Privacy Act of 1974; System of Records, 43243-43246 [2020-15380]

Agencies

• DEPARTMENT OF HEALTH AND HUMAN SERVICES

[Federal Register Volume 85, Number 137 (Thursday, July 16, 2020)]
[Notices]
[Pages 43243-43246]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-15380]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES


Privacy Act of 1974; System of Records

AGENCY: Office of the Assistant Secretary for Health, Department of 
Health and Human Services (HHS).

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, as amended, the Department of Health and Human Services (HHS) is 
establishing a new system of records, 09-90-2002, ``COVID-19 Insights 
Collaboration Records.'' HHS will use the records in this system of 
records to create and maintain a new database to be used by HHS to 
understand, track, and respond to the novel coronavirus known as SARS-
CoV-2 and the outbreak of COVID-19 (the disease caused by SARS-CoV-2) 
which the Secretary of Health and Human Services declared a public 
health emergency effective January 27, 2020, and the World Health 
Organization (WHO) declared a pandemic on March 11, 2020. Creating and 
maintaining the new database may include retrieving identifiable 
records about patients by the patients' personal identifiers in order 
to connect, combine, or de-duplicate records that are about the same 
individual; however, at this time, HHS does not plan to retrieve 
records by personal identifier when using the resulting database for 
research, analysis, or other public health activities.

DATES: The new system of records is applicable July 16, 2020, subject 
to a 30-day period in which to comment on the routine uses.

ADDRESSES: The public should address written comments by email to 
[email protected] or by mail to Beth Kramer, HHS Privacy Act Officer, 
FOIA/Privacy Act Division, Office of the Assistant Secretary for Public 
Affairs, 200 Independence Ave. SW, Washington, DC 20201.

FOR FURTHER INFORMATION CONTACT: General questions about the new system 
of records may be submitted by email to [email protected] or by mail 
to Beth Kramer, HHS Privacy Act Officer, FOIA/Privacy Act Division, 
Office of the Assistant Secretary for Public Affairs, 200 Independence 
Ave. SW, Washington, DC 20201, (202) 690-6941.

SUPPLEMENTARY INFORMATION: The new system of records will cover any 
identifiable records about patients that are retrieved by personal 
identifier for the purpose of creating and maintaining a new database 
that HHS will use for research, analysis, or other public health 
activities to understand, track, and respond to the novel coronavirus, 
SARS-CoV-2, which causes the disease known as COVID-19. The Department 
of Energy (DOE) will create and maintain the database for HHS at DOE's 
Oak Ridge National Laboratory (ORNL).
    HHS will create the new database using certain existing patient 
records at federal agencies, and potentially at state agencies and 
private sector entities, about patients who have and, for control 
purposes, have not, tested positive for COVID-19 or antibodies to same. 
The new database will also include geospatial records, population 
density records, and other types of existing records that are not 
individually identifiable but that HHS determines are useful to 
include. However, the Privacy Act system of records only governs 
individually identifiable records that are retrieved by a personal 
identifier.
    Custodians of the records that HHS, as a public health authority, 
determines are useful for COVID-19-related public health activities 
will donate data to ORNL for inclusion in the new database. At the time 
of publication, HHS anticipates that the COVID Insights Collaboration 
Database will include records from the Department of Veterans Affairs' 
(DVA) Veterans Health Administration (VHA) Corporate Data Warehouse and 
from the Department of Defense's (DoD) Military Health Information 
System. Other sources of records may be added later.
    HHS is relying on its status as a public health authority under 42 
U.S.C. 241 and 247d to obtain, compile, and analyze these data. In the 
course of creating and maintaining the database, ORNL may retrieve 
identifiable records by patients' personal identifiers in order to 
connect, combine, or de-duplicate records that are about the same 
individual. At this time, HHS does not plan to retrieve records by 
personal identifier when using the resulting database for research, 
analysis, or other public health activities.
    HHS provided advance notice of the new system of records to the 
Office of Management and Budget and Congress as required by 5 U.S.C. 
552a(r) and OMB Circular A-108.

Beth Kramer,
HHS Privacy Act Officer, FOIA/Privacy Act Division, Office of the 
Assistant Secretary for Public Affairs.

SYSTEM NAME AND NUMBER:
    COVID-19 Insights Collaboration Records, 09-90-2002.

[[Page 43244]]

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    The address of the HHS component responsible for this system of 
records is:
     Office of the Assistant Secretary for Health (OASH), 200 
Independence Ave. SW, Washington, DC 20201.
    The address of the service provider that will create and maintain 
the database for HHS is:
     Oak Ridge National Laboratory, P.O. Box 2008, Oak Ridge, 
TN 37831.

SYSTEM MANAGER(S):
    The System Manager is:
     Deputy Chief Information Officer, Office of the Assistant 
Secretary for Health (OASH), 200 Independence Ave. SW, Washington, DC 
20201, (202) 821-5116, [email protected].

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    42 U.S.C. 241, 247d.

PURPOSE(S) OF THE SYSTEM:
    The purpose of the system of records is to create and maintain a 
single database for HHS to use for analysis, research, and other public 
health activities related to the study of COVID-19. The system of 
records will be composed of certain existing records about patients who 
have tested positive for the novel coronavirus, SARS-CoV-2, which 
causes the disease known as COVID-19, or for antibodies to same; and, 
for control purposes, about patients who have not tested positive for 
same. The Department of Energy (DOE) will create and maintain the 
database for HHS at DOE's Oak Ridge National Laboratory (ORNL). In the 
course of creating and maintaining the database, ORNL may retrieve 
identifiable records by patients' personal identifiers in order to 
connect, combine, or de-duplicate records from contributed datasets 
that are about the same individual. At this time, HHS does not plan to 
retrieve records from the resulting database by personal identifier 
when using the database for research, analysis, or other public health 
activities.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The records are about patients identified as having tested positive 
for COVID-19 or antibodies to same, and, for control purposes, about 
patients who have not tested positive for same, in existing records at 
DVA, DoD, and other federal, state, local or tribal agencies or private 
sector entities which those custodians donate to HHS for inclusion in 
the COVID Insights Collaboration Database. Examples of such patients 
include:
     Veterans and others who received care at VA facilities or 
through VA community care programs.
     Uniformed service medical beneficiaries who received care 
at DoD facilities.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The categories of records are existing datasets containing patient 
medical records and related records, which may include any of the 
following information about each patient, as applicable:
     Patient identifying information (e.g., name, address, date 
of birth, social security number, medical record number) and family 
information (e.g., next of kin; family medical history information).
     Service information (e.g., dates, branch and character of 
service, service number).
     Occupational and environmental exposure data.
     Medical and dental resources data.
     Sociological, diagnostic, counseling, rehabilitation, drug 
and alcohol, dietetic, medical, surgical, dental, psychological, and/or 
psychiatric information compiled by health care providers.
     Information pertaining to the individual's medical, 
surgical, psychiatric, dental, and/or psychological examination, 
evaluation, and/or treatment (e.g., diagnostic, therapeutic special 
examinations; clinical laboratory, pathology and x-ray findings; 
operations; medications; allergies; consultations), including COVID-19 
illness or antibody status.

RECORD SOURCE CATEGORIES:
    HHS will obtain the donated datasets from federal, state, and local 
agencies, and private sector entities. The datasets will contain 
patient data which the donating agencies and entities may have 
originally collected from the patient; a representative of the patient; 
the patient's treating physicians and other health care providers, 
laboratories, and treatment facilities; and program personnel at the 
donating agency or entity or at another agency.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    In addition to other disclosures authorized directly in the Privacy 
Act at 5 U.S.C. 552a(b)(1) and (2) and (b)(4) through (11), HHS may 
disclose records about an individual from this system of records to 
parties outside HHS as described in these routine uses, without the 
subject individual's prior written consent.
    1. To HHS contractors, consultants, agents, or others (including 
DOE or another federal agency) engaged by HHS to assist with creating 
and maintaining the COVID-19 Insights Collaboration Database and who 
need to have access to the records to provide that assistance. Records 
that HHS discloses to another federal agency under this routine use may 
also be re-disclosed to contractors and others engaged by that agency 
that are assisting that agency with creating and maintaining the COVID-
19 Insights Collaboration Database.
    2. To student volunteers, individuals working under a personal 
services contract, and other individuals performing functions for HHS 
or its agent, DOE, who do not technically have the status of agency 
employees, if they are assisting HHS or DOE with creating and 
maintaining the COVID-19 Insights Collaboration Database and need 
access to the records to perform those agency functions.
    3. To the Department of Justice (DOJ) or to a court or other 
adjudicative body in litigation or other proceedings when:
    a. HHS or any of its component thereof, or
    b. any employee of HHS acting in the employee's official capacity, 
or
    c. any employee of HHS acting in the employee's individual capacity 
where the DOJ or HHS has agreed to represent the employee, or
    d. the United States Government, is a party to the proceeding or 
has an interest in such proceeding and, by careful review, HHS 
determines that the records are both relevant and necessary to the 
proceeding.
    4. To representatives of the National Archives and Records 
Administration in records management inspections conducted pursuant to 
44 U.S.C. 2904 and 2906.
    5. To appropriate agencies, entities, and persons when (1) HHS 
suspects or has confirmed that there has been a breach of the system of 
records, (2) HHS has determined that as a result of the suspected or 
confirmed breach there is a risk of harm to individuals, HHS (including 
its information systems, programs, and operations), the federal 
government, or national security, and (3) the disclosure made to such 
agencies, entities, and persons is reasonably necessary to assist in 
connection with HHS's efforts to respond to the suspected or confirmed 
breach or to prevent, minimize, or remedy such harm.
    6. To another federal agency or federal entity, when HHS determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in (1)

[[Page 43245]]

responding to a suspected or confirmed breach or (2) preventing, 
minimizing, or remedying the risk of harm to individuals, the recipient 
agency or entity (including its information systems, programs, and 
operations), the federal government, or national security, resulting 
from a suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    The records will be stored on electronic media, but paper printouts 
may be generated.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    The records will be retrieved by the patient's name, Social 
Security number, or other assigned identification number, if any, or 
combination of identifiers, to disaggregate duplicate records and to 
combine records that are about the same individual.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    The datasets used to create and maintain the COVID-19 Insights 
Collaboration Database will be retained in accordance with N1-514-92-
001, Item 26, which provides for records of OASH program activities 
having significant historical and/or research value and relating to 
matters such as studies to be permanently retained.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Safeguards will conform to the HHS Information Security and Privacy 
Program, https://www.hhs.gov/ocio/securityprivacy/, the HHS 
Information Security and Privacy Policy (IS2P), and security and 
privacy requirements specified in a services agreement between HHS and 
DOE. Agreements governing the data will ensure that information is 
safeguarded in accordance with applicable federal laws, rules, and 
policies, including: The E-Government Act of 2002, which includes the 
Federal Information Security Management Act of 2002 (FISMA); 44 U.S.C. 
3541-3549, as amended by the Federal Information Security Modernization 
Act of 2014, 44 U.S.C. 3551-3558; all pertinent National Institutes of 
Standards and Technology (NIST) publications; and OMB Circular A-130, 
Managing Information as a Strategic Resource.
    HHS and DOE will protect the records from unauthorized access 
through appropriate administrative, physical, and technical safeguards. 
These safeguards will include protecting the facilities where records 
are stored or accessed with security guards, badges and cameras; 
securing any hard-copy records in locked file cabinets, file rooms or 
offices during off-duty hours; controlling access to physical locations 
where records are maintained and used by means of combination locks and 
identification badges issued only to authorized users; requiring 
contractors to maintain appropriate safeguards and comply with the 
Privacy Act with respect to the records; limiting authorized users' 
access to electronic records based on roles and either two-factor 
authentication or password protection; requiring passwords to be 
complex and to be changed frequently; using a secured operating system 
protected by encryption, firewalls, and intrusion detection systems; 
maintaining an activity log of users' access; requiring encryption for 
records stored on removable media; training personnel in Privacy Act 
and information security requirements; and reviewing security controls 
on an ongoing basis.

RECORD ACCESS PROCEDURES:
    The records in this system of records will be used solely to create 
and maintain a database from which records will not be retrieved by 
personal identifiers but will be used to study patients' 
characteristics; therefore, no Privacy Act purpose would be served by 
allowing subject individuals access rights with respect to the records 
in this system of records. Nevertheless, an individual may request 
access to records about that individual in this system of records by 
submitting a written access request to the System Manager identified in 
the ``System Manager'' section of this SORN. The request must contain 
the requester's full name, address, and signature, and should also 
include helpful identifying particulars that may be in the records, 
such as: The requester's date of birth and any assigned identification 
number (if known). To verify the requester's identity, the signature 
must be notarized or the request must include the requester's written 
certification that the requester is the individual who the requester 
claims to be and that the requester understands that the knowing and 
willful request for or acquisition of a record pertaining to an 
individual under false pretenses is a criminal offense subject to a 
fine of up to $5,000. HHS will direct any access request that HHS 
receives to the agency or entity that provided the extract to HHS, for 
consultation purposes; and HHS will respond to the request as the 
providing agency directs.

CONTESTING RECORD PROCEDURES:
    The records in this system of records will be used solely to create 
and maintain a database from which records will not be retrieved by 
personal identifiers but will be used to study patients' 
characteristics; therefore, no Privacy Act purpose would be served by 
allowing subject individuals amendment rights with respect to the 
records in this system of records. Nevertheless, an individual may seek 
to amend a record about that individual in this system of records by 
submitting an amendment request to the System Manager identified in the 
``System Manager'' section of this SORN, containing the same 
information required for an access request. The request must include 
verification of the requester's identity in the same manner required 
for an access request; must reasonably identify the record and specify 
the information contested, the corrective action sought, and the 
reasons for requesting the correction; and should include supporting 
information to show how the record is inaccurate, incomplete, untimely, 
or irrelevant. HHS will direct any amendment request that HHS receives 
to the agency or entity that provided the extract to HHS, for 
consultation purposes; and HHS will respond to the request as the 
providing agency directs.

NOTIFICATION PROCEDURES:
    The records in this system of records will be used solely to create 
and maintain a database from which records will not be retrieved by 
personal identifiers but will be used to study patients' 
characteristics; therefore, no Privacy Act purpose would be served by 
allowing subject notification rights with respect to the records in 
this system of records. Nevertheless, an individual who wishes to know 
if this system of records contains records about that individual should 
submit a notification request to the System Manager identified in the 
``System Manager'' section of this SORN. The request must contain the 
same information required for an access request, and must include 
verification of the requester's identity in the same manner required 
for an access request. HHS will direct any notification request that 
HHS receives to the agency or entity that provided the extract to HHS, 
for consultation purposes; and HHS will respond to the request as the 
providing agency directs.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

[[Page 43246]]

HISTORY:
    None.
[FR Doc. 2020-15380 Filed 7-15-20; 8:45 am]
BILLING CODE 4150-28-P