Privacy Act of 1974; System of Records, 33151-33156 [2023-10835]

Agencies

• DEPARTMENT OF HEALTH AND HUMAN SERVICES
• Indian Health Service

[Federal Register Volume 88, Number 99 (Tuesday, May 23, 2023)]
[Notices]
[Pages 33151-33156]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-10835]



[[Page 33151]]

-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Indian Health Service


Privacy Act of 1974; System of Records

AGENCY: Indian Health Service, Department of Health and Human Services.

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, as amended, the Department of Health and Human Services (HHS) is 
modifying a system of records maintained by the Indian Health Service 
(IHS), System No. 09-17-0003, Indian Health Service Medical Staff 
Credentials and Privileges Records. The system of records covers 
records about individuals who request credentialing and privileging to 
serve as IHS medical or health care professionals.

DATES: In accordance with 5 U.S.C. 552a(e)(4) and (11), this Notice is 
applicable upon publication, subject to a 30-day period in which to 
comment on the new and revised routine uses, described below. Please 
submit any comments by June 22, 2023.

ADDRESSES: The public should address written comments by mail or email 
to: Heather H. McClane, Senior Official for Privacy, Indian Health 
Service, 5600 Fishers Lane--MAIL STOP: 09E70, Rockville, MD 20857, or 
[email protected].

FOR FURTHER INFORMATION CONTACT: General questions about this system of 
records should be submitted by mail or email to CAPT Jana Towne, Acting 
Director, Office of Quality, 5600 Fishers Lane--MAIL STOP: 08N70A, 
Rockville, MD 20857, or [email protected]; telephone (301) 273-4152.

SUPPLEMENTARY INFORMATION: The following modifications have been made 
to the System of Records Notice (SORN) for System No. 09-17-0003, 
Indian Health Service Medical Staff Credentials and Privileges Records:
     The System Name no longer includes ``HHS/IHS/OCPS,'' 
because the agency component responsible for the system of records is 
now identified in the System Location section.
     The Security Classification has been changed from ``None'' 
to ``Unclassified'' because the information in the system of records is 
not classified.
     The System Location section now provides the name and 
address of the agency component responsible for the system of records, 
instead describing physical records locations.
     The System Manager(s) section has been amended to include 
address and contact information for the official serving as the 
``overall'' System Manager and for the Area and Clinical Directors 
serving as the System Managers for purposes of receiving Privacy Act 
requests. A lengthy list of IHS Service Unit addresses which was 
included in an Appendix to the SORN (and which did not include email 
addresses or telephone numbers) has been removed.
     The Authority section no longer cites the Indian Self 
Determination and Education and Assistance Act (25 U.S.C. 450), because 
Tribal Health Programs credential and privilege their own providers 
using separate records; and no longer cites the Federal Records Act and 
the Privacy Act, because those are not sufficiently specific 
authorities for the maintenance of the records in this system of 
records.
     In the Purpose(s) section, which contains four purpose 
descriptions:
    (1) The first purpose description has been revised to change 
``medical staff members'' to ``medical and health care professionals'' 
and to insert ``having their identity confirmed'', as well as inserted 
the terms ``where required'' and ``education.''
    (2) The second purpose description now includes ``sexual 
misconduct'' and ``medical malpractice'' as examples of information 
indicative of an individual's professional competence, character, and 
ethical qualifications.
    (3) The third purpose description has been revised to remove 
references to the Health Care Quality Improvement Act of 1986 and the 
Health Insurance Portability and Accountability Act of 1996; to replace 
the citation to the Public Law governing the National Practitioner Data 
Bank (NPDB) with the U.S. Code cite; and to change ``information 
concerning current or former IHS medical staff members whose 
professional health care activity failed to conform to generally-
accepted standards of professional medical practice'' to ``information 
on certain adverse events and medical malpractice payments concerning 
current or former IHS medical staff members so that IHS and other 
health care entities may make informed decisions regarding hiring and 
privileging of those medical staff members.''
     The Categories of Individuals section has been revised to 
describe the category of individuals as applicants who request 
credentialing and privileging to serve as IHS medical or health care 
professionals (instead of as prospective, current, and former IHS 
medical staff members). In addition, the term ``IHS medical or health 
care professionals'' used in the revised category description is now 
explained as including two sub-types: (1) licensed practitioners; and 
(2) licensed staff members who neither maintain clinical privileges nor 
are governed by the medical staff bylaws but whose position requires a 
license to perform duties that need to be verified and tracked (instead 
of four sub-types: Provisional, Active, Temporary, and Courtesy or 
Associate).
     The Categories of Records section has been revised to 
describe the records as ``IHS medical staff membership and privilege 
applications and associated forms, as well as additional information to 
track credentials'' followed by an updated list of types of information 
included. Two information types have been changed (i.e., ``performance 
awards'' has been changed to ``performance status,'' and ``adverse or 
disciplinary actions'' has been changed to ``adverse or disciplinary 
actions regarding professional competence and personal 
characteristics''); ``evaluations and approvals completed by IHS 
medical staff reviewers'' has been removed; and these information types 
have been added: addresses, date of birth, National Provider Identifier 
number, health and immunization status, peer references, training, 
Medical Quality Assurance Records protected by 25 U.S.C. 1675, and 
records protected by 42 CFR part 2, Confidentiality of Substance Use 
Disorder Patient Records.
     The Record Source Categories section has been revised to 
include an additional source, i.e., ``other sources of professional 
information.''
     In the Routine Uses section, an introduction and one new 
routine use have been added and six routine uses have been revised, as 
follows:
    (1) The introduction states: ``In addition to the disclosures 
authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(1) and 
(b)(2) and (b)(4) through (b)(11), these routine uses specify 
circumstances under which the agency may disclose information from this 
system of records to a non-HHS officer or employee without the consent 
of the subject individual.''
    (2) In routine use 1, which authorizes disclosures to organizations 
conducting studies of IHS health care delivery, ``The Joint Commission 
on the Accreditation of Healthcare Organizations'' is now followed by 
the abbreviation ``(The Joint Commission).''
    (3) Routine use 2, which authorizes disclosures to entities that 
maintain license and registration issuance, retention, and revocation 
records, has been revised to add ``Social Security number'' and 
``personal characteristics that fail to conform to social norms

[[Page 33152]]

concerning lawful behaviors'' as items of information authorized to be 
disclosed; to add ``direct contract'' as a type of medical staff member 
about whom information is authorized to be disclosed; and to refer to 
``the NPDB'' instead of to ``the NPDB-HIPDB established under title IV 
of Public Law 99-660 and section 221(a) of Public Law 104-191.''
    (4) In routine use 3 (which authorizes disclosures of an 
applicant's biographic data to verify with third parties that the 
applicant's claimed background and employment data and credentials are 
valid), ``potential applicant'' has been changed to ``applicant''; 
``IHS medical staff and/or privileges applications'' has been changed 
to ``IHS medical staff membership and privileges applications''; 
``personal characteristics'' has been added to the description of 
qualifications evaluated; ``State or local government health profession 
licensing board'' has been changed to ``Federal, State, or local 
government health profession licensing or certification board''; 
``health related professional organization'' has been changed to 
``health care oversight or professional monitoring organization or 
program,'' and the examples of same now include ``The Joint 
Commission'' and now refer to ``the National Practitioner Data Bank'' 
instead of to ``the NPDB-HIPDB established under Title IV of Public Law 
99-660 and section 221(a) of Public Law 104-191''; and ``all claimed 
background'' has been changed to ``a clinician's claimed background.''
    (5) In routine use 4 (which authorizes disclosures to enable 
government agencies and private sector organizations to which the 
subject individual applies for clinical privileges, membership, or 
licensure to document information about the individual's professional 
performance while employed by the IHS), the words ``enabling them'' 
have been added to clarify that the disclosures aid the recipients' 
(not IHS's) documentation; ``Federal agencies'' has been changed to 
``Federal agencies or organizations'' in the description of disclosure 
recipients; the Office of Personnel Management has been removed as an 
example of a Federal agency recipient; and ``character'' has been added 
as a type of performance information that may be disclosed for the 
recipient's documentation purposes.
    (6) Routine use 5, which authorizes disclosures in litigation and 
similar proceedings, has been reorganized and reworded. A requirement 
that the disclosures be ``compatible with the purpose for which the 
records were collected'' has been removed as redundant, because it 
repeats part of the definition of a routine use.
    (7) Routine use 7 is new; it authorizes medical quality assurance 
records about the subject of a quality assurance action to be disclosed 
for any purposes authorized by 25 U.S.C. 1675(d) and (e)(2) to the 
recipients described in 25 U.S.C. 1675(d)(1) and (e)(2).
    (8) Routine use 8 (formerly numbered as 7), which currently 
authorizes disclosures of relevant records from this system of records 
to the appropriate enforcement agency when a ``system of records'' 
maintained by IHS indicates a violation or potential violation of law, 
has been revised to authorize disclosures of relevant records from this 
system of records to the appropriate enforcement agency when ``a record 
in this system of records, on its face, or in conjunction with other 
records'' indicates a violation or potential violation of law.
     The Storage section, which currently states that records 
are stored in ``file folders and computer-based or electronic files,'' 
has been revised to add that the file folders are ``stored at the IHS 
facilities or the Federal Record Center'' and the computer-based or 
electronic records are ``located at the IHS Albuquerque Data Center in 
Albuquerque, NM.''
     The Retrieval section has been revised to change ``numbers 
necessary to establish the identity of an individual whose record is 
maintained in the system of records'' to ``numbers necessary to ensure 
that the records retrieved are about the intended individual.''
     The Retention and Disposal section contains the 
description of the retention periods previously included at the end of 
the Safeguards section, and now cites the applicable National Archives 
and Records Administration (NARA)-approved disposition schedule.
     The Safeguards section has been revised to mention 
applicable laws, rules, and policies at the start, instead of in a 
numbered paragraph near the end; to remove a numbered paragraph 
addressing retention and disposal practices; to describe additional 
authorized users (i.e., Credentialist; and IHS Chief Medical Officer 
and Quality Assurance Risk Management Committee members and their 
designees); to update the physical safeguards description to include 
paper records; to add a paragraph describing technical safeguards; and 
to update the administrative safeguards description to include a 
statement that security controls are reviewed and assessed on an 
ongoing basis and a description of the training and rules of behavior 
requirements that users must meet prior to being granted system access 
and periodically thereafter.
     The sections describing procedures for making Privacy Act 
requests have been reorganized to outline the required contents of any 
Privacy Act request in the Access Request Procedures section, to 
incorporate those requirements by reference in the Contesting Record 
and Notification procedures sections, and to include additional 
requirements specific to amendment requests in the Contesting Record 
procedures section. The required contents for any Privacy Act request 
include these new items: telephone number and/or email address, and 
date and place of birth. The procedures now explain how to verify 
identity, instead of merely requiring identity to be verified in 
accordance with the HHS Privacy Act regulations. Instead of indicating 
that an individual may make a request in person, unannounced, the 
procedures now state that an individual may request an appointment to 
review the records in person. A note has been added at the end of the 
Access Request Procedures section about access limitations in 25 U.S.C. 
1675 that apply to any records that are Medical Quality Assurance 
records.
    Because some of these changes are significant, a report on the 
modified system of records was sent to the Office of Management and 
Budget (OMB) and the Congressional committees that oversee privacy, in 
accordance with 5 U.S.C. 552a(r).

Roselyn Tso,
Director, Indian Health Service.

SYSTEM NAME AND NUMBER:
    Indian Health Service Medical Staff Credentials and Privileges 
Records, 09-17-0003.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    The address of the agency component responsible for the system of 
records is: Office of Chief Medical Officer (CMO), Indian Health 
Service, 5600 Fishers Lane--MAIL STOP: 08E37A, Rockville, MD 20857.

SYSTEM MANAGER(S):
    The System Manager for the overall system of records (also known as 
the Policy Coordinating Official) is: Director, Office of CMO, IHS, 
5600 Fishers Lane--MAIL STOP: 08E37A, Rockville, MD 20857, 
[email protected], (732) 740-6702.

[[Page 33153]]

    The Area Director, together with the Clinical Director of the IHS 
Service Unit where the individual applied for credentialing and 
privileging, is the System Manager who the individual must contact to 
make a Privacy Act request. Requests must be addressed to ``Area and 
Clinical Directors'' at the applicable Area Office address listed 
below:
     Alaska Area: Alaska Area Native Health Service, 4141 
Ambassador Drive--Suite 300, Anchorage, AK 99508-5928, (907) 729-3686.
     Albuquerque Area: Albuquerque Area Office, Indian Health 
Service, 4101 Indian School Rd. NE--Suite 225, Albuquerque, NM 87110-
3988, (505) 256-6800.
     Bemidji Area: Bemidji Area Office, Indian Health Service, 
Bemidji Technology Park, 2225 Cooperative Ct. NW, Bemidji, MN 56601, 
(218) 444-0452.
     Billings Area: Billings Area Office, Indian Health 
Service, 2900 4th Avenue North, Billings, MT 59101 (or Billings Area 
Office, P.O. Box 36600, Billings, MT 59107), (406) 247-7106.
     California Area: Indian Health Service, California Area 
Office, John E. Moss Federal Building, 650 Capitol Mall--Suite 7-100, 
Sacramento, CA 95814, (916) 930-3927.
     Great Plains Area: Great Plains Area Indian Health 
Service, 115 4th Avenue SW--Room 309, Aberdeen, SD 57401, (605) 226-
7581.
     Nashville Area: Nashville Area Indian Health Service, 711 
Stewarts Ferry Pike, Nashville, TN, 37214, (615) 467-1500.
     Navajo Area: Navajo Area Indian Health Service (NAIHS), 
272 Hwy 264, Window Rock, AZ 86515-9020 (or Navajo Area Indian Health 
Service (NAIHS), P.O. Box 9020, Window Rock, AZ 86515), (928) 871-5812, 
(928) 871-5813, or (928) 871-5801.
     Oklahoma City Area: Oklahoma City Area Indian Health 
Service, 701 Market Drive, Oklahoma City, OK 73114, (405) 951-3820.
     Phoenix Area: Phoenix Area Office, Indian Health Service, 
Two Renaissance Square, 40 N. Central Avenue--Suite 504, Phoenix, AZ 
85004, (602) 364-5039.
     Portland Area: Portland Area Indian Health Service, 1414 
NW Northrup Street--Suite 800, Portland, OR 97209, (503) 414-5555.
     Tucson Area: Tucson Area Indian Health Service, 7900 South 
J Stock Road, Tucson, AZ 85746, (520) 295-2405.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Snyder Act (25 U.S.C. 13); Indian Health Care Improvement Act, as 
amended (25 U.S.C. 1601 et seq.); and Transfer Act of 1954 (42 U.S.C. 
2001 through 2004).

PURPOSE(S) OF THE SYSTEM:
    The records in this system of records are used for these purposes:
    1. To ensure that IHS medical and health care professionals are 
qualified, their identity confirmed, are competent, and capable of 
delivering quality health services consistent with those of the medical 
community at large and that, where required, they are granted 
privileges commensurate with their education, training, and competence 
and with the ability of the facility to provide adequate support, 
equipment, services, and staff.
    2. To inform health care practitioner(s) and staff of health care 
facilities, State or county health professional societies, or licensing 
boards to whom the subject individual may apply for clinical 
privileges, membership, or licensure, of the subject individual's 
professional competence, character, and ethical qualifications. This 
may include information regarding drug or alcohol abuse or dependency, 
sexual misconduct, or medical malpractice.
    3. To provide adverse health care practice information to the 
National Practitioner Data Bank (NPDB) established under 42 U.S.C. 
11101 through 11152. The purpose of such a release is to provide 
information on certain adverse events and medical malpractice payments 
concerning current or former IHS medical staff members so that the IHS 
and other health care entities may make informed decisions regarding 
hiring and privileging of those medical staff members.
    4. To provide health care practice information concerning current 
or former members of the IHS medical staff with Commissioned Corps 
status to the Division of Commissioned Personnel, U.S. Public Health 
Service, so that an informed decision may be made concerning the 
promotion, retention, or reassignment of the subject individual.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The records are about applicants who request credentialing and 
privileging to serve as IHS medical or health care professionals, 
including both initial and renewing applicants and regardless of 
whether the application is successful.
    IHS medical or health care professionals include:
    1. Licensed Practitioners (LPs). This refers to a fully licensed, 
registered, or certified individual permitted by law to independently 
provide patient care services within the scope of his or her license, 
registration, or certification, and in accordance with individually 
granted clinical privileges when the individual is a credentialed 
member of the IHS medical staff.
    2. Licensed staff members. This refers to licensed staff who 
neither maintain clinical privileges nor are governed by the medical 
staff bylaws, but whose position requires a license to perform duties 
that need to be verified and tracked.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records are IHS medical staff membership and privilege 
applications and associated forms, as well as additional information to 
track credentials, which include the applicant's name, Social Security 
number, addresses, other identifying number(s) e.g., date of birth, 
National Provider Identifier number, and self-attestations about and 
documents evidencing the following, as applicable: applicant's 
employment history; health and immunization status; liability insurance 
coverage; peer references; credentialing history (if the applicant is a 
licensed health professional); personal, educational, and demographic 
background information; professional performance summary information; 
continuing education, training, performance status; adverse or 
disciplinary actions regarding professional competence and personal 
characteristics; Medical Quality Assurance Records protected by 25 
U.S.C. 1675; and records protected by 42 CFR part 2, Confidentiality of 
Substance Use Disorder Patient Records.

RECORD SOURCE CATEGORIES:
    The information in the records is provided directly by the subject 
individual or by IHS health care personnel or other sources of 
professional information, including: references supplied by the subject 
individual; professional societies or associations; specialty boards; 
colleges and universities attended by the subject individual; former 
employers; health facilities or health providers with which the subject 
individual has been associated; liability insurance carriers; 
organizations providing cardiopulmonary resuscitation (CPR) training to 
the subject individual; State and local health and health care 
licensing or certifying organizations; and organizations that serve as 
repositories of information on health care professionals.

[[Page 33154]]

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    In addition to the disclosures authorized directly in the Privacy 
Act at 5 U.S.C. 552a(b)(1), (b)(2), and (b)(4) through (b)(11), these 
routine uses specify circumstances under which the agency may disclose 
information from this system of records to a non-HHS officer or 
employee without the consent of the subject individual.
    1. Records may be disclosed to organizations authorized to conduct 
evaluation studies concerning the delivery of health care services by 
the IHS (e.g., The Joint Commission on the Accreditation of Healthcare 
Organizations (The Joint Commission)).
    2. The IHS may disclose records consisting of name, Social Security 
number, employment history, and any professional qualification 
information concerning medical staff membership and privileges, 
professional competence, clinical judgment, and personal character to a 
State or local government health professional licensing board, to the 
Federation of State Medical Boards, to the NPDB, and/or to a similar 
entity which has the authority to maintain records concerning the 
issuance, retention, or revocation of licenses or registrations 
necessary to practice a health professional occupation or specialty. 
The purpose of this disclosure is to inform medical profession 
licensing boards and appropriate entities about the health care 
practices of a current, terminated, resigned, or retired IHS or direct 
contract medical staff members whose professional health care activity 
significantly failed to conform to generally accepted standards of 
professional medical practice or personal characteristics that fail to 
conform to social norms concerning lawful behaviors. This will be done 
within the guidelines for notice, hearing, and review as delineated in 
the medical staff bylaws for the IHS facility and/or within other HHS 
or IHS regulations or policies.
    3. The IHS may disclose biographic data and information supplied by 
an applicant to (a) references listed on the IHS medical staff 
membership and/or privileges applications and associated forms for the 
purpose of evaluating the applicant's professional qualifications, 
personal characteristics, experience, and suitability, (b) a Federal, 
State, or local government health profession licensing or certification 
board, or (c) a health care oversight or professional monitoring 
organization or program (e.g., the Federation of State Medical Boards, 
The Joint Commission, or the National Practitioner Data Bank) for the 
purpose of verifying that a clinician's claimed background and 
employment data are valid and all claimed credentials are current and 
in good standing.
    4. Records may be disclosed to other Federal agencies or 
organizations, to State and local governmental agencies, and to 
organizations in the private sector to which the subject individual 
applies for clinical privileges, membership, or licensure for the 
purpose of enabling them to document the qualifications, character, and 
competency of the individual to provide health services in his/her 
health profession based on his/her professional performance while 
employed by the IHS.
    5. HHS may disclose records to the Department of Justice (DOJ), or 
to a court or other tribunal, when any of the following is a party to 
litigation or similar proceedings or has an interest in such 
proceedings: (1) HHS, or any component thereof; (2) any HHS employee in 
his/her official capacity; (3) any HHS employee in his/her individual 
capacity when the DOJ (or HHS, where it is authorized to do so) has 
agreed to represent the employee; or (4) the United States or any 
agency thereof, where HHS determines that the litigation is likely to 
affect HHS or any of its components. In order to disclose information 
in these circumstances, HHS must determine that the use of the records 
by the DOJ, court, or other tribunal is relevant and necessary to the 
proceedings and would help in the effective representation of the 
governmental party.
    6. Records may be disclosed to a congressional office from the 
record of an individual in response to a verified inquiry from the 
congressional office made at the written request of that individual.
    7. Medical quality assurance records about the subject of a quality 
assurance action may be disclosed for any purposes authorized by 25 
U.S.C. 1675(d) and (e)(2), to the recipients described in 25 U.S.C. 
1675(d)(1) and (e)(2).
    8. In the event that a record in this system of records, on its 
face, or in conjunction with other records, indicates a violation or 
potential violation of law, whether civil, criminal, or regulatory in 
nature, and whether arising by general statute or particular program 
statute, or by regulation, rule, or order issued pursuant thereto, the 
relevant records in this system of records may be referred to the 
appropriate agency, whether Federal, State, local, Tribal, or foreign, 
charged with enforcing or implementing the statute or rule, regulation, 
or order issued pursuant thereto.
    9. Records may be disclosed to appropriate agencies, entities, and 
persons when (1) HHS suspects or has confirmed that there has been a 
breach of the system of records; (2) HHS has determined that as a 
result of the suspected or confirmed breach there is a risk of harm to 
individuals, HHS (including its information systems, programs, and 
operations), the Federal Government, or national security; and (3) the 
disclosure made to such agencies, entities, and persons is reasonably 
necessary to assist in connection with HHS's efforts to respond to the 
suspected or confirmed breach or to prevent, minimize, or remedy such 
harm.
    10. Records may be disclosed to another Federal agency or Federal 
entity, when HHS determines that information from this system of 
records is reasonably necessary to assist the recipient agency or 
entity in (1) responding to a suspected or confirmed breach or (2) 
preventing, minimizing, or remedying the risk of harm to individuals, 
the recipient agency or entity (including its information systems, 
programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    The records are stored in two ways: records stored in file folders 
are stored at the IHS facilities or the Federal Record Center, and 
computer-based or electronic records are located at the IHS Albuquerque 
Data Center in Albuquerque, NM.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    The records are indexed and retrieved by name, Social Security 
number, and any other identifying numbers necessary to ensure that the 
records retrieved are about the intended individual.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    In accordance with NARA-approved schedule DAA-0513-2018-0002, items 
1.1 and 1.2, records about successful applicants are maintained by the 
IHS for 10 years after the individual's termination of employment or 
association with IHS, and records about unsuccessful applicants are 
retained for 3 years after the individual's non-selection or rejection. 
After these periods of retention expire, paper records are destroyed by 
shredding or

[[Page 33155]]

burning and electronic records are destroyed by deleting and purging.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    The records are protected from unauthorized access by the following 
safeguards. All safeguards conform to applicable laws, rules, and 
policies, including the HHS Information Security and Privacy Program, 
https://www.hhs.gov/ocio/securityprivacy/, the E-Government Act of 
2002, as amended (44 U.S.C. ch. 35), pertinent National Institutes of 
Standards and Technology (NIST) publications, and OMB Circular A-130, 
Managing Information as a Strategic Resource.
     Authorized Users: Access to the records is limited to 
authorized personnel for use in the performance of their official 
duties. Authorized personnel include: Credentialist (Medical Staff 
Professionals), Physician Recruitment and other Health Professions 
Branch Staff and Area Governing Board Members at IHS Area Offices, and 
Service Unit Directors, Clinical Directors, and members of the 
Credentials and Privilege Committee of each IHS Service Unit. The IHS 
CMO and the Quality Assurance Risk Management Committee members or 
their designees are authorized users for purposes of review under the 
protection of 25 U.S.C. 1675. At each location where records in this 
system of records are maintained, a list of personnel or categories of 
personnel having an official need-to-know has been developed and is 
maintained.
     Physical Safeguards: Paper records are kept in locked 
metal filing cabinets or in locked desk drawers in secured rooms at all 
times when not in use during working hours and at all times during non-
working hours. Record storage areas, including file cabinets and desks, 
are not left unattended or unlocked during office hours, including 
lunch hours. When copying records for authorized purposes, care is 
taken to ensure that any imperfect pages are not left in the 
reproduction room where they can be read but are destroyed or 
obliterated.
     Technical Safeguards: Technical security measures are in 
place on all devices used on the IHS network. Any attempts by 
unauthorized individuals to gain access are automatically logged and 
immediately reviewed. The individuals permitted to access these records 
will be limited to employees and contractors with responsibility for 
conducting regulatory oversight who have security clearances at the T3 
level (Non-Critical Sensitive positions requiring Secret clearance) or 
T4 level (Non-Sensitive High Risk-Public Trust).
    Protection for electronic records include programmed verification 
of valid user personal identification verification (PIV) code and 
password prior to logging on to the system; mandatory password changes; 
limited log-ins; virus protection; encryption; firewalls and intrusion 
detection systems; and user rights/file attribute restrictions. The 
password protection imposes username and password log-in requirements 
to prevent unauthorized access. Each username is assigned limited 
access rights to files and directories at varying levels to control 
file sharing and ensure a separation of duties. There are routine daily 
backup procedures, and backup files are securely stored off-site.
    Administrative Safeguards: Security controls are reviewed and 
assessed on an ongoing basis. All IHS system users are required to 
complete role-based training, IHS rules of behavior agreements, and 
records management and information system security and privacy 
awareness training courses before being granted access and annually 
thereafter. Only persons who have an official need-to-know are 
entrusted with records from this system of records, and they are 
instructed to safeguard the confidentiality of these records on an 
ongoing basis and to destroy (if authorized for destruction) or return 
any copies entrusted to them when the need to know has expired. Proper 
charge-out procedures are followed for the removal of paper records 
from the area in which they are maintained. Before an employee who will 
control disclosure of records can work with the records (i.e., 
employees who report to the system manager) the system manager or 
designee ensures that the employee has received training in the 
safeguards applicable to the records and is aware of the actions to 
take to restrict disclosure. The Identity Access Management supervisors 
are responsible for submitting appropriate access requests for IHS 
system users on their team and for reviewing their team members' 
access.

RECORD ACCESS PROCEDURES:
    To request access to records about you in this system of records, 
submit a written access request addressed to ``Area and Clinical 
Directors'' at the applicable Area Office address listed in the 
``System Manager(s)'' section of this SORN. The request must:
     Reasonably describe the records sought;
     Include the name of the IHS Service Unit where you applied 
for credentialing and privileging and either the date when the 
application was submitted (if the application was unsuccessful) or the 
dates and locations where you served;
     Include if you are a current or former IHS medical or 
health care professional, a direct contractor or a licensed staff 
member; and
     Include (for contact purposes and identity verification 
purposes) your full name, current address, telephone number and/or 
email address, date and place of birth, signature, evidence of other 
names used (if seeking records retrieved by a name other than your 
current name), and, if needed by the agency, sufficient particulars 
contained in the records (such as, your Social Security number or other 
identifying numbers) to enable the agency to locate the records and 
distinguish between records on subject individuals with the same name.
    In addition, to verify your identity, your signature on the request 
must be notarized or the request must include, above your signature, 
your written certification that you are the individual who you claim to 
be and that you understand that the knowing and willful request for or 
acquisition of a record pertaining to an individual under false 
pretenses is a criminal offense subject to a fine of up to $5,000. We 
may request additional identification when we hold records for 
different persons with the same name or where an apparent discrepancy 
exists between information contained in the record and that provided by 
the individual requesting access to the record.
    In your written request, you may request that copies of the records 
be sent to you or you may request an appointment to review the records 
in person (including with a person of your choosing, if you provide 
written authorization for agency personnel to discuss the records in 
that person's presence), at a specific IHS location (e.g., where you 
currently work or formerly worked). If you make an appointment to 
review the records in person, you must bring to the appointment at 
least one piece of tangible photo identification, such as a driver's 
license or passport, that is current and not expired. You may also 
request an accounting of disclosures that have been made of records 
about you, if any. Requests by telephone will not be accepted.
    To the extent the records are Medical Quality Assurance records 
protected by 25 U.S.C. 1675, the records may be disclosed only in 
accordance with the exceptions in 25 U.S.C. 1675(d), because the 
Privacy Act right of access

[[Page 33156]]

provisions are superseded by the confidentiality provisions protecting 
Medical Quality Assurance Records. Accordingly, Medical Quality 
Assurance Records will only be released pursuant to the Privacy Act 
when the Agency has decided to release the records in accordance with 
25 U.S.C. 1675(d).

CONTESTING RECORD PROCEDURES:
    To request correction of a record about you in this system of 
records, submit a written amendment request addressed to ``Area and 
Clinical Directors'' at the applicable Area Office address listed in 
the ``System Manager(s)'' section of this SORN. The request must 
contain the same information required for an access request and include 
verification of your identity in the same manner required for an access 
request. In addition, the request must reasonably identify the record 
and specify the information contested, the corrective action sought, 
and the reasons for requesting the correction; and should include 
supporting information to show how the record is inaccurate, 
incomplete, untimely, or irrelevant.

NOTIFICATION PROCEDURES:
    To find out if the system of records contains a record about you, 
submit a written notification request addressed to ``Area and Clinical 
Directors'' at the applicable Area Office address listed in the 
``System Manager(s)'' section of this SORN. The request must identify 
this system of records, contain the same information required for an 
access request, and include verification of your identity in the same 
manner required for an access request.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    74 FR 46436 (Sept. 9, 2009); 74 FR 50981 (Oct. 2, 2009); 83 FR 6591 
(Feb. 14, 2018).

[FR Doc. 2023-10835 Filed 5-22-23; 8:45 am]
BILLING CODE 4165-16-P