are not personal identifiers.
The Records Retention section now cites the applicable
disposition authorities, which were revised in 2015, and corrects the
retention period, which was previously 15 years and is now seven years
(or longer) for enrollment records, ten years (or longer) for
beneficiary records, and seven years (or longer) for financial or
payment related records.
In the Access Procedures section, the text has been
modified to state that any identifying particulars included in a
request would be used to distinguish between subject individuals with
the same name, and to include the MBI as an example of an identifying
particular.
Barbara Demopulos,
Privacy Advisor, Division of Security, Privacy Policy and Governance,
Information Security and Privacy Group, Office of Information
Technology, Centers for Medicare & Medicaid Services.
SYSTEM NAME AND NUMBER:
Retiree Drug Subsidy (RDS), HHS/CMS/CM, System No. 09-70-0550.
SECURITY CLASSIFICATION:
This system of records does not include classified information.
SYSTEM LOCATION:
The address of the agency component responsible for the system of
records is: Medicare Plan Payment Group, Center for Medicare, Centers
for Medicare & Medicaid Services, 7500 Security Boulevard, Baltimore,
Maryland 21244-1850.
SYSTEM MANAGER:
The System Manager for the system of records is: Director, Medicare
Plan Payment Group, Center for Medicare, Centers for Medicare &
Medicaid Services, 7500 Security Blvd., Baltimore, MD 21244, (410) 786-
7407.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Authority for maintenance of this system is given under section
1860D-22 of the Social Security Act (Title 42 United States Code
(U.S.C.) sections 1302, 1395w-101 through 1395w-152, and 1395hh), as
amended by section 101 of the Medicare Modernization Act (MMA). The
collection of Social Security Numbers is authorized by 31 U.S.C.
7701(c).
PURPOSE(S) OF THE SYSTEM:
The purpose of this system is to collect and maintain information
about individuals who are qualifying covered retirees so that accurate
and timely subsidy payments may be made to plan sponsors who continue
to offer actuarially equivalent prescription drug coverage to the
retirees.
[[Page 53736]]
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
Information in this system is maintained on qualifying covered
retirees who are Medicare Part D eligible individuals covered under a
qualified retiree prescription drug plan.
CATEGORIES OF RECORDS IN THE SYSTEM:
The records are enrollment, beneficiary, and financial or payment
related records used to support and calculate the amount of subsidy
payments to plan sponsors. They contain information such as the
following about each retiree: Standard data for identification such as
Plan Sponsor Identification Number, Application Identification Number,
Benefit Option Identifier, Coverage Effective Date, Coverage
Termination Date, Health Insurance Claim Number (HICN) or Medicare
Beneficiary Identifier (MBI), Social Security Number (SSN), gender,
first name, last name, middle initial, date of birth, relationship to
member, and Medicare eligibility and enrollment status.
RECORD SOURCE CATEGORIES:
Records maintained in this system are derived from the Medicare
Beneficiary Database (MBD) system of records, system No. 09-70-0536,
and from plan sponsors.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OR USERS AND THE PURPOSES OF SUCH USES:
Records about an individual retiree may be disclosed from this
system of records to parties outside the Department of Health and Human
Services (HHS), without the individual's prior written consent, for the
purposes indicated in these routine uses:
1. To agency contractors or consultants who have been engaged by
the agency to assist in the performance of a service related to this
system and who need to have access to the records in order to perform
the activity.
2. To a member of Congress or to a congressional staff member in
response to a written inquiry of the congressional office made at the
written request of the constituent about whom the record is maintained.
3. To the Department of Justice (DOJ), court, or adjudicatory body
when:
a. the agency or any component thereof, or
b. any employee of the agency in his or her official capacity, or
c. any employee of the agency in his or her individual capacity
where the DOJ has agreed to represent the employee, or
d. the United States Government, is a party to litigation or has an
interest in such litigation and, by careful review, CMS determines that
the records are both relevant and necessary to the litigation.
4. To a CMS contractor (including, but not necessarily limited to
fiscal intermediaries and carriers) that assists in the administration
of a CMS administered health benefits program, or to a grantee of a
CMS-administered grant program, when disclosure is deemed reasonably
necessary by CMS to prevent, deter, discover, detect, investigate,
examine, prosecute, sue with respect to, defend against, correct,
remedy, or otherwise combat fraud or abuse in such program.
5. To another federal agency or to an instrumentality of any
governmental jurisdiction within or under the control of the United
States (including any state or local governmental agency), that
administers, or that has the authority to investigate potential fraud
or abuse in, a health benefits program funded in whole or in part by
federal funds, when disclosure is deemed reasonably necessary by CMS to
prevent, deter, discover, detect, investigate, examine, prosecute, sue
with respect to, defend against, correct, remedy, or otherwise combat
fraud or abuse in such programs.
6. To disclose to health plans, which are defined for this purpose
as plans or programs that provide health benefits, whether directly,
through insurance, or otherwise, and include--(1) a policy of health
insurance; (2) a contract of a service benefit organization; and (3) a
membership agreement with a health maintenance organization or other
prepaid health plan when disclosure is deemed reasonably necessary by
CMS to prevent, deter, discover, detect, investigate, examine,
prosecute, sue with respect to, defend against, correct, remedy, or
otherwise combat fraud, waste, or abuse in such programs.
7. To appropriate agencies, entities, and persons when (1) HHS
suspects or has confirmed that there has been a breach of the system of
records; (2) HHS has determined that as a result of the suspected or
confirmed breach there is a risk of harm to individuals, HHS (including
its information systems, programs, and operations), the federal
government, or national security; and (3) the disclosure made to such
agencies, entities, and persons is reasonably necessary to assist in
connection with HHS's efforts to respond to the suspected or confirmed
breach or to prevent, minimize, or remedy such harm.
8. To another federal agency or federal entity, when HHS determines
that information from this system of record is reasonably necessary to
assist the recipient agency or entity in (1) responding to a suspected
or confirmed breach or (2) preventing, minimizing, or remedying the
risk of harm to individuals, the recipient agency or entity (including
its information systems, programs, and operations), the federal
government, or national security, resulting from a suspected or
confirmed breach.
9. To the U.S. Department of Homeland Security (DHS) if captured in
an intrusion detection system used by HHS and DHS pursuant to a DHS
cybersecurity program that monitors internet traffic to and from
federal government computer networks to prevent a variety of types of
cybersecurity incidents.
The disclosures authorized by publication of the above routine uses
pursuant to 5 U.S.C. 552a(b)(3) are in addition to other disclosures
authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(2) and
(b)(4)-(11).
ADDITIONAL PROVISIONS AFFECTING ROUTINE USE DISCLOSURES:
This system contains protected health information as defined by
Department of Health and Human Services (HHS) regulation ``Standards
for Privacy of Individually Identifiable Health Information'' (45 Code
of Federal Regulations (CFR) Parts 160 and 164, 65 Federal Register
(FR) 82462 (12-28-00), Subparts A and E). Disclosures of Protected
Health Information authorized by these routine uses may only be made
if, and as, permitted or required by the ``Standards for Privacy of
Individually Identifiable Health Information.''
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
The records are stored in hard-copy files and/or electronic media.
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
Information is retrieved by the retiree's Health Insurance Claim
Number (HICN), Medicare Beneficiary Identifier (MBI), or Social
Security Number.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
The records are retained and disposed of in accordance with the
following disposition schedules, which were approved by the National
Archives and Records Administration (NARA):
Financial or payment related records are governed by DAA-
0440-2015-0004-0001 (Bucket 3). The records retention schedule states:
Destroy no sooner than 7 year(s) after cutoff but longer retention is
authorized.
[[Page 53737]]
Enrollment Records are governed by DAA-0440-2015-0006
(Bucket 4). The records retention schedule states: Destroy no sooner
than 7 year(s) after cutoff but longer retention is authorized.
Beneficiary Records are governed by DAA-0440-2015-0007-
0001 (Bucket 5). The records retention schedule states: Cutoff at the
end of the calendar year. Destroy no sooner than 10 year(s) after
cutoff but longer retention is authorized.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
Safeguards conform to the CMS Information Security and Privacy
Program, https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/. Information is
safeguarded in accordance with applicable laws, rules and policies,
including the HHS Information Technology Security Program Handbook; all
pertinent National Institutes of Standards and Technology (NIST)
publications, and OMB Circular A-130, Managing Information as a
Strategic Resource. Records are protected from unauthorized access
through appropriate administrative, physical, and technical safeguards.
These safeguards include protecting the facilities where records are
stored or accessed with security guards, badges and cameras, securing
hard-copy records in locked file cabinets, file rooms or offices during
off-duty hours, limiting access to electronic databases to authorized
users based on roles and two-factor authentication (user ID and
password), using a secured operating system protected by encryption,
firewalls, and intrusion detection systems, requiring encryption for
records stored on removable media, and training personnel in Privacy
Act and information security requirements. Records that are eligible
for destruction are disposed of using secure destruction methods
prescribed by NIST SP 800-88.
RECORD ACCESS PROCEDURES:
An individual seeking access to a record about him/her in this
system of records must submit a written request to the System Manager
indicated above. The request must contain the individual's name and
particulars necessary to distinguish between records on subject
individuals with the same name, such as HICN, MBI or SSN, and should
also reasonably specify the record(s) to which access is sought. To
verify the requester's identity, the signature must be notarized or the
request must include the requester's written certification that he/she
is the person he/she claims to be and that he/she understands that the
knowing and willful request for or acquisition of records pertaining to
an individual from an agency under false pretenses is a criminal
offense subject to a $5,000 fine.
CONTESTING RECORD PROCEDURES:
Any subject individual may request that his/her record be corrected
or amended if he/she believes that the record is not accurate, timely,
complete, or relevant or necessary to accomplish a Department function.
A subject individual making a request to amend or correct his record
shall address his request to the-System Manager indicated, in writing,
and must verify his/her identity in the same manner required for an
access request. The subject individual shall specify in each request:
(1) The system of records from which the record is retrieved; (2) The
particular record and specific portion which he/she is seeking to
correct or amend; (3) The corrective action sought (e.g., whether he/
she is seeking an addition to or a deletion or substitution of the
record); and, (4) His/her reasons for requesting correction or
amendment of the record. The request should include any supporting
documentation to show how the record is inaccurate, incomplete,
untimely, or irrelevant.
NOTIFICATION PROCEDURES:
Individuals wishing to know if this system contains records about
them should write to the System Manager indicated above and follow the
same instructions under Record Access Procedures.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.
HISTORY:
70 FR 41035 (July 15, 2005), 78 FR 32257 (May 29, 2013), 83 FR 6591
(Feb. 14, 2018)
[FR Doc. 2019-21768 Filed 10-7-19; 8:45 am]
BILLING CODE 4120-03-P
