[Federal Register Volume 63, Number 99 (Friday, May 22, 1998)] [Notices] [Pages 28396-28398] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 98-13856] ----------------------------------------------------------------------- DEPARTMENT OF HEALTH AND HUMAN SERVICES Health Care Financing Administration Privacy Act of 1974; Report of New System AGENCY: Health Care Financing Administration (HCFA), Department Health and Human Services (HHS). ACTION: Notice of New System of Records. ----------------------------------------------------------------------- SUMMARY: In accordance with the requirements of the Privacy Act of 1974, we are proposing to establish a new system of records, ``Long Term Care Minimum Data Set (LTC MDS),'' HHS/HCFA/CMSO System No. 09-70- 1516. We have provided background information about the proposed system in the ``Supplementary Information'' section below. Although the Privacy Act requires only that the ``routine use'' portion of the system be published for comment, HCFA invites comments on all portions of this notice. See ``Effective Dates'' section for comment period. EFFECTIVE DATES: HCFA filed a new system report with the Chair of the House Committee on Government Reform and Oversight, the Chair of the Senate Committee on Governmental Affairs, and the Administrator, Office of Information and Regulatory Affairs, Office of Management and Budget (OMB) on May 19, 1998. To ensure that all parties have adequate time in which to comment, the new system of records, including routine uses, will become effective 40 days after the publication of this notice or from the date submitted to OMB and the Congress, whichever is later, unless HCFA receives comments which require alterations to this notice. ADDRESSES: The public should address comments to the HCFA Privacy Act Officer, Division of Freedom of Information and Privacy, Office of Information Services, C2-01-11, Baltimore, Maryland 21244-1850. Comments received will be available for review at this location, by appointment, Monday through Friday from 9 am.--3 pm., eastern time zone. FOR FURTHER INFORMATION CONTACT: Helene Fredeking, Director, Division of Outcomes and Improvements, Center for Medicaid and State Operations, HCFA, 7500 Security Boulevard, S2-11-07, Baltimore, Maryland 21244- 1850. The telephone number is (410) 786-7304. SUPPLEMENTARY INFORMATION: Sections 1819(b)(3)(A) and 1919(b)(3)(A) of the Social Security Act require LTC facilities participating in the Medicare and Medicaid programs to conduct comprehensive, accurate, standardized, reproducible assessments of each resident's functional capacity. Sections 1819(f) and 1919(f) of the Social Security Act require the Secretary to specify an MDS of core elements and common definitions for use by the facilities, to establish guidelines for use of the data set, and to designate one or more assessment instruments which a state requires facilities to use. A notice of proposed rulemaking (NPRM) was published in the Federal Register, Vol. 57, No. 249, page 61626 on December 28, 1992. A final rule was published, in the Federal Register, Vol. 62, No. 246, page 67174--67213, on December 23, 1997. The rule requires facilities certified to participate in Medicare and/or Medicaid to encode and transmit the information contained in the MDS to the state using a format that conforms to standard record layouts and data dictionaries. The state is subsequently required to transmit the data to HCFA using the same standard record layouts and data dictionaries. This new system of records shall contain the assessment information (MDS records) for each individual residing in LTC facilities that are certified to participate in the Medicare and/or Medicaid programs (including private pay individuals). Each state's resident assessment instrument must contain the assessment instrument designated by HCFA, which includes the MDS and its common definitions, triggers, and utilization guidelines. The LTC MDS includes standard demographic data for identification such as resident name, Social Security Number, Medicare number, Medicaid number, gender, race/ethnicity, and birth date. The MDS may also contain data elements that describe the resident's health status in the following areas: Customary Routines Cognitive Patterns Communication/Hearing Patterns Vision Patterns Mood and Behavior Patterns Psychosocial Well-being Physical Functioning and Structural Problems Continence Status Disease Diagnoses Health Conditions Oral/Nutritional Status Oral/Dental Status Skin Condition Activity Pursuit Patterns Medications Special Treatments and Procedures Discharge Potential and Overall Status Participation in Assessment The Privacy Act allows us to disclose information without an individual's consent if the information is to be used for a purpose which is compatible with the purpose(s) for which the information was collected. Any such compatible use of data is known as a ``routine use.'' The proposed routine uses in this system meet the compatibility requirement of the Privacy Act. Dated: May 19, 1998. Nancy-Ann Min DeParle, Administrator, Health Care Financing Administration. 09-70-1516 SYSTEM NAME: Long Term Care Minimum Data Set (LTC MDS), HHS/HCFA/CMSO. SECURITY CLASSIFICATION: None. SYSTEM LOCATION: HCFA Data Center, 7500 Security Boulevard, Baltimore, Maryland 21244-1850. HCFA contractors and agents at various locations. CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: Residents in all LTC facilities that are Medicare and/or Medicaid certified, including private pay individuals. CATEGORIES OF RECORDS IN THE SYSTEM: Individual-level demographic and identifying data as well as clinical status data. [[Page 28397]] AUTHORITY FOR MAINTENANCE OF THE SYSTEM: Sections 1102(a), 1819(f), 1919(f), 1819(b)(3)(A), 1919(b)(3)(A), and 1864 of the Social Security Act. PURPOSE(S): To aid in the administration of the survey and certification of Medicare/Medicaid LTC facilities and to study the effectiveness and quality of care given in those facilities. This system will also support regulatory, reimbursement, policy, and research functions, and enable regulators to provide long term care facility staff with outcome data for providers' internal quality improvement activities. ROUTINE USE OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES: These routine uses specify additional circumstances under which HCFA may release information from the LTC MDS system without the consent of the individual to whom such information pertains. Each proposed disclosure of information under these routine uses will be evaluated to ensure that the disclosure is legally permissible, including but not limited to ensuring that the purpose of the disclosure is compatible with the purpose for which the information was collected. Also, HCFA will require each prospective recipient of such information to agree in writing to certain conditions to ensure the continuing confidentiality and physical safeguards of the information. More specifically, as a condition of each disclosure under these routine uses, HCFA will, as necessary and appropriate: (a) Determine that no other Federal statute specifically prohibits disclosure of the information; (b) Determine that the use or disclosure does not violate legal limitations under which the information was provided, collected, or obtained; (c) Determine that the purpose for which the disclosure is to be made; (1) Cannot reasonably be accomplished unless the information is provided in individually identifiable form; (2) Is of sufficient importance to warrant the effect on or the risk to the privacy of the individual(s) that additional exposure of the record(s) might bring; and (3) There is a reasonable probability that the purpose of the disclosure will be accomplished; (d) Require the recipient of the information to: (1) Establish reasonable administrative, technical, and physical safeguards to prevent unauthorized access, use, or disclosure of the record or any part thereof. The physical safeguards shall provide a level of security that is at least the equivalent to the level of security contemplated in OMB Circular No. A-130 (revised), Appendix III, Security of Federal Automated Information Systems which sets forth guidelines for security plans for automated information systems in Federal agencies. (2) Remove or destroy the information that allows subject individual(s) to be identified at the earliest time at which removal or destruction can be accomplished, consistent with the purpose of the request; (3) Refrain from using or disclosing the information for any purpose other than the stated purpose under which the information was disclosed; and (4) Make no further use or disclosure of the information except: (i) To prevent or address an emergency directly affecting the health or safety of an individual; (ii) For use on another project under the same conditions, provided HCFA has authorized the additional use(s) in writing; or (iii) When required by law; (e) Secure a written statement or agreement from the prospective recipient of the information whereby the prospective recipient attests to an understanding of, and willingness to abide by, the foregoing provisions and any additional provisions that HCFA deems appropriate in the particular circumstance; and (f) Determine whether the disclosure constitutes a computer ``matching program'' as defined in 5 U.S.C. 552a(a)(8). If the disclosure is determined to be a computer ``matching program,'' the instructions regarding preparation and transmission of a matching agreement as stated in 5 U.S.C. 552a(o) must be followed. Disclosure may be made: 1. To a Congressional office from the record of an individual in response to an inquiry from the Congressional office made at the request of that individual. 2. To the Bureau of Census for use in processing research and statistical data directly related to the administration of Agency programs. 3. To the Department of Justice, to a court or other tribunal, or to another party before such tribunal, when: (a) HHS, or any component thereof; (b) Any HHS employee in his or her official capacity; or (c) Any HHS employee in his or her individual capacity where the Department of Justice (or HHS, where it is authorized to do so) has agreed to represent the employee; or (d) The United States or any agency thereof where HHS determines that the litigation is likely to affect HHS or any of its components; is party to litigation or has an interest to such litigation, and HHS determines that the use of such records by the Department of Justice, the tribunal, or the other party is relevant and necessary to the litigation and would help in the effective presentation of the governmental party or interest, provided, however, that in each case HHS determines that such disclosure is compatible with the purpose for which the records were collected. 4. To an individual or organization for a research, evaluation, or epidemiological project related to the prevention of disease or disability, or the restoration or maintenance of health. 5. To a HCFA contractor for the purpose of collating, analyzing, aggregating, or otherwise refining or processing records in this system or for developing, modifying, and/or manipulating automated data processing (ADP) software. Data could also be disclosed to contractors incidental to consultation, programming, operation, user assistance, or maintenance for ADP or telecommunications systems containing or supporting records in the system. 6. To an agency of a state government, or established by state law, for purposes of determining, evaluating, and/or assessing overall or aggregate cost, effectiveness, and/or quality of health care services provided in the state; or for the purpose of administration of federal- state health care programs within the state. Data will be released to the state only on those individuals who are either residents in long term care facilities within the state or are legal residents of the state irrespective of the location of the LTC facility wherein they are residents. In effect, only data collected by the state for HCFA may be released for this purpose. 7. To another Federal agency (1) To contribute to the accuracy of HCFA's proper payment of Medicare health benefits, and/or (2) to enable such agency to administer a Federal health benefits program, or as necessary to enable such agency to fulfill a requirement of a Federal statute or regulation that implements a health benefits program funded in whole or in part with Federal funds. 8. To a HCFA contractor to perform Title XI or Title XVIII (of the Social Security Act) functions. Records from the LTC MDS may be released to a Peer Review Organization (PRO), or other HCFA contractor respectively, for performing medical review functions under these provisions of the law. [[Page 28398]] 9. To a HCFA contractor, including but not limited to, fiscal intermediaries and carriers under Title XVIII of the Social Security Act, to administer some aspect of a HCFA-administered health benefits program, or to a grantee of a HCFA-administered grant program, which program is or could be affected by fraud or abuse, for the purpose of preventing, deterring, discovering, detecting, investigating, examining, prosecuting, suing with respect to, defending against, correcting, remedying, or otherwise combating such fraud or abuse in such programs. 10. To another Federal agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States, including any state or local government agency, for the purpose of preventing, deterring, discovering, detecting, investigating, examining, prosecuting, suing with respect to, defending against, correcting, remedying, or otherwise combating such fraud or abuse in such programs. 11. To any entity that makes payment for or oversees administration of health care services, for the purpose of preventing, deterring, discovering, detecting, investigating, examining, prosecuting, suing with respect to, defending against, correcting, remedying, or otherwise combating fraud or abuse against such entity or the program or services administered by such entity, provided: (i) Such entity enters into an agreement with HCFA to share knowledge and information regarding actual or potential fraudulent or abusive practices or activities regarding the delivery or receipt of health care services, or regarding securing payment or reimbursement for health care services, or any practice or activity that, if directed toward a HCFA-administered program, might reasonably be construed as actually or potentially fraudulent or abusive; (ii) Such entity does, on a regular basis, or at such times as HCFA may request, fully and freely share such knowledge and information with HCFA, or as directed by HCFA, with HCFA's contractors; and (iii) HCFA determines that it may reasonably conclude that the knowledge or information it has received or is likely to receive from such entity could lead to preventing, deterring, discovering, detecting, investigating, examining, prosecuting, suing with respect to, defending against, correcting, remedying, or otherwise combating fraud or abuse in the Medicare, Medicaid, or other health benefits program administered by HCFA or funded in whole or in part by Federal funds. POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM: STORAGE: All records are stored on magnetic media. RETRIEVABILITY: All records are retrieved by Social Security Number or Health Insurance Claim Number or by state-assigned Medicaid number. SAFEGUARDS: For computerized records, safeguards established in accordance with Department standards and National Institute of Standards and Technology guidelines (e.g., security codes) will be used, limiting access to authorized personnel. System securities are established in accordance with HHS, Information Resource Management (IRM) Circular #10, Automated Information Systems (AIS) Guide, Systems Security Policies, and OMB Circular No. A-130 (revised), Appendix III. RETENTION AND DISPOSAL: Records are maintained with identifiers as long as needed for program research. SYSTEM MANAGER(s) AND ADDRESS: Director, Center for Medicaid and State Operations, 7500 Security Boulevard, Baltimore, Maryland, 21244-1850. NOTIFICATION PROCEDURE: To determine whether the individual's record is in the system, the subject individual should write to the system manager and furnish the following information: Name of system; health insurance claim number; and for verification purposes, the subject individual's name (woman's maiden name, if applicable), social security number, address, date of birth, and sex. RECORD ACCESS PROCEDURES: For purpose of access, use the same procedures outlined in Notification Procedures above. Individuals in the system should also reasonably specify the record contents being sought. (These access procedures are in accordance with the Department regulations 45 CFR 5b.5.) CONTESTING RECORD PROCEDURES: The subject individual should contact the system manager named above, and reasonably identify the record and specify the information to be contested. State the corrective action sought and the reasons for the correction with supporting justification. (These procedures are in accordance with Department regulations 45 CFR 5b.7.) RECORD SOURCE CATEGORIES: LTC Resident Assessment Instrument which includes the minimum data set and resident assessment protocols. SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT: None. [FR Doc. 98-13856 Filed 5-21-98; 8:45 am] BILLING CODE 4120-03-P