Privacy Act of 1974; System of Records, 33151-33156 [2023-10835]
Download as PDF
Federal Register / Vol. 88, No. 99 / Tuesday, May 23, 2023 / Notices
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Indian Health Service
Privacy Act of 1974; System of
Records
Indian Health Service,
Department of Health and Human
Services.
ACTION: Notice of a modified system of
records.
AGENCY:
In accordance with the
requirements of the Privacy Act of 1974,
as amended, the Department of Health
and Human Services (HHS) is modifying
a system of records maintained by the
Indian Health Service (IHS), System No.
09–17–0003, Indian Health Service
Medical Staff Credentials and Privileges
Records. The system of records covers
records about individuals who request
credentialing and privileging to serve as
IHS medical or health care
professionals.
DATES: In accordance with 5 U.S.C.
552a(e)(4) and (11), this Notice is
applicable upon publication, subject to
a 30-day period in which to comment
on the new and revised routine uses,
described below. Please submit any
comments by June 22, 2023.
ADDRESSES: The public should address
written comments by mail or email to:
Heather H. McClane, Senior Official for
Privacy, Indian Health Service, 5600
Fishers Lane—MAIL STOP: 09E70,
Rockville, MD 20857, or
Heather.Mcclane@ihs.gov.
FOR FURTHER INFORMATION CONTACT:
General questions about this system of
records should be submitted by mail or
email to CAPT Jana Towne, Acting
Director, Office of Quality, 5600 Fishers
Lane—MAIL STOP: 08N70A, Rockville,
MD 20857, or Jana.Towne@ihs.gov;
telephone (301) 273–4152.
SUPPLEMENTARY INFORMATION: The
following modifications have been made
to the System of Records Notice (SORN)
for System No. 09–17–0003, Indian
Health Service Medical Staff Credentials
and Privileges Records:
• The System Name no longer
includes ‘‘HHS/IHS/OCPS,’’ because the
agency component responsible for the
system of records is now identified in
the System Location section.
• The Security Classification has been
changed from ‘‘None’’ to ‘‘Unclassified’’
because the information in the system of
records is not classified.
• The System Location section now
provides the name and address of the
agency component responsible for the
system of records, instead describing
physical records locations.
lotter on DSK11XQN23PROD with NOTICES1
SUMMARY:
VerDate Sep<11>2014
17:24 May 22, 2023
Jkt 259001
• The System Manager(s) section has
been amended to include address and
contact information for the official
serving as the ‘‘overall’’ System Manager
and for the Area and Clinical Directors
serving as the System Managers for
purposes of receiving Privacy Act
requests. A lengthy list of IHS Service
Unit addresses which was included in
an Appendix to the SORN (and which
did not include email addresses or
telephone numbers) has been removed.
• The Authority section no longer
cites the Indian Self Determination and
Education and Assistance Act (25 U.S.C.
450), because Tribal Health Programs
credential and privilege their own
providers using separate records; and no
longer cites the Federal Records Act and
the Privacy Act, because those are not
sufficiently specific authorities for the
maintenance of the records in this
system of records.
• In the Purpose(s) section, which
contains four purpose descriptions:
(1) The first purpose description has
been revised to change ‘‘medical staff
members’’ to ‘‘medical and health care
professionals’’ and to insert ‘‘having
their identity confirmed’’, as well as
inserted the terms ‘‘where required’’ and
‘‘education.’’
(2) The second purpose description
now includes ‘‘sexual misconduct’’ and
‘‘medical malpractice’’ as examples of
information indicative of an
individual’s professional competence,
character, and ethical qualifications.
(3) The third purpose description has
been revised to remove references to the
Health Care Quality Improvement Act of
1986 and the Health Insurance
Portability and Accountability Act of
1996; to replace the citation to the
Public Law governing the National
Practitioner Data Bank (NPDB) with the
U.S. Code cite; and to change
‘‘information concerning current or
former IHS medical staff members
whose professional health care activity
failed to conform to generally-accepted
standards of professional medical
practice’’ to ‘‘information on certain
adverse events and medical malpractice
payments concerning current or former
IHS medical staff members so that IHS
and other health care entities may make
informed decisions regarding hiring and
privileging of those medical staff
members.’’
• The Categories of Individuals
section has been revised to describe the
category of individuals as applicants
who request credentialing and
privileging to serve as IHS medical or
health care professionals (instead of as
prospective, current, and former IHS
medical staff members). In addition, the
term ‘‘IHS medical or health care
PO 00000
Frm 00072
Fmt 4703
Sfmt 4703
33151
professionals’’ used in the revised
category description is now explained
as including two sub-types: (1) licensed
practitioners; and (2) licensed staff
members who neither maintain clinical
privileges nor are governed by the
medical staff bylaws but whose position
requires a license to perform duties that
need to be verified and tracked (instead
of four sub-types: Provisional, Active,
Temporary, and Courtesy or Associate).
• The Categories of Records section
has been revised to describe the records
as ‘‘IHS medical staff membership and
privilege applications and associated
forms, as well as additional information
to track credentials’’ followed by an
updated list of types of information
included. Two information types have
been changed (i.e., ‘‘performance
awards’’ has been changed to
‘‘performance status,’’ and ‘‘adverse or
disciplinary actions’’ has been changed
to ‘‘adverse or disciplinary actions
regarding professional competence and
personal characteristics’’); ‘‘evaluations
and approvals completed by IHS
medical staff reviewers’’ has been
removed; and these information types
have been added: addresses, date of
birth, National Provider Identifier
number, health and immunization
status, peer references, training, Medical
Quality Assurance Records protected by
25 U.S.C. 1675, and records protected
by 42 CFR part 2, Confidentiality of
Substance Use Disorder Patient Records.
• The Record Source Categories
section has been revised to include an
additional source, i.e., ‘‘other sources of
professional information.’’
• In the Routine Uses section, an
introduction and one new routine use
have been added and six routine uses
have been revised, as follows:
(1) The introduction states: ‘‘In
addition to the disclosures authorized
directly in the Privacy Act at 5 U.S.C.
552a(b)(1) and (b)(2) and (b)(4) through
(b)(11), these routine uses specify
circumstances under which the agency
may disclose information from this
system of records to a non-HHS officer
or employee without the consent of the
subject individual.’’
(2) In routine use 1, which authorizes
disclosures to organizations conducting
studies of IHS health care delivery,
‘‘The Joint Commission on the
Accreditation of Healthcare
Organizations’’ is now followed by the
abbreviation ‘‘(The Joint Commission).’’
(3) Routine use 2, which authorizes
disclosures to entities that maintain
license and registration issuance,
retention, and revocation records, has
been revised to add ‘‘Social Security
number’’ and ‘‘personal characteristics
that fail to conform to social norms
E:\FR\FM\23MYN1.SGM
23MYN1
lotter on DSK11XQN23PROD with NOTICES1
33152
Federal Register / Vol. 88, No. 99 / Tuesday, May 23, 2023 / Notices
concerning lawful behaviors’’ as items
of information authorized to be
disclosed; to add ‘‘direct contract’’ as a
type of medical staff member about
whom information is authorized to be
disclosed; and to refer to ‘‘the NPDB’’
instead of to ‘‘the NPDB–HIPDB
established under title IV of Public Law
99–660 and section 221(a) of Public Law
104–191.’’
(4) In routine use 3 (which authorizes
disclosures of an applicant’s biographic
data to verify with third parties that the
applicant’s claimed background and
employment data and credentials are
valid), ‘‘potential applicant’’ has been
changed to ‘‘applicant’’; ‘‘IHS medical
staff and/or privileges applications’’ has
been changed to ‘‘IHS medical staff
membership and privileges
applications’’; ‘‘personal
characteristics’’ has been added to the
description of qualifications evaluated;
‘‘State or local government health
profession licensing board’’ has been
changed to ‘‘Federal, State, or local
government health profession licensing
or certification board’’; ‘‘health related
professional organization’’ has been
changed to ‘‘health care oversight or
professional monitoring organization or
program,’’ and the examples of same
now include ‘‘The Joint Commission’’
and now refer to ‘‘the National
Practitioner Data Bank’’ instead of to
‘‘the NPDB–HIPDB established under
Title IV of Public Law 99–660 and
section 221(a) of Public Law 104–191’’;
and ‘‘all claimed background’’ has been
changed to ‘‘a clinician’s claimed
background.’’
(5) In routine use 4 (which authorizes
disclosures to enable government
agencies and private sector
organizations to which the subject
individual applies for clinical
privileges, membership, or licensure to
document information about the
individual’s professional performance
while employed by the IHS), the words
‘‘enabling them’’ have been added to
clarify that the disclosures aid the
recipients’ (not IHS’s) documentation;
‘‘Federal agencies’’ has been changed to
‘‘Federal agencies or organizations’’ in
the description of disclosure recipients;
the Office of Personnel Management has
been removed as an example of a
Federal agency recipient; and
‘‘character’’ has been added as a type of
performance information that may be
disclosed for the recipient’s
documentation purposes.
(6) Routine use 5, which authorizes
disclosures in litigation and similar
proceedings, has been reorganized and
reworded. A requirement that the
disclosures be ‘‘compatible with the
purpose for which the records were
VerDate Sep<11>2014
17:24 May 22, 2023
Jkt 259001
collected’’ has been removed as
redundant, because it repeats part of the
definition of a routine use.
(7) Routine use 7 is new; it authorizes
medical quality assurance records about
the subject of a quality assurance action
to be disclosed for any purposes
authorized by 25 U.S.C. 1675(d) and
(e)(2) to the recipients described in 25
U.S.C. 1675(d)(1) and (e)(2).
(8) Routine use 8 (formerly numbered
as 7), which currently authorizes
disclosures of relevant records from this
system of records to the appropriate
enforcement agency when a ‘‘system of
records’’ maintained by IHS indicates a
violation or potential violation of law,
has been revised to authorize
disclosures of relevant records from this
system of records to the appropriate
enforcement agency when ‘‘a record in
this system of records, on its face, or in
conjunction with other records’’
indicates a violation or potential
violation of law.
• The Storage section, which
currently states that records are stored
in ‘‘file folders and computer-based or
electronic files,’’ has been revised to add
that the file folders are ‘‘stored at the
IHS facilities or the Federal Record
Center’’ and the computer-based or
electronic records are ‘‘located at the
IHS Albuquerque Data Center in
Albuquerque, NM.’’
• The Retrieval section has been
revised to change ‘‘numbers necessary
to establish the identity of an individual
whose record is maintained in the
system of records’’ to ‘‘numbers
necessary to ensure that the records
retrieved are about the intended
individual.’’
• The Retention and Disposal section
contains the description of the retention
periods previously included at the end
of the Safeguards section, and now cites
the applicable National Archives and
Records Administration (NARA)approved disposition schedule.
• The Safeguards section has been
revised to mention applicable laws,
rules, and policies at the start, instead
of in a numbered paragraph near the
end; to remove a numbered paragraph
addressing retention and disposal
practices; to describe additional
authorized users (i.e., Credentialist; and
IHS Chief Medical Officer and Quality
Assurance Risk Management Committee
members and their designees); to update
the physical safeguards description to
include paper records; to add a
paragraph describing technical
safeguards; and to update the
administrative safeguards description to
include a statement that security
controls are reviewed and assessed on
an ongoing basis and a description of
PO 00000
Frm 00073
Fmt 4703
Sfmt 4703
the training and rules of behavior
requirements that users must meet prior
to being granted system access and
periodically thereafter.
• The sections describing procedures
for making Privacy Act requests have
been reorganized to outline the required
contents of any Privacy Act request in
the Access Request Procedures section,
to incorporate those requirements by
reference in the Contesting Record and
Notification procedures sections, and to
include additional requirements specific
to amendment requests in the
Contesting Record procedures section.
The required contents for any Privacy
Act request include these new items:
telephone number and/or email address,
and date and place of birth. The
procedures now explain how to verify
identity, instead of merely requiring
identity to be verified in accordance
with the HHS Privacy Act regulations.
Instead of indicating that an individual
may make a request in person,
unannounced, the procedures now state
that an individual may request an
appointment to review the records in
person. A note has been added at the
end of the Access Request Procedures
section about access limitations in 25
U.S.C. 1675 that apply to any records
that are Medical Quality Assurance
records.
Because some of these changes are
significant, a report on the modified
system of records was sent to the Office
of Management and Budget (OMB) and
the Congressional committees that
oversee privacy, in accordance with 5
U.S.C. 552a(r).
Roselyn Tso,
Director, Indian Health Service.
SYSTEM NAME AND NUMBER:
Indian Health Service Medical Staff
Credentials and Privileges Records, 09–
17–0003.
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
The address of the agency component
responsible for the system of records is:
Office of Chief Medical Officer (CMO),
Indian Health Service, 5600 Fishers
Lane—MAIL STOP: 08E37A, Rockville,
MD 20857.
SYSTEM MANAGER(S):
The System Manager for the overall
system of records (also known as the
Policy Coordinating Official) is:
Director, Office of CMO, IHS, 5600
Fishers Lane—MAIL STOP: 08E37A,
Rockville, MD 20857,
loretta.christensen@ihs.gov, (732) 740–
6702.
E:\FR\FM\23MYN1.SGM
23MYN1
lotter on DSK11XQN23PROD with NOTICES1
Federal Register / Vol. 88, No. 99 / Tuesday, May 23, 2023 / Notices
The Area Director, together with the
Clinical Director of the IHS Service Unit
where the individual applied for
credentialing and privileging, is the
System Manager who the individual
must contact to make a Privacy Act
request. Requests must be addressed to
‘‘Area and Clinical Directors’’ at the
applicable Area Office address listed
below:
• Alaska Area: Alaska Area Native
Health Service, 4141 Ambassador
Drive—Suite 300, Anchorage, AK
99508–5928, (907) 729–3686.
• Albuquerque Area: Albuquerque
Area Office, Indian Health Service, 4101
Indian School Rd. NE—Suite 225,
Albuquerque, NM 87110–3988, (505)
256–6800.
• Bemidji Area: Bemidji Area Office,
Indian Health Service, Bemidji
Technology Park, 2225 Cooperative Ct.
NW, Bemidji, MN 56601, (218) 444–
0452.
• Billings Area: Billings Area Office,
Indian Health Service, 2900 4th Avenue
North, Billings, MT 59101 (or Billings
Area Office, P.O. Box 36600, Billings,
MT 59107), (406) 247–7106.
• California Area: Indian Health
Service, California Area Office, John E.
Moss Federal Building, 650 Capitol
Mall—Suite 7–100, Sacramento, CA
95814, (916) 930–3927.
• Great Plains Area: Great Plains Area
Indian Health Service, 115 4th Avenue
SW—Room 309, Aberdeen, SD 57401,
(605) 226–7581.
• Nashville Area: Nashville Area
Indian Health Service, 711 Stewarts
Ferry Pike, Nashville, TN, 37214, (615)
467–1500.
• Navajo Area: Navajo Area Indian
Health Service (NAIHS), 272 Hwy 264,
Window Rock, AZ 86515–9020 (or
Navajo Area Indian Health Service
(NAIHS), P.O. Box 9020, Window Rock,
AZ 86515), (928) 871–5812, (928) 871–
5813, or (928) 871–5801.
• Oklahoma City Area: Oklahoma
City Area Indian Health Service, 701
Market Drive, Oklahoma City, OK
73114, (405) 951–3820.
• Phoenix Area: Phoenix Area Office,
Indian Health Service, Two Renaissance
Square, 40 N. Central Avenue—Suite
504, Phoenix, AZ 85004, (602) 364–
5039.
• Portland Area: Portland Area
Indian Health Service, 1414 NW
Northrup Street—Suite 800, Portland,
OR 97209, (503) 414–5555.
• Tucson Area: Tucson Area Indian
Health Service, 7900 South J Stock
Road, Tucson, AZ 85746, (520) 295–
2405.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Snyder Act (25 U.S.C. 13); Indian
Health Care Improvement Act, as
VerDate Sep<11>2014
17:24 May 22, 2023
Jkt 259001
amended (25 U.S.C. 1601 et seq.); and
Transfer Act of 1954 (42 U.S.C. 2001
through 2004).
PURPOSE(S) OF THE SYSTEM:
The records in this system of records
are used for these purposes:
1. To ensure that IHS medical and
health care professionals are qualified,
their identity confirmed, are competent,
and capable of delivering quality health
services consistent with those of the
medical community at large and that,
where required, they are granted
privileges commensurate with their
education, training, and competence
and with the ability of the facility to
provide adequate support, equipment,
services, and staff.
2. To inform health care
practitioner(s) and staff of health care
facilities, State or county health
professional societies, or licensing
boards to whom the subject individual
may apply for clinical privileges,
membership, or licensure, of the subject
individual’s professional competence,
character, and ethical qualifications.
This may include information regarding
drug or alcohol abuse or dependency,
sexual misconduct, or medical
malpractice.
3. To provide adverse health care
practice information to the National
Practitioner Data Bank (NPDB)
established under 42 U.S.C. 11101
through 11152. The purpose of such a
release is to provide information on
certain adverse events and medical
malpractice payments concerning
current or former IHS medical staff
members so that the IHS and other
health care entities may make informed
decisions regarding hiring and
privileging of those medical staff
members.
4. To provide health care practice
information concerning current or
former members of the IHS medical staff
with Commissioned Corps status to the
Division of Commissioned Personnel,
U.S. Public Health Service, so that an
informed decision may be made
concerning the promotion, retention, or
reassignment of the subject individual.
CATEGORIES OF INDIVIDUALS COVERED BY THE
SYSTEM:
The records are about applicants who
request credentialing and privileging to
serve as IHS medical or health care
professionals, including both initial and
renewing applicants and regardless of
whether the application is successful.
IHS medical or health care
professionals include:
1. Licensed Practitioners (LPs). This
refers to a fully licensed, registered, or
certified individual permitted by law to
PO 00000
Frm 00074
Fmt 4703
Sfmt 4703
33153
independently provide patient care
services within the scope of his or her
license, registration, or certification, and
in accordance with individually granted
clinical privileges when the individual
is a credentialed member of the IHS
medical staff.
2. Licensed staff members. This refers
to licensed staff who neither maintain
clinical privileges nor are governed by
the medical staff bylaws, but whose
position requires a license to perform
duties that need to be verified and
tracked.
CATEGORIES OF RECORDS IN THE SYSTEM:
The records are IHS medical staff
membership and privilege applications
and associated forms, as well as
additional information to track
credentials, which include the
applicant’s name, Social Security
number, addresses, other identifying
number(s) e.g., date of birth, National
Provider Identifier number, and selfattestations about and documents
evidencing the following, as applicable:
applicant’s employment history; health
and immunization status; liability
insurance coverage; peer references;
credentialing history (if the applicant is
a licensed health professional);
personal, educational, and demographic
background information; professional
performance summary information;
continuing education, training,
performance status; adverse or
disciplinary actions regarding
professional competence and personal
characteristics; Medical Quality
Assurance Records protected by 25
U.S.C. 1675; and records protected by
42 CFR part 2, Confidentiality of
Substance Use Disorder Patient Records.
RECORD SOURCE CATEGORIES:
The information in the records is
provided directly by the subject
individual or by IHS health care
personnel or other sources of
professional information, including:
references supplied by the subject
individual; professional societies or
associations; specialty boards; colleges
and universities attended by the subject
individual; former employers; health
facilities or health providers with which
the subject individual has been
associated; liability insurance carriers;
organizations providing
cardiopulmonary resuscitation (CPR)
training to the subject individual; State
and local health and health care
licensing or certifying organizations;
and organizations that serve as
repositories of information on health
care professionals.
E:\FR\FM\23MYN1.SGM
23MYN1
33154
Federal Register / Vol. 88, No. 99 / Tuesday, May 23, 2023 / Notices
lotter on DSK11XQN23PROD with NOTICES1
ROUTINE USES OF RECORDS MAINTAINED IN THE
SYSTEM, INCLUDING CATEGORIES OF USERS AND
THE PURPOSES OF SUCH USES:
In addition to the disclosures
authorized directly in the Privacy Act at
5 U.S.C. 552a(b)(1), (b)(2), and (b)(4)
through (b)(11), these routine uses
specify circumstances under which the
agency may disclose information from
this system of records to a non-HHS
officer or employee without the consent
of the subject individual.
1. Records may be disclosed to
organizations authorized to conduct
evaluation studies concerning the
delivery of health care services by the
IHS (e.g., The Joint Commission on the
Accreditation of Healthcare
Organizations (The Joint Commission)).
2. The IHS may disclose records
consisting of name, Social Security
number, employment history, and any
professional qualification information
concerning medical staff membership
and privileges, professional
competence, clinical judgment, and
personal character to a State or local
government health professional
licensing board, to the Federation of
State Medical Boards, to the NPDB, and/
or to a similar entity which has the
authority to maintain records
concerning the issuance, retention, or
revocation of licenses or registrations
necessary to practice a health
professional occupation or specialty.
The purpose of this disclosure is to
inform medical profession licensing
boards and appropriate entities about
the health care practices of a current,
terminated, resigned, or retired IHS or
direct contract medical staff members
whose professional health care activity
significantly failed to conform to
generally accepted standards of
professional medical practice or
personal characteristics that fail to
conform to social norms concerning
lawful behaviors. This will be done
within the guidelines for notice,
hearing, and review as delineated in the
medical staff bylaws for the IHS facility
and/or within other HHS or IHS
regulations or policies.
3. The IHS may disclose biographic
data and information supplied by an
applicant to (a) references listed on the
IHS medical staff membership and/or
privileges applications and associated
forms for the purpose of evaluating the
applicant’s professional qualifications,
personal characteristics, experience, and
suitability, (b) a Federal, State, or local
government health profession licensing
or certification board, or (c) a health
care oversight or professional
monitoring organization or program
(e.g., the Federation of State Medical
Boards, The Joint Commission, or the
VerDate Sep<11>2014
17:24 May 22, 2023
Jkt 259001
National Practitioner Data Bank) for the
purpose of verifying that a clinician’s
claimed background and employment
data are valid and all claimed
credentials are current and in good
standing.
4. Records may be disclosed to other
Federal agencies or organizations, to
State and local governmental agencies,
and to organizations in the private
sector to which the subject individual
applies for clinical privileges,
membership, or licensure for the
purpose of enabling them to document
the qualifications, character, and
competency of the individual to provide
health services in his/her health
profession based on his/her professional
performance while employed by the
IHS.
5. HHS may disclose records to the
Department of Justice (DOJ), or to a
court or other tribunal, when any of the
following is a party to litigation or
similar proceedings or has an interest in
such proceedings: (1) HHS, or any
component thereof; (2) any HHS
employee in his/her official capacity; (3)
any HHS employee in his/her
individual capacity when the DOJ (or
HHS, where it is authorized to do so)
has agreed to represent the employee; or
(4) the United States or any agency
thereof, where HHS determines that the
litigation is likely to affect HHS or any
of its components. In order to disclose
information in these circumstances,
HHS must determine that the use of the
records by the DOJ, court, or other
tribunal is relevant and necessary to the
proceedings and would help in the
effective representation of the
governmental party.
6. Records may be disclosed to a
congressional office from the record of
an individual in response to a verified
inquiry from the congressional office
made at the written request of that
individual.
7. Medical quality assurance records
about the subject of a quality assurance
action may be disclosed for any
purposes authorized by 25 U.S.C.
1675(d) and (e)(2), to the recipients
described in 25 U.S.C. 1675(d)(1) and
(e)(2).
8. In the event that a record in this
system of records, on its face, or in
conjunction with other records,
indicates a violation or potential
violation of law, whether civil, criminal,
or regulatory in nature, and whether
arising by general statute or particular
program statute, or by regulation, rule,
or order issued pursuant thereto, the
relevant records in this system of
records may be referred to the
appropriate agency, whether Federal,
State, local, Tribal, or foreign, charged
PO 00000
Frm 00075
Fmt 4703
Sfmt 4703
with enforcing or implementing the
statute or rule, regulation, or order
issued pursuant thereto.
9. Records may be disclosed to
appropriate agencies, entities, and
persons when (1) HHS suspects or has
confirmed that there has been a breach
of the system of records; (2) HHS has
determined that as a result of the
suspected or confirmed breach there is
a risk of harm to individuals, HHS
(including its information systems,
programs, and operations), the Federal
Government, or national security; and
(3) the disclosure made to such
agencies, entities, and persons is
reasonably necessary to assist in
connection with HHS’s efforts to
respond to the suspected or confirmed
breach or to prevent, minimize, or
remedy such harm.
10. Records may be disclosed to
another Federal agency or Federal
entity, when HHS determines that
information from this system of records
is reasonably necessary to assist the
recipient agency or entity in (1)
responding to a suspected or confirmed
breach or (2) preventing, minimizing, or
remedying the risk of harm to
individuals, the recipient agency or
entity (including its information
systems, programs, and operations), the
Federal Government, or national
security, resulting from a suspected or
confirmed breach.
POLICIES AND PRACTICES FOR STORAGE OF
RECORDS:
The records are stored in two ways:
records stored in file folders are stored
at the IHS facilities or the Federal
Record Center, and computer-based or
electronic records are located at the IHS
Albuquerque Data Center in
Albuquerque, NM.
POLICIES AND PRACTICES FOR RETRIEVAL OF
RECORDS:
The records are indexed and retrieved
by name, Social Security number, and
any other identifying numbers necessary
to ensure that the records retrieved are
about the intended individual.
POLICIES AND PRACTICES FOR RETENTION AND
DISPOSAL OF RECORDS:
In accordance with NARA-approved
schedule DAA–0513–2018–0002, items
1.1 and 1.2, records about successful
applicants are maintained by the IHS for
10 years after the individual’s
termination of employment or
association with IHS, and records about
unsuccessful applicants are retained for
3 years after the individual’s nonselection or rejection. After these
periods of retention expire, paper
records are destroyed by shredding or
E:\FR\FM\23MYN1.SGM
23MYN1
Federal Register / Vol. 88, No. 99 / Tuesday, May 23, 2023 / Notices
burning and electronic records are
destroyed by deleting and purging.
lotter on DSK11XQN23PROD with NOTICES1
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL
SAFEGUARDS:
The records are protected from
unauthorized access by the following
safeguards. All safeguards conform to
applicable laws, rules, and policies,
including the HHS Information Security
and Privacy Program, https://
www.hhs.gov/ocio/securityprivacy/, the
E-Government Act of 2002, as amended
(44 U.S.C. ch. 35), pertinent National
Institutes of Standards and Technology
(NIST) publications, and OMB Circular
A–130, Managing Information as a
Strategic Resource.
• Authorized Users: Access to the
records is limited to authorized
personnel for use in the performance of
their official duties. Authorized
personnel include: Credentialist
(Medical Staff Professionals), Physician
Recruitment and other Health
Professions Branch Staff and Area
Governing Board Members at IHS Area
Offices, and Service Unit Directors,
Clinical Directors, and members of the
Credentials and Privilege Committee of
each IHS Service Unit. The IHS CMO
and the Quality Assurance Risk
Management Committee members or
their designees are authorized users for
purposes of review under the protection
of 25 U.S.C. 1675. At each location
where records in this system of records
are maintained, a list of personnel or
categories of personnel having an
official need-to-know has been
developed and is maintained.
• Physical Safeguards: Paper records
are kept in locked metal filing cabinets
or in locked desk drawers in secured
rooms at all times when not in use
during working hours and at all times
during non-working hours. Record
storage areas, including file cabinets and
desks, are not left unattended or
unlocked during office hours, including
lunch hours. When copying records for
authorized purposes, care is taken to
ensure that any imperfect pages are not
left in the reproduction room where
they can be read but are destroyed or
obliterated.
• Technical Safeguards: Technical
security measures are in place on all
devices used on the IHS network. Any
attempts by unauthorized individuals to
gain access are automatically logged and
immediately reviewed. The individuals
permitted to access these records will be
limited to employees and contractors
with responsibility for conducting
regulatory oversight who have security
clearances at the T3 level (Non-Critical
Sensitive positions requiring Secret
VerDate Sep<11>2014
17:24 May 22, 2023
Jkt 259001
clearance) or T4 level (Non-Sensitive
High Risk-Public Trust).
Protection for electronic records
include programmed verification of
valid user personal identification
verification (PIV) code and password
prior to logging on to the system;
mandatory password changes; limited
log-ins; virus protection; encryption;
firewalls and intrusion detection
systems; and user rights/file attribute
restrictions. The password protection
imposes username and password log-in
requirements to prevent unauthorized
access. Each username is assigned
limited access rights to files and
directories at varying levels to control
file sharing and ensure a separation of
duties. There are routine daily backup
procedures, and backup files are
securely stored off-site.
Administrative Safeguards: Security
controls are reviewed and assessed on
an ongoing basis. All IHS system users
are required to complete role-based
training, IHS rules of behavior
agreements, and records management
and information system security and
privacy awareness training courses
before being granted access and
annually thereafter. Only persons who
have an official need-to-know are
entrusted with records from this system
of records, and they are instructed to
safeguard the confidentiality of these
records on an ongoing basis and to
destroy (if authorized for destruction) or
return any copies entrusted to them
when the need to know has expired.
Proper charge-out procedures are
followed for the removal of paper
records from the area in which they are
maintained. Before an employee who
will control disclosure of records can
work with the records (i.e., employees
who report to the system manager) the
system manager or designee ensures that
the employee has received training in
the safeguards applicable to the records
and is aware of the actions to take to
restrict disclosure. The Identity Access
Management supervisors are responsible
for submitting appropriate access
requests for IHS system users on their
team and for reviewing their team
members’ access.
RECORD ACCESS PROCEDURES:
To request access to records about you
in this system of records, submit a
written access request addressed to
‘‘Area and Clinical Directors’’ at the
applicable Area Office address listed in
the ‘‘System Manager(s)’’ section of this
SORN. The request must:
• Reasonably describe the records
sought;
• Include the name of the IHS Service
Unit where you applied for
PO 00000
Frm 00076
Fmt 4703
Sfmt 4703
33155
credentialing and privileging and either
the date when the application was
submitted (if the application was
unsuccessful) or the dates and locations
where you served;
• Include if you are a current or
former IHS medical or health care
professional, a direct contractor or a
licensed staff member; and
• Include (for contact purposes and
identity verification purposes) your full
name, current address, telephone
number and/or email address, date and
place of birth, signature, evidence of
other names used (if seeking records
retrieved by a name other than your
current name), and, if needed by the
agency, sufficient particulars contained
in the records (such as, your Social
Security number or other identifying
numbers) to enable the agency to locate
the records and distinguish between
records on subject individuals with the
same name.
In addition, to verify your identity,
your signature on the request must be
notarized or the request must include,
above your signature, your written
certification that you are the individual
who you claim to be and that you
understand that the knowing and willful
request for or acquisition of a record
pertaining to an individual under false
pretenses is a criminal offense subject to
a fine of up to $5,000. We may request
additional identification when we hold
records for different persons with the
same name or where an apparent
discrepancy exists between information
contained in the record and that
provided by the individual requesting
access to the record.
In your written request, you may
request that copies of the records be sent
to you or you may request an
appointment to review the records in
person (including with a person of your
choosing, if you provide written
authorization for agency personnel to
discuss the records in that person’s
presence), at a specific IHS location
(e.g., where you currently work or
formerly worked). If you make an
appointment to review the records in
person, you must bring to the
appointment at least one piece of
tangible photo identification, such as a
driver’s license or passport, that is
current and not expired. You may also
request an accounting of disclosures
that have been made of records about
you, if any. Requests by telephone will
not be accepted.
To the extent the records are Medical
Quality Assurance records protected by
25 U.S.C. 1675, the records may be
disclosed only in accordance with the
exceptions in 25 U.S.C. 1675(d), because
the Privacy Act right of access
E:\FR\FM\23MYN1.SGM
23MYN1
33156
Federal Register / Vol. 88, No. 99 / Tuesday, May 23, 2023 / Notices
provisions are superseded by the
confidentiality provisions protecting
Medical Quality Assurance Records.
Accordingly, Medical Quality
Assurance Records will only be released
pursuant to the Privacy Act when the
Agency has decided to release the
records in accordance with 25 U.S.C.
1675(d).
CONTESTING RECORD PROCEDURES:
To request correction of a record
about you in this system of records,
submit a written amendment request
addressed to ‘‘Area and Clinical
Directors’’ at the applicable Area Office
address listed in the ‘‘System
Manager(s)’’ section of this SORN. The
request must contain the same
information required for an access
request and include verification of your
identity in the same manner required for
an access request. In addition, the
request must reasonably identify the
record and specify the information
contested, the corrective action sought,
and the reasons for requesting the
correction; and should include
supporting information to show how the
record is inaccurate, incomplete,
untimely, or irrelevant.
NOTIFICATION PROCEDURES:
To find out if the system of records
contains a record about you, submit a
written notification request addressed to
‘‘Area and Clinical Directors’’ at the
applicable Area Office address listed in
the ‘‘System Manager(s)’’ section of this
SORN. The request must identify this
system of records, contain the same
information required for an access
request, and include verification of your
identity in the same manner required for
an access request.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.
HISTORY:
74 FR 46436 (Sept. 9, 2009); 74 FR
50981 (Oct. 2, 2009); 83 FR 6591 (Feb.
14, 2018).
[FR Doc. 2023–10835 Filed 5–22–23; 8:45 am]
BILLING CODE 4165–16–P
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
lotter on DSK11XQN23PROD with NOTICES1
National Institutes of Health
Center for Scientific Review; Notice of
Closed Meetings
Pursuant to section 1009 of the
Federal Advisory Committee Act, as
amended, notice is hereby given of a
meeting of the NIH Clinical Center
Research Hospital Board.
VerDate Sep<11>2014
17:24 May 22, 2023
Jkt 259001
The meetings will be closed to the
public in accordance with the
provisions set forth in sections
552b(c)(4) and 552b(c)(6), Title 5 U.S.C.,
as amended. The grant applications and
the discussions could disclose
confidential trade secrets or commercial
property such as patentable material,
and personal information concerning
individuals associated with the grant
applications, the disclosure of which
would constitute a clearly unwarranted
invasion of personal privacy.
Name of Committee: Center for Scientific
Review Special Emphasis Panel PAR Panel;
Research on Current Topics in Alzheimer’s
Disease and its Related Dementias.
Date: June 20–21, 2023.
Time: 8:00 a.m. to 8:00 p.m.
Agenda: To review and evaluate grant
applications.
Place: Holiday Inn Capitol, 550 C Street
SW, Washington, DC 20024.
Contact Person: Mei Qin, MD, Ph.D.,
Scientific Review Officer, Center for
Scientific Review, National Institutes of
Health, 6701 Rockledge Drive, Room 5213,
Bethesda, MD 20892, 301–875–2215,
qinmei@csr.nih.gov.
Name of Committee: Center for Scientific
Review Special Emphasis Panel; RFA Panel:
Tobacco Regulatory Science A.
Date: June 21, 2023.
Time: 10:00 a.m. to 6:00 p.m.
Agenda: To review and evaluate grant
applications.
Place: National Institutes of Health,
Rockledge II, 6701 Rockledge Drive,
Bethesda, MD 20892 (Virtual Meeting).
Contact Person: Sepandarmaz Aschrafi,
Ph.D., Scientific Review Officer, Center for
Scientific Review, National Institutes of
Health, 6701 Rockledge Drive, Room 4040D,
Bethesda, MD 20892, (301) 451.4251,
Armaz.aschrafi@nih.gov.
Name of Committee: Center for Scientific
Review Special Emphasis Panel; Maximizing
Investigators’ Research Award F.
Date: June 21–22, 2023.
Time: 10:00 a.m. to 8:00 p.m.
Agenda: To review and evaluate grant
applications.
Place: National Institutes of Health,
Rockledge II, 6701 Rockledge Drive,
Bethesda, MD 20892 (Virtual Meeting).
Contact Person: Brian Paul Chadwick,
Ph.D., Scientific Review Officer, Center for
Scientific Review, National Institutes of
Health, 6701 Rockledge Drive, Bethesda, MD
20892, (301) 594–3586, chadwickbp@
csr.nih.gov.
Name of Committee: Center for Scientific
Review Special Emphasis Panel;
Fellowships: Brain Disorders and Related
Neurosciences.
Date: June 22–23, 2023.
Time: 8:00 a.m. to 6:00 p.m.
Agenda: To review and evaluate grant
applications.
Place: Bethesda North Marriott Hotel &
Conference Center, Montgomery County
Conference Center Facility, 5701 Marinelli
Road, North Bethesda, MD 20852.
PO 00000
Frm 00077
Fmt 4703
Sfmt 4703
Contact Person: Vilen A. Movsesyan,
Ph.D., Scientific Review Officer, Center for
Scientific Review, National Institutes of
Health, 6701 Rockledge Drive, Room 4040M,
MSC 7806, Bethesda, MD 20892, 301–402–
7278, movsesyanv@csr.nih.gov.
Name of Committee: Biological Chemistry
and Macromolecular Biophysics Integrated
Review Group; Chemical Biology and Probes
Study Section (CBP).
Date: June 22–23, 2023.
Time: 8:00 a.m. to 8:00 p.m.
Agenda: To review and evaluate grant
applications.
Place: Residence Inn Bethesda, 7335
Wisconsin Avenue, Bethesda, MD 20814.
Contact Person: Michael Eissenstat, Ph.D.,
Scientific Review Officer, Center for
Scientific Review, National Institutes of
Health, 6701 Rockledge Drive, Room 4166,
MSC 7806, Bethesda, MD 20892, 301–435–
1722, eissenstatma@csr.nih.gov.
Name of Committee: Brain Disorders and
Clinical Neuroscience Integrated Review
Group; Acute Neural Injury and Epilepsy
Study Section.
Date: June 22–23, 2023.
Time: 8:00 a.m. to 7:00 p.m.
Agenda: To review and evaluate grant
applications.
Place: The Watergate, 2650 Virginia
Avenue NW, Washington, DC 20037.
Contact Person: Paula Elyse Schauwecker,
Ph.D., Scientific Review Officer, Center for
Scientific Review, National Institutes of
Health, 6701 Rockledge Drive, Room 5201,
Bethesda, MD 20892, 301–760–8207,
schauweckerpe@csr.nih.gov.
Name of Committee: Cardiovascular and
Respiratory Sciences Integrated Review
Group Lung; Injury, Repair, and Remodeling
Study Section.
Date: June 22–23, 2023.
Time: 8:00 a.m. to 6:00 p.m.
Agenda: To review and evaluate grant
applications.
Place: Embassy Suites at the Chevy Chase
Pavilion, 4300 Military Road NW,
Washington, DC 20015.
Contact Person: Ghenima Dirami, Ph.D.,
Scientific Review Officer, Center for
Scientific Review, National Institutes of
Health, 6701 Rockledge Drive, Room 4122,
MSC 7814, Bethesda, MD 20892, 240–498–
7546, diramig@csr.nih.gov.
Name of Committee: Oncology 1-Basic
Translational Integrated Review Group; Gene
Regulation in Cancer Study Section.
Date: June 22–23, 2023.
Time: 8:00 a.m. to 8:00 p.m.
Agenda: To review and evaluate grant
applications.
Place: Gaithersburg Marriott
Washingtonian Center, 9751 Washingtonian
Blvd., Gaithersburg, MD 20878.
Contact Person: Manzoor A. Zarger, Ph.D.,
Scientific Review Officer, Center for
Scientific Review, National Institutes of
Health, 6701 Rockledge Drive, Room 6208,
MSC 7804, Bethesda, MD 20892, (301) 435–
2477, zargerma@csr.nih.gov.
(Catalogue of Federal Domestic Assistance
Program Nos. 93.306, Comparative Medicine;
93.333, Clinical Research, 93.306, 93.333,
93.337, 93.393–93.396, 93.837–93.844,
E:\FR\FM\23MYN1.SGM
23MYN1
Agencies
[Federal Register Volume 88, Number 99 (Tuesday, May 23, 2023)]
[Notices]
[Pages 33151-33156]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-10835]
[[Page 33151]]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Indian Health Service
Privacy Act of 1974; System of Records
AGENCY: Indian Health Service, Department of Health and Human Services.
ACTION: Notice of a modified system of records.
-----------------------------------------------------------------------
SUMMARY: In accordance with the requirements of the Privacy Act of
1974, as amended, the Department of Health and Human Services (HHS) is
modifying a system of records maintained by the Indian Health Service
(IHS), System No. 09-17-0003, Indian Health Service Medical Staff
Credentials and Privileges Records. The system of records covers
records about individuals who request credentialing and privileging to
serve as IHS medical or health care professionals.
DATES: In accordance with 5 U.S.C. 552a(e)(4) and (11), this Notice is
applicable upon publication, subject to a 30-day period in which to
comment on the new and revised routine uses, described below. Please
submit any comments by June 22, 2023.
ADDRESSES: The public should address written comments by mail or email
to: Heather H. McClane, Senior Official for Privacy, Indian Health
Service, 5600 Fishers Lane--MAIL STOP: 09E70, Rockville, MD 20857, or
[email protected].
FOR FURTHER INFORMATION CONTACT: General questions about this system of
records should be submitted by mail or email to CAPT Jana Towne, Acting
Director, Office of Quality, 5600 Fishers Lane--MAIL STOP: 08N70A,
Rockville, MD 20857, or [email protected]; telephone (301) 273-4152.
SUPPLEMENTARY INFORMATION: The following modifications have been made
to the System of Records Notice (SORN) for System No. 09-17-0003,
Indian Health Service Medical Staff Credentials and Privileges Records:
The System Name no longer includes ``HHS/IHS/OCPS,''
because the agency component responsible for the system of records is
now identified in the System Location section.
The Security Classification has been changed from ``None''
to ``Unclassified'' because the information in the system of records is
not classified.
The System Location section now provides the name and
address of the agency component responsible for the system of records,
instead describing physical records locations.
The System Manager(s) section has been amended to include
address and contact information for the official serving as the
``overall'' System Manager and for the Area and Clinical Directors
serving as the System Managers for purposes of receiving Privacy Act
requests. A lengthy list of IHS Service Unit addresses which was
included in an Appendix to the SORN (and which did not include email
addresses or telephone numbers) has been removed.
The Authority section no longer cites the Indian Self
Determination and Education and Assistance Act (25 U.S.C. 450), because
Tribal Health Programs credential and privilege their own providers
using separate records; and no longer cites the Federal Records Act and
the Privacy Act, because those are not sufficiently specific
authorities for the maintenance of the records in this system of
records.
In the Purpose(s) section, which contains four purpose
descriptions:
(1) The first purpose description has been revised to change
``medical staff members'' to ``medical and health care professionals''
and to insert ``having their identity confirmed'', as well as inserted
the terms ``where required'' and ``education.''
(2) The second purpose description now includes ``sexual
misconduct'' and ``medical malpractice'' as examples of information
indicative of an individual's professional competence, character, and
ethical qualifications.
(3) The third purpose description has been revised to remove
references to the Health Care Quality Improvement Act of 1986 and the
Health Insurance Portability and Accountability Act of 1996; to replace
the citation to the Public Law governing the National Practitioner Data
Bank (NPDB) with the U.S. Code cite; and to change ``information
concerning current or former IHS medical staff members whose
professional health care activity failed to conform to generally-
accepted standards of professional medical practice'' to ``information
on certain adverse events and medical malpractice payments concerning
current or former IHS medical staff members so that IHS and other
health care entities may make informed decisions regarding hiring and
privileging of those medical staff members.''
The Categories of Individuals section has been revised to
describe the category of individuals as applicants who request
credentialing and privileging to serve as IHS medical or health care
professionals (instead of as prospective, current, and former IHS
medical staff members). In addition, the term ``IHS medical or health
care professionals'' used in the revised category description is now
explained as including two sub-types: (1) licensed practitioners; and
(2) licensed staff members who neither maintain clinical privileges nor
are governed by the medical staff bylaws but whose position requires a
license to perform duties that need to be verified and tracked (instead
of four sub-types: Provisional, Active, Temporary, and Courtesy or
Associate).
The Categories of Records section has been revised to
describe the records as ``IHS medical staff membership and privilege
applications and associated forms, as well as additional information to
track credentials'' followed by an updated list of types of information
included. Two information types have been changed (i.e., ``performance
awards'' has been changed to ``performance status,'' and ``adverse or
disciplinary actions'' has been changed to ``adverse or disciplinary
actions regarding professional competence and personal
characteristics''); ``evaluations and approvals completed by IHS
medical staff reviewers'' has been removed; and these information types
have been added: addresses, date of birth, National Provider Identifier
number, health and immunization status, peer references, training,
Medical Quality Assurance Records protected by 25 U.S.C. 1675, and
records protected by 42 CFR part 2, Confidentiality of Substance Use
Disorder Patient Records.
The Record Source Categories section has been revised to
include an additional source, i.e., ``other sources of professional
information.''
In the Routine Uses section, an introduction and one new
routine use have been added and six routine uses have been revised, as
follows:
(1) The introduction states: ``In addition to the disclosures
authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(1) and
(b)(2) and (b)(4) through (b)(11), these routine uses specify
circumstances under which the agency may disclose information from this
system of records to a non-HHS officer or employee without the consent
of the subject individual.''
(2) In routine use 1, which authorizes disclosures to organizations
conducting studies of IHS health care delivery, ``The Joint Commission
on the Accreditation of Healthcare Organizations'' is now followed by
the abbreviation ``(The Joint Commission).''
(3) Routine use 2, which authorizes disclosures to entities that
maintain license and registration issuance, retention, and revocation
records, has been revised to add ``Social Security number'' and
``personal characteristics that fail to conform to social norms
[[Page 33152]]
concerning lawful behaviors'' as items of information authorized to be
disclosed; to add ``direct contract'' as a type of medical staff member
about whom information is authorized to be disclosed; and to refer to
``the NPDB'' instead of to ``the NPDB-HIPDB established under title IV
of Public Law 99-660 and section 221(a) of Public Law 104-191.''
(4) In routine use 3 (which authorizes disclosures of an
applicant's biographic data to verify with third parties that the
applicant's claimed background and employment data and credentials are
valid), ``potential applicant'' has been changed to ``applicant'';
``IHS medical staff and/or privileges applications'' has been changed
to ``IHS medical staff membership and privileges applications'';
``personal characteristics'' has been added to the description of
qualifications evaluated; ``State or local government health profession
licensing board'' has been changed to ``Federal, State, or local
government health profession licensing or certification board'';
``health related professional organization'' has been changed to
``health care oversight or professional monitoring organization or
program,'' and the examples of same now include ``The Joint
Commission'' and now refer to ``the National Practitioner Data Bank''
instead of to ``the NPDB-HIPDB established under Title IV of Public Law
99-660 and section 221(a) of Public Law 104-191''; and ``all claimed
background'' has been changed to ``a clinician's claimed background.''
(5) In routine use 4 (which authorizes disclosures to enable
government agencies and private sector organizations to which the
subject individual applies for clinical privileges, membership, or
licensure to document information about the individual's professional
performance while employed by the IHS), the words ``enabling them''
have been added to clarify that the disclosures aid the recipients'
(not IHS's) documentation; ``Federal agencies'' has been changed to
``Federal agencies or organizations'' in the description of disclosure
recipients; the Office of Personnel Management has been removed as an
example of a Federal agency recipient; and ``character'' has been added
as a type of performance information that may be disclosed for the
recipient's documentation purposes.
(6) Routine use 5, which authorizes disclosures in litigation and
similar proceedings, has been reorganized and reworded. A requirement
that the disclosures be ``compatible with the purpose for which the
records were collected'' has been removed as redundant, because it
repeats part of the definition of a routine use.
(7) Routine use 7 is new; it authorizes medical quality assurance
records about the subject of a quality assurance action to be disclosed
for any purposes authorized by 25 U.S.C. 1675(d) and (e)(2) to the
recipients described in 25 U.S.C. 1675(d)(1) and (e)(2).
(8) Routine use 8 (formerly numbered as 7), which currently
authorizes disclosures of relevant records from this system of records
to the appropriate enforcement agency when a ``system of records''
maintained by IHS indicates a violation or potential violation of law,
has been revised to authorize disclosures of relevant records from this
system of records to the appropriate enforcement agency when ``a record
in this system of records, on its face, or in conjunction with other
records'' indicates a violation or potential violation of law.
The Storage section, which currently states that records
are stored in ``file folders and computer-based or electronic files,''
has been revised to add that the file folders are ``stored at the IHS
facilities or the Federal Record Center'' and the computer-based or
electronic records are ``located at the IHS Albuquerque Data Center in
Albuquerque, NM.''
The Retrieval section has been revised to change ``numbers
necessary to establish the identity of an individual whose record is
maintained in the system of records'' to ``numbers necessary to ensure
that the records retrieved are about the intended individual.''
The Retention and Disposal section contains the
description of the retention periods previously included at the end of
the Safeguards section, and now cites the applicable National Archives
and Records Administration (NARA)-approved disposition schedule.
The Safeguards section has been revised to mention
applicable laws, rules, and policies at the start, instead of in a
numbered paragraph near the end; to remove a numbered paragraph
addressing retention and disposal practices; to describe additional
authorized users (i.e., Credentialist; and IHS Chief Medical Officer
and Quality Assurance Risk Management Committee members and their
designees); to update the physical safeguards description to include
paper records; to add a paragraph describing technical safeguards; and
to update the administrative safeguards description to include a
statement that security controls are reviewed and assessed on an
ongoing basis and a description of the training and rules of behavior
requirements that users must meet prior to being granted system access
and periodically thereafter.
The sections describing procedures for making Privacy Act
requests have been reorganized to outline the required contents of any
Privacy Act request in the Access Request Procedures section, to
incorporate those requirements by reference in the Contesting Record
and Notification procedures sections, and to include additional
requirements specific to amendment requests in the Contesting Record
procedures section. The required contents for any Privacy Act request
include these new items: telephone number and/or email address, and
date and place of birth. The procedures now explain how to verify
identity, instead of merely requiring identity to be verified in
accordance with the HHS Privacy Act regulations. Instead of indicating
that an individual may make a request in person, unannounced, the
procedures now state that an individual may request an appointment to
review the records in person. A note has been added at the end of the
Access Request Procedures section about access limitations in 25 U.S.C.
1675 that apply to any records that are Medical Quality Assurance
records.
Because some of these changes are significant, a report on the
modified system of records was sent to the Office of Management and
Budget (OMB) and the Congressional committees that oversee privacy, in
accordance with 5 U.S.C. 552a(r).
Roselyn Tso,
Director, Indian Health Service.
SYSTEM NAME AND NUMBER:
Indian Health Service Medical Staff Credentials and Privileges
Records, 09-17-0003.
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
The address of the agency component responsible for the system of
records is: Office of Chief Medical Officer (CMO), Indian Health
Service, 5600 Fishers Lane--MAIL STOP: 08E37A, Rockville, MD 20857.
SYSTEM MANAGER(S):
The System Manager for the overall system of records (also known as
the Policy Coordinating Official) is: Director, Office of CMO, IHS,
5600 Fishers Lane--MAIL STOP: 08E37A, Rockville, MD 20857,
[email protected], (732) 740-6702.
[[Page 33153]]
The Area Director, together with the Clinical Director of the IHS
Service Unit where the individual applied for credentialing and
privileging, is the System Manager who the individual must contact to
make a Privacy Act request. Requests must be addressed to ``Area and
Clinical Directors'' at the applicable Area Office address listed
below:
Alaska Area: Alaska Area Native Health Service, 4141
Ambassador Drive--Suite 300, Anchorage, AK 99508-5928, (907) 729-3686.
Albuquerque Area: Albuquerque Area Office, Indian Health
Service, 4101 Indian School Rd. NE--Suite 225, Albuquerque, NM 87110-
3988, (505) 256-6800.
Bemidji Area: Bemidji Area Office, Indian Health Service,
Bemidji Technology Park, 2225 Cooperative Ct. NW, Bemidji, MN 56601,
(218) 444-0452.
Billings Area: Billings Area Office, Indian Health
Service, 2900 4th Avenue North, Billings, MT 59101 (or Billings Area
Office, P.O. Box 36600, Billings, MT 59107), (406) 247-7106.
California Area: Indian Health Service, California Area
Office, John E. Moss Federal Building, 650 Capitol Mall--Suite 7-100,
Sacramento, CA 95814, (916) 930-3927.
Great Plains Area: Great Plains Area Indian Health
Service, 115 4th Avenue SW--Room 309, Aberdeen, SD 57401, (605) 226-
7581.
Nashville Area: Nashville Area Indian Health Service, 711
Stewarts Ferry Pike, Nashville, TN, 37214, (615) 467-1500.
Navajo Area: Navajo Area Indian Health Service (NAIHS),
272 Hwy 264, Window Rock, AZ 86515-9020 (or Navajo Area Indian Health
Service (NAIHS), P.O. Box 9020, Window Rock, AZ 86515), (928) 871-5812,
(928) 871-5813, or (928) 871-5801.
Oklahoma City Area: Oklahoma City Area Indian Health
Service, 701 Market Drive, Oklahoma City, OK 73114, (405) 951-3820.
Phoenix Area: Phoenix Area Office, Indian Health Service,
Two Renaissance Square, 40 N. Central Avenue--Suite 504, Phoenix, AZ
85004, (602) 364-5039.
Portland Area: Portland Area Indian Health Service, 1414
NW Northrup Street--Suite 800, Portland, OR 97209, (503) 414-5555.
Tucson Area: Tucson Area Indian Health Service, 7900 South
J Stock Road, Tucson, AZ 85746, (520) 295-2405.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Snyder Act (25 U.S.C. 13); Indian Health Care Improvement Act, as
amended (25 U.S.C. 1601 et seq.); and Transfer Act of 1954 (42 U.S.C.
2001 through 2004).
PURPOSE(S) OF THE SYSTEM:
The records in this system of records are used for these purposes:
1. To ensure that IHS medical and health care professionals are
qualified, their identity confirmed, are competent, and capable of
delivering quality health services consistent with those of the medical
community at large and that, where required, they are granted
privileges commensurate with their education, training, and competence
and with the ability of the facility to provide adequate support,
equipment, services, and staff.
2. To inform health care practitioner(s) and staff of health care
facilities, State or county health professional societies, or licensing
boards to whom the subject individual may apply for clinical
privileges, membership, or licensure, of the subject individual's
professional competence, character, and ethical qualifications. This
may include information regarding drug or alcohol abuse or dependency,
sexual misconduct, or medical malpractice.
3. To provide adverse health care practice information to the
National Practitioner Data Bank (NPDB) established under 42 U.S.C.
11101 through 11152. The purpose of such a release is to provide
information on certain adverse events and medical malpractice payments
concerning current or former IHS medical staff members so that the IHS
and other health care entities may make informed decisions regarding
hiring and privileging of those medical staff members.
4. To provide health care practice information concerning current
or former members of the IHS medical staff with Commissioned Corps
status to the Division of Commissioned Personnel, U.S. Public Health
Service, so that an informed decision may be made concerning the
promotion, retention, or reassignment of the subject individual.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
The records are about applicants who request credentialing and
privileging to serve as IHS medical or health care professionals,
including both initial and renewing applicants and regardless of
whether the application is successful.
IHS medical or health care professionals include:
1. Licensed Practitioners (LPs). This refers to a fully licensed,
registered, or certified individual permitted by law to independently
provide patient care services within the scope of his or her license,
registration, or certification, and in accordance with individually
granted clinical privileges when the individual is a credentialed
member of the IHS medical staff.
2. Licensed staff members. This refers to licensed staff who
neither maintain clinical privileges nor are governed by the medical
staff bylaws, but whose position requires a license to perform duties
that need to be verified and tracked.
CATEGORIES OF RECORDS IN THE SYSTEM:
The records are IHS medical staff membership and privilege
applications and associated forms, as well as additional information to
track credentials, which include the applicant's name, Social Security
number, addresses, other identifying number(s) e.g., date of birth,
National Provider Identifier number, and self-attestations about and
documents evidencing the following, as applicable: applicant's
employment history; health and immunization status; liability insurance
coverage; peer references; credentialing history (if the applicant is a
licensed health professional); personal, educational, and demographic
background information; professional performance summary information;
continuing education, training, performance status; adverse or
disciplinary actions regarding professional competence and personal
characteristics; Medical Quality Assurance Records protected by 25
U.S.C. 1675; and records protected by 42 CFR part 2, Confidentiality of
Substance Use Disorder Patient Records.
RECORD SOURCE CATEGORIES:
The information in the records is provided directly by the subject
individual or by IHS health care personnel or other sources of
professional information, including: references supplied by the subject
individual; professional societies or associations; specialty boards;
colleges and universities attended by the subject individual; former
employers; health facilities or health providers with which the subject
individual has been associated; liability insurance carriers;
organizations providing cardiopulmonary resuscitation (CPR) training to
the subject individual; State and local health and health care
licensing or certifying organizations; and organizations that serve as
repositories of information on health care professionals.
[[Page 33154]]
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND THE PURPOSES OF SUCH USES:
In addition to the disclosures authorized directly in the Privacy
Act at 5 U.S.C. 552a(b)(1), (b)(2), and (b)(4) through (b)(11), these
routine uses specify circumstances under which the agency may disclose
information from this system of records to a non-HHS officer or
employee without the consent of the subject individual.
1. Records may be disclosed to organizations authorized to conduct
evaluation studies concerning the delivery of health care services by
the IHS (e.g., The Joint Commission on the Accreditation of Healthcare
Organizations (The Joint Commission)).
2. The IHS may disclose records consisting of name, Social Security
number, employment history, and any professional qualification
information concerning medical staff membership and privileges,
professional competence, clinical judgment, and personal character to a
State or local government health professional licensing board, to the
Federation of State Medical Boards, to the NPDB, and/or to a similar
entity which has the authority to maintain records concerning the
issuance, retention, or revocation of licenses or registrations
necessary to practice a health professional occupation or specialty.
The purpose of this disclosure is to inform medical profession
licensing boards and appropriate entities about the health care
practices of a current, terminated, resigned, or retired IHS or direct
contract medical staff members whose professional health care activity
significantly failed to conform to generally accepted standards of
professional medical practice or personal characteristics that fail to
conform to social norms concerning lawful behaviors. This will be done
within the guidelines for notice, hearing, and review as delineated in
the medical staff bylaws for the IHS facility and/or within other HHS
or IHS regulations or policies.
3. The IHS may disclose biographic data and information supplied by
an applicant to (a) references listed on the IHS medical staff
membership and/or privileges applications and associated forms for the
purpose of evaluating the applicant's professional qualifications,
personal characteristics, experience, and suitability, (b) a Federal,
State, or local government health profession licensing or certification
board, or (c) a health care oversight or professional monitoring
organization or program (e.g., the Federation of State Medical Boards,
The Joint Commission, or the National Practitioner Data Bank) for the
purpose of verifying that a clinician's claimed background and
employment data are valid and all claimed credentials are current and
in good standing.
4. Records may be disclosed to other Federal agencies or
organizations, to State and local governmental agencies, and to
organizations in the private sector to which the subject individual
applies for clinical privileges, membership, or licensure for the
purpose of enabling them to document the qualifications, character, and
competency of the individual to provide health services in his/her
health profession based on his/her professional performance while
employed by the IHS.
5. HHS may disclose records to the Department of Justice (DOJ), or
to a court or other tribunal, when any of the following is a party to
litigation or similar proceedings or has an interest in such
proceedings: (1) HHS, or any component thereof; (2) any HHS employee in
his/her official capacity; (3) any HHS employee in his/her individual
capacity when the DOJ (or HHS, where it is authorized to do so) has
agreed to represent the employee; or (4) the United States or any
agency thereof, where HHS determines that the litigation is likely to
affect HHS or any of its components. In order to disclose information
in these circumstances, HHS must determine that the use of the records
by the DOJ, court, or other tribunal is relevant and necessary to the
proceedings and would help in the effective representation of the
governmental party.
6. Records may be disclosed to a congressional office from the
record of an individual in response to a verified inquiry from the
congressional office made at the written request of that individual.
7. Medical quality assurance records about the subject of a quality
assurance action may be disclosed for any purposes authorized by 25
U.S.C. 1675(d) and (e)(2), to the recipients described in 25 U.S.C.
1675(d)(1) and (e)(2).
8. In the event that a record in this system of records, on its
face, or in conjunction with other records, indicates a violation or
potential violation of law, whether civil, criminal, or regulatory in
nature, and whether arising by general statute or particular program
statute, or by regulation, rule, or order issued pursuant thereto, the
relevant records in this system of records may be referred to the
appropriate agency, whether Federal, State, local, Tribal, or foreign,
charged with enforcing or implementing the statute or rule, regulation,
or order issued pursuant thereto.
9. Records may be disclosed to appropriate agencies, entities, and
persons when (1) HHS suspects or has confirmed that there has been a
breach of the system of records; (2) HHS has determined that as a
result of the suspected or confirmed breach there is a risk of harm to
individuals, HHS (including its information systems, programs, and
operations), the Federal Government, or national security; and (3) the
disclosure made to such agencies, entities, and persons is reasonably
necessary to assist in connection with HHS's efforts to respond to the
suspected or confirmed breach or to prevent, minimize, or remedy such
harm.
10. Records may be disclosed to another Federal agency or Federal
entity, when HHS determines that information from this system of
records is reasonably necessary to assist the recipient agency or
entity in (1) responding to a suspected or confirmed breach or (2)
preventing, minimizing, or remedying the risk of harm to individuals,
the recipient agency or entity (including its information systems,
programs, and operations), the Federal Government, or national
security, resulting from a suspected or confirmed breach.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
The records are stored in two ways: records stored in file folders
are stored at the IHS facilities or the Federal Record Center, and
computer-based or electronic records are located at the IHS Albuquerque
Data Center in Albuquerque, NM.
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
The records are indexed and retrieved by name, Social Security
number, and any other identifying numbers necessary to ensure that the
records retrieved are about the intended individual.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
In accordance with NARA-approved schedule DAA-0513-2018-0002, items
1.1 and 1.2, records about successful applicants are maintained by the
IHS for 10 years after the individual's termination of employment or
association with IHS, and records about unsuccessful applicants are
retained for 3 years after the individual's non-selection or rejection.
After these periods of retention expire, paper records are destroyed by
shredding or
[[Page 33155]]
burning and electronic records are destroyed by deleting and purging.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
The records are protected from unauthorized access by the following
safeguards. All safeguards conform to applicable laws, rules, and
policies, including the HHS Information Security and Privacy Program,
https://www.hhs.gov/ocio/securityprivacy/, the E-Government Act of
2002, as amended (44 U.S.C. ch. 35), pertinent National Institutes of
Standards and Technology (NIST) publications, and OMB Circular A-130,
Managing Information as a Strategic Resource.
Authorized Users: Access to the records is limited to
authorized personnel for use in the performance of their official
duties. Authorized personnel include: Credentialist (Medical Staff
Professionals), Physician Recruitment and other Health Professions
Branch Staff and Area Governing Board Members at IHS Area Offices, and
Service Unit Directors, Clinical Directors, and members of the
Credentials and Privilege Committee of each IHS Service Unit. The IHS
CMO and the Quality Assurance Risk Management Committee members or
their designees are authorized users for purposes of review under the
protection of 25 U.S.C. 1675. At each location where records in this
system of records are maintained, a list of personnel or categories of
personnel having an official need-to-know has been developed and is
maintained.
Physical Safeguards: Paper records are kept in locked
metal filing cabinets or in locked desk drawers in secured rooms at all
times when not in use during working hours and at all times during non-
working hours. Record storage areas, including file cabinets and desks,
are not left unattended or unlocked during office hours, including
lunch hours. When copying records for authorized purposes, care is
taken to ensure that any imperfect pages are not left in the
reproduction room where they can be read but are destroyed or
obliterated.
Technical Safeguards: Technical security measures are in
place on all devices used on the IHS network. Any attempts by
unauthorized individuals to gain access are automatically logged and
immediately reviewed. The individuals permitted to access these records
will be limited to employees and contractors with responsibility for
conducting regulatory oversight who have security clearances at the T3
level (Non-Critical Sensitive positions requiring Secret clearance) or
T4 level (Non-Sensitive High Risk-Public Trust).
Protection for electronic records include programmed verification
of valid user personal identification verification (PIV) code and
password prior to logging on to the system; mandatory password changes;
limited log-ins; virus protection; encryption; firewalls and intrusion
detection systems; and user rights/file attribute restrictions. The
password protection imposes username and password log-in requirements
to prevent unauthorized access. Each username is assigned limited
access rights to files and directories at varying levels to control
file sharing and ensure a separation of duties. There are routine daily
backup procedures, and backup files are securely stored off-site.
Administrative Safeguards: Security controls are reviewed and
assessed on an ongoing basis. All IHS system users are required to
complete role-based training, IHS rules of behavior agreements, and
records management and information system security and privacy
awareness training courses before being granted access and annually
thereafter. Only persons who have an official need-to-know are
entrusted with records from this system of records, and they are
instructed to safeguard the confidentiality of these records on an
ongoing basis and to destroy (if authorized for destruction) or return
any copies entrusted to them when the need to know has expired. Proper
charge-out procedures are followed for the removal of paper records
from the area in which they are maintained. Before an employee who will
control disclosure of records can work with the records (i.e.,
employees who report to the system manager) the system manager or
designee ensures that the employee has received training in the
safeguards applicable to the records and is aware of the actions to
take to restrict disclosure. The Identity Access Management supervisors
are responsible for submitting appropriate access requests for IHS
system users on their team and for reviewing their team members'
access.
RECORD ACCESS PROCEDURES:
To request access to records about you in this system of records,
submit a written access request addressed to ``Area and Clinical
Directors'' at the applicable Area Office address listed in the
``System Manager(s)'' section of this SORN. The request must:
Reasonably describe the records sought;
Include the name of the IHS Service Unit where you applied
for credentialing and privileging and either the date when the
application was submitted (if the application was unsuccessful) or the
dates and locations where you served;
Include if you are a current or former IHS medical or
health care professional, a direct contractor or a licensed staff
member; and
Include (for contact purposes and identity verification
purposes) your full name, current address, telephone number and/or
email address, date and place of birth, signature, evidence of other
names used (if seeking records retrieved by a name other than your
current name), and, if needed by the agency, sufficient particulars
contained in the records (such as, your Social Security number or other
identifying numbers) to enable the agency to locate the records and
distinguish between records on subject individuals with the same name.
In addition, to verify your identity, your signature on the request
must be notarized or the request must include, above your signature,
your written certification that you are the individual who you claim to
be and that you understand that the knowing and willful request for or
acquisition of a record pertaining to an individual under false
pretenses is a criminal offense subject to a fine of up to $5,000. We
may request additional identification when we hold records for
different persons with the same name or where an apparent discrepancy
exists between information contained in the record and that provided by
the individual requesting access to the record.
In your written request, you may request that copies of the records
be sent to you or you may request an appointment to review the records
in person (including with a person of your choosing, if you provide
written authorization for agency personnel to discuss the records in
that person's presence), at a specific IHS location (e.g., where you
currently work or formerly worked). If you make an appointment to
review the records in person, you must bring to the appointment at
least one piece of tangible photo identification, such as a driver's
license or passport, that is current and not expired. You may also
request an accounting of disclosures that have been made of records
about you, if any. Requests by telephone will not be accepted.
To the extent the records are Medical Quality Assurance records
protected by 25 U.S.C. 1675, the records may be disclosed only in
accordance with the exceptions in 25 U.S.C. 1675(d), because the
Privacy Act right of access
[[Page 33156]]
provisions are superseded by the confidentiality provisions protecting
Medical Quality Assurance Records. Accordingly, Medical Quality
Assurance Records will only be released pursuant to the Privacy Act
when the Agency has decided to release the records in accordance with
25 U.S.C. 1675(d).
CONTESTING RECORD PROCEDURES:
To request correction of a record about you in this system of
records, submit a written amendment request addressed to ``Area and
Clinical Directors'' at the applicable Area Office address listed in
the ``System Manager(s)'' section of this SORN. The request must
contain the same information required for an access request and include
verification of your identity in the same manner required for an access
request. In addition, the request must reasonably identify the record
and specify the information contested, the corrective action sought,
and the reasons for requesting the correction; and should include
supporting information to show how the record is inaccurate,
incomplete, untimely, or irrelevant.
NOTIFICATION PROCEDURES:
To find out if the system of records contains a record about you,
submit a written notification request addressed to ``Area and Clinical
Directors'' at the applicable Area Office address listed in the
``System Manager(s)'' section of this SORN. The request must identify
this system of records, contain the same information required for an
access request, and include verification of your identity in the same
manner required for an access request.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.
HISTORY:
74 FR 46436 (Sept. 9, 2009); 74 FR 50981 (Oct. 2, 2009); 83 FR 6591
(Feb. 14, 2018).
[FR Doc. 2023-10835 Filed 5-22-23; 8:45 am]
BILLING CODE 4165-16-P