Privacy Act of 1974; System of Records, 53734-53737 [2019-21768]

Download as PDF 53734 Federal Register / Vol. 84, No. 195 / Tuesday, October 8, 2019 / Notices participate via live streaming technology or webinar will be provided through an upcoming listserv notice and posted on the New Technology website at http://www.cms.gov/Medicare/ Medicare-Fee-for-Service-Payment/ AcuteInpatientPPS/newtech.html. Continue to check the website for updates. C. Disclaimer We cannot guarantee reliability for live streaming technology or a webinar. III. Registration Instructions The Division of Acute Care in CMS is coordinating the meeting registration for the Town Hall Meeting on substantial clinical improvement. While there is no registration fee, individuals planning to attend the Town Hall Meeting in person must register to attend. Registration may be completed online at the following web address: http://www.cms.gov/Medicare/ Medicare-Fee-for-Service-Payment/ AcuteInpatientPPS/newtech.html. Select the link at the bottom of the page ‘‘Register to Attend the New Technology Town Hall Meeting’’. After completing the registration, online registrants should print the confirmation page(s) and bring it with them to the meeting. If you are unable to register on-line, you may register by sending an email to newtech@cms.hhs.gov. Please include your name, address, telephone number, email address and fax number. If seating capacity has been reached, you will be notified that the meeting has reached capacity. IV. Security, Building, and Parking Guidelines jbell on DSK3GLQ082PROD with NOTICES Because this meeting will be located on Federal property, for security reasons, any persons wishing to attend the meeting must register by the date specified in the DATES section of this notice. Please allow sufficient time to go through the security checkpoints. If you are attending the Town Hall Meeting in person, we suggest that you arrive at 7500 Security Boulevard no later than 8:30 a.m. e.s.t. so that you will be able to arrive promptly for the meeting. Security measures include the following: • Presentation of government-issued photographic identification to the Federal Protective Service or Guard Service personnel. Note: The REAL ID Act established minimum security standards for license issuance and production and prohibits Federal agencies from accepting for certain purposes driver’s licenses and identification cards from states not meeting the Act’s minimum standards. We encourage the VerDate Sep<11>2014 21:50 Oct 07, 2019 Jkt 250001 public to visit the DHS website at https:// www.dhs.gov/real-id prior to the new technology town hall meeting for updated information. • All Foreign National visitor requests must be submitted 12 business days prior to the scheduled visitor to allow for processing. • Inspection of vehicle’s interior and exterior (this includes engine and trunk inspection) at the entrance to the grounds. Parking permits and instructions will be issued after the vehicle inspection. • Inspection, via metal detector or other applicable means of all persons entering the building. We note that all items brought to CMS, whether personal or for the purpose of presentation or to support a presentation, are subject to inspection. We cannot assume responsibility for coordinating the receipt, transfer, transport, storage, setup, safety, or timely arrival of any personal belongings or items used for presentation or to support a presentation. Note: Individuals who are not registered in advance will not be permitted to enter the building and will be unable to attend the meeting in person. The public may not enter the building earlier than 45 minutes prior to the convening of the meeting. All visitors must be escorted in all areas other than the lower level lobby and cafeteria area and first floor auditorium and conference areas in the Central Building. Seating capacity is limited to the first 250 registrants. Effective June 1, 2018, Federal Protective Services (FPS) has implemented new security screening procedures at all CMS Baltimore locations to align with national screening standards. Please allow extra time to clear security prior to the beginning of the meeting. Employees, contractors and visitors must place all items in bins for screening, including the following: • Any items in your pockets. • Belts, hats, jackets & coats (not suit jackets or sport coats). • Purses, laptop computers, and cell phones. • Larger items (for example computer bags) can be placed directly onto the conveyer. In the event the metal detector beeps when you walk through a security guard will run a hand-held metal detector over you— • If the metal detector does not alarm, you are cleared to enter; • If the hand-held metal detector alarms, the guard will pat down the area of the body where the metal detector alarmed; or PO 00000 Frm 00063 Fmt 4703 Sfmt 4703 • If footwear alarms, it will need to be removed and placed in a bin for x-ray screening. If you believe that you have a disability that will cause you to require reasonable accommodation to comply with the new process, please contact reasonableaccommodationprogram@ cms.hhs.gov as soon as possible. Dated: September 26, 2019. Seema Verma, Administrator, Centers for Medicare & Medicaid Services. [FR Doc. 2019–21750 Filed 10–4–19; 11:15 am] BILLING CODE 4120–01–P DEPARTMENT OF HEALTH AND HUMAN SERVICES Centers for Medicare and Medicaid Services Privacy Act of 1974; System of Records Centers for Medicare & Medicaid Services (CMS), Department of Health and Human Services (HHS). ACTION: Notice of a modified system of records. AGENCY: In accordance with requirements of the Privacy Act of 1974, as amended, the Department of Health and Human Services (HHS) is updating an existing system of records maintained by the Centers for Medicare & Medicaid Services (CMS), system No. 09–70–0550, titled ‘‘Medicare Retiree Drug Subsidy Program’’ (RDSP), and renaming it ‘‘Retiree Drug Subsidy (RDS), HHS/CMS/CM.’’ This system collects and maintains information about individuals who are qualifying covered retirees so that accurate and timely subsidy payments may be made to plan sponsors who continue to offer actuarially equivalent prescription drug coverage to the qualifying covered retirees. SUMMARY: In accordance with 5 United States Code (U.S.C.) 552a(e)(4) and (11), this notice is applicable October 8, 2019, subject to a 30-day period in which to comment on the new and revised routine uses, described below. Please submit any comments by November 7, 2019. ADDRESSES: Written comments should be submitted by mail or email to: CMS Privacy Act Officer, Division of Security, Privacy Policy & Governance, Information Security & Privacy Group, Office of Information Technology, CMS, Location N1–14–56, 7500 Security Blvd., Baltimore, MD 21244–1870, or walter.stone@cms.hhs.gov. DATES: E:\FR\FM\08OCN1.SGM 08OCN1 Federal Register / Vol. 84, No. 195 / Tuesday, October 8, 2019 / Notices FOR FURTHER INFORMATION CONTACT: General questions may be submitted to: Ivan Iveljic, Health Insurance Specialist, Medicare Plan Payment Group, Center for Medicare, CMS, Mail Stop C1–13– 07, 7500 Security Boulevard, Baltimore, Maryland 21244. He can be reached at 410–786–3312 or via email at Ivan.Iveljic@cms.hhs.gov. SUPPLEMENTARY INFORMATION: jbell on DSK3GLQ082PROD with NOTICES I. Background on Records Covered by System of Records 09–70–0550 This system of records covers records about individual retirees which are used in administering the Retiree Drug Subsidy, which is a program that offers sponsors of qualified retiree prescription drug plans financial assistance with a portion of their prescription drug costs and thereby helps employers retain and enhance their prescription drug coverage so that the current erosion in coverage will plateau or even improve. The program makes a subsidy for 28 percent of allowable prescription drug costs available to qualified retiree prescription drug plans, which significantly reduces financial liabilities associated with employers’ retiree drug coverage and encourages employers to continue assisting their retirees with prescription drug coverage. II. Explanation of Modifications to the System of Records Notice (SORN) The modifications made to the system of records include the following substantive changes, in addition to reformatting the SORN to comply with OMB Circular A–108, issued December 23, 2016: • The name of the system of records has changed from ‘‘Medicare Retiree Drug Subsidy Program (RDSP), HHS/ CMS/CBC’’ to ‘‘Retiree Drug Subsidy (RDS), HHS/CMS/CM.’’ • Address information in the System Location and System Manager(s) sections has been updated. • The Security Classification section has been changed from ‘‘Level Three Privacy Act Sensitive Data’’ to ‘‘Unclassified.’’ • The Authorities section has been revised to include 31 U.S.C. 7701(c) as authority to collect Social Security Numbers from individuals with whom CMS is ‘‘doing business,’’ as defined by the statute. • The Purpose section has been revised to omit a summary of the routine uses; • The Categories of Records section has been revised to identify the record categories as enrollment, beneficiary, and financial or payment-related records. VerDate Sep<11>2014 21:50 Oct 07, 2019 Jkt 250001 • The list of data elements in the Categories of Records section has been modified to include the Medicare Beneficiary Identifier (MBI), which is a new individual identifier in addition to the Health Insurance Claim Number (HICN). • The Routine Uses section has been updated to revise three routine uses and add one new routine use: Æ Routine use 2, which authorizes disclosures to members of Congress and their staff for purposes of responding to their requests on behalf of constituents, has been revised to require that their requests be ‘‘written.’’ Æ Routine use 3, which authorizes disclosures to the Department of Justice (DOJ), court, or adjudicatory body, has been revised to omit unnecessary wording limiting the disclosures to uses ‘‘compatible with the purpose for which the agency collected the records.’’ (The wording is unnecessary because it restates the definition of a routine use.) Æ The fraud, waste, and abuse-related routine use added May 29, 2013 is now numbered as routine use 6. It has been revised to add ‘‘which are’’ before the words ‘‘defined for this purpose,’’ and to omit an unnecessary statement that ‘‘[d]isclosures may include provider and beneficiary-identifiable data.’’ Æ The two breach response-related routine uses added February 14, 2018 are now numbered as routine uses 7 and 8. Æ Routine use number 9 is new; it authorizes disclosures to the U.S. Department of Homeland Security (DHS) for cybersecurity monitoring purposes in the event that records from this system of records are captured in an intrusion detection system used by HHS and DHS. • A note at the end of the Routine Uses section has been shortened to remove a portion referring to ‘‘complaints’’ and ‘‘complainants’’ (which are not involved in this system of records) and to releases of ‘‘not directly identifiable [information], except pursuant to one of the routine uses or if required by law’’ (which could create the misimpression that a disclosure required by law need not be authorized by a routine use or another exception to the consent requirement in 5 U.S.C. 552a(b)). • The Retrieval section has been updated to include the Medicare Beneficiary Identifier (MBI) as an additional personal identifier used for retrieval, and to omit plan sponsor identifier and benefit option identifier, which are not personal identifiers. • The Records Retention section now cites the applicable disposition authorities, which were revised in 2015, PO 00000 Frm 00064 Fmt 4703 Sfmt 4703 53735 and corrects the retention period, which was previously 15 years and is now seven years (or longer) for enrollment records, ten years (or longer) for beneficiary records, and seven years (or longer) for financial or payment related records. • In the Access Procedures section, the text has been modified to state that any identifying particulars included in a request would be used to distinguish between subject individuals with the same name, and to include the MBI as an example of an identifying particular. Barbara Demopulos, Privacy Advisor, Division of Security, Privacy Policy and Governance, Information Security and Privacy Group, Office of Information Technology, Centers for Medicare & Medicaid Services. SYSTEM NAME AND NUMBER: Retiree Drug Subsidy (RDS), HHS/ CMS/CM, System No. 09–70–0550. SECURITY CLASSIFICATION: This system of records does not include classified information. SYSTEM LOCATION: The address of the agency component responsible for the system of records is: Medicare Plan Payment Group, Center for Medicare, Centers for Medicare & Medicaid Services, 7500 Security Boulevard, Baltimore, Maryland 21244– 1850. SYSTEM MANAGER: The System Manager for the system of records is: Director, Medicare Plan Payment Group, Center for Medicare, Centers for Medicare & Medicaid Services, 7500 Security Blvd., Baltimore, MD 21244, (410) 786–7407. AUTHORITY FOR MAINTENANCE OF THE SYSTEM: Authority for maintenance of this system is given under section 1860D–22 of the Social Security Act (Title 42 United States Code (U.S.C.) sections 1302, 1395w–101 through 1395w–152, and 1395hh), as amended by section 101 of the Medicare Modernization Act (MMA). The collection of Social Security Numbers is authorized by 31 U.S.C. 7701(c). PURPOSE(S) OF THE SYSTEM: The purpose of this system is to collect and maintain information about individuals who are qualifying covered retirees so that accurate and timely subsidy payments may be made to plan sponsors who continue to offer actuarially equivalent prescription drug coverage to the retirees. E:\FR\FM\08OCN1.SGM 08OCN1 53736 Federal Register / Vol. 84, No. 195 / Tuesday, October 8, 2019 / Notices CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: Information in this system is maintained on qualifying covered retirees who are Medicare Part D eligible individuals covered under a qualified retiree prescription drug plan. CATEGORIES OF RECORDS IN THE SYSTEM: The records are enrollment, beneficiary, and financial or payment related records used to support and calculate the amount of subsidy payments to plan sponsors. They contain information such as the following about each retiree: Standard data for identification such as Plan Sponsor Identification Number, Application Identification Number, Benefit Option Identifier, Coverage Effective Date, Coverage Termination Date, Health Insurance Claim Number (HICN) or Medicare Beneficiary Identifier (MBI), Social Security Number (SSN), gender, first name, last name, middle initial, date of birth, relationship to member, and Medicare eligibility and enrollment status. RECORD SOURCE CATEGORIES: Records maintained in this system are derived from the Medicare Beneficiary Database (MBD) system of records, system No. 09–70–0536, and from plan sponsors. jbell on DSK3GLQ082PROD with NOTICES ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OR USERS AND THE PURPOSES OF SUCH USES: Records about an individual retiree may be disclosed from this system of records to parties outside the Department of Health and Human Services (HHS), without the individual’s prior written consent, for the purposes indicated in these routine uses: 1. To agency contractors or consultants who have been engaged by the agency to assist in the performance of a service related to this system and who need to have access to the records in order to perform the activity. 2. To a member of Congress or to a congressional staff member in response to a written inquiry of the congressional office made at the written request of the constituent about whom the record is maintained. 3. To the Department of Justice (DOJ), court, or adjudicatory body when: a. the agency or any component thereof, or b. any employee of the agency in his or her official capacity, or c. any employee of the agency in his or her individual capacity where the DOJ has agreed to represent the employee, or d. the United States Government, is a party to litigation or has an interest in VerDate Sep<11>2014 21:50 Oct 07, 2019 Jkt 250001 such litigation and, by careful review, CMS determines that the records are both relevant and necessary to the litigation. 4. To a CMS contractor (including, but not necessarily limited to fiscal intermediaries and carriers) that assists in the administration of a CMS administered health benefits program, or to a grantee of a CMS-administered grant program, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud or abuse in such program. 5. To another federal agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States (including any state or local governmental agency), that administers, or that has the authority to investigate potential fraud or abuse in, a health benefits program funded in whole or in part by federal funds, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud or abuse in such programs. 6. To disclose to health plans, which are defined for this purpose as plans or programs that provide health benefits, whether directly, through insurance, or otherwise, and include—(1) a policy of health insurance; (2) a contract of a service benefit organization; and (3) a membership agreement with a health maintenance organization or other prepaid health plan when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste, or abuse in such programs. 7. To appropriate agencies, entities, and persons when (1) HHS suspects or has confirmed that there has been a breach of the system of records; (2) HHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the federal government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS’s efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm. 8. To another federal agency or federal entity, when HHS determines that information from this system of record is reasonably necessary to assist the PO 00000 Frm 00065 Fmt 4703 Sfmt 4703 recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the federal government, or national security, resulting from a suspected or confirmed breach. 9. To the U.S. Department of Homeland Security (DHS) if captured in an intrusion detection system used by HHS and DHS pursuant to a DHS cybersecurity program that monitors internet traffic to and from federal government computer networks to prevent a variety of types of cybersecurity incidents. The disclosures authorized by publication of the above routine uses pursuant to 5 U.S.C. 552a(b)(3) are in addition to other disclosures authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(2) and (b)(4)–(11). ADDITIONAL PROVISIONS AFFECTING ROUTINE USE DISCLOSURES: This system contains protected health information as defined by Department of Health and Human Services (HHS) regulation ‘‘Standards for Privacy of Individually Identifiable Health Information’’ (45 Code of Federal Regulations (CFR) Parts 160 and 164, 65 Federal Register (FR) 82462 (12–28–00), Subparts A and E). Disclosures of Protected Health Information authorized by these routine uses may only be made if, and as, permitted or required by the ‘‘Standards for Privacy of Individually Identifiable Health Information.’’ POLICIES AND PRACTICES FOR STORAGE OF RECORDS: The records are stored in hard-copy files and/or electronic media. POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS: Information is retrieved by the retiree’s Health Insurance Claim Number (HICN), Medicare Beneficiary Identifier (MBI), or Social Security Number. POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS: The records are retained and disposed of in accordance with the following disposition schedules, which were approved by the National Archives and Records Administration (NARA): • Financial or payment related records are governed by DAA–0440– 2015–0004–0001 (Bucket 3). The records retention schedule states: Destroy no sooner than 7 year(s) after cutoff but longer retention is authorized. E:\FR\FM\08OCN1.SGM 08OCN1 Federal Register / Vol. 84, No. 195 / Tuesday, October 8, 2019 / Notices • Enrollment Records are governed by DAA–0440–2015–0006 (Bucket 4). The records retention schedule states: Destroy no sooner than 7 year(s) after cutoff but longer retention is authorized. • Beneficiary Records are governed by DAA–0440–2015–0007–0001 (Bucket 5). The records retention schedule states: Cutoff at the end of the calendar year. Destroy no sooner than 10 year(s) after cutoff but longer retention is authorized. ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS: Safeguards conform to the CMS Information Security and Privacy Program, https://www.cms.gov/ Research-Statistics-Data-and-Systems/ CMS-Information-Technology/ InformationSecurity/index.html. Information is safeguarded in accordance with applicable laws, rules and policies, including the HHS Information Technology Security Program Handbook; all pertinent National Institutes of Standards and Technology (NIST) publications, and OMB Circular A–130, Managing Information as a Strategic Resource. Records are protected from unauthorized access through appropriate administrative, physical, and technical safeguards. These safeguards include protecting the facilities where records are stored or accessed with security guards, badges and cameras, securing hard-copy records in locked file cabinets, file rooms or offices during off-duty hours, limiting access to electronic databases to authorized users based on roles and two-factor authentication (user ID and password), using a secured operating system protected by encryption, firewalls, and intrusion detection systems, requiring encryption for records stored on removable media, and training personnel in Privacy Act and information security requirements. Records that are eligible for destruction are disposed of using secure destruction methods prescribed by NIST SP 800–88. jbell on DSK3GLQ082PROD with NOTICES RECORD ACCESS PROCEDURES: An individual seeking access to a record about him/her in this system of records must submit a written request to the System Manager indicated above. The request must contain the individual’s name and particulars necessary to distinguish between records on subject individuals with the same name, such as HICN, MBI or SSN, and should also reasonably specify the record(s) to which access is sought. To verify the requester’s identity, the signature must be notarized or the request must include the requester’s VerDate Sep<11>2014 21:50 Oct 07, 2019 Jkt 250001 written certification that he/she is the person he/she claims to be and that he/ she understands that the knowing and willful request for or acquisition of records pertaining to an individual from an agency under false pretenses is a criminal offense subject to a $5,000 fine. CONTESTING RECORD PROCEDURES: Any subject individual may request that his/her record be corrected or amended if he/she believes that the record is not accurate, timely, complete, or relevant or necessary to accomplish a Department function. A subject individual making a request to amend or correct his record shall address his request to the-System Manager indicated, in writing, and must verify his/her identity in the same manner required for an access request. The subject individual shall specify in each request: (1) The system of records from which the record is retrieved; (2) The particular record and specific portion which he/she is seeking to correct or amend; (3) The corrective action sought (e.g., whether he/she is seeking an addition to or a deletion or substitution of the record); and, (4) His/her reasons for requesting correction or amendment of the record. The request should include any supporting documentation to show how the record is inaccurate, incomplete, untimely, or irrelevant. NOTIFICATION PROCEDURES: Individuals wishing to know if this system contains records about them should write to the System Manager indicated above and follow the same instructions under Record Access Procedures. EXEMPTIONS PROMULGATED FOR THE SYSTEM: None. HISTORY: 70 FR 41035 (July 15, 2005), 78 FR 32257 (May 29, 2013), 83 FR 6591 (Feb. 14, 2018) [FR Doc. 2019–21768 Filed 10–7–19; 8:45 am] BILLING CODE 4120–03–P DEPARTMENT OF HEALTH AND HUMAN SERVICES Administration for Children and Families Submission for OMB Review; Head Start (HS) Connects: Individualizing and Connecting Families to Family Support Services (New Collection) Office of Planning, Research, and Evaluation; Administration for Children and Families; HHS. ACTION: Request for public comment. AGENCY: PO 00000 Frm 00066 Fmt 4703 Sfmt 4703 53737 The Administration for Children and Families (ACF) at the U.S. Department of Health and Human Services (HHS) seeks approval to conduct semi-structured, qualitative interviews with Head Start staff, parents/guardians, and community providers at six Head Start programs for case studies that explore case management and coordination of family support services. DATES: Comments due within 30 days of publication. OMB is required to make a decision concerning the collection of information between 30 and 60 days after publication of this document in the Federal Register. Therefore, a comment is best assured of having its full effect if OMB receives it within 30 days of publication. ADDRESSES: Written comments and recommendations for the proposed information collection should be sent directly to the following: Office of Management and Budget, Paperwork Reduction Project, Email: OIRA_ SUBMISSION@OMB.EOP.GOV, Attn: Desk Officer for the Administration for Children and Families. Copies of the proposed collection may be obtained by emailing OPREinfocollection@acf.hhs.gov. Alternatively, copies can also be obtained by writing to the Administration for Children and Families, Office of Planning, Research, and Evaluation, 330 C Street SW, Washington, DC 20201, Attn: OPRE Reports Clearance Officer. All requests, emailed or written, should be identified by the title of the information collection. SUPPLEMENTARY INFORMATION: Description: The case studies proposed as part of the Head Start (HS) Connects: Individualizing and Connecting Families to Family Support Services project are intended to build knowledge about how Head Start programs (Head Start or Early Head Start grantees, delegate agencies, and staff) across the country coordinate family well-being services for parents/ guardians and tailor coordination processes to individual family needs. The case studies will explore case management and coordination of family support services from multiple perspectives, including from the perspective of Head Start Administrators/Family and Community Partnerships Managers, Family Support Staff, Other Staff, Parents/Guardians, and Community Providers, at each of the six study sites during site visits. The case studies will further inform the development of design options for a large-scale descriptive study of Head Start programs nationally that is focused SUMMARY: E:\FR\FM\08OCN1.SGM 08OCN1

Agencies

[Federal Register Volume 84, Number 195 (Tuesday, October 8, 2019)]
[Notices]
[Pages 53734-53737]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-21768]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare and Medicaid Services


Privacy Act of 1974; System of Records

AGENCY: Centers for Medicare & Medicaid Services (CMS), Department of 
Health and Human Services (HHS).

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with requirements of the Privacy Act of 1974, as 
amended, the Department of Health and Human Services (HHS) is updating 
an existing system of records maintained by the Centers for Medicare & 
Medicaid Services (CMS), system No. 09-70-0550, titled ``Medicare 
Retiree Drug Subsidy Program'' (RDSP), and renaming it ``Retiree Drug 
Subsidy (RDS), HHS/CMS/CM.'' This system collects and maintains 
information about individuals who are qualifying covered retirees so 
that accurate and timely subsidy payments may be made to plan sponsors 
who continue to offer actuarially equivalent prescription drug coverage 
to the qualifying covered retirees.

DATES: In accordance with 5 United States Code (U.S.C.) 552a(e)(4) and 
(11), this notice is applicable October 8, 2019, subject to a 30-day 
period in which to comment on the new and revised routine uses, 
described below. Please submit any comments by November 7, 2019.

ADDRESSES: Written comments should be submitted by mail or email to: 
CMS Privacy Act Officer, Division of Security, Privacy Policy & 
Governance, Information Security & Privacy Group, Office of Information 
Technology, CMS, Location N1-14-56, 7500 Security Blvd., Baltimore, MD 
21244-1870, or [email protected].

[[Page 53735]]


FOR FURTHER INFORMATION CONTACT: General questions may be submitted to: 
Ivan Iveljic, Health Insurance Specialist, Medicare Plan Payment Group, 
Center for Medicare, CMS, Mail Stop C1-13-07, 7500 Security Boulevard, 
Baltimore, Maryland 21244. He can be reached at 410-786-3312 or via 
email at [email protected].

SUPPLEMENTARY INFORMATION: 

I. Background on Records Covered by System of Records 09-70-0550

    This system of records covers records about individual retirees 
which are used in administering the Retiree Drug Subsidy, which is a 
program that offers sponsors of qualified retiree prescription drug 
plans financial assistance with a portion of their prescription drug 
costs and thereby helps employers retain and enhance their prescription 
drug coverage so that the current erosion in coverage will plateau or 
even improve. The program makes a subsidy for 28 percent of allowable 
prescription drug costs available to qualified retiree prescription 
drug plans, which significantly reduces financial liabilities 
associated with employers' retiree drug coverage and encourages 
employers to continue assisting their retirees with prescription drug 
coverage.

II. Explanation of Modifications to the System of Records Notice (SORN)

    The modifications made to the system of records include the 
following substantive changes, in addition to reformatting the SORN to 
comply with OMB Circular A-108, issued December 23, 2016:
     The name of the system of records has changed from 
``Medicare Retiree Drug Subsidy Program (RDSP), HHS/CMS/CBC'' to 
``Retiree Drug Subsidy (RDS), HHS/CMS/CM.''
     Address information in the System Location and System 
Manager(s) sections has been updated.
     The Security Classification section has been changed from 
``Level Three Privacy Act Sensitive Data'' to ``Unclassified.''
     The Authorities section has been revised to include 31 
U.S.C. 7701(c) as authority to collect Social Security Numbers from 
individuals with whom CMS is ``doing business,'' as defined by the 
statute.
     The Purpose section has been revised to omit a summary of 
the routine uses;
     The Categories of Records section has been revised to 
identify the record categories as enrollment, beneficiary, and 
financial or payment-related records.
     The list of data elements in the Categories of Records 
section has been modified to include the Medicare Beneficiary 
Identifier (MBI), which is a new individual identifier in addition to 
the Health Insurance Claim Number (HICN).
     The Routine Uses section has been updated to revise three 
routine uses and add one new routine use:
    [cir] Routine use 2, which authorizes disclosures to members of 
Congress and their staff for purposes of responding to their requests 
on behalf of constituents, has been revised to require that their 
requests be ``written.''
    [cir] Routine use 3, which authorizes disclosures to the Department 
of Justice (DOJ), court, or adjudicatory body, has been revised to omit 
unnecessary wording limiting the disclosures to uses ``compatible with 
the purpose for which the agency collected the records.'' (The wording 
is unnecessary because it restates the definition of a routine use.)
    [cir] The fraud, waste, and abuse-related routine use added May 29, 
2013 is now numbered as routine use 6. It has been revised to add 
``which are'' before the words ``defined for this purpose,'' and to 
omit an unnecessary statement that ``[d]isclosures may include provider 
and beneficiary-identifiable data.''
    [cir] The two breach response-related routine uses added February 
14, 2018 are now numbered as routine uses 7 and 8.
    [cir] Routine use number 9 is new; it authorizes disclosures to the 
U.S. Department of Homeland Security (DHS) for cybersecurity monitoring 
purposes in the event that records from this system of records are 
captured in an intrusion detection system used by HHS and DHS.
     A note at the end of the Routine Uses section has been 
shortened to remove a portion referring to ``complaints'' and 
``complainants'' (which are not involved in this system of records) and 
to releases of ``not directly identifiable [information], except 
pursuant to one of the routine uses or if required by law'' (which 
could create the misimpression that a disclosure required by law need 
not be authorized by a routine use or another exception to the consent 
requirement in 5 U.S.C. 552a(b)).
     The Retrieval section has been updated to include the 
Medicare Beneficiary Identifier (MBI) as an additional personal 
identifier used for retrieval, and to omit plan sponsor identifier and 
benefit option identifier, which are not personal identifiers.
     The Records Retention section now cites the applicable 
disposition authorities, which were revised in 2015, and corrects the 
retention period, which was previously 15 years and is now seven years 
(or longer) for enrollment records, ten years (or longer) for 
beneficiary records, and seven years (or longer) for financial or 
payment related records.
     In the Access Procedures section, the text has been 
modified to state that any identifying particulars included in a 
request would be used to distinguish between subject individuals with 
the same name, and to include the MBI as an example of an identifying 
particular.

Barbara Demopulos,
Privacy Advisor, Division of Security, Privacy Policy and Governance, 
Information Security and Privacy Group, Office of Information 
Technology, Centers for Medicare & Medicaid Services.

SYSTEM NAME AND NUMBER:
    Retiree Drug Subsidy (RDS), HHS/CMS/CM, System No. 09-70-0550.

SECURITY CLASSIFICATION:
    This system of records does not include classified information.

SYSTEM LOCATION:
    The address of the agency component responsible for the system of 
records is: Medicare Plan Payment Group, Center for Medicare, Centers 
for Medicare & Medicaid Services, 7500 Security Boulevard, Baltimore, 
Maryland 21244-1850.

SYSTEM MANAGER:
    The System Manager for the system of records is: Director, Medicare 
Plan Payment Group, Center for Medicare, Centers for Medicare & 
Medicaid Services, 7500 Security Blvd., Baltimore, MD 21244, (410) 786-
7407.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Authority for maintenance of this system is given under section 
1860D-22 of the Social Security Act (Title 42 United States Code 
(U.S.C.) sections 1302, 1395w-101 through 1395w-152, and 1395hh), as 
amended by section 101 of the Medicare Modernization Act (MMA). The 
collection of Social Security Numbers is authorized by 31 U.S.C. 
7701(c).

PURPOSE(S) OF THE SYSTEM:
    The purpose of this system is to collect and maintain information 
about individuals who are qualifying covered retirees so that accurate 
and timely subsidy payments may be made to plan sponsors who continue 
to offer actuarially equivalent prescription drug coverage to the 
retirees.

[[Page 53736]]

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Information in this system is maintained on qualifying covered 
retirees who are Medicare Part D eligible individuals covered under a 
qualified retiree prescription drug plan.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records are enrollment, beneficiary, and financial or payment 
related records used to support and calculate the amount of subsidy 
payments to plan sponsors. They contain information such as the 
following about each retiree: Standard data for identification such as 
Plan Sponsor Identification Number, Application Identification Number, 
Benefit Option Identifier, Coverage Effective Date, Coverage 
Termination Date, Health Insurance Claim Number (HICN) or Medicare 
Beneficiary Identifier (MBI), Social Security Number (SSN), gender, 
first name, last name, middle initial, date of birth, relationship to 
member, and Medicare eligibility and enrollment status.

RECORD SOURCE CATEGORIES:
    Records maintained in this system are derived from the Medicare 
Beneficiary Database (MBD) system of records, system No. 09-70-0536, 
and from plan sponsors.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OR USERS AND THE PURPOSES OF SUCH USES:
    Records about an individual retiree may be disclosed from this 
system of records to parties outside the Department of Health and Human 
Services (HHS), without the individual's prior written consent, for the 
purposes indicated in these routine uses:
    1. To agency contractors or consultants who have been engaged by 
the agency to assist in the performance of a service related to this 
system and who need to have access to the records in order to perform 
the activity.
    2. To a member of Congress or to a congressional staff member in 
response to a written inquiry of the congressional office made at the 
written request of the constituent about whom the record is maintained.
    3. To the Department of Justice (DOJ), court, or adjudicatory body 
when:
    a. the agency or any component thereof, or
    b. any employee of the agency in his or her official capacity, or
    c. any employee of the agency in his or her individual capacity 
where the DOJ has agreed to represent the employee, or
    d. the United States Government, is a party to litigation or has an 
interest in such litigation and, by careful review, CMS determines that 
the records are both relevant and necessary to the litigation.
    4. To a CMS contractor (including, but not necessarily limited to 
fiscal intermediaries and carriers) that assists in the administration 
of a CMS administered health benefits program, or to a grantee of a 
CMS-administered grant program, when disclosure is deemed reasonably 
necessary by CMS to prevent, deter, discover, detect, investigate, 
examine, prosecute, sue with respect to, defend against, correct, 
remedy, or otherwise combat fraud or abuse in such program.
    5. To another federal agency or to an instrumentality of any 
governmental jurisdiction within or under the control of the United 
States (including any state or local governmental agency), that 
administers, or that has the authority to investigate potential fraud 
or abuse in, a health benefits program funded in whole or in part by 
federal funds, when disclosure is deemed reasonably necessary by CMS to 
prevent, deter, discover, detect, investigate, examine, prosecute, sue 
with respect to, defend against, correct, remedy, or otherwise combat 
fraud or abuse in such programs.
    6. To disclose to health plans, which are defined for this purpose 
as plans or programs that provide health benefits, whether directly, 
through insurance, or otherwise, and include--(1) a policy of health 
insurance; (2) a contract of a service benefit organization; and (3) a 
membership agreement with a health maintenance organization or other 
prepaid health plan when disclosure is deemed reasonably necessary by 
CMS to prevent, deter, discover, detect, investigate, examine, 
prosecute, sue with respect to, defend against, correct, remedy, or 
otherwise combat fraud, waste, or abuse in such programs.
    7. To appropriate agencies, entities, and persons when (1) HHS 
suspects or has confirmed that there has been a breach of the system of 
records; (2) HHS has determined that as a result of the suspected or 
confirmed breach there is a risk of harm to individuals, HHS (including 
its information systems, programs, and operations), the federal 
government, or national security; and (3) the disclosure made to such 
agencies, entities, and persons is reasonably necessary to assist in 
connection with HHS's efforts to respond to the suspected or confirmed 
breach or to prevent, minimize, or remedy such harm.
    8. To another federal agency or federal entity, when HHS determines 
that information from this system of record is reasonably necessary to 
assist the recipient agency or entity in (1) responding to a suspected 
or confirmed breach or (2) preventing, minimizing, or remedying the 
risk of harm to individuals, the recipient agency or entity (including 
its information systems, programs, and operations), the federal 
government, or national security, resulting from a suspected or 
confirmed breach.
    9. To the U.S. Department of Homeland Security (DHS) if captured in 
an intrusion detection system used by HHS and DHS pursuant to a DHS 
cybersecurity program that monitors internet traffic to and from 
federal government computer networks to prevent a variety of types of 
cybersecurity incidents.
    The disclosures authorized by publication of the above routine uses 
pursuant to 5 U.S.C. 552a(b)(3) are in addition to other disclosures 
authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(2) and 
(b)(4)-(11).

ADDITIONAL PROVISIONS AFFECTING ROUTINE USE DISCLOSURES:
    This system contains protected health information as defined by 
Department of Health and Human Services (HHS) regulation ``Standards 
for Privacy of Individually Identifiable Health Information'' (45 Code 
of Federal Regulations (CFR) Parts 160 and 164, 65 Federal Register 
(FR) 82462 (12-28-00), Subparts A and E). Disclosures of Protected 
Health Information authorized by these routine uses may only be made 
if, and as, permitted or required by the ``Standards for Privacy of 
Individually Identifiable Health Information.''

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    The records are stored in hard-copy files and/or electronic media.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Information is retrieved by the retiree's Health Insurance Claim 
Number (HICN), Medicare Beneficiary Identifier (MBI), or Social 
Security Number.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    The records are retained and disposed of in accordance with the 
following disposition schedules, which were approved by the National 
Archives and Records Administration (NARA):
     Financial or payment related records are governed by DAA-
0440-2015-0004-0001 (Bucket 3). The records retention schedule states: 
Destroy no sooner than 7 year(s) after cutoff but longer retention is 
authorized.

[[Page 53737]]

     Enrollment Records are governed by DAA-0440-2015-0006 
(Bucket 4). The records retention schedule states: Destroy no sooner 
than 7 year(s) after cutoff but longer retention is authorized.
     Beneficiary Records are governed by DAA-0440-2015-0007-
0001 (Bucket 5). The records retention schedule states: Cutoff at the 
end of the calendar year. Destroy no sooner than 10 year(s) after 
cutoff but longer retention is authorized.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Safeguards conform to the CMS Information Security and Privacy 
Program, https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/index.html. Information is 
safeguarded in accordance with applicable laws, rules and policies, 
including the HHS Information Technology Security Program Handbook; all 
pertinent National Institutes of Standards and Technology (NIST) 
publications, and OMB Circular A-130, Managing Information as a 
Strategic Resource. Records are protected from unauthorized access 
through appropriate administrative, physical, and technical safeguards. 
These safeguards include protecting the facilities where records are 
stored or accessed with security guards, badges and cameras, securing 
hard-copy records in locked file cabinets, file rooms or offices during 
off-duty hours, limiting access to electronic databases to authorized 
users based on roles and two-factor authentication (user ID and 
password), using a secured operating system protected by encryption, 
firewalls, and intrusion detection systems, requiring encryption for 
records stored on removable media, and training personnel in Privacy 
Act and information security requirements. Records that are eligible 
for destruction are disposed of using secure destruction methods 
prescribed by NIST SP 800-88.

RECORD ACCESS PROCEDURES:
    An individual seeking access to a record about him/her in this 
system of records must submit a written request to the System Manager 
indicated above. The request must contain the individual's name and 
particulars necessary to distinguish between records on subject 
individuals with the same name, such as HICN, MBI or SSN, and should 
also reasonably specify the record(s) to which access is sought. To 
verify the requester's identity, the signature must be notarized or the 
request must include the requester's written certification that he/she 
is the person he/she claims to be and that he/she understands that the 
knowing and willful request for or acquisition of records pertaining to 
an individual from an agency under false pretenses is a criminal 
offense subject to a $5,000 fine.

CONTESTING RECORD PROCEDURES:
    Any subject individual may request that his/her record be corrected 
or amended if he/she believes that the record is not accurate, timely, 
complete, or relevant or necessary to accomplish a Department function. 
A subject individual making a request to amend or correct his record 
shall address his request to the-System Manager indicated, in writing, 
and must verify his/her identity in the same manner required for an 
access request. The subject individual shall specify in each request: 
(1) The system of records from which the record is retrieved; (2) The 
particular record and specific portion which he/she is seeking to 
correct or amend; (3) The corrective action sought (e.g., whether he/
she is seeking an addition to or a deletion or substitution of the 
record); and, (4) His/her reasons for requesting correction or 
amendment of the record. The request should include any supporting 
documentation to show how the record is inaccurate, incomplete, 
untimely, or irrelevant.

NOTIFICATION PROCEDURES:
    Individuals wishing to know if this system contains records about 
them should write to the System Manager indicated above and follow the 
same instructions under Record Access Procedures.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    70 FR 41035 (July 15, 2005), 78 FR 32257 (May 29, 2013), 83 FR 6591 
(Feb. 14, 2018)
[FR Doc. 2019-21768 Filed 10-7-19; 8:45 am]
BILLING CODE 4120-03-P