[Federal Register Volume 63, Number 99 (Friday, May 22, 1998)]
[Notices]
[Pages 28396-28398]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 98-13856]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Health Care Financing Administration


Privacy Act of 1974; Report of New System

AGENCY: Health Care Financing Administration (HCFA), Department Health 
and Human Services (HHS).

ACTION: Notice of New System of Records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, we are proposing to establish a new system of records, ``Long 
Term Care Minimum Data Set (LTC MDS),'' HHS/HCFA/CMSO System No. 09-70-
1516. We have provided background information about the proposed system 
in the ``Supplementary Information'' section below. Although the 
Privacy Act requires only that the ``routine use'' portion of the 
system be published for comment, HCFA invites comments on all portions 
of this notice. See ``Effective Dates'' section for comment period.

EFFECTIVE DATES: HCFA filed a new system report with the Chair of the 
House Committee on Government Reform and Oversight, the Chair of the 
Senate Committee on Governmental Affairs, and the Administrator, Office 
of Information and Regulatory Affairs, Office of Management and Budget 
(OMB) on May 19, 1998. To ensure that all parties have adequate time in 
which to comment, the new system of records, including routine uses, 
will become effective 40 days after the publication of this notice or 
from the date submitted to OMB and the Congress, whichever is later, 
unless HCFA receives comments which require alterations to this notice.

ADDRESSES: The public should address comments to the HCFA Privacy Act 
Officer, Division of Freedom of Information and Privacy, Office of 
Information Services, C2-01-11, Baltimore, Maryland 21244-1850. 
Comments received will be available for review at this location, by 
appointment, Monday through Friday from 9 am.--3 pm., eastern time 
zone.

FOR FURTHER INFORMATION CONTACT: Helene Fredeking, Director, Division 
of Outcomes and Improvements, Center for Medicaid and State Operations, 
HCFA, 7500 Security Boulevard, S2-11-07, Baltimore, Maryland 21244-
1850. The telephone number is (410) 786-7304.

SUPPLEMENTARY INFORMATION: Sections 1819(b)(3)(A) and 1919(b)(3)(A) of 
the Social Security Act require LTC facilities participating in the 
Medicare and Medicaid programs to conduct comprehensive, accurate, 
standardized, reproducible assessments of each resident's functional 
capacity. Sections 1819(f) and 1919(f) of the Social Security Act 
require the Secretary to specify an MDS of core elements and common 
definitions for use by the facilities, to establish guidelines for use 
of the data set, and to designate one or more assessment instruments 
which a state requires facilities to use.
    A notice of proposed rulemaking (NPRM) was published in the Federal 
Register, Vol. 57, No. 249, page 61626 on December 28, 1992. A final 
rule was published, in the Federal Register, Vol. 62, No. 246, page 
67174--67213, on December 23, 1997. The rule requires facilities 
certified to participate in Medicare and/or Medicaid to encode and 
transmit the information contained in the MDS to the state using a 
format that conforms to standard record layouts and data dictionaries. 
The state is subsequently required to transmit the data to HCFA using 
the same standard record layouts and data dictionaries.
    This new system of records shall contain the assessment information 
(MDS records) for each individual residing in LTC facilities that are 
certified to participate in the Medicare and/or Medicaid programs 
(including private pay individuals). Each state's resident assessment 
instrument must contain the assessment instrument designated by HCFA, 
which includes the MDS and its common definitions, triggers, and 
utilization guidelines.
    The LTC MDS includes standard demographic data for identification 
such as resident name, Social Security Number, Medicare number, 
Medicaid number, gender, race/ethnicity, and birth date. The MDS may 
also contain data elements that describe the resident's health status 
in the following areas:

    Customary Routines
    Cognitive Patterns
    Communication/Hearing Patterns
    Vision Patterns
    Mood and Behavior Patterns
    Psychosocial Well-being
    Physical Functioning and Structural Problems
    Continence Status
    Disease Diagnoses
    Health Conditions
    Oral/Nutritional Status
    Oral/Dental Status
    Skin Condition
    Activity Pursuit Patterns
    Medications
    Special Treatments and Procedures
    Discharge Potential and Overall Status
    Participation in Assessment

    The Privacy Act allows us to disclose information without an 
individual's consent if the information is to be used for a purpose 
which is compatible with the purpose(s) for which the information was 
collected. Any such compatible use of data is known as a ``routine 
use.'' The proposed routine uses in this system meet the compatibility 
requirement of the Privacy Act.

    Dated: May 19, 1998.
Nancy-Ann Min DeParle,
Administrator, Health Care Financing Administration.
09-70-1516

SYSTEM NAME:
    Long Term Care Minimum Data Set (LTC MDS), HHS/HCFA/CMSO.

SECURITY CLASSIFICATION:
    None.

SYSTEM LOCATION:
    HCFA Data Center, 7500 Security Boulevard, Baltimore, Maryland 
21244-1850.
    HCFA contractors and agents at various locations.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Residents in all LTC facilities that are Medicare and/or Medicaid 
certified, including private pay individuals.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Individual-level demographic and identifying data as well as 
clinical status data.

[[Page 28397]]

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Sections 1102(a), 1819(f), 1919(f), 1819(b)(3)(A), 1919(b)(3)(A), 
and 1864 of the Social Security Act.

PURPOSE(S):
    To aid in the administration of the survey and certification of 
Medicare/Medicaid LTC facilities and to study the effectiveness and 
quality of care given in those facilities. This system will also 
support regulatory, reimbursement, policy, and research functions, and 
enable regulators to provide long term care facility staff with outcome 
data for providers' internal quality improvement activities.

ROUTINE USE OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    These routine uses specify additional circumstances under which 
HCFA may release information from the LTC MDS system without the 
consent of the individual to whom such information pertains. Each 
proposed disclosure of information under these routine uses will be 
evaluated to ensure that the disclosure is legally permissible, 
including but not limited to ensuring that the purpose of the 
disclosure is compatible with the purpose for which the information was 
collected. Also, HCFA will require each prospective recipient of such 
information to agree in writing to certain conditions to ensure the 
continuing confidentiality and physical safeguards of the information. 
More specifically, as a condition of each disclosure under these 
routine uses, HCFA will, as necessary and appropriate:
    (a) Determine that no other Federal statute specifically prohibits 
disclosure of the information;
    (b) Determine that the use or disclosure does not violate legal 
limitations under which the information was provided, collected, or 
obtained;
    (c) Determine that the purpose for which the disclosure is to be 
made;
    (1) Cannot reasonably be accomplished unless the information is 
provided in individually identifiable form;
    (2) Is of sufficient importance to warrant the effect on or the 
risk to the privacy of the individual(s) that additional exposure of 
the record(s) might bring; and
    (3) There is a reasonable probability that the purpose of the 
disclosure will be accomplished;
    (d) Require the recipient of the information to:
    (1) Establish reasonable administrative, technical, and physical 
safeguards to prevent unauthorized access, use, or disclosure of the 
record or any part thereof. The physical safeguards shall provide a 
level of security that is at least the equivalent to the level of 
security contemplated in OMB Circular No. A-130 (revised), Appendix 
III, Security of Federal Automated Information Systems which sets forth 
guidelines for security plans for automated information systems in 
Federal agencies.
    (2) Remove or destroy the information that allows subject 
individual(s) to be identified at the earliest time at which removal or 
destruction can be accomplished, consistent with the purpose of the 
request;
    (3) Refrain from using or disclosing the information for any 
purpose other than the stated purpose under which the information was 
disclosed; and
    (4) Make no further use or disclosure of the information except:
    (i) To prevent or address an emergency directly affecting the 
health or safety of an individual;
    (ii) For use on another project under the same conditions, provided 
HCFA has authorized the additional use(s) in writing; or
    (iii) When required by law;
    (e) Secure a written statement or agreement from the prospective 
recipient of the information whereby the prospective recipient attests 
to an understanding of, and willingness to abide by, the foregoing 
provisions and any additional provisions that HCFA deems appropriate in 
the particular circumstance; and
    (f) Determine whether the disclosure constitutes a computer 
``matching program'' as defined in 5 U.S.C. 552a(a)(8). If the 
disclosure is determined to be a computer ``matching program,'' the 
instructions regarding preparation and transmission of a matching 
agreement as stated in 5 U.S.C. 552a(o) must be followed.
    Disclosure may be made:
    1. To a Congressional office from the record of an individual in 
response to an inquiry from the Congressional office made at the 
request of that individual.
    2. To the Bureau of Census for use in processing research and 
statistical data directly related to the administration of Agency 
programs.
    3. To the Department of Justice, to a court or other tribunal, or 
to another party before such tribunal, when:
    (a) HHS, or any component thereof;
    (b) Any HHS employee in his or her official capacity; or
    (c) Any HHS employee in his or her individual capacity where the 
Department of Justice (or HHS, where it is authorized to do so) has 
agreed to represent the employee; or
    (d) The United States or any agency thereof where HHS determines 
that the litigation is likely to affect HHS or any of its components; 
is party to litigation or has an interest to such litigation, and HHS 
determines that the use of such records by the Department of Justice, 
the tribunal, or the other party is relevant and necessary to the 
litigation and would help in the effective presentation of the 
governmental party or interest, provided, however, that in each case 
HHS determines that such disclosure is compatible with the purpose for 
which the records were collected.
    4. To an individual or organization for a research, evaluation, or 
epidemiological project related to the prevention of disease or 
disability, or the restoration or maintenance of health.
    5. To a HCFA contractor for the purpose of collating, analyzing, 
aggregating, or otherwise refining or processing records in this system 
or for developing, modifying, and/or manipulating automated data 
processing (ADP) software. Data could also be disclosed to contractors 
incidental to consultation, programming, operation, user assistance, or 
maintenance for ADP or telecommunications systems containing or 
supporting records in the system.
    6. To an agency of a state government, or established by state law, 
for purposes of determining, evaluating, and/or assessing overall or 
aggregate cost, effectiveness, and/or quality of health care services 
provided in the state; or for the purpose of administration of federal-
state health care programs within the state. Data will be released to 
the state only on those individuals who are either residents in long 
term care facilities within the state or are legal residents of the 
state irrespective of the location of the LTC facility wherein they are 
residents. In effect, only data collected by the state for HCFA may be 
released for this purpose.
    7. To another Federal agency (1) To contribute to the accuracy of 
HCFA's proper payment of Medicare health benefits, and/or (2) to enable 
such agency to administer a Federal health benefits program, or as 
necessary to enable such agency to fulfill a requirement of a Federal 
statute or regulation that implements a health benefits program funded 
in whole or in part with Federal funds.
    8. To a HCFA contractor to perform Title XI or Title XVIII (of the 
Social Security Act) functions. Records from the LTC MDS may be 
released to a Peer Review Organization (PRO), or other HCFA contractor 
respectively, for performing medical review functions under these 
provisions of the law.

[[Page 28398]]

    9. To a HCFA contractor, including but not limited to, fiscal 
intermediaries and carriers under Title XVIII of the Social Security 
Act, to administer some aspect of a HCFA-administered health benefits 
program, or to a grantee of a HCFA-administered grant program, which 
program is or could be affected by fraud or abuse, for the purpose of 
preventing, deterring, discovering, detecting, investigating, 
examining, prosecuting, suing with respect to, defending against, 
correcting, remedying, or otherwise combating such fraud or abuse in 
such programs.
    10. To another Federal agency or to an instrumentality of any 
governmental jurisdiction within or under the control of the United 
States, including any state or local government agency, for the purpose 
of preventing, deterring, discovering, detecting, investigating, 
examining, prosecuting, suing with respect to, defending against, 
correcting, remedying, or otherwise combating such fraud or abuse in 
such programs.
    11. To any entity that makes payment for or oversees administration 
of health care services, for the purpose of preventing, deterring, 
discovering, detecting, investigating, examining, prosecuting, suing 
with respect to, defending against, correcting, remedying, or otherwise 
combating fraud or abuse against such entity or the program or services 
administered by such entity, provided:
    (i) Such entity enters into an agreement with HCFA to share 
knowledge and information regarding actual or potential fraudulent or 
abusive practices or activities regarding the delivery or receipt of 
health care services, or regarding securing payment or reimbursement 
for health care services, or any practice or activity that, if directed 
toward a HCFA-administered program, might reasonably be construed as 
actually or potentially fraudulent or abusive;
    (ii) Such entity does, on a regular basis, or at such times as HCFA 
may request, fully and freely share such knowledge and information with 
HCFA, or as directed by HCFA, with HCFA's contractors; and
    (iii) HCFA determines that it may reasonably conclude that the 
knowledge or information it has received or is likely to receive from 
such entity could lead to preventing, deterring, discovering, 
detecting, investigating, examining, prosecuting, suing with respect 
to, defending against, correcting, remedying, or otherwise combating 
fraud or abuse in the Medicare, Medicaid, or other health benefits 
program administered by HCFA or funded in whole or in part by Federal 
funds.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    All records are stored on magnetic media.

RETRIEVABILITY:
    All records are retrieved by Social Security Number or Health 
Insurance Claim Number or by state-assigned Medicaid number.

SAFEGUARDS:
    For computerized records, safeguards established in accordance with 
Department standards and National Institute of Standards and Technology 
guidelines (e.g., security codes) will be used, limiting access to 
authorized personnel. System securities are established in accordance 
with HHS, Information Resource Management (IRM) Circular #10, Automated 
Information Systems (AIS) Guide, Systems Security Policies, and OMB 
Circular No. A-130 (revised), Appendix III.

RETENTION AND DISPOSAL:
    Records are maintained with identifiers as long as needed for 
program research.

SYSTEM MANAGER(s) AND ADDRESS:
    Director, Center for Medicaid and State Operations, 7500 Security 
Boulevard, Baltimore, Maryland, 21244-1850.

NOTIFICATION PROCEDURE:
    To determine whether the individual's record is in the system, the 
subject individual should write to the system manager and furnish the 
following information: Name of system; health insurance claim number; 
and for verification purposes, the subject individual's name (woman's 
maiden name, if applicable), social security number, address, date of 
birth, and sex.

RECORD ACCESS PROCEDURES:
    For purpose of access, use the same procedures outlined in 
Notification Procedures above. Individuals in the system should also 
reasonably specify the record contents being sought. (These access 
procedures are in accordance with the Department regulations 45 CFR 
5b.5.)

CONTESTING RECORD PROCEDURES:
    The subject individual should contact the system manager named 
above, and reasonably identify the record and specify the information 
to be contested. State the corrective action sought and the reasons for 
the correction with supporting justification. (These procedures are in 
accordance with Department regulations 45 CFR 5b.7.)

RECORD SOURCE CATEGORIES:
    LTC Resident Assessment Instrument which includes the minimum data 
set and resident assessment protocols.

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
    None.

[FR Doc. 98-13856 Filed 5-21-98; 8:45 am]
BILLING CODE 4120-03-P