[Federal Register Volume 75, Number 70 (Tuesday, April 13, 2010)]
[Notices]
[Pages 18841-18846]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-8412]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office for Civil Rights; Privacy Act of 1974, Amended System of
Records
AGENCY: Office for Civil Rights (OCR), Department of Health and Human
Services (HHS or the Department).
ACTION: Notice of modified or altered System of Records (SOR).
-----------------------------------------------------------------------
SUMMARY: In accordance with the Privacy Act, we are proposing to modify
or alter an existing SOR, ``Program Information Management System
(PIMS),'' System No. 09-90-0052, published at 67 FR 57011, September 6,
2002. First, we propose to add a new authority, the Health Information
Technology for Economic and Clinical Health (HITECH) Act, part of the
American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5), to
those under which OCR collects information. Second, we propose to add
three new purposes of the PIMS system. Third, we propose to add six new
routine uses to the PIMS system. Fourth, we propose to expand the
categories of information stored in the PIMS system to include
information that covered entities under the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) and their business
associates report to the Secretary with respect to a breach of
protected health information. See Effective Dates section for comment
period.
DATES: Effective Dates: OCR filed a system report with the Chair of the
House Committee on Government Reform and Oversight, the Chair of the
Senate Committee on Homeland Security and Governmental Affairs, and the
Administrator, Office of Information and Regulatory Affairs, Office of
Management and Budget (OMB) on March 30, 2010. Comments on this SOR may
be submitted within 40 days from the publication of the notice, or from
the date it was submitted to OMB and the Congress, whichever is later.
The SOR, including routine uses, will become effective at the end of
the 40-day period, unless OCR receives comments that require
alterations to this notice.
ADDRESSES: You may submit comments by any of the following methods
(please do not submit duplicate comments):
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments. Attachments should be
in Microsoft Word, WordPerfect, or Excel; however, we prefer Microsoft
Word.
Regular, Express, or Overnight Mail: U.S. Department of
Health and Human Services, Office for Civil Rights, Attention: PIMS
System of Records, Hubert H. Humphrey Building, Room 509F, 200
Independence Avenue, SW., Washington, DC 20201. Please submit one
original and two copies.
Hand Delivery or Courier: Office for Civil Rights,
Attention: PIMS System of Records, Hubert H. Humphrey Building, Room
509F, 200 Independence Avenue, SW., Washington, DC 20201. Please submit
one original and two copies. (Because access to the interior of the
Hubert H. Humphrey Building is not readily available to persons without
Federal government identification, commenters are encouraged to leave
their comments in the mail drop slots located in the main lobby of the
building.)
Inspection of Public Comments: All comments received before the
close of the comment period will be available for public inspection,
including any personally identifiable or confidential business
information that is included in a comment. We will post all comments
received before the close of the comment period at http://www.regulations.gov. Because
[[Page 18842]]
comments will be made public, they should not include any sensitive
personal information, such as a person's social security number; date
of birth; driver's license number, state identification number or
foreign country equivalent; passport number; financial account number;
or credit or debit card number. Comments also should not include any
sensitive health information, such as medical records or other
individually identifiable health information.
FOR FURTHER INFORMATION CONTACT: For further information contact: PIMS
Project Manager, Management Operations Division, Office for Civil
Rights, 200 Independence Ave., SW., Room 509F, Washington, DC 20201.
Telephone number: (202) 619-2888.
SUPPLEMENTARY INFORMATION: The system of records (i.e., PIMS) described
in the OCR's Privacy Act notice, 67 FR 57011 (Sept. 6, 2002), is used
by OCR staff and consists of an electronic repository of information
and documents, and supplementary paper document files. PIMS effectively
combined and replaced OCR's two previous systems of records, (CIMS and
the Complaint File and Log), into a single, integrated system with
enhanced electronic storage, retrieval, and tracking capacities that
allows OCR to manage more effectively the information that it collects.
PIMS was modified to add a new authority, the Patient Safety and
Quality Improvement Act of 2005, and altered to add two new routine
uses in OCR's Privacy Act notice at 72 FR 8734 (Feb. 27, 2007).
The Privacy Act permits OCR to disclose information or records
pertaining to an individual without that individual's consent if the
information is to be used for a purpose that is compatible with the
purpose(s) for which the information was collected, 5 U.S.C.
552a(b)(3). Any such disclosure is known as a ``routine use.'' The PIMS
system conforms to applicable law and policy governing the privacy and
security of Federal automated information systems. These include but
are not limited to: The Privacy Act of 1974, Federal Information
Security Management Act of 2002, Computer Security Act of 1987, the
Paperwork Reduction Act of 1995, the Clinger-Cohen Act of 1996, and OMB
Circular A-130, Appendix, III, ``Security of Federal Automated
Information Resources.''
OCR has prepared a system security plan as required by OMB Circular
A-130, Appendix III. This plan conforms fully to guidance issued by the
National Institute for Standards and Technology (NIST) in NIST Special
Publication 800-18, ``Guide for Developing Security Plans for
Information Technology Systems.'' The plan includes performance of a
risk assessment that addresses the confidentiality and integrity of the
data. Only authorized users have access to the information in the
system.
Specific access is structured around need and is determined by the
person's role in the organization. Access is managed through the use of
electronic access control lists, which regulate the ability to read,
change, and delete information in the system. Each OCR user has read
access to designated information in the system, with the ability to
modify only their own submissions or those of others within their
region or group. Data identified as confidential is so designated and
only specified individuals are granted access. The system maintains an
audit trail of all actions against the data base. All electronic data
is stored on servers maintained in locked facilities with computerized
access control allowing access to only those support personnel with a
demonstrated need for access. A database is kept of all individuals
granted security card access to the room, and all visitors are escorted
while in the room. The server facility has appropriate environmental
security controls, including measures to mitigate damage to automated
information system resources caused by fire, electricity, water, and
inadequate climate controls. Access control to servers, individual
computers and databases includes a required user log-on with a
password, inactivity lockout to systems based on a specified period of
time, legal notices and security warnings at log-on, and remote access
security that allows user access for remote users (e.g., while on
government travel) under the same terms and conditions as for users
within the office. System administrators have appropriate security
clearance. Printed materials are filed in secure cabinets in secure
Federal buildings with access based on need as described above for the
automated component of the PIMS system.
Section 13402(e)(3) of the HITECH Act requires HIPAA covered
entities to provide notice to the Secretary of the Department of Health
and Human Services (HHS or the Department) of a breach of unsecured
protected health information. Notice to the Secretary is required
immediately if a breach affects 500 or more individuals and annually
for breaches affecting fewer than 500 individuals. Section 13402(e)(4)
of the HITECH Act requires the Secretary to make available to the
public on the HHS Web site a list that identifies each covered entity
involved in a breach affecting more than 500 individuals. To implement
these HITECH provisions, HHS published an interim final rule on August
24, 2009 (74 FR 42740). Section 164.408(a) of the regulations published
in the interim final rule requires covered entities to notify the
Secretary of breaches of unsecured protected health information.
Section 164.408(b) requires breaches that affect 500 or more
individuals to be reported to the Secretary contemporaneously with
notice to the individual--that is, without unreasonable delay and in no
case later than 60 calendar days after a covered entity discovers a
breach (subject to a law enforcement delay as provided in section
164.412). Section 164.408(c) sets out the annual reporting for breaches
affecting fewer than 500 individuals. Covered entities are required to
report these breaches in the manner specified on the HHS Web site. A
breach report form that has been approved by OMB for collection of this
information can be found at http://transparency.cit.nih.gov/breach/index.cfm. A breach report must be filed through this Web site.
Accordingly, this notice modifies PIMS by adding a new authority
for maintenance of the system, identifies three new purposes of the
PIMS system, adds new routine uses of the PIMS system, and expands the
categories of information stored in the PIMS system. In addition to the
new routine uses proposed because of breach notification requirements
under the HITECH Act, one proposed new routine use regards responding
to breaches of personally identifiable information within the
Department, consistent with Office of Management and Budget (OMB)
Memorandum 07-16, Safeguarding Against and Responding to the Breach of
Personally Identifiable Information, dated May 22, 2007. Another
proposed new routine use regards disclosing relevant personally
identifiable information including the identity of covered entities and
business associates to obtain information relevant and necessary to
investigate violations and potential violations, as well as to conduct
compliance reviews, of the Federal laws and regulations OCR has legal
authority to enforce. The last new proposed routine use regards
allowing OCR to disclose relevant information to the public to inform
the public of the results of investigations and compliance reviews of
the Federal laws and regulations that OCR has legal authority to
enforce, after OCR determines that
[[Page 18843]]
the disclosure would not constitute an unwarranted invasion of personal
privacy. OCR expects these modifications will not result in any
unwarranted invasion of personal privacy.
OCR proposes to add the following authority for maintenance of the
PIMS system: section 13402 of the HITECH Act, part of the American
Recovery and Reinvestment Act of 2009 (Pub. L. 111-5).
OCR proposes to add the following three new purposes of the PIMS
system: (1) To collect, maintain, and post on the HHS Web site a list
of covered entities that experience breaches of unsecured protected
health information affecting more than 500 individuals using
information reported to the Secretary by covered entities (or a
business associate on behalf of a covered entity) as required by
section 13402(e) of the HITECH Act; (2) to develop an annual report to
Congress, as required by section 13402(i) of the HITECH Act, regarding
breach notification using information reported to the Secretary by
covered entities (or a business associate on behalf of a covered
entity) under section 13402(e) of the HITECH Act; and (3) to provide
technical assistance, training, and guidance materials regarding
breaches of protected health information.
OCR proposes to establish the following six new routine use
disclosures of information for PIMS. Each routine use is compatible
with a stated purpose of the system.
I. The first new routine use allows OCR to post on its Web site, as
required by section 13402(e)(4) of the HITECH Act, information reported
by a covered entity (or a business associate on behalf of a covered
entity) to the Secretary pursuant to section 13402(e)(3) of the HITECH
Act that identifies covered entities that experience breaches of
unsecured protected health information affecting more than 500
individuals.
II. The second new routine use allows OCR to disclose information
regarding breaches of unsecured protected health information in an
annual report to Congress, as required by section 13402(i) of the
HITECH Act, regarding the number and nature of the breaches reported to
the Secretary and actions taken in response to such breaches.
III. The third new routine use allows OCR to disclose information
regarding breaches of unsecured protected health information to the
public and to appropriate Federal agencies and Department contractors
to provide technical assistance, training, and guidance materials,
after OCR determines that the disclosure would not constitute an
unwarranted invasion of personal privacy.
IV. The fourth new routine use allows OCR to disclose information
to appropriate Federal agencies and Department contractors that have a
need to know the information for the purpose of assisting the
Department's efforts to respond to a suspected or confirmed breach of
security or confidentiality of information maintained in this system of
records, and the information disclosed is relevant and necessary for
that assistance.
V. The fifth new routine use allows OCR to disclose information to
third party contacts, including public and private organizations, to
investigate violations and potential violations, as well as to conduct
compliance reviews, of the Federal laws and regulations that OCR has
legal authority to enforce.
VI. The sixth new routine use allows OCR to disclose relevant
information to the public to inform the public of the results of
investigations and compliance reviews of the Federal laws and
regulations that OCR has legal authority to enforce, after OCR
determines that the disclosure would not constitute an unwarranted
invasion of personal privacy.
OCR proposes to add the following category of information included
in the PIMS system: Information that HIPAA covered entities (or a
business associate on behalf of a covered entity) (defined in 45 CFR
160.103) are required to provide to HHS to fulfill their breach
notification requirements to the Secretary pursuant to section 13402(e)
of the HITECH Act. This information includes the name, address, and
contact information of the covered entity or business associate, as
well as the contact name of the individual at the covered entity or
business associate that reported the breach of protected health
information.
OCR will continue to collect only information that is necessary to
perform the PIMS functions. We only disclose the minimum personal data
necessary to achieve the purpose of PIMS. Disclosure of information
from the system will be approved only to the extent necessary to
accomplish the purpose of the disclosure. Further, OCR continues to
take precautionary measures to minimize the risks of unauthorized
access to the records and the potential harm to individual privacy or
other individual rights. In addition, OCR makes disclosures from the
PIMS system only with consent of the subject individual, or his/her
legal representative, or in accordance with an applicable exception
provision of the Privacy Act. OCR, therefore, believes that no
unfavorable effect on individual privacy will result from the
modifications and alterations to PIMS proposed herein.
The following notice is written in the present, rather than the
future tense, to avoid the unnecessary expenditure of public funds to
republish the notice after the system has become effective.
Dated: March 30, 2010.
Georgina C. Verdugo,
Director, Office for Civil Rights.
09-90-0052
SYSTEM NAME:
``Program Information Management System'' (PIMS) (09-90-0052) HHS/
OS/OCR.
SECURITY CLASSIFICATION:
None.
SYSTEM LOCATION:
The automated portion of the system is maintained at OCR
Headquarters. Paper files are maintained in headquarters and regional
offices as noted in Appendix I.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
Covered individuals include persons who file complaints alleging
discrimination or violation of their rights or other violations under
the statutes identified below (Authority for Maintenance) and covered
entities (e.g., health care providers) that are individuals and not
organizations or institutions, investigated by OCR as a result of
complaints filed or through reviews conducted by OCR. Covered
individuals also include persons who submit correspondence to OCR
related to other compliance activities (e.g., outreach and public
education), and other correspondence unrelated to a complaint or review
and requiring responses by OCR. Covered individuals also include
covered entities and business associates (that are individuals and not
organizations or institutions), as defined in 45 CFR 160.103, who
report breaches of protected health information by submitting a breach
report through the HHS Web site. In addition, OCR employees that use
the system to record the status of their work are covered by the
system.
CATEGORIES OF RECORDS IN THE SYSTEM:
The system encompasses a variety of records having to do with
complaints, reviews, correspondence, and reports of breaches of
protected health information. For example, the system includes records
containing individual names, Social Security numbers (SSN), tax
identification numbers (TIN),
[[Page 18844]]
addresses, dates of birth, provider names and addresses, physicians'
names, prescriber identification numbers, assigned provider numbers
(facility, referring/servicing physician), and/or other identification
numbers of HIPAA covered entities.
The complaint files and log include complaint allegations,
information gathered during the complaint investigation, findings and
results of the investigation, and correspondence relating to the
investigation, as well as status information for all complaints. This
component of PIMS is exempt from the notification, access, correction
and amendment provisions of the Privacy Act (see below: Systems
Exempted From Certain Provisions of the Act). Equivalent types of
information are maintained for reviews and correspondence activities--
namely, information gathered, findings, results, correspondence and
status.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Authority for the collection, maintenance, and disclosures from
this system is given under Title VI of the 1964 Civil Rights Act;
Sections 533, 542, 794, 855, 1947 and 1908 of the Public Health Service
Act; Sections 504 and 508 of the Rehabilitation Act of 1973; Title II
of the Americans with Disabilities Act of 1990; the Age Discrimination
Act of 1975; the Equal Employment Opportunity Provisions of the Public
Telecommunications Financing Act of 1978; Title VI and Title XVI of the
Public Health Service Act (the ``community services obligation'' of
facilities funded under the Act); Title IX of the 1972 Education
Amendments; Section 407 of the Drug Abuse Office and Treatment Act;
Section 321 of the Comprehensive Alcohol Abuse and Alcoholism
Prevention, Treatment, and Rehabilitation Act of 1970; Section 508 of
the Social Security Act; the Family Violence Prevention and Services
Act; Low-Income Home Energy Assistance Act of 1981; Section 1808 of the
Small Business Job Protection Act of 1996; the Health Insurance
Portability and Accountability Act of 1996; the Patient Safety and
Quality Improvement Act of 2005 (Patient Safety Act); and section 13402
of the Health Information Technology for Economic and Clinical Health
(HITECH) Act.
PURPOSE(S) OF THE SYSTEM:
PIMS is used by OCR staff and consists of an electronic repository
of information and documents, and supplementary paper document files.
PIMS effectively combines and replaces OCR's two previous systems of
records, the ``Case Information Management System (CIMS), HHS/OS/OCR,
09-90-0050,'' and the ``Complaint File and Log, HHS/OS/OCR 09-00-
0051,'' into a single, integrated system with enhanced electronic
storage, retrieval and tracking capacities that allows OCR to manage
more effectively the information it collects.
The system is designed to allow OCR to integrate all of OCR's
various business processes, including all its compliance activities, to
allow for real time access and results reporting and other varied
information management needs. PIMS provides: (1) A single, central,
electronic repository of all significant OCR documents and information,
including investigative files, correspondence, administrative records,
policy and procedure manuals and other documents and information
developed or maintained by OCR; (2) easy, robust capability to search
all the information in OCR's repository; (3) better quality control at
the front end with simplified data entry and stronger data validation;
(4) tools to help staff work on and manage their casework, and (5)
supplementary paper document files. The system has the capacity to
generate reports concerning the status of all current and closed
complaints, reviews, and correspondence; track outreach, training, and
other activities; and to locate and retrieve information, and report
results, in order to manage more efficiently OCR's work. In addition,
PIMS allows for the tracking of work assignments to employees to
facilitate workload balancing, timely response to complaints and
completion of reviews, and outreach and public education initiatives
focused on organizations and individuals.
PIMS also is used by OCR: (1) To collect, maintain, and post on the
HHS Web site a list of covered entities that experience breaches of
unsecured protected health information affecting more than 500
individuals using information reported to the Secretary by covered
entities (or a business associate on behalf of a covered entity) as
required by section 13402(e) of the HITECH Act; (2) to develop an
annual report to Congress, as required by section 13402(i) of the
HITECH Act, regarding breach notification using information reported to
the Secretary by covered entities (or a business associate on behalf of
a covered entity) pursuant to section 13402(e) of the HITECH Act; and
(3) to provide technical assistance, training, and guidance regarding
breaches of protected health information.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OR USERS AND THE PURPOSES OF SUCH USES:
The Privacy Act allows us to disclose information without an
individual's consent if the information is to be used for a purpose
that is compatible with the purpose(s) for which the information was
collected. Any such compatible use of data is known as a ``routine
use.'' The routine uses in this system meet the compatibility
requirement of the Privacy Act. The following are the routine use
disclosures of information maintained in the PIMS system:
I. The first routine use for this system, permitting disclosure to
a congressional office, allows subject individuals to obtain assistance
from their representatives in Congress, should they so desire. Such
disclosure would be made only pursuant to the request of the
individual.
II. The second routine use allows disclosure to the Department of
Justice or a court in the event of litigation.
III. The third routine use allows referral to the appropriate
agency, in the event that a System of Records maintained by this agency
to carry out its functions indicates a violation or potential violation
of law.
IV. The fourth routine use allows disclosure of records to
contractors for the purpose of processing or refining records in the
system.
V. The fifth routine use allows records to be disclosed to student
volunteers, individuals working under a personal services contract, and
other individuals performing functions for the Department but
technically not having the status of agency employees, if they need
access to the records in order to perform their assigned agency
functions.
VI. The sixth routine use allows referrals of Age Discrimination
Act complaints to the Federal Mediation and Conciliation Service (FMCS)
for purposes of mediation.
VII. The seventh routine use allows OCR to post on its Web site, as
required by section 13402(e)(4) of the HITECH Act, information reported
by a covered entity (or a business associate on behalf of a covered
entity) to the Secretary pursuant to section 13402(e)(3) of the HITECH
Act that identifies covered entities that experience breaches of
unsecured protected health information affecting more than 500
individuals.
VIII. The eighth routine use allows OCR to disclose information
regarding breaches of unsecured protected health information in an
annual report to Congress, as required by section 13402(i) of the
HITECH Act, regarding the number and nature of the breaches
[[Page 18845]]
reported to the Secretary and actions taken in response to such
breaches.
IX. The ninth routine use allows OCR to disclose information
regarding breaches of unsecured protected health information to the
public and to appropriate Federal agencies and Department contractors
to provide technical assistance, training, and guidance materials,
after OCR determines that the disclosure would not constitute an
unwarranted invasion of personal privacy.
X. The tenth routine use allows OCR to disclose information to
appropriate Federal agencies and Department contractors that have a
need to know the information for the purpose of assisting the
Department's efforts to respond to a suspected or confirmed breach of
security or confidentiality of information maintained in this system of
records, and the information disclosed is relevant and necessary for
that assistance.
XI. The eleventh routine use allows OCR to disclose information to
third party contacts, including public and private organizations, to
investigate violations and potential violations, as well as to conduct
compliance reviews, of the Federal laws and regulations that OCR has
legal authority to enforce.
XII. The twelfth routine use allows OCR to disclose relevant
information to the public to inform the public of the results of
investigations and compliance reviews of the Federal laws and
regulations that OCR has legal authority to enforce, after OCR
determines that the disclosure would not constitute an unwarranted
invasion of personal privacy.
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING,
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
Automated records are maintained on magnetic disc and tape back-up.
Paper records are kept in file folders.
RETRIEVABILITY:
Records are indexed by transaction number, but may be retrieved by
name, street address, and other complainant, covered entity, or
business associate characteristic (such as type of entity, city, state,
and type of service provided).
SAFEGUARDS:
The PIMS system conforms to applicable law and policy governing the
privacy and security of Federal automated information systems. These
include but are not limited to: the Privacy Act of 1974, Federal
Information Security Management Act of 2002, Computer Security Act of
1987, the Paperwork Reduction Act of 1995, the Clinger-Cohen Act of
1996, and OMB Circular A-130, Appendix, III, ``Security of Federal
Automated Information Resources.'' OCR has prepared a system security
plan as required by OMB Circular A-130, Appendix III. This plan
conforms fully to guidance issued by the National Institute for
Standards and Technology (NIST) in NIST Special Publication 800-18,
``Guide for Developing Security Plans for Information Technology
Systems.'' The plan includes conduct of a risk assessment that
addresses the confidentiality and integrity of the data. Only
authorized users have access to the information in the system.
Categories of users include: OCR investigators, regional and
headquarters managers, team leaders, OCR budget and Government
Performance and Results Act planning staff, program and policy staff,
and data analysts. Specific access is structured around need and is
determined by the person's role in the organization. Access is managed
through the use of electronic access control lists, which regulate the
ability to read, change, and delete information in the system. Each OCR
user has read access to designated information in the system, with the
ability to modify only their own submissions or those of others within
their region or group. Data identified as confidential is so designated
and only specified individuals are granted access. The system maintains
an audit trail of all actions against the data base.
All electronic data is stored on servers maintained in locked
facilities with computerized access control allowing access to only
those support personnel with a demonstrated need for access. A database
is kept of all individuals granted security card access to the room,
and all visitors are escorted while in the room. The server facility
has appropriate environmental security controls, including measures to
mitigate damage to automated information system resources caused by
fire, electricity, water, and inadequate climate controls.
Access control to servers, individual computers, and databases
includes a required user log-on with a password, inactivity lockout to
systems based on a specified period of time, legal notices and security
warnings at log-on, and remote access security that allows user access
for remote users (e.g., while on government travel) under the same
terms and conditions as for users within the office. System
administrators have appropriate security clearance. Printed materials
are filed in secure cabinets in secure Federal buildings with access
based on need as described above for the automated component of the
PIMS system.
RETENTION AND DISPOSAL:
Documents related to breaches are retained at OCR for two years
from the date the breach is reported and then are archived at the
National Archives and Records Administration for 15 years.
Correspondence is retained for one year following the end of the fiscal
year in which processed.
SYSTEM MANAGER AND ADDRESS:
PIMS Project Manager, Management Operations Division, Office for
Civil Rights, 200 Independence Ave., SW., Room 509F, Washington, DC
20201.
NOTIFICATION PROCEDURE:
Contact System Manager (above). Include name and address of
complainant, and name of the recipient against which the allegation was
filed. The Department is exempting all investigative records from this
provision (see below: Records Exempted).
RECORD ACCESS PROCEDURE:
Same as notification procedures. Requesters also should reasonably
specify the record contents being sought. Requests should be made to
the system manager (above). The Department is exempting all
investigative records from this provision. (See below: Records
Exempted).
CONTESTING RECORD PROCEDURE:
Contact the official(s) at the address specified under System
Manager, and reasonably identify the record and specify the information
to be contested and corrective action sought with supporting
justification. (These procedures are in accordance with Department
Regulations (45 CFR 5b.7) The Department is exempting all investigative
records from this provision (see below: Records Exempted).
RECORD SOURCE CATEGORIES:
Information is provided by complainants, covered entities, and
business associates.
SYSTEM RECORDS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
OCR investigative records maintained in PIMS, either as paper
records or electronic documents, are records compiled for law
enforcement purposes and are exempt under subsection (k)(2) from the
notification, access, correction, and amendment provisions of the
Privacy Act.
[[Page 18846]]
APPENDIX NUMBER 1--SYSTEM LOCATIONS:
This system is located at HHS offices in the following cities:
Headquarters, PIMS Project Manager, Management Operations Division,
Office for Civil Rights, 200 Independence Ave., SW., Room 509F,
Washington, DC 20201.
Region I, Regional Manager, OCR/HHS, J.F. Kennedy Federal
Building--Room 1875 Boston, MA 02203.
Region II, Regional Manager, OCR/HHS, 26 Federal Plaza--Suite 3312,
New York, NY 10278.
Region III, Regional Manager, OCR/HHS, 150 S. Independence Mall
West, Suite 372, Public Ledger Building, Philadelphia, PA 19106-9111.
Region IV, Regional Manager, OCR/HHS, Atlanta Federal Center, Suite
3B70, 61 Forsyth Street, SW., Atlanta, GA 30303-8909.
Region V, Regional Manager, OCR/HHS, 233 N. Michigan Ave, Suite
240, Chicago, IL 60601.
Region VI, Regional Manager, OCR/HHS, 1301 Young Street, Suite
1169, Dallas, TX 75202.
Region VII, Regional Manager, OCR/HHS, 601 E. 12th Street--Room
248, Kansas City, MO 64106.
Region VIII, Regional Manager, OCR/HHS, Federal Office Building,
1961 Stout Street--Room 1426 FOB, Denver, CO 80294-3538.
Region IX, Regional Manager, OCR/HHS, 90 7th Street, Suite 4-100,
San Francisco, CA 94103.
Region X, Regional Manager, OCR/HHS, 2201 Sixth Avenue-- M/S: RX-
11, Seattle, WA 98121-2290.
[FR Doc. 2010-8412 Filed 4-12-10; 8:45 am]
BILLING CODE 4153-01-P