[Federal Register Volume 73, Number 188 (Friday, September 26, 2008)]
[Rules and Regulations]
[Pages 55772-55775]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-21909]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Part 5b
[CMS-0029-F]
RIN 0938-A069
Exemption of Certain Systems of Records Under the Privacy Act
AGENCY: Office of the Secretary, HHS.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: This final rule exempts four systems of records (SORs) from
subsections (c)(3), (d)(1) through (d)(4), (e)(4)(G) and (H), and (f)
of the Privacy Act pursuant to 5 U.S.C. 552a(k)(2): The Automated
Survey Processing Environment (ASPEN) Complaint/ Incidents Tracking
System (ACTS), HHS/CMS, System No. 09-70-0565; the Health Insurance
Portability and Accountability Act (HIPAA) Information Tracking System
(HITS), HHS/CMS, System No. 09-70-0544; the Organ Procurement
Organizations System (OPOS), HHS/CMS, System No. 09-70-0575; and the
Fraud Investigation Database (FID), HHS/CMS, System No. 09-70-0527.
DATES: Effective Date: These regulations are effective on October 27,
2008.
FOR FURTHER INFORMATION CONTACT: Walter Stone, (410) 786-5357.
SUPPLEMENTARY INFORMATION:
I. Background
The four systems of records (SORs) that are the subject of this
final rule and the May 25, 2007 proposed rule are as follows:
A. The Automated Survey Processing Environment Complaints/Incidents
Tracking System (ACTS), HHS/CMS, System No. 09-70-0565
In the August 22, 2003 Federal Register (68 FR 50795), we published
a notice announcing a new SOR titled Automated Survey Processing
Environment (ASPEN) Complaint/Incidents Tracking System (ACTS), HHS/
CMS, System No. 09-70-0565.
In the May 23, 2006 Federal Register (71 FR 29643) we published a
notice that modified the ACTS SOR. This notice included all
modifications and the full text of this system of records. ACTS is a
Windows-based program whose primary purpose is to track and process
complaints and incidents reported against health care facilities
regulated by CMS and State agencies. These facilities include Clinical
Laboratory Improvement Amendment (CLIA)-certified laboratories, skilled
nursing facilities (SNFs), nursing facilities, hospitals, home health
agencies (HHAs), end stage renal disease (ESRD) facilities, hospices,
rural health clinics (RHCs), comprehensive outpatient rehabilitation
facilities (CORFs), outpatient physical therapy services, community
mental health centers (CMHCs), ambulatory surgical centers (ASCs),
suppliers of portable x-ray services, and intermediate care facilities
for persons with mental retardation (ICF/MRs). ACTS contains
identifiable information on individuals, who are complainants,
residents, patients, clients, contacts or witnesses. It also may
include alleged perpetrators, survey team members, laboratory
directors, laboratory owners, and employees and directors of the health
care facilities noted previously. ACTS is designed to manage all
operations associated with complaint and incident tracking and
processing, from initial intake and investigation through the final
disposition.
B. The Health Insurance Portability and Accountability Act (HIPAA)
Information Tracking System (HITS), HHS/CMS, System No. 09-70-0544.
In the July 6, 2005 Federal Register (70 FR 38944), we published a
notice announcing a new SOR titled Health Insurance Portability and
Accountability Act (HIPAA) Information Tracking System (HITS), HHS/CMS,
System No. 09-70-0544
In general, HITS consists of an electronic repository of
information, documents, and supplementary paper document files
resulting from investigations of alleged violations of the transactions
and code sets, security, and unique identifier provisions of HIPAA.
HITS' purpose is to support investigations of complainants,
determinations as to whether there were violations as charged in the
original complaint, referral of violations to law enforcement entities
as necessary, and maintenance and retrieval of records that contain the
results of the complaint investigations. The system of records
[[Page 55773]]
covers individuals who have submitted complaints alleging violations of
the provisions of HIPAA. Investigative files maintained in HITS are
received either as electronic documents or as paper records that are
compiled for law enforcement purposes.
C. The Organ Procurement Organizations System (OPOS), HHS/CMS, System
No. 09-70-0575
In the May 22, 2006 Federal Register (71 FR 29336), we published a
notice announcing a new SOR titled Organ Procurement Organizations
System (OPOS), HHS/CMS, System No. 09-70-0575. OPOS is a Windows based
program whose purpose is to track and process complaints and incidents
reported against Organ Procurement Organizations. Section 701 of the
Organ Procurement Organization System Certification Act of 2000 (Pub.
L. 106-505) gave the Department the authority to collect and maintain
individually identifiable information pertaining to allegations filed
by a complainant, beneficiary, or provider of services against Organ
Procurement Organizations. This information includes information
gathered during all aspects of an investigation, including initial
complaints, findings, results, disposition, and relevant
correspondence.
D. The Fraud Investigation Database (FID), HHS/CMS, System No. 09-70-
0527
In the October 28, 2002 Federal Register (70 FR 65795), we
published a notice that modified, among other things, the name of a SOR
entitled ``CMS Utilization Review Investigatory Files, System No. 09-
70-0527'' to ``CMS Fraud Investigation Database (FID).'' The notice
included the full text of the FID system of records. The FID system of
records contains the name, work address, work phone number, social
security number, Unique Provider Identification Number (UPIN), and
other identifying demographics of individuals alleged to have violated
provisions of the Social Security Act (the Act) related to Medicare,
Medicaid, HMO/Managed Care, and the Children's Health Insurance
Program. The FID system of records also contains the contact
information and other identifying demographics of individuals alleged
to have violated other criminal or civil statutes connected with the
Act and the Act's programs. Here, individuals are persons alleged to
have abused the Act's programs. (For example, an individual could be a
person alleged to have rendered unnecessary services to Medicare
beneficiaries or Medicaid recipients, over-used services, or engaged in
improper billing.) They are persons whose activities have provided a
substantial basis for criminal or civil prosecution, or who are
identified as defendants in criminal prosecution cases.
II. Provisions of the Proposed Rule
In the May 25, 2007 Federal Register (72 FR 29289) we published a
proposed rule that would exempt the ACTS, HITS, OPOS, and FID systems
of records from subsection (c)(3), (d)(1) through (d)(4), (e)(4)(G) and
(H), and (f) of the Privacy Act pursuant to 5 U.S.C. 552a(k)(2). These
exemptions would apply only to the extent that information in a record
is subject to exemption pursuant to 5 U.S.C. 552a(k)(2). We proposed
that the ACTS, HITS, OPOS, and FID systems of records would be exempted
from the following subsections for the reasons set forth below:
Subsection (c)(3). Release of an accounting of disclosures
to an individual who is the subject of an investigation could reveal
the nature and scope of the investigation and could result in the
altering or destruction of evidence, improper influencing of witnesses,
and other evasive actions that could impede or compromise the
investigation.
Subsection (d)(1). Release of investigative records to an
individual who is the subject of an investigation could interfere with
pending or prospective law enforcement proceedings, constitute an
unwarranted invasion of the personal privacy of third parties, reveal
the identity of confidential sources, or reveal sensitive investigative
techniques and procedures.
Subsections (d)(2) through (d)(4). Amendment or correction
of investigative records could interfere with pending or prospective
law enforcement proceedings, or could impose an impossible
administrative and investigative burden by requiring us to continuously
retrograde our investigations in an attempt to resolve questions of
accuracy, relevance, timeliness, and completeness.
Subsection (e)(4)(G) and (H). Notifying an individual who
is the subject of an investigation or a witness that a system of
records contains information about him or her could reveal the nature
and scope of the investigation and could result in the altering or
destruction of evidence, improper influencing of witnesses, and other
evasive actions that could impede or compromise the investigation.
Subsection (f). Establishing procedures for notification,
inspection or amendment of records, or appeals of denials of access to
records would interfere with pending or prospective law enforcement
proceedings, constitute an unwarranted invasion of the personal privacy
of third parties, reveal the identity of confidential sources, or
reveal sensitive investigative techniques. Furthermore, these actions
could impose an impossible administrative and investigative burden by
requiring us to continuously retrograde our investigations in an
attempt to resolve questions of accuracy, relevance, timeliness, and
completeness.
Accordingly, we proposed to amend 45 CFR 5b.11(b)(2)(ii) of the
Privacy Act regulations by adding the following:
A new paragraph (H) that exempts investigative materials
compiled for law enforcement purposes from ACTS.
A new paragraph (I) that exempts investigative materials
compiled for law enforcement purposes from HITS.
A new paragraph (J) that exempts investigative materials
compiled for law enforcement purposes from OPOS.
A new paragraph (K) that exempts investigative materials
compiled for law enforcement purposes from FID.
III. Analysis of and Responses to Public Comments
We solicited and received two timely public comments on the May 25,
2007 proposed rule. The following is a summary of the comments and our
responses.
Comment: One commenter believed that 45 CFR 5b.11(d) seems to allow
the Department of Health and Human Services to disclose identities of
sources who furnished information under an express promise of
confidentiality.
Response: We do not disclose information that would reveal the
identities of sources who furnish information under an express promise
of confidentiality because the promise of confidentiality made to a
witness is an agreement with that individual, and such disclosure would
be both a violation of that agreement and counterproductive to law
enforcement efforts, as it would discourage individuals from coming
forward to supply information about alleged misconduct. 45 CFR 5b.11(b)
gives the responsible Department official discretion to grant
notification of access to a record in a system of records which is
exempt under 45 CFR 5b.11(b), unless disclosure to the general public
is otherwise prohibited by law. The department does not intend to
exercise its discretion to disclose identifying
[[Page 55774]]
information about sources who furnish information under an express
promise of confidentiality.
Comment: Commenters requested that the exemptions be narrowed or
clarified by defining the terms ``investigative materials'' and ``law
enforcement purposes,'' including differentiating among kinds of
records within each system that constitute ``investigatory materials,''
as well as describing agency uses that are not consistent with ``law
enforcement purposes.'' A commenter suggested that CMS implement
regulatory definitions, criteria, guidelines or other means to
effectuate a confidentiality promise to an informant and to recognize
whether or not one has been effectuated for purposes of compliance with
subsection (k)(2) of the Privacy Act.
Response: We believe that with respect to clarifying what
constitutes a confidentiality promise, we continue to rely upon the
following language in subsection (k)(2) of the Privacy Act (5 U.S.C
552a), which permits exemptions from certain subsections of the Privacy
Act:
[I]nvestigatory material compiled for law enforcement purposes,
other than material within the scope of subsection (j)(2) of this
section [the Privacy Act]: Provided, however, That if any individual
is denied any right, privilege, or benefit that he would otherwise
be entitled by Federal law, or for which he would otherwise be
eligible, as a result of the maintenance of such material, such
material shall be provided to such individual, except to the extent
that the disclosure of such material would reveal the identity of a
source who furnished information to the Government under an express
promise that the identity of the source would be held in confidence,
or, prior to the effective date of this section, [September 27,
1975] under an implied promise that the identity of the source would
be held in confidence;
The (k)(2) exemption covers: (1) Material compiled for criminal
investigative law enforcement purposes by an entity that does not have
as its principal function the enforcement of criminal law and (2)
investigative material compiled for law enforcement purposes that does
not fall into the scope of the exemption under 5 U.S.C. 552(j)(2). The
material must be investigative and compiled for some ``law
enforcement'' purpose, such as a civil investigation, or a criminal
investigation by an agency that does not perform as its principal
function the enforcement of criminal law.
Further, since the information in the SORs at issue was collected
on or after September 27, 1975, we believe that, with respect to
investigative material that would reveal the identity of a confidential
source, only express promises to a source that his or her identity
would not be revealed will be implicated here. An example of an express
promise could occur when a source expressly requests that his or her
identity not be revealed as a condition of furnishing the information,
and CMS agrees to that condition and documents that promise in writing.
The four SORs at issue were established after September 27, 1975,
the effective date of the Privacy Act, as follows:
The CMS Fraud Investigation Database (FID) was published
under its previous name, ``HCFA Utilization Review Investigatory
Files,'' on December 29, 1988 (53 FR 52792) and republished under its
current name on October 28, 2002 (67 FR 65795 ).
The Automated Survey Processing Environment (ASPEN).
Complaints/Incidents Tracking System (ACTS) was first established on
August 22, 2003 (68 FR 50795).
The Health Insurance Portability and Accountability
Act(HIPAA) Information Tracking System (HITS) was first established on
July 6, 2005 (70 FR 38944).
The Organ Procurement Organizations System (OPOS) was
first established on May 22, 2006 (71 FR 29336).
Further information about this exemption can be found in the Office
of Management and Budget's Privacy Act Guidelines, (see the July 9,
1975 Federal Register (40 FR 28972 through 28973)).
IV. Provisions of the Final Rule
After review of the public comments, we are finalizing the
provisions of the proposed rule with minor technical changes. We are
revising the paragraphs in Sec. 5b.11(b)(2)(ii) so that the SORs are
listed in chronological order by the date established.
V. Collection of Information Requirements
This final rule does not impose information collection and
recordkeeping requirements. Consequently, it need not be reviewed by
the Office of Management and Budget under the authority of the
Paperwork Reduction Act of 1995 (44 U.S.C. 35).
VI. Regulatory Impact Statement
We have examined the impact of this rule as required by Executive
Order 12866 (September 1993, Regulatory Planning and Review), the
Regulatory Flexibility Act (RFA) (September 19, 1980, Pub. L. 96-354),
section 1102(b) of the Social Security Act (the Act), the Unfunded
Mandates Reform Act of 1995 (Pub. L. 104-4), and Executive Order 13132.
Executive Order 12866 directs agencies to assess all costs and
benefits of available regulatory alternatives and, if regulation is
necessary, to select regulatory approaches that maximize net benefits
(including potential economic, environmental, public health and safety
effects, distributive impacts, and equity). A regulatory impact
analysis (RIA) must be prepared for regulating actions with
economically significant effects ($100 million or more in any one year
or other substantial adverse economic effects) known as ``major
rules''. This rule does not meet the ``major rule'' criteria therefore
we are not preparing an RIA.
The RFA requires agencies to analyze options for regulatory relief
of small businesses. For purposes of the RFA, small entities include
small businesses, nonprofit organizations, and small governmental
jurisdictions. Most hospitals and most other providers and suppliers
are small entities, either by nonprofit status or by having revenues of
$6 million to $29 million in any one year. Individuals and States are
not included in the definition of a small entity. We are not preparing
an analysis for the RFA because we have determined that this rule will
not have a significant economic impact on a substantial number of small
entities.
In addition, section 1102(b) of the Act requires us to prepare a
regulatory impact analysis if a rule may have a significant impact on
the operations of a substantial number of small rural hospitals. This
analysis must conform to the provisions of section 604 of the RFA. For
purposes of section 1102(b) of the Act, we define a small rural
hospital as a hospital that is located outside of a Metropolitan
Statistical Area and has fewer than 100 beds. We are not preparing an
analysis for section 1102(b) of the Act because we have determined that
this rule will not have a significant impact on the operations of a
substantial number of small rural hospitals.
Section 202 of the Unfunded Mandates Reform Act of 1995 also
requires that agencies assess anticipated costs and benefits before
issuing any rule whose mandates require spending in any one year of
$100 million in 1995 dollars, updated annually for inflation. That
threshold level is currently approximately $120 million. This final
rule will have no consequential effect on State, local, or tribal
governments or on the private sector.
Executive Order 13132 establishes certain requirements that an
agency must meet when it promulgates a proposed rule (and subsequent
final
[[Page 55775]]
rule) that imposes substantial direct requirement costs on State and
local governments, preempts State law, or otherwise has Federalism
implications. Since this regulation does not impose any costs on State
or local governments, the requirements of Executive Order 13132 are not
applicable.
In accordance with the provisions of Executive Order 12866, this
regulation was reviewed by the Office of Management and Budget.
List of Subjects for 45 CFR Part 5b Privacy.
0
For the reasons set forth in the preamble, the Department of Health and
Human Services amends 45 CFR part 5b as set forth below:
PART 5b--PRIVACY ACT REGULATIONS
0
1. The authority citation for part 5b continues to read as follows:
Authority: 5 U.S.C. 301, 5 U.S.C. 552a.
0
2. Section 5b.11 is revised by adding paragraphs (b)(2)(ii)(H), (I),
(J), and (K) to read as follows:
Sec. 5b.11 Exempt Systems
* * * * *
(b) * * *
(2) * * *
(ii) * * *
(H) Investigative materials compiled for law enforcement purposes
from the CMS Fraud Investigation Database (FID), HHS/CMS.
(I) Investigative materials compiled for law enforcement purposes
from the Automated Survey Processing Environment (ASPEN) Complaints/
Incidents Tracking System (ACTS), HHS/CMS.
(J) Investigative materials compiled for law enforcement purposes
from the Health Insurance Portability and Accountability Act (HIPAA)
Information Tracking System (HITS), HHS/CMS.
(K) Investigative materials compiled for law enforcement purposes
from the Organ Procurement Organizations System (OPOS), HHS/CMS.
* * * * *
Dated: November 20, 2007.
Kerry Weems,
Acting Administrator, Centers for Medicare & Medicaid Services.
Approved: June 13, 2008.
Michael O. Leavitt,
Secretary.
Editorial Note: This document was received at the Office of the
Federal Register on September 16, 2008.
[FR Doc. E8-21909 Filed 9-25-08; 8:45 am]
BILLING CODE 4120-01-P