[Federal Register: June 26, 2009 (Volume 74, Number 122)]
[Notices]
[Page 30606-30608]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr26jn09-119]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Centers for Medicare & Medicaid Services
Privacy Act of 1974; Addition of a New Routine Use
AGENCY: Department of Health and Human Services (HHS), Centers for
Medicare & Medicaid Services (CMS).
ACTION: Notice to add a new routine use to all CMS systems of records
(SOR).
-----------------------------------------------------------------------
SUMMARY: CMS proposes to add a new routine use to its inventory of SOR
subject to the Privacy Act of 1974 (Title 5 United States Code (U.S.C.)
552a) authorizing disclosure of individually identifiable information
to assist in efforts to respond to a suspected or confirmed breach of
the security or confidentiality of information maintained in these
systems of records. The new routine use will be prioritized in the next
consecutive numbered order of routine uses in each system notice and
will be included in the next published notice as part of our normal SOR
review process. The new routine use will read as follows:
1. To appropriate Federal agencies, Department officials and Agency
contractors that need access to identifiable information to provide
assistance to the Department's efforts to respond to a suspected or
confirmed breach of the security or confidentiality of information. In
order to receive the information, CMS must:
  a. Determines that the use or disclosure does not violate legal
  limitations under which the record was provided, collected, or
  obtained;
  b. Determines that the purpose for which the disclosure is to be
  made:
    (1) Cannot be reasonably accomplished unless the record is provided
    in individually identifiable form,
    (2) is of sufficient importance to warrant the effect and/or risk
    on the privacy of the individual that additional exposure of the record
    might bring, and
    (3) there is reasonable probability that the objective for the use
    would be accomplished;
  c. Requires the recipient of the information to:
    (1) Establish reasonable administrative, technical, and physical
    safeguards to prevent unauthorized use or disclosure of the record, and
    (2) remove or destroy the information that allows the individual to
    be identified at the earliest time at which removal or destruction can
    be accomplished consistent with the purpose of the disclosure, and
    (3) Make no further use or disclosure of the record except:
      (a) In emergency circumstances affecting the health or safety of
      any individual, or
      (b) When required by law.
  d. Secures a written statement attesting to the information
  recipient's understanding of and willingness to abide by these
  provisions and complete a Data Use Agreement (CMS Form 0235) in
  accordance with current CMS policies.
The reason for this routine use is as follows:
Other Federal agencies, Department officials and contractors, as
well as CMS contractors may need access to identifiable information
that is both relevant and necessary to provide assistance to all
efforts to respond to a suspected or confirmed breach of the security
or confidentiality of information maintained in these systems of
records.
DATES: Effective Date: The new routine use will be effective on < DATE
.
ADDRESSES: The public should address comments to: CMS Privacy Officer,
Division of Privacy Compliance, Enterprise Architecture and Strategy
Group, Office of Information Services, CMS, Room N2-04-27, 7500
Security Boulevard, Baltimore, Maryland 21244-1850. The telephone
number is (410) 786-5357. Comments received will be available for
review at this location, by appointment, during regular business hours,
Monday through Friday from 9 a.m.-3 p.m., Eastern Time zone.
SUPPLEMENTARY INFORMATION: On May 22, 2007, the Office of Management
and Budget (OMB) released Memoranda (M) 07-16, Safeguarding Against and
Responding to the Breach of Personally Identifiable Information. HHS
convened a leadership committee composed of members from the Office of
the Chief Information Officer (OCIO), the Office of Assistant Secretary
for Public Affairs (ASPA), and the Office of the Assistant Secretary
for Planning and Evaluation (ASPE) in order to formulate a response
plan for the newly established requirements. The final response plan
was signed by the HHS Chief Information Officer (CIO), Mike Carleton
and submitted to OMB on September 19, 2007. As required by the
memoranda, to comply with the ``Incident Reporting and Handling
Requirements,'' all Operations and Staff Divisions are instructed to
incorporate the suggested routine use language as part of their normal
SOR review process.
Dated: June 16, 2009.
Michelle Snyder,
Deputy Chief Operating Officer, Centers for Medicare & Medicaid
Services.
Attachment A
------------------------------------------------------------------------
SOR No.     Title                                                                             FR published
------------------------------------------------------------------------
09-70-0500  Health Plan Management System (HPMS).                                             71 FR 60718, 10/16/2006
09-70-0501  Medicare Multi-Carrier Claims Systems (MCS).                                      71 FR 64968, 11/06/2006
09-70-0502  Enrollment Data Base (EDB).                                                       73 FR 10249, 02/26/2008
09-70-0503  Fiscal Intermediary Shared System (FISS).                                         71 FR 64961, 11/06/2006
09-70-0514  Medicare Provider Analysis and Review (MEDPAR).                                   71 FR 17470, 04/06/2006
09-70-0519  Medicare Current Beneficiary Survey (MCBS).                                       71 FR 60722, 10/16/2006
09-70-0520  ESRD Program Management and Medical Information System (PMMIS).                   72 FR 26126, 5/8/2007
09-70-0521  Inpatient Rehabilitation Facilities--Patient Assessment Instrument (IRF-PAI).     71 FR 67143, 11/20/2006
09-70-0522  Home Health Agency Outcome and Assessment Information Set (OASIS).               72 FR 63906, 11/13/2007
09-70-0526  Common Working File (CWF).                                                        71 FR 64955, 11/06/2006
09-70-0528  Long Term Care-Minimum Data Set (LTC MDS).                                        72 FR 12801, 3/19/2007
09-70-0532  Provider Enrollment Chain and Ownership System (PECOS).                           71 FR 60536, 10/13/2006
09-70-0536  Medicare Beneficiary Database (MBD).                                              71 FR 11420, 03/07/2006
09-70-0538  Individuals Authorized Access to the CMS Computer Services (IACS).                72 FR 63902, 11/13/2007
09-70-0541  Medicaid Statistical Information System (MSIS).                                   71 FR 65527, 11/08/2006
09-70-0550  Retiree Drug Subsidy Program (RDSP).                                              70 FR 41035, 7/15/2005
09-70-0553  Medicare Drug Data Processing System (DDPS).                                      70 FR 58436, 10/06/2005
09-70-0558  National Claims History File (NCH).                                               71 FR 67137, 11/20/2006
09-70-0568  One Program Integrity Data Repository (ODR).                                      71 FR 64530, 11/02/2006
09-70-0569  Post Acute Care Payment Reform/Continuity Assessment Report Demonstration and     72 FR 55225, 09/28/2007
            Evaluation (PAC-CARE).
09-70-0571  Medicare Integrated Data Repository (IDR).                                        71 FR 64530, 11/02/2006
09-70-0573  Chronic Condition Data Repository (CCDR).                                         71 FR 54495, 09/15/2006
09-70-4001  Medicare Advantage Prescription Drug (MARx).                                      70 FR 60530, 10/18/2005
09-70-0575  Organ Procurement Organizations System (OPOS).                                    71 FR 29336, 05/22/2006
09-70-0594  Minimum Data Set (MDS) for Home and Community Based Alternatives (CBA) to         72 FR 72733, 12/21/2007
            Psychiatric Residential Treatment Facilities (PRTF) (CBA-PRTF).
------------------------------------------------------------------------
[[Page 30608]]
[FR Doc. E9-15192 Filed 6-25-09; 8:45 am]
BILLING CODE 4120-03-P