[Title 20 CFR 401]
[Code of Federal Regulations (annual edition) - April 1, 1996 Edition]
[Title 20 - EMPLOYEES' BENEFITS]
[Chapter III - SOCIAL SECURITY ADMINISTRATION]
[Part 401 - DISCLOSURE OF OFFICIAL RECORDS AND INFORMATION]
[From the U.S. Government Publishing Office]






PART 401--DISCLOSURE OF OFFICIAL RECORDS AND INFORMATION--Table of Contents




                      Subpart A--General Provisions

Sec.
401.100  Purposes of the regulation.
401.105  When the regulation applies.
401.110  Terms defined.
401.115  Situations not specified in this part.
401.120  Safeguards against unauthorized disclosure or use.
401.125  Fees.

                        Subpart B--How Laws Apply

401.200  General.
401.205  Disclosures required by law.
401.210  Disclosures prohibited by law.
401.215  Freedom of Information Act.
401.220  Other laws.

                    Subpart C--Individual Disclosures

401.300  General principles.
401.305  Within HHS.
401.310  Compatible purposes.
401.315  Law enforcement purposes.
401.320  Health or safety.
401.325  Statistical and research activities.
401.330  Congress.
401.335  General Accounting Office.
401.340  Courts.
401.345  Other specific recipients.
401.350  Deceased persons.

            Subpart D--Obtaining and Correcting Your Records

401.400  General.
401.405  How to get your own record.
401.410  Medical information.
401.415  Records about two or more individuals.
401.420  How to correct your record.

                           Subpart E--Appeals

401.500  Which decisions are covered.
401.505  Appeal of refusal to correct a record.
401.510  Appeals after denial of access.

   Subpart F--Disclosures of Addresses by Blood Donor Locator Service

401.600  Blood Donor Locator Service.

    Authority: Secs. 205, 702(a)(5), 1106, and 1141 of the Social 
Security Act (42 U.S.C. 405, 902(a)(5), 1306, and 1320b-11); 5 U.S.C. 
552 and 552a; 8 U.S.C. 1360; 26 U.S.C. 6103; 30 U.S.C. 923.

    Source: 45 FR 74914, Nov. 13, 1980, unless otherwise noted.



Subpart A--General Provisions




Sec. 401.100  Purposes of the regulation.

    The Social Security Administration (SSA) generally provides 
information which individuals request about themselves. This regulation 
describes how individuals may get access to their own records. This 
regulation also describes the rules SSA uses to decide whether to 
disclose information about individuals without their consent. These 
rules are set out in subparts A through E of this part. These rules 
comply with the Freedom of Information Act, the Privacy Act, section 
1106 of the Social Security Act, and other applicable statutes. When 
required by the Privacy Act, SSA publishes notices of routine use for 
public information and comment. Procedures for requesting information 
are in Secs. 422.426 and 422.428 of this chapter and 45 CFR parts 5 and 
5b.

[45 FR 74914, Nov. 13, 1980, as amended at 50 FR 28568, July 15, 1985]



Sec. 401.105  When the regulation applies.

    (a) Scope of rules. This regulation sets out the general guidelines 
which we follow in deciding whether to make disclosures. However, we 
must examine the facts of each case separately to decide if we should 
disclose the information or keep it confidential.
    (b) Social security records. This regulation applies to information 
about an individual contained in SSA's records. Other regulations apply 
to--
    (1) Information which is not about an individual--45 CFR part 5 and 
subpart E of part 22 of this chapter; or
    (2) Information about acts of SSA officials and employees or to 
SSA's personnel records--45 CFR parts 5 and 5b; or
    (3) Information in the possession of a State or local agency 
administering a program of Aid to Families with Dependent Children--45 
CFR 205.50.
    (c) Health insurance records. This regulation also applies to health 
insurance records which SSA maintains for the Health Care Financing 
Administration's (HCFA) programs under title XVIII of the Social 
Security Act. SSA will disclose these records to HCFA. HCFA may 
redisclose these records
under the regulations applying to records in HCFA's custody.
    (d) Black lung benefit records. This regulation also applies to 
records which SSA maintains for the administration of the Federal Coal 
Mine Health and Safety Act. However, this information is not covered by 
section 1106 of the Social Security Act.
    (e) Records kept by consultants. Information retained by a medical, 
psychological or vocational professional concerning an examination 
performed under contract in the social security program shall not be 
disclosed except as permitted by this part.



Sec. 401.110  Terms defined.

    Access, as that term is used in the Privacy Act (5 U.S.C. 552a(d)), 
means the individual's right to review and copy records about that 
individual.
    Act means the Social Security Act.
    Disclosure means the availability or release of a record about an 
individual to another party.
    FOIA means the Freedom of Information Act.
    HHS means the Department of Health and Human Services.
    Individual means a living natural person; this does not include 
corporations, partnerships, and unincorporated business or professional 
groups of two or more persons.
    Information means information about an individual, and includes, but 
is not limited to, vital statistics; race, sex, or other physical 
characteristics; earnings information; professional fees paid to an 
individual and other financial information; benefit data or other claims 
information; the social security number, employer identification number, 
or other individual identifier; address; phone number; medical 
information, including psychological or psychiatric information or lay 
information used in a medical determination; and information about 
marital and family relationships and other personal relationships.
    Record means any item, collection, or grouping of information about 
an individual that SSA maintains (e.g., employment history, medical 
history (including consultative examinations), education) and that 
contains his or her name, or an identifying number, symbol, or any other 
means by which an individual can be identified.
    Secretary means the Secretary of Health and Human Services and any 
individual authorized to act for him or her in the administration of a 
social security program.
    Social Security Administration (SSA) means (1) that principal 
operating component of the Department of Health and Human Services which 
has administrative responsibilities under titles I, II, IV--parts A, X, 
XI, XIV, XVI, and XVIII of the Act; and (2) units of State governments 
which make determinations under agreements made under sections 221 and 
1633 of the Act.
    Social security program means any program or provision of law which 
SSA is responsible for administering, including the Freedom of 
Information Act and Privacy Act. This includes our responsibilities 
under parts B and C of the Federal Coal Mine Health and Safety Act.
    System of records means a group of records under our control from 
which information about an individual is retrieved by the name of the 
individual or by an identifying number, symbol, or other identifying 
particular.
    We means the Social Security Administration.



Sec. 401.115  Situations not specified in this part.

    If no other provision in this regulation specifically allows SSA to 
disclose information, the Commissioner or designee may disclose this 
information if not prohibited by Federal law. For example, the 
Commissioner or designee may disclose information necessary to respond 
to life threatening situations.



Sec. 401.120  Safeguards against unauthorized disclosure or use.

    The FOIA does not authorize us to impose any restrictions on how 
information is used after we disclose it under that law. However, the 
FOIA does permit us to withhold information, for example, if disclosure 
would result in a ``clearly unwarranted invasion of personal privacy.'' 
In deciding whether this exemption applies in a given case, we must 
consider all the ways in which the recipient might use the information 
and how likely the
recipient is to redisclose the information to other parties. Thus, 
before we disclose personal information we may consider such factors 
as--
    (a) Whether only those individuals who have a need to know the 
information will obtain it;
    (b) Whether appropriate measures to safeguard the information to 
avoid unwarranted use or misuse will be taken; and
    (c) Whether we would be permitted to conduct on-site inspections to 
see whether the safeguards are being met.



Sec. 401.125  Fees.

    We follow HHS regulations (45 CFR 5.60, 5.61 and 5b.13) and 
Secs. 422.440 and 422.441 of this chapter to determine the amount of 
fees, if any, to be charged for providing information under the FOIA and 
Privacy Act.

[45 FR 74914, Nov. 13, 1980, as amended at 50 FR 28568, July 15, 1985]



Subpart B--How Laws Apply




Sec. 401.200  General.

    This section describes how various laws control the disclosure or 
confidentiality of personal information which we keep. We must consider 
these laws in the following order.
    (a) Some laws require us to disclose information (Sec. 401.205); 
some laws require us to withhold information (Sec. 401.210). These laws 
control whenever they apply.
    (b) If no law of this type applies in a given case, then we must 
look to the FOIA. See Sec. 401.215.
    (c) When the FOIA doesn't require disclosure, we may disclose 
information if both the Privacy Act and section 1106 of the Social 
Security Act permit the disclosure. See Sec. 401.220.



Sec. 401.205  Disclosures required by law.

    We disclose information when a law specifically requires it. The 
Social Security Act requires us to disclose information for certain 
program purposes. These include disclosures to the Office of Inspector 
General, HHS, the parent Locator Service, and to States pursuant to an 
arrangement regarding use of the Blood Donor Locator Service. Also, 
there are other laws which require that we furnish other agencies 
information which they need for their programs. These include the 
Department of Veterans Affairs for its benefit programs, the Immigration 
and Naturalization Service to carry out its duties regarding aliens, the 
Railroad Retirement Board for its benefit programs, and to Federal, 
State, and local agencies administering Aid to Families with Dependent 
Children, Medicaid, unemployment compensation, food stamps, and other 
programs.

[56 FR 66565, Dec. 24, 1991]



Sec. 401.210  Disclosures prohibited by law.

    We do not disclose information when a law specifically prohibits it. 
The Internal Revenue Code generally prohibits us from disclosing tax 
return information which we receive to maintain individual earnings 
records. This includes, for example, amounts of wages and contributions 
from employers. Other laws restrict our disclosure of certain 
information about drug and alcohol abuse which we collect to determine 
eligibility for social security benefits.



Sec. 401.215  Freedom of Information Act.

    The FOIA requires us to disclose any information in our records upon 
request from the public, unless one of several exemptions in the FOIA 
applies. When the FOIA requires disclosure, the Privacy Act permits it. 
The public does not include Federal agencies, courts, or the Congress, 
but does include State agencies, individuals, corporations, and most 
other parties. The FOIA does not apply to requests that are not from the 
public (e.g., from a Federal agency). However, we apply FOIA principles 
to requests from these sources for disclosure of information (see 
Sec. 401.300; also see Secs. 401.330 and 401.335 for disclosures to 
Congress and the General Accounting Office).



Sec. 401.220  Other laws.

    When the FOIA does not apply, we may not disclose any personal 
information unless both the Privacy Act and section 1106 of the Social 
Security Act permit the disclosure. Sections 401.305 through 401.340 
discuss how we apply the various provisions of the Privacy
Act that permit disclosure. Section 1106 of the Social Security Act 
requires the Secretary of HHS to set out in regulations what 
disclosures may be made; therefore, any disclosure permitted by this 
regulation is permitted by section 1106.



Subpart C--Individual Disclosures




Sec. 401.300  General principles.

    When no law specifically requiring or prohibiting disclosure (see 
Secs. 401.205 and 401.210) applies to a question of whether to disclose 
information, we follow the FOIA principles to resolve that question. We 
do this to insure uniform treatment in all situations. The FOIA 
principle which most often applies to SSA disclosure questions is 
whether the disclosure would result in a ``clearly unwarranted invasion 
of personal privacy.'' To decide whether a disclosure would be a clearly 
unwarranted invasion of personal privacy we consider--
    (a) The sensitivity of the information (e.g., whether individuals 
would suffer harm or embarrassment as a result of the disclosure);
    (b) The public interest in the disclosure;
    (c) The rights and expectations of individuals to have their 
personal information kept confidential; and
    (d) The public's interest in maintaining general standards of 
confidentiality of personal information; and
    (e) Those factors discussed in Sec. 401.120. We feel that there is a 
strong public interest in sharing information with other agencies with 
programs having the same or similar purposes, so we generally share 
information with those agencies. However, since there is usually little 
or no public interest in disclosing information for disputes between two 
private parties or for other private or commercial purposes, we 
generally do not share information for these purposes.



Sec. 401.305  Within HHS.

    The Privacy Act allows an agency to share information inside the 
agency when necessary for the agency to carry out its duties. For 
purposes of this provision, HHS considers itself one agency. SSA, as a 
part of HHS, discloses information to another HHS component when SSA 
determines that the other component has a legitimate need for the 
information and no other law prohibits it.



Sec. 401.310  Compatible purposes.

    (a) General. The Privacy Act allows us to disclose information, 
without the consent of the individual, to any other party for routine 
uses.
    (b) Routine use. This means the disclosure of a record outside HHS 
for a purpose which is compatible with the purpose for which the record 
was collected. We publish notices of systems of records in the Federal 
Register which contain a list of all routine use disclosures.
    (c) Determining compatibility. We disclose information for routine 
uses where necessary to carry out SSA's programs. It is also our policy 
to disclose information for use in other programs which have the same 
purposes as SSA programs if the information concerns eligibility, 
benefit amounts, or other matters of benefit status in a social security 
program and is relevant to determining the same matters in the other 
program. For example, we disclose information to the Railroad Retirement 
Board for pension and unemployment compensation programs, to the 
Veterans Administration for its benefit program, to worker's 
compensation programs, to State general assistance programs, and to 
other income maintenance programs at all levels of government; we also 
disclose for health-maintenance programs like Medicare and Medicaid, and 
in appropriate cases, for epidemiological and similar research.



Sec. 401.315  Law enforcement purposes.

    (a) General. The Privacy Act allows us to disclose information for 
law enforcement purposes under certain conditions. Much of the 
information in our files is especially sensitive or very personal. 
Furthermore, participation in social security programs is mandatory, so 
people cannot limit what information is given to us. Therefore, we 
generally disclose information for law enforcement purposes only in 
limited situations. Paragraphs (b) and (c) of this
section discuss the disclosures we generally make for these purposes.
    (b) Serious crimes. SSA may disclose information for criminal law 
enforcement purposes where a violent crime such as murder or kidnapping 
has been committed and the individual about whom the information is 
being sought has been indicted or convicted of that crime.

The Privacy Act allows us to disclose if the head of the law enforcement 
agency makes a written request giving enough information to show--
    That these conditions are met;
    What information is needed; and
    Why it is needed.
    (c) Criminal activity involving the social security program or 
another program with the same purposes. We disclose information when 
necessary to investigate or prosecute fraud or other criminal activity 
involving the social security program. We may also disclose information 
for investigation or prosecution of criminal activity in other income-
maintenance or health-maintenance programs (e.g., other governmental 
pension programs, unemployment compensation, general assistance, 
Medicare or Medicaid) if the information concerns eligibility, benefit 
amounts, or other matters of benefit status in a social security program 
and is relevant to determining the same matters in the other program.



Sec. 401.320  Health or safety.

    The Privacy Act allows us to disclose information in compelling 
circumstances where an individual's health or safety is affected. For 
example, if we learn that someone has been exposed to an excessive 
amount of radiation, we may notify that person and appropriate health 
officials. If we learn that someone has made a threat against someone 
else, we may notify that other person and law enforcement officials. 
When we make these disclosures, the Privacy Act requires us to send a 
notice of the disclosure to the last known address of the person whose 
record was disclosed.



Sec. 401.325  Statistical and research activities.

    (a) General. Statistical and research activities often do not 
require information in a format that identifies specific individuals. 
Therefore, whenever possible, we release information for statistical or 
research purposes only in the form of aggregates or individual data that 
cannot be associated with a particular individual. The Privacy Act 
allows us to release records if there are safeguards that the record 
will be used solely as a statistical or research record and the 
individual cannot be identified from any information in the record.
    (b) Safeguards for disclosure with identifiers. The Privacy Act also 
allows us to disclose data for statistical and research purposes in a 
form allowing individual identification when the purpose is compatible 
with the purpose for which the record was collected. We will disclose 
personally identifiable information for statistical and research 
purposes if--
    (1) We determine that the requester needs the information in an 
identifiable form for a statistical or research activity, will use the 
information only for that purpose, and will protect individuals from 
unreasonable and unwanted contacts;
    (2) The activity is designed to increase knowledge about present or 
alternative social security programs or other Federal or State income-
maintenance or health-maintenance programs, or consists of 
epidemiological or similar research; and
    (3) The recipient will keep the information as a system of 
statistical records, will follow appropriate safeguards, and agrees to 
our on-site inspection of those safeguards so we can be sure the 
information is used or redisclosed only for statistical or research 
purposes. No redisclosure of the information may be made without SSA's 
approval. We will also require these safeguards when we disclose 
personally identifiable information to another HHS component for its own 
statistical or research functions (see Sec. 401.305).
    (c) Statistical record. A statistical record is a record in a system 
of records which is maintained only for statistical and research 
purposes, and which is not used to make any determination about an 
individual. We maintain and use statistical records only for statistical 
and research
purposes. We may disclose a statistical record if the conditions in 
paragraph (b) of this section are met.
    (d) Compiling of records. Where a request for information for 
statistical and research purposes would require us to compile records, 
and doing that would be administratively burdensome to ongoing SSA 
operations, we may decline to furnish the information.



Sec. 401.330  Congress.

    (a) We disclose information to either House of Congress. We also 
disclose information to any committee or subcommittee of either House, 
or to any joint committee of Congress or subcommittee of that committee, 
if the information is on a matter within the committee's or 
subcommittee's jurisdiction.
    (b) We disclose to any member of Congress the information needed to 
respond to constituents' requests for information about themselves 
(including requests from parents of minors, or legal guardians). 
However, these disclosures are subject to the restrictions in 
Sec. 401.400ff.



Sec. 401.335  General Accounting Office.

    We disclose information to the General Accounting Office when that 
agency needs the information to carry out its duties.



Sec. 401.340  Courts.

    (a) General. The Privacy Act allows us to disclose information when 
we receive an order from a court of competent jurisdiction. However, 
much of our information is especially sensitive. Participation in social 
security programs is mandatory, and so people cannot limit what 
information is given to SSA. When information is used in a court 
proceeding, it usually becomes part of a public record, and its 
confidentiality cannot be protected. Therefore, we treat subpoenas or 
other court orders for information under the rules in paragraph (b) of 
this section.
    (b) We generally disclose information in response to a subpoena or 
other court order if--
    (1) Another section of this part would specifically allow the 
release; or
    (2) The Secretary of HHS is a party to the proceeding; or
    (3) The information is necessary for due process in a criminal 
proceeding. In other cases, we try to satisfy the needs of courts while 
preserving the confidentiality of information.



Sec. 401.345  Other specific recipients.

    In addition to disclosures we make under the routine use provision, 
we also release information to--
    (a) The Bureau of the Census for purposes of planning or carrying 
out a census, survey, or related activity; and
    (b) The National Archives of the United States if the record has 
sufficient historical or other value to warrant its continued 
preservation by the United States Government. We also disclose a record 
to the Administrator of General Services for a determination whether the 
record has such a value.



Sec. 401.350  Deceased persons.

    We do not consider the disclosure of information about a deceased 
person to be a clearly unwarranted invasion of that person's privacy. 
However, in disclosing information about a deceased person, we follow 
the principles in Sec. 401.300 to insure that the privacy rights of a 
living person are not violated.



Subpart D--Obtaining and Correcting Your Records




Sec. 401.400  General.

    The Freedom of Information Act allows you to request information 
from SSA whether or not it is in a system of records. The Privacy Act 
gives you the right to have access to most records about yourself that 
are in our systems of records. Exceptions to this Privacy Act right 
include--
    (a) Certain medical records (see 5 U.S.C. 552a(f)(3) and 
Sec. 401.410);
    (b) Certain criminal law enforcement records (see 5 U.S.C. 552a(k), 
and HHS' rule in 45 CFR 5b.11); and
    (c) Records compiled in reasonable anticipation of a court action or 
formal administrative proceeding.

We generally follow the HHS rules in 45 CFR 5b.5 and 5b.6 on access to 
an individual's record. However, in a few situations our rules are 
somewhat more strict, because of the especially
sensitive nature of many of our records. This subpart briefly describes 
our rules.



Sec. 401.405  How to get your own record.

    (a) Who may ask. You may ask for any record about yourself that is 
in an SSA system of records. If you are a minor, you may get information 
about yourself under the same rules as for an adult. Under the Privacy 
Act, if you are the parent or guardian of a minor, or the legal guardian 
of someone who has been declared legally incompetent, and you are acting 
on his or her behalf, you may ask for information about that individual. 
See Sec. 401.410 for the rules which apply to requests for medical 
records.
    (b) Identification. When you request access to a record, you must 
identify yourself. One means of identity is your signature but you may 
also be requested to show your driver's license, birth certificate, or 
similar document.
    (c) How to ask. To request access to a record you may visit your 
local social security office or write to the manager of the SSA system 
of records. The name and address of the manager of the system is part of 
the notice of systems of records which is published annually in the 
Federal Register. Every local social security office keeps a copy of the 
Federal Register containing that notice. That office can also help you 
get access to your record. You do not need to use any special form to 
ask for a record about you in our files, but your request must give 
enough identifying information about the record you want to enable us to 
find your particular record. This identifying information should include 
the system of records in which the record is located and the name and 
social security number (or other identifier) under which the record is 
filed. We do not honor requests for all records, all information, or 
similar blanket requests.



Sec. 401.410  Medical information.

    (a) Your own record. In accordance with 45 CFR 5b.6, when you 
request medical information about yourself, you must also name a 
representative in writing. The representative may be a physician, other 
health professional, or other responsible individual who would be 
willing to review the record and inform you of its contents at your 
representative's discretion. If you do not designate a representative, 
we may decline to release the requested information. In some cases, it 
may be possible to release medical information directly to you rather 
than to your representative.
    (b) Requests on behalf of a minor. If you are the parent or guardian 
of a minor, we will release the minor's medical record only to a 
representative that you name in writing. The representative in these 
cases must be a physician or other health professional (excluding a 
family member) who would be willing to review the record and inform you 
of its contents at the representative's discretion. If you do not 
designate a representative, we will decline to release the requested 
information. We will also make reasonable efforts to inform the minor 
that the record has been given to the representative. We will also tell 
the representative when further disclosure may be an unwarranted 
invasion of the minor's privacy. We will also ask the representative to 
consider the effect that disclosing the record to the parent or guardian 
would have on the minor in determining whether the minor's record should 
be made available to the parent or guardian.
    (c) Requests on behalf of an incapacitated adult. If you are the 
legal guardian of an adult who has been declared legally incompetent, 
you may receive his or her records directly.



Sec. 401.415  Records about two or more individuals.

    (a) When information about two or more individuals is in one record 
filed under your social security number, you may receive the information 
about you and the fact of entitlement and the amount of benefits payable 
to other persons based on your record. You may receive information about 
yourself or others, which is filed under someone else's social security 
number, if that information affects your entitlement to social security 
benefits or the amount of those benefits.



Sec. 401.420  How to correct your record.

    (a) How to request a correction. This section applies to all records 
kept by SSA (as described in Sec. 401.105) except for records of 
earnings. (Section 422.125 of this chapter describes how to request 
correction of your earnings record.) You may request that your record be 
corrected or amended if you believe that the record is not accurate, 
timely, complete, relevant, or necessary to the administration of a 
social security program. To amend or correct your record, you should 
write to the manager identified in the notice of systems of records 
which is published annually in the Federal Register (see Sec. 401.405(c) 
on how to locate this information). The staff at any social security 
office can help you prepare the request. You should submit any available 
evidence to support your request. Your request should indicate--
    (1) The system of records from which the record is retrieved;
    (2) The particular record which you want to correct or amend;
    (3) Whether you want to add, delete or substitute information in the 
record; and
    (4) Your reasons for believing that your record should be corrected 
or amended.
    (b) What we will not change. You cannot use the correction process 
to alter, delete, or amend information which is part of a determination 
of fact or which is evidence received in the record of a claim in the 
administrative appeal process. Disagreements with these determinations 
are to be resolved through the SSA appeal process. (See subparts I and J 
of part 404, and subpart N of part 416, of this chapter.) For example, 
you cannot use the correction process to alter or delete a document 
showing a birth date used in deciding your social security claim. 
However, you may submit a statement on why you think certain information 
should be altered, deleted, or amended, and this will be made part of 
your file.
    (c) Acknowledgement of correction request. We will acknowledge 
receipt of a correction request within 10 working days, unless the 
request can be reviewed, processed, and an initial determination of 
denial or compliance given before that time.
    (d) Notice of error. If the record is wrong, we will correct it 
promptly. If wrong information was disclosed from the record, we will 
tell all those who received that information that it was wrong and will 
give them the correct information. This will not be necessary if the 
change is not due to an error, e.g., a change of name or address.
    (e) Record found to be correct. If the record is correct, we will 
advise you in writing of the reason why we refuse to amend your record 
and we will also inform you of your right to seek a review of the 
refusal and the name and address of the official to whom you should send 
your request for review.



Subpart E--Appeals




Sec. 401.500  Which decisions are covered.

    This subpart describes how to appeal a decision made under the 
Privacy Act concerning your request for correction of a record or for 
access to your records, those of your minor child, or those of a person 
for whom you are the legal guardian. We generally handle a denial of 
your request for information about another person under the provisions 
of the FOIA (see part 422, subpart E of this chapter). This subpart 
applies only to written requests.

[50 FR 28568, July 15, 1985]



Sec. 401.505  Appeal of refusal to correct a record.

    (a) If we deny your request to correct a record, you may request a 
review of that decision. As discussed in Sec. 401.420(e), our letter 
denying your request will tell you to whom to write.
    (b) The official will review your request within 30 working days 
from the date of receipt. However, for a good reason and with the 
approval of the Commissioner, this time limit may be extended up to an 
additional 30 days. In that case, the official will notify you about the 
delay, the reason for it, and the date when the review is expected to be 
completed. If, after review, the official determines that the record 
should be corrected, the record will be corrected. If, after review, the 
reviewing official also refuses to amend the record exactly as you 
requested, the official will advise you--
    (1) That your request has been refused and the reason;
    (2) That this refusal is SSA's final decision;
    (3) That you have a right to seek court review of this request to 
amend the record; and
    (4) That you have a right to file a statement of disagreement with 
the decision. Your statement should include the reason you disagree. 
Your statement will be made available to anyone to whom the record is 
subsequently disclosed, together with a statement of SSA's reasons for 
refusal to amend the record. Also, prior recipients of the record will 
be provided a copy of your statement.



Sec. 401.510  Appeals after denial of access.

    If, under the Privacy Act, we deny your request for access to your 
own record, those of your minor child, or those of a person for whom you 
are the legal guardian, we will advise you in writing of the reason for 
that denial, the name and title or position of the person responsible 
for the decision, and your right to appeal that decision. You may appeal 
the denial decision to the Commissioner of Social Security, 6401 
Security Boulevard, Baltimore, MD 21235, within 30 days after you 
receive the notice denying all or part of your request, or, if later, 
within 30 days after you receive materials in partial compliance with 
your request. If we refuse to release a medical record because you did 
not designate a representative (Sec. 401.410) to receive the material, 
that refusal is not a formal denial of access and, therefore, may not be 
appealed to the Commissioner. If you file an appeal, either the 
Commissioner or a designee will review your request and any supporting 
information submitted and then send you a notice explaining the decision 
on your appeal. The decision must be made within 20 working days after 
your appeal is received. The Commissioner or a designee may extend this 
time limit up to 10 additional working days if one of the circumstances 
in Sec. 422.429 is met. You will be notified in writing of any 
extension, the reason for the extension, and the date by which your 
appeal will be decided. The notice of the decision on your appeal will 
explain your right to have the matter reviewed in a Federal district 
court if you disagree with all or part of the decision.

[50 FR 28568, July 15, 1985; 50 FR 30144, July 24, 1985]



Subpart F--Disclosures of Addresses by Blood Donor Locator Service




Sec. 401.600  Blood Donor Locator Service.

    (a) General. We will enter into arrangements with State agencies 
under which we will furnish to them at their request the last known 
personal mailing addresses (residence or post office box) of blood 
donors whose blood donations show that they are or may be infected with 
the human immunodeficiency virus which causes acquired immune deficiency 
syndrome. The State agency or other authorized person, as defined in 
paragraph (b) of this section, will then inform the donors that they may 
need medical care and treatment. The safeguards that must be used by 
authorized persons as a condition to receiving address information from 
the Blood Donor Locator Service are in paragraph (g) of this section, 
and the requirements for a request for address information are in 
paragraph (d).
    (b) Definitions. State means the 50 States, the District of 
Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, the 
Commonwealth of Northern Marianas, and the Trust Territory of the 
Pacific Islands.
    Authorized person means--
    (1) Any agency of a State (or of a political subdivision of a State) 
which has duties or authority under State law relating to the public 
health or otherwise has the duty or authority under State law to 
regulate blood donations; and
    (2) Any entity engaged in the acceptance of blood donations which is 
licensed or registered by the Food and Drug Administration in connection 
with the acceptance of such blood donations, and which provides for--
    (i) The confidentiality of any address information received pursuant 
to these rules and section 1141 of the Social Security Act and related 
blood donor records;
    (ii) Blood donor notification procedures for individuals with 
respect to whom such information is requested and a finding has been 
made that they are or may be infected with the human immunodeficiency 
virus; and
    (iii) Counseling services for such individuals who have been found 
to have such virus. New counseling programs are not required, and an 
entity may use existing counseling programs or referrals to provide 
these services.
    Related blood donor records means any record, list, or compilation 
established in connection with a request for address information which 
indicates, directly or indirectly, the identity of any individual with 
respect to whom a request for address information has been made pursuant 
to these rules.
    (c) Use of social security number for identification. A State or an 
authorized person in the State may require a blood donor to furnish his 
or her social security number when donating blood. The number may then 
be used by an authorized person to identify and locate a donor whose 
blood donation indicates that he or she is or may be infected with the 
human immunodeficiency virus.
    (d) Request for address of blood donor. An authorized person which 
has been unable to locate a blood donor at the address he or she may 
have given at the time of the blood donation may request assistance from 
the State agency which has arranged with us to participate in the Blood 
Donor Locator Service. The request to the Blood Donor Locator Service 
must--
    (1) Be in writing;
    (2) Be from a participating State agency either on its own behalf as 
an authorized person or on behalf of another authorized person;
    (3) Indicate that the authorized person meets the confidentiality 
safeguards of paragraph (g) of this section; and
    (4) Include the donor's name and social security number, the 
addresses at which the authorized person attempted without success to 
contact the donor, the date of the blood donation if available, a 
statement that the donor has tested positive for the human 
immunodeficiency virus according to the latest Food and Drug 
Administration standards or that the history of the subsequent use of 
the donated blood or blood products indicates that the donor has or may 
have the human immunodeficiency virus, and the name and address of the 
requesting blood donation facility.

(Approved by the Office of Management and Budget under control number 
0960-0501)

    (e) SSA response to request for address. After receiving a request 
that meets the requirements of paragraph (d) of this section, we will 
search our records for the donor's latest personal mailing address. If 
we do not find a current address, we will request that the Internal 
Revenue Service search its tax records and furnish us any personal 
mailing address information from its files, as required under section 
6103(m)(6) of the Internal Revenue Code. After completing these 
searches, we will provide to the requesting State agency either the 
latest mailing address available for the donor or a response stating 
that we do not have this information. We will then destroy the records 
or delete all identifying donor information related to the request and 
maintain only the information that we will need to monitor the 
compliance of authorized persons with the confidentiality safeguards 
contained in paragraph (g) of this section.
    (f) SSA refusal to furnish address. If we determine that an 
authorized person has not met the requirements of paragraphs (d) and (g) 
of this section, we will not furnish address information to the State 
agency. In that case, we will notify the State agency of our 
determination, explain the reasons for our determination, and explain 
that the State agency may request administrative review of our 
determination. The Commissioner of Social Security or a delegate of the 
Commissioner will conduct this review. The review will be based on the 
information of record and there will not be an opportunity for an oral 
hearing. A request for administrative review, which may be submitted 
only by a State agency, must be in writing. The State agency must send 
its request for administrative review to the Commissioner of Social 
Security, 6401 Security Boulevard, Baltimore, MD 21235, within 60 days 
after receiving our notice refusing to give the 
donor's address. The request for review must include supporting 
information or evidence that the requirements of these rules have been 
met. If we do not furnish address information because an authorized 
person failed to comply with the confidentiality safeguards of paragraph 
(g) of this section, the State agency will have an opportunity to submit 
evidence that the authorized person is now in compliance. If we then 
determine, based on our review of the request for administrative review 
and the supporting evidence, that the authorized person meets the 
requirements of these rules, we will respond to the address request as 
provided in paragraph (e) of this section. If we determine on 
administrative review that the requirements have not been met, we will 
notify the State agency in writing of our decision. We will make our 
determination within 30 days after receiving the request for 
administrative review, unless we notify the State agency within this 
30-day time period that we will need additional time. Our determination on 
the request for administrative review will give the findings of fact, 
the reasons for the decision, and what actions the State agency should 
take to ensure that it or the blood donation facility is in compliance 
with these rules.
    (g) Safeguards to ensure confidentiality of blood donor records. We 
will require assurance that authorized persons have established and 
continue to maintain adequate safeguards to protect the confidentiality 
of both address information received from the Blood Donor Locator 
Service and related blood donor records. The authorized person must, to 
the satisfaction of the Secretary--
    (1) Establish and maintain a system for standardizing records which 
includes the reasons for requesting the addresses of blood donors, dates 
of the requests, and any disclosures of address information;
    (2) Store blood donors' addresses received from the Blood Donor 
Locator Service and all related blood donor records in a secure area or 
place that is physically safe from access by persons other than those 
whose duties and responsibilities require access;
    (3) Restrict access to these records to authorized employees and 
officials who need them to perform their official duties related to 
notifying blood donors who are or may be infected with the human 
immunodeficiency virus that they may need medical care and treatment;
    (4) Advise all personnel who will have access to the records of the 
confidential nature of the information, the safeguards required to 
protect the information, and the civil and criminal sanctions for 
unauthorized use or disclosure of the information;
    (5) Destroy the address information received from the Blood Donor 
Locator Service, as well as any records established in connection with 
the request which indicate directly or indirectly the identity of the 
individual, after notifying or attempting to notify the donor at the 
address obtained from the Blood Donor Locator Service; and
    (6) Upon request, report to us the procedures established and 
utilized to ensure the confidentiality of address information and 
related blood donor records. We reserve the right to make onsite 
inspections to ensure that these procedures are adequate and are being 
followed and to request such information as we may need to ensure that 
the safeguards required in this section are being met.
    (h) Unauthorized disclosure. Any official or employee of the Federal 
Government, a State, or a blood donation facility who discloses blood 
donor information, except as provided for in this section or under a 
provision of law, will be subject to the same criminal penalty as 
provided in section 7213(a) of the Internal Revenue Code of 1986 for the 
unauthorized disclosure of tax information.

[56 FR 66565, Dec. 24, 1991; 57 FR 956, Jan. 9, 1992]