[Federal Register Volume 75, Number 106 (Thursday, June 3, 2010)]
[Notices]
[Pages 31440-31445]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-13178]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Privacy Act of 1974; Report of a New System of Records
AGENCY: Department of Health and Human Services (HHS).
ACTION: Notice of a New System of Records.
-----------------------------------------------------------------------
SUMMARY: In accordance with the requirements of the Privacy Act of
1974, the U.S. Department of Health & Human Services (HHS) is proposing
to establish a new system of records (SOR) titled ``Early Retirement
Reinsurance Program (ERRP),'' System No. 09-90-0250. Under authority of
Section 1102 of the Patient Protection and Affordable Care Act (the
Affordable Care Act) (Pub. L. 111-148) the Early Retiree Reinsurance
Program is established. The program provides reimbursement to
participating employment-based plans for a portion of the cost of
health benefits for early retirees and their spouses, surviving spouses
and dependents. The system will collect and maintain information on
individuals associated with plan sponsors who perform key tasks on
behalf of the sponsor in order for the sponsor to participate in and
receive reimbursement under the program. The system will also collect
and maintain information on early retirees, and their spouses, etc., so
that sponsors' eligibility to receive reimbursement for the claims of
such specific individuals can be verified. The system will also collect
and maintain information related to the documentation of actual medical
costs of claims for health benefits submitted to the Department, to
ensure accurate reimbursement under the program.
The purpose of this system is to collect and maintain information
on individuals who are early retirees (and spouses, etc.) such that
sponsors' eligibility to receive reimbursement for the claims of such
specific individuals can be verified, to collect and maintain
information on individuals who are associated with plan sponsors who
perform key tasks on behalf of the sponsor, so that the sponsor can
participate in and get reimbursement under the program, and to collect
and maintain documentation of the actual costs of medical claims, so
that accurate and timely reimbursements may be made to plan sponsors
who continue to offer qualifying health benefits to early retirees (and
spouses, etc.). Information
[[Page 31441]]
maintained in this system will also be disclosed to: (1) Support
regulatory, reimbursement, and policy functions performed by an HHS
contractor, consultant or grantee; (2) assist another Federal or State
agency, agency of a State government, an agency established by State
law, or its fiscal agent; (3) support litigation involving the
Department; (4) combat fraud and abuse in certain health benefits
programs; and (5) assist efforts to respond to a suspected or confirmed
breach of the security or confidentiality of information maintained in
this system of records. We have provided background information about
the modified system in the ``Supplementary Information'' section below.
Although the Privacy Act requires only that HHS provide an opportunity
for interested persons to comment on the proposed routine uses, HHS
invites comments on all portions of this notice. See ``Effective
Dates'' section for comment period.
DATES: Effective Dates: HHS filed a new system report with the Chair of
the House Committee on Government Reform and Oversight, the Chair of
the Senate Committee on Homeland Security & Governmental Affairs, and
the Administrator, Office of Information and Regulatory Affairs, Office
of Management and Budget (OMB) on May 19, 2010. To ensure that all
parties have adequate time in which to comment, the new system,
including routine uses, will become effective 30 days from the
publication of the notice, or 40 days from the date it was submitted to
OMB and Congress, whichever is later, unless HHS receives comments that
require alterations to this notice.
ADDRESSES: The public should address comments to: HHS Privacy Officer,
Office of the Secretary, Office of the Assistant Secretary for Public
Affairs (ASPA), Freedom of Information/Privacy Acts Division, 330 ``C''
Street, SW., Washington, DC 20201. Telephone number: (202) 690-7453.
Comments received will be available for review at this location, by
appointment, during regular business hours, Monday through Friday from
9 a.m.-3 p.m., Eastern Time zone.
FOR FURTHER INFORMATION CONTACT: David Mlawsky, Office of Consumer
Information and Insurance Oversight (OCIIO), Office of the Secretary,
Department of Health and Human Services. He can be reached at (410)
786-6851, or contact via e-mail at [email protected].
SUPPLEMENTARY INFORMATION: Rising costs have made it more difficult for
employers to provide quality, affordable health insurance for workers
and retirees. People in the early retiree age group often face
difficulties obtaining insurance in the individual market because of
age or chronic conditions that make coverage unaffordable and
inaccessible. The program provides needed financial help for employer-
based plans to continue to provide valuable coverage to plan
participants.
Section 1102(a)(2)(B) of the Affordable Care Act defines
``employment-based plan'' to include a group benefits plan providing
health benefits that is maintained by private employers, State or local
governments, employee organizations, voluntary employees' beneficiary
association, a committee or board of individuals appointed to
administer such plan, or a multiemployer plan (as defined by Employee
Retirement Income Security Act, or ERISA). Section 1102 does not
differentiate between health benefits provided by self-funded plans or
through the purchase of insurance.
The statute at section 1102(a)(2)(C) defines ``early retirees'' as
individuals who are age 55 and older but are not eligible for coverage
under Medicare, and who are not active employees of an employer
maintaining, or currently contributing to, the employment-based plan or
of any employer that has made substantial contributions to fund such
plan. The definition of early retiree in the program's implementing
regulation at 45 CFR 149.2 clarifies that spouses, surviving spouses,
and dependents are also included in the definition of early retiree.
This definition accommodates the language in section 1102(a)(1) of the
statute, which states that reimbursement under the program is made to
cover a portion of the costs of providing health coverage to early
retirees and to the eligible spouses, surviving spouses, and dependents
of such retirees. Reimbursement can be made under the program for the
health benefit costs of eligible spouses, surviving spouses, and
dependents of such retirees, even if they are under the age of 55, and/
or are eligible for Medicare.
When submitting claims for reimbursement, employment-based plans
(or their insurers) will submit documentation of the actual costs of
the medical claims, indicating the health benefit provided, the
provider or supplier, the incurred date, the individual for whom the
health benefit was provided, the date and amount of payment net any
known negotiated price concessions, and the employment-based plan and
benefit option under which the health benefit was provided.
The Congress appropriated funding of $5 billion for the temporary
program. The Secretary will reimburse plans 80 percent of the costs for
health benefits for valid claims between $15,000 and $90,000 (with
those amounts being indexed for plan years starting on or after October
1, 2011). Section 1102(a)(1) required the Secretary to establish this
temporary program not later than 90 days after enactment of the
statute, which is June 21, 2010. The Secretary has established an
effective date of June 1, 2010. The program ends no later than January
1, 2014.
I. Description of the Proposed System of Records
A. Statutory and Regulatory Basis for System
Authority for the collection, maintenance, and disclosures from
this system is given under provisions of Sec. 1102 of the Affordable
Care Act and its implementing regulations codified at Title 45 Code of
Federal Regulations (CFR) Part 149.
B. Collection and Maintenance of Data in the System
Information in this system is maintained on early retirees and
their spouses, surviving spouses, and dependents that are enrolled in
employment-based plans that participate in the program. Information
maintained in this system includes, but is not limited to, first name,
last name, middle initial, date of birth, Social Security Number (SSN),
gender, standard data for identification such as Plan Sponsor
Identification Number, Application Identification Number, Benefit
Option Identifier, and relationship to early retiree.
Information in this system is also maintained on individuals
associated with plan sponsors who perform key tasks on behalf of the
sponsor, so that the sponsor can participate in and get reimbursement
under the program. Information maintained in the system regarding these
individuals includes, but is not limited to, standard data for
identification such as Plan Sponsor Identification Number, Application
Identification Number, Benefit Option Identifier, the individual's
first name, middle initial, last name, job title, date of birth, social
security number, e-mail address, telephone number, fax number, employer
name, and business address. When submitting claims to the Department
for reimbursement, employment-based plans (or their insurers) will
submit documentation of the actual costs of the medical claims,
including the health benefit provided, the provider or supplier, the
incurred date, the individual for whom the health benefit was provided,
the date and
[[Page 31442]]
amount of payment net any known negotiated price concessions, and the
employment-based plan and benefit option under which the health benefit
was provided. Thus, such information is maintained in this system.
II. Agency Policies, Procedures, and Restrictions on Routine Uses
A. The Privacy Act permits us to disclose information without an
individual's consent if the information is to be used for a purpose
that is compatible with the purpose(s) for which the information was
collected. Any such disclosure of data is known as a ``routine use.''
The government will only release ERRP information that can be
associated with an individual as provided for under ``Section III.
Proposed Routine Use Disclosures of Data in the System.'' Both
identifiable and non-identifiable data may be disclosed under a routine
use.
We will only disclose the minimum personal data necessary to
achieve the purpose of ERRP. HHS has the following policies and
procedures concerning disclosures of information that will be
maintained in the system. In general, disclosure of information from
the system will be approved only for the minimum information necessary
to accomplish the purpose of the disclosure and only after HHS:
1. Determines that the use or disclosure is consistent with the
reason that the data is being collected, e.g., to collect, maintain,
and process information necessary to effectively and efficiently
administer the ERRP;
2. Determines that:
a. The purpose for which the disclosure is to be made can only be
accomplished if the record is provided in individually identifiable
form;
b. The purpose for which the disclosure is to be made is of
sufficient importance to warrant the effect and/or risk on the privacy
of the individual that additional exposure of the record might bring;
and
c. There is a strong probability that the proposed use of the data
would in fact accomplish the stated purpose(s).
3. Requires the information recipient to:
a. Establish administrative, technical, and physical safeguards to
prevent unauthorized use of disclosure of the record;
b. Remove or destroy at the earliest time all individually-
identifiable information; and
c. Agree to not use or disclose the information for any purpose
other than the stated purpose under which the information was
disclosed.
4. Determines that the data are valid and reliable.
III. Proposed Routine Use Disclosures of Data in the System
A. Entities Who May Receive Disclosures Under Routine Use
These routine uses specify circumstances, in addition to those
provided by statute in the Privacy Act of 1974, under which HHS may
release information from the ERRP without the consent of the individual
to whom such information pertains. Each proposed disclosure of
information under these routine uses will be evaluated to ensure that
the disclosure is legally permissible, including but not limited to
ensuring that the purpose of the disclosure is compatible with the
purpose for which the information was collected. We propose to
establish the following routine use disclosures of information
maintained in the system:
1. To support HHS contractors, consultants, or HHS grantees who
have been engaged by HHS to assist in accomplishment of an HHS function
relating to the purposes for this SOR and who need to have access to
the records in order to assist HHS.
We contemplate disclosing information under this routine use only
in situations in which HHS may enter into a contractual or similar
agreement with a third party to assist in accomplishing an HHS function
relating to purposes for this SOR.
HHS occasionally contracts out certain of its functions when doing
so would contribute to effective and efficient operations. HHS will
give a contractor, consultant, or HHS grantee the information necessary
for the contractor or consultant to fulfill its duties. In these
situations, safeguards are provided in the contract prohibiting the
contractor, consultant, or grantee from using or disclosing the
information for any purpose other than that described in the contract
and requires the contractor, consultant, or grantee to return or
destroy all information at the completion of the contract. Contractors
are also required to provide the appropriate management, operational,
and technical controls to secure the data.
2. To assist another Federal or State agency, agency of a State
government, an agency established by State law, or its fiscal agent
pursuant to agreements with HHS to:
a. Contribute to the accuracy of HHS''s reimbursement to sponsors
under the ERRP;
b. Enable such agency to administer a Federal health benefits
program, or as necessary to enable such agency to fulfill a requirement
of a Federal statute or regulation that implements a health benefits
program funded in whole or in part with Federal funds, and/or
c. Assist Federal/State Medicaid programs which may require ERRP
information for purposes related to this system.
Other Federal or State agencies in their administration of a
Federal health program may require ERRP information in order to support
evaluations and monitoring of claims information of beneficiaries,
including proper reimbursement for services provided.
3. To support the Department of Justice (DOJ), court, or
adjudicatory body when:
a. The Department or any component thereof, or
b. Any employee of HHS in his or her official capacity, or
c. Any employee of HHS in his or her individual capacity where the
DOJ has agreed to represent the employee, or
d. The United States Government, is a party to litigation or has an
interest in such litigation, and by careful review, HHS determines that
the records are both relevant and necessary to the litigation and that
the use of such records by the DOJ, court or adjudicatory body is
compatible with the purpose for which the agency collected the records.
Whenever HHS is involved in litigation, or occasionally when
another party is involved in litigation and HHS's policies or
operations could be affected by the outcome of the litigation, HHS
would be able to disclose information to the DOJ, court, or
adjudicatory body involved.
4. To assist an HHS contractor (including, but not limited to
fiscal intermediaries and carriers) that assists in the administration
of an HHS-administered health benefits program, or to a grantee of an
HHS-administered grant program, when disclosure is deemed reasonably
necessary by HHS to prevent, deter, discover, detect, investigate,
examine, prosecute, sue with respect to, defend against, correct,
remedy, or otherwise combat fraud, waste or abuse in such program.
We contemplate disclosing information under this routine use only
in situations in which HHS may enter into a contract or grant with a
third party to assist in accomplishing HHS functions relating to the
purpose of combating fraud, waste or abuse.
HHS occasionally contracts out certain of its functions when doing
so would contribute to effective and efficient operations. HHS must be
able to give a contractor or grantee whatever
[[Page 31443]]
information is necessary for the contractor or grantee to fulfill its
duties. In these situations, safeguards are provided in the contract
prohibiting the contractor or grantee from using or disclosing the
information for any purpose other than that described in the contract
and requiring the contractor or grantee to return or destroy all
information.
5. To assist another Federal agency or to an instrumentality of any
governmental jurisdiction within or under the control of the United
States (including any State or local governmental agency), that
administers, or that has the authority to investigate potential fraud,
waste or abuse in a health benefits program funded in whole or in part
by Federal funds, when disclosure is deemed reasonably necessary by HHS
to prevent, deter, discover, detect, investigate, examine, prosecute,
sue with respect to, defend against, correct, remedy, or otherwise
combat fraud, waste or abuse in such programs.
Other agencies may require ERRP information for the purpose of
combating fraud, waste or abuse in such Federally-funded programs.
6. To assist appropriate Federal agencies and Department
contractors that have a need to know the information for the purpose of
assisting the Department's efforts to respond to a suspected or
confirmed breach of the security or confidentiality of information
maintained in this system of records, and the information disclosed is
relevant and unnecessary for the assistance.
Other agencies may require ERRP information for the purpose of
assisting the Department's efforts to respond to a suspected or
confirmed breach of the security or confidentiality of information
maintained in this system of records.
B. Additional Circumstances Affecting Routine Use Disclosures
Our policy will be to prohibit release even of data not directly
identifiable, except pursuant to one of the routine uses or if required
by law, if we determine there is a possibility that an individual can
be identified through implicit deduction based on small cell sizes
(instances where the patient population is so small that individuals
could, because of the small size, use this information to deduce the
identity of the individual).
IV. Safeguards
HHS has safeguards in place for authorized users and monitors such
users to ensure against unauthorized use. Personnel having access to
the system have been trained in the Privacy Act and information
security requirements. Employees who maintain records in this system
are instructed not to release data until the intended recipient agrees
to implement appropriate management, operational and technical
safeguards sufficient to protect the confidentiality, integrity and
availability of the information and information systems and to prevent
unauthorized access.
This system will conform to all applicable Federal laws and
regulations and Federal and HHS policies and standards as they relate
to information security and data privacy. These laws and regulations
include but are not limited to: The Privacy Act of 1974; the Federal
Information Security Management Act of 2002; the Computer Fraud and
Abuse Act of 1986; the E-Government Act of 2002, and the Clinger-Cohen
Act of 1996; OMB Circular A-130, Management of Federal Resources,
Appendix III, Security of Federal Automated Information Resources also
applies. Federal and HHS policies and standards include but are not
limited to: All pertinent National Institute of Standards and
Technology publications; and the HHS Information Systems Program
Handbook.
V. Effects of the New System on the Rights of Individuals
HHS proposes to establish this system in accordance with the
principles and requirements of the Privacy Act and will collect, use,
and disseminate information only as prescribed therein. We will only
disclose the minimum personal data necessary to achieve the purpose of
ERRP. Disclosure of information from the system will be approved only
to the extent necessary to accomplish the purpose of the disclosure.
HHS has assigned a higher level of security clearance for the
information maintained in this system in an effort to provide added
security and protection of data in this system.
HHS will take precautionary measures to minimize the risks of
unauthorized access to the records and the potential harm to individual
privacy or other personal or property rights. HHS will collect only
that information necessary to perform the system's functions. In
addition, HHS will make disclosure from the proposed system only with
consent of the subject individual, or his/her legal representative, or
in accordance with an applicable exception provision of the Privacy
Act.
HHS, therefore, does not anticipate an unfavorable effect on
individual privacy as a result of the disclosure of information
relating to individuals.
Dated: May 20, 2010.
Jay Angoff,
Director Office of Consumer Information and Insurance Oversight.
SYSTEM NUMBER: 09-90-0250
SYSTEM NAME:
``Early Retirement Reinsurance Program (ERRP),'' OCIIO, OS/HHS.
SECURITY CLASSIFICATION:
Level Three Privacy Act Sensitive.
SYSTEM LOCATION:
Office of Consumer Information and Insurance Oversight, U.S.
Department of Health & Human Services, 200 Independence Avenue, SW.,
Suite 738F, Washington, DC 20201.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
Information in this system is maintained on individuals associated
with plan sponsors who perform key tasks on behalf of the sponsor, so
that the sponsor can participate in and get reimbursement under the
program. Information in this system is also maintained on early
retirees and their spouses, surviving spouses, and dependents that are
enrolled in employment-based plans that participate in the program.
With respect to medical claims submitted by plan sponsors for
reimbursement, information in this system is maintained on early
retirees and their spouses, surviving spouses, and dependents with
respect to those medical claims, including the health benefit provided,
the provider or supplier, the incurred date, the individual for whom
the health benefit was provided, the date and amount of payment net any
known negotiated price concessions, and the employment-based plan and
benefit option under which the health benefit was provided.
CATEGORIES OF RECORDS IN THE SYSTEM:
Information in this system is maintained on early retirees and
their spouses, surviving spouses, and dependents that are enrolled in
employment-based plans that participate in the program. Information
maintained in this system includes, but is not limited to, first name,
last name, middle initial, date of birth, Social Security Number (SSN),
gender, standard data for identification such as Plan Sponsor
Identification Number, Application Identification Number, Benefit
Option Identifier, and relationship to early retiree. Information in
this system is maintained on
[[Page 31444]]
individuals associated with plan sponsors who perform key tasks on
behalf of the sponsor, so that the sponsor can participate in and get
reimbursement under the program. Information maintained in the system
regarding these individuals includes, but is not limited to, standard
data for identification such as Plan Sponsor Identification Number,
Application Identification Number, Benefit Option Identifier, the
individual's first name, middle initial, last name, job title, date of
birth, social security number, e-mail address, telephone number, fax
number, employer name, and business address. With respect to medical
claims submitted by plan sponsors for reimbursement, information in
this system is maintained on early retirees and their spouses,
surviving spouses, and dependents with respect to those medical claims,
including the health benefit provided, the provider or supplier, the
incurred date, the individual for whom the health benefit was provided,
the date and amount of payment net any known negotiated price
concessions, and the employment-based plan and benefit option under
which the health benefit was provided.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Authority for the collection, maintenance, and disclosures from
this system is given under provisions of Sec. 1102 of the Affordable
Care Act and its implementing regulations codified at Title 45 Code of
Federal Regulations (CFR) Part 149.
PURPOSE(S) OF THE SYSTEM:
The purpose of this system is to collect and maintain information
on individuals who are early retirees (and spouses, etc.), to collect
and maintain information on individuals who are associated with plan
sponsors who perform key tasks on behalf of the sponsor, and to collect
and maintain information on medical claims submitted to the U.S.
Department of Health & Human Services (HHS) for reimbursement, so that
accurate and timely reimbursements may be made to plan sponsors who
continue to offer qualifying health benefits to such individuals.
Information maintained in this system will also be disclosed to:
(1)Support regulatory, reimbursement, and policy functions performed by
an HHS contractor, consultant or grantee; (2) assist another Federal or
State agency, agency of a State government, an agency established by
State law, or its fiscal agent; (3) support litigation involving the
Department; (4) combat fraud and abuse in certain health benefits
programs; and (5) assist efforts to respond to a suspected or confirmed
breach of the security or confidentiality of information maintained in
this system of records.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OR USERS AND THE PURPOSES OF SUCH USES:
B. Entities Who May Receive Disclosures Under Routine Use
These routine uses specify circumstances, in addition to those
provided by statute in the Privacy Act of 1974, under which HHS may
release information from the ERRP without the consent of the individual
to whom such information pertains. Each proposed disclosure of
information under these routine uses will be evaluated to ensure that
the disclosure is legally permissible, including but not limited to
ensuring that the purpose of the disclosure is compatible with the
purpose for which the information was collected. We propose to
establish or modify the following routine use disclosures of
information maintained in the system:
1. To support Agency contractors, consultants, or HHS grantees who
have been engaged by the Agency to assist in accomplishment of an HHS
function relating to the purposes for this SOR and who need to have
access to the records in order to assist HHS.
2. To assist another Federal or State agency, agency of a State
government, an agency established by State law, or its fiscal agent
pursuant to agreements with HHS to:
a. Contribute to the accuracy of HHS's reimbursement to sponsors
under the ERRP,
b. Enable such agency to administer a Federal health benefits
program, or as necessary to enable such agency to fulfill a requirement
of a Federal statute or regulation that implements a health benefits
program funded in whole or in part with Federal funds, and/or
c. Assist Federal/State Medicaid programs which may require ERRP
information for purposes related to this system.
3. To the Department of Justice (DOJ), court, or adjudicatory body
when:
b. The Agency or any component thereof, or
e. Any employee of the Agency in his or her official capacity, or
f. Any employee of the Agency in his or her individual capacity
where the DOJ has agreed to represent the employee, or
g. The United States Government, is a party to litigation or has an
interest in such litigation, and by careful review, HHS determines that
the records are both relevant and necessary to the litigation and that
the use of such records by the DOJ, court or adjudicatory body is
compatible with the purpose for which the agency collected the records.
4. To assist an HHS contractor (including, but not limited to
fiscal intermediaries and carriers) that assists in the administration
of an HHS-administered health benefits program, or to a grantee of an
HHS-administered grant program, when disclosure is deemed reasonably
necessary by HHS to prevent, deter, discover, detect, investigate,
examine, prosecute, sue with respect to, defend against, correct,
remedy, or otherwise combat fraud, waste or abuse in such program.
5. To assist another Federal agency or to an instrumentality of any
governmental jurisdiction within or under the control of the United
States (including any State or local governmental agency), that
administers, or that has the authority to investigate potential fraud,
waste or abuse in a health benefits program funded in whole or in part
by Federal funds, when disclosure is deemed reasonably necessary by HHS
to prevent, deter, discover, detect, investigate, examine, prosecute,
sue with respect to, defend against, correct, remedy, or otherwise
combat fraud, waste or abuse in such programs.
6. To appropriate Federal agencies and Department contractors that
have a need to know the information for the purpose of assisting the
Department's efforts to respond to a suspected or confirmed breach of
the security or confidentiality of information disclosed is relevant
and necessary for that assistance.
C. Additional Circumstances Affecting Routine Use Disclosures
Our policy will be to prohibit release even of data not directly
identifiable, except pursuant to one of the routine uses or if required
by law, if we determine there is a possibility that an individual can
be identified through implicit deduction based on small cell sizes
(instances where the patient population is so small that individuals
could, because of the small size, use this information to deduce the
identity of the beneficiary).
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING,
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
We will be storing records in hardcopy files and various electronic
storage media (including DB2, Oracle, and other relational data
structures).
[[Page 31445]]
RETRIEVABILITY:
Information is most frequently retrieved by first name, last name,
middle initial, date of birth, or Social Security Number (SSN).
SAFEGUARDS:
HHS has safeguards in place for authorized users and monitors such
users to ensure against unauthorized use. Personnel having access to
the system have been trained in the Privacy Act and information
security requirements. Employees who maintain records in this system
are instructed not to release data until the intended recipient agrees
to implement appropriate management, operational and technical
safeguards sufficient to protect the confidentiality, integrity and
availability of the information and information systems and to prevent
unauthorized access.
This system will conform to all applicable Federal laws and
regulations and Federal, HHS, and HHS policies and standards as they
relate to information security and data privacy. These laws and
regulations include but are not limited to: The Privacy Act of 1974;
the Federal Information Security Management Act of 2002; the Computer
Fraud and Abuse Act of 1986; the E-Government Act of 2002, and the
Clinger-Cohen Act of 1996. OMB Circular A-130, Management of Federal
Resources, Appendix III, Security of Federal Automated Information
Resources also applies. Federal, HHS, and HHS policies and standards
include but are not limited to: all pertinent National Institute of
Standards and Technology publications; and the HHS Information Systems
Program Handbook. HHS will give a contractor, consultant, or HHS
grantee the information necessary for the contractor or consultant to
fulfill its duties. In these situations, safeguards are provided in the
contract prohibiting the contractor, consultant, or grantee from using
or disclosing the information for any purpose other than that described
in the contract and requires the contractor, consultant, or grantee to
return or destroy all information at the completion of the contract.
Contractors are also required to provide the appropriate management,
operational, and technical controls to secure the data.
RETENTION AND DISPOSAL:
Records are maintained with identifiers for all transactions after
they are entered into the system for a period of 10 years. Records are
housed in both active and archival files in accordance with HHS data
and document management policies and standards. All sponsor
applications, claims, and other program-related records are encompassed
by the document preservation order and will be retained until
notification is received from the Department of Justice.
SYSTEM MANAGER AND ADDRESS:
David Gardner, Acting Director, Early Retiree Reinsurance Division,
Office of Insurance Programs, Office of Consumer Information and
Insurance Oversight, U.S. Department of Health & Human Services, 200
Independence Avenue, SW., Suite 738F, Washington, DC 20201.
NOTIFICATION PROCEDURE:
For purpose of notification, the subject individual should write to
the system manager who will require the system name, and the retrieval
selection criteria (e.g., name, SSN, etc.).
RECORD ACCESS PROCEDURE:
For purpose of access, use the same procedures outlined in
Notification Procedures above. Requestors should also reasonably
specify the record contents being sought. (These procedures are in
accordance with Department regulation 45 CFR 5b.5(a)(2)).
CONTESTING RECORD PROCEDURES:
The subject individual should contact the system manager named
above, and reasonably identify the record and specify the information
to be contested. State the corrective action sought and the reasons for
the correction with supporting justification. (These procedures are in
accordance with Department regulation 45 CFR 5b.7).
RECORD SOURCE CATEGORIES:
Record source categories include program participants, individuals
on whose behalf reimbursements are being sought, and those who
voluntarily submit data and personal information for the ERRP program.
SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
None.
[FR Doc. 2010-13178 Filed 6-2-10; 8:45 am]
BILLING CODE 4150-65-P