[Federal Register Volume 59, Number 71 (Wednesday, April 13, 1994)]
[Unknown Section]
[Page 0]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 94-8777]


[[Page Unknown]]

[Federal Register: April 13, 1994]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES
National Institutes of Health

 

Privacy Act of 1974; New System of Records

AGENCY: Public Health Service, HHS.

ACTION: Notification of a new system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act, the 
Public Health Service (PHS) is publishing a notice of a new system of 
records, 09-25-0172, ``Clinical Research: National Center for Human 
Genome Research, HHS/NIH/NCHGR.'' We are also proposing routine uses 
for this new system.

DATES: PHS invites interested parties to submit comments on the 
proposed internal and routine uses on or before May 13, 1994. PHS has 
sent a report of a New System to the Congress and to the Office of 
Management and Budget (OMB) on March 30, 1994. This system of records 
will be effective 40 days from the date of publication unless PHS 
receives comments on the routine uses which would result in a contrary 
determination.

ADDRESS: Please submit comments to: NIH Privacy Act Officer, Building 
31, room 3B03, 9000 Rockville Pike, Bethesda, MD 20892, 301-496-2832.
    Comments received will be available for inspection at this same 
address from 9 a.m. to 3 p.m., Monday through Friday.

FOR FURTHER INFORMATION CONTACT:
Chief, Office of Human Genome Communications, National Center for Human 
Genome Research, National Institutions of Health, building 38A, room 
617, 9000 Rockville Pike, Bethesda, Maryland 20892, 301-402-0911.
    The numbers listed above are not toll free.

SUPPLEMENTARY INFORMATION: The National Institutes of Health (NIH) 
proposes to establish a new system of records: 09-25-0172, ``Clinical 
Research: National Center for Human Genome Research, HHS/NIH/NCHGR.'' 
Established as of October 1, 1989, the National Center for Human Genome 
Research (NCHGR) is the focal point within the NIH and the Department 
of Health and Human Services for the development of research policy and 
long-range planning for the NIH component of the Human Genome Project. 
NCHGR's Division of Extramural Research funds research in laboratories 
throughout the country in chromosome mapping, deoxyribonucleic acid 
(DNA) sequencing, database development, technology development, and 
studies of the ethical, legal, and social implications of genetics 
research. NCHGR's newly established Division of Intramural Research 
plans to focus on technologies for finding disease genes, developing 
DNA diagnostics and gene therapies. The Division will serve as a hub 
for NIH-wide human genetics research and enhance the work of 
investigators in other Institutes who are searching for specific genes 
and studying their function in health and disease. This system of 
records will be used by NIH to support clinical research aimed at 
understanding the genetic basis of human disease, its diagnosis and 
treatment.
    The system will comprise records that contain information 
identifying participants (such as name, address, Social Security 
number), medical records (including psychosocial evaluations), progress 
reports, correspondence, epidemiological data, research findings, and 
records on biological specimens, (e.g., blood, urine, and genetic 
materials). Provision of the Social Security number is voluntary.
    The amount of information recorded on each individual will be only 
that which is necessary to accomplish the purpose of the system. The 
records in this system will be maintained in a secure manner compatible 
with their content and use. NIH and contractor staff will be required 
to adhere to the provisions of the Privacy Act and the HHS Privacy Act 
Regulations. The System Manager will control access to the data. Only 
authorized users whose official duties require the use of such 
information will have regular access to the records in this system. 
Authorized users are HHS employees, and contractors responsible for 
implementing the clinical research. Researchers authorized to conduct 
research on biological specimens will have access to the system through 
the use of encrypted identifiers sufficient to link individuals with 
records in such a manner that does not compromise confidentiality of 
the individual.
    Records will be stored in file folders, computer tapes, computer 
diskettes, microfiche, and file cards. Manual and computerized records 
will be maintained in accordance with the standards of Chapter 45-13 of 
the HHS General Administration Manual, ``Safeguarding Records Contained 
in Systems of Records,'' supplementary Chapter PHS hf: 45-13, the 
Department's Automated Information System Security Program Handbook, 
and the National Institute of Standards and Technology Federal 
Information Processing Standards (FIPS Pub. 41 and FIPS Pub. 31).
    Data stored in computers will be accessed through the use of 
keywords known only to authorized users. Rooms where records are stored 
are locked when not in use. During regular business hours, rooms are 
unlocked but are controlled by on-site personnel. Depending upon the 
sensitivity of the information in the record, additional safeguard 
measures are employed.
    The routine uses proposed for this system are compatible with the 
stated purposes of the system. The first routine use permitting 
disclosure to a congressional office is proposed to allow subject 
individuals to obtain assistance from their representatives in 
Congress, should they so desire. Such disclosure would be made only 
pursuant to a request of the individual. The second routine use allows 
disclosure to the Department of Justice to defend the Federal 
Government, the Department, or employees of the Department in the event 
of litigation. The third routine use allows disclosure to contractors 
and subcontractors for the purpose of processing, maintaining and 
refining records in the system. Contracting for such services is 
advisable because the agency lacks necessary internal resources and 
because processing or refining the records using contractors will be 
cost-effective. The contractors will maintain and will be required to 
ensure that subcontractors maintain Privacy Act safeguards with respect 
to such records. The fourth routine use permits disclosure of a record 
for an authorized research purpose under specified conditions.
    The following notice is written in the present, rather than future 
tense, in order to avoid the unnecessary expenditure of public funds to 
republish the notice after the system has become effective.

    Dated: March 25, 1994.
Wilford J. Forbush,
Director, Office of Management.
09-25-0172
    Clinical Research: National Center for Human Genome Research, HHS/
NIH/NCHGR.
    None.
    National Center for Human Genome Research, National Institutes of 
Health, Building 38A, room 617, 9000 Rockville Pike, Bethesda, Maryland 
20892, and at hospitals, medical schools, universities, research 
institutions, commercial organizations, collaborating State and Federal 
Government agencies, and Federal Records Centers. A list of locations 
is available upon request from the System Manager.
    Patients with diseases of genetic origin, normal healthy volunteers 
who serve as controls for comparison with patients, relatives of 
patients and other individuals whose characteristics or conditions are 
being studied for possible genetic connections with the occurrence of 
the diseases under investigation.
    Information identifying participants (such as name, address, Social 
Security number), medical records (including psychosocial evaluations), 
progress reports, correspondence, epidemiological data, research 
findings, and records on biological specimens, (e.g., blood, urine, and 
genetic materials).
    42 U.S.C. 287c, ``National Center for Human Genome Research,'' 
stating that the purpose of NCHGR is to characterize the structure and 
function of the human genome, including the mapping and sequencing of 
individual genes, as well as planning and coordinating the research 
goal of the Genome project; reviewing and funding research proposals; 
developing training programs; coordinating international genome 
research; communicating advances in genome research to the public; and 
reviewing and funding research to address the genome project's ethical 
and legal issues.
    These records are used to support clinical research aimed at 
understanding the role of the structure and function of the human 
genome in human disease, diagnosis and treatment.
    1. Disclosure may be made to a congressional office from the record 
of an individual in response to an inquiry from the congressional 
office made at the request of that individual.
    2. In the event of litigation where the defendant is (a) the 
Department, any component of the Department, or any employee of the 
Department in his or her official capacity; (b) the United States where 
the Department determines that the claim, if successful, is likely to 
affect directly the operations of the Department or any of its 
components; or (c) any Department employee in his or her individual 
capacity where the Department of Justice has agreed to represent such 
employee, for example, in defending a claim against the Public Health 
Service, based upon an individual's mental or physical condition and 
alleged to have arisen because of activities of the Public Health 
Service in connection with such individual, the Department may disclose 
such records as it deems desirable or necessary to the Department of 
Justice to enable that Department to present an effective defense, 
provided that such disclosure is compatible with the purpose for which 
the records were collected.
    3. NIH may disclose records to Department contractors and 
subcontractors for the purpose of collecting, compiling, aggregating, 
analyzing, or refining records in the system. Contractors maintain, and 
are also required to ensure that subcontractors maintain, Privacy Act 
safeguards with respect to such records.
    4. A record may be disclosed for a research purpose, when the 
Department: (A) Has determined that the use or disclosure does not 
violate legal or policy limitations under which the record was 
provided, collected, or obtained; (B) has determined that the research 
purpose (1) cannot be reasonably accomplished unless the record is 
provided in individually identifiable form, and (2) warrants the risk 
to the privacy of the individual that additional exposure of the record 
might bring; (C) has required the recipient to (1) establish reasonable 
administrative, technical, and physical safeguards to prevent 
unauthorized use or disclosure of the record, (2) remove or destroy the 
information that identifies the individual at the earliest time at 
which removal or destruction can be accomplished consistent with the 
purpose of the research project, unless the recipient has presented 
adequate justification of a research or health nature for retaining 
such information, and (3) make no further use or disclosure of the 
record except (a) in emergency circumstances affecting the health or 
safety of any individual, (b) for use in another research project, 
under these same conditions, and with written authorization of the 
Department, (c) for disclosure to a properly identified person for the 
purpose of an audit related to the research project, if information 
that would enable research subjects to be identified is removed or 
destroyed at the earliest opportunity consistent with the purpose of 
the audit, or (d) when required by law; (D) has secured a written 
statement attesting to the recipient's understanding of, and 
willingness to abide by these provisions.
    Records may be stored in file folders, computer tapes and 
diskettes, microfiche, and file cards.
    Records are retrieved by name, Social Security number, or other 
identifying numbers, keywords, and parameters of individual patient 
health or medical record data.
    1. Authorized users: Data on computer files is accessed by keyword 
known only to authorized users who are NIH or contractor employees who 
have a need for the data in performance of their duties as determined 
by the System Manager. A list of authorized users will be maintained 
and updated periodically. Researchers authorized to conduct research on 
biological specimens will have access to the system through the use of 
encrypted identifiers sufficient to link individuals with records in 
such a manner that does not compromise confidentiality of the 
individual. Access to information is thus limited to those with a need 
to know.
    2. Physical safeguards: Rooms where records are stored are locked 
when not in use. During regular business hours rooms are unlocked but 
are controlled by on-site personnel. Depending upon the sensitivity of 
the information in the record, additional safeguard measures may be 
employed.
    3. Procedural and technical safeguards: Data stored in computers is 
accessed through the use of keywords known only to authorized users. A 
password is required to access the terminal and a data set name 
controls the release of data to only authorized users. All users of 
personal information in connection with the performance of their jobs 
(see Authorized Users, above) protect information from public view and 
from unauthorized personnel entering an unsupervised office. 
Contractors and subcontractors who maintain records in this system are 
instructed to make no further disclosure of the records except as 
authorized by the System Manager and as permitted by the Privacy Act. 
Privacy Act requirements are specifically included in contracts and in 
agreements with grantees or collaborators participating in research 
activities supported by this system. HHS project directors, contract 
officers, and project officers oversee compliance with these 
requirements.
    These practices are in compliance with the standards of Chapter 45-
13 of the HHS General Administration Manual, ``Safeguarding Records 
Contained in Systems of Records,'' supplementary Chapter PHS hf: 45-13, 
and the Department's Automated Information System Security Program 
Handbook, and the National Institute of Standards and Technology 
Federal Information Processing Standards (FIPS Pub. 41 and FIPS Pub. 
31).
    Records are retained and disposed of under the authority of the NIH 
Records Control Schedule contained in NIH Manual Chapter 1743, Appendix 
1--``Keeping and Destroying Records'' (HHS Records Management Manual, 
Appendix B-361), item 3000-G-3(b), which allows records to be kept as 
long as they are useful in scientific research. Refer to the NIH Manual 
Chapter for specific disposition instructions.
    Chief, Office of Human Genome Communications, National Center for 
Human Genome Research, National Institutes of Health, Building 38A, 
room 617, 9000 Rockville Pike, Bethesda, Maryland 20892.
    To determine if a record exists, write to the System Manager listed 
above. The requester must also verify his or her identity by providing 
either a notarization of the request or a written certification that 
the requester is who he or she claims to be and understands that the 
knowing and willful request for acquisition of a record pertaining to 
an individual under false pretenses is a criminal offense under the 
Act, subject to a five thousand dollar fine. The request should 
include: (a) Full name, and (b) appropriate dates of participation.
    Write to the System Manager specified above to attain access to 
records and provide the same information as is required under the 
Notification Procedures. Requesters should also reasonably specify the 
record contents being sought. Individuals may also request an 
accounting of disclosure of their records, if any.
    Individuals who request notification of or access to a medical 
record shall, at the time the request is made, designate in writing a 
responsible representative who will be willing to review the record and 
inform the subject individual of its contents at the representative's 
discretion.
    A parent or guardian who requests notification of, or access to, a 
child's/incompetent person's medical record shall designate a family 
physician or other health professional (other than a family member) to 
whom the record, if any, will be sent. The parent or guardian must 
verify their relationship to the child/incompetent person as well as 
his/her own identity.
    Contact the System Manager specified above and reasonably identify 
the record, specify the information to be contested, the corrective 
action sought, and your reasons for requesting the correction, along 
with supporting information to show how the record is inaccurate, 
incomplete, untimely or irrelevant. The right to contest records is 
limited to information which is incomplete, irrelevant, incorrect, or 
untimely (obsolete).
    Subject individual, patient health and medical record data.
    None.

[FR Doc. 94-8777 Filed 4-12-94; 8:45 am]
BILLING CODE 4140-01-M