[Federal Register Volume 66, Number 52 (Friday, March 16, 2001)]
[Notices]
[Pages 15264-15268]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 01-6539]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Health Care Financing Administration


Privacy Act of 1974; Report of Modified or Altered System

AGENCY: Department of Health and Human Services (HHS), Health Care 
Financing Administration (HCFA).

ACTION: Notice of modified or altered system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, we are proposing to modify or alter a system of records, ``Record 
of Individuals Authorized Entry to HCFA Buildings Via A Card Key Access 
System (RICKS), HHS/HCFA/OBA, System No. 09-70-3001.'' We are also 
proposing to delete previously published routine use number 1 
pertaining to the Federal Protective Services, number 2 pertaining to 
management officials inquiring about an individual's arrival time, 
number 3 pertaining to contractors and other Federal agencies, number 6 
pertaining to a contractor, and an unnumbered routine use which 
authorized disclosure to the Social Security Administration (SSA). 
Disclosures allowed by routine uses number 1, 3 pertaining to ``Federal 
agencies,'' and to the SSA will be covered by proposed routine use 
number 2 to permit release of information to ``another Federal 
agency.'' Routine use number 2 is being deleted because it is not clear 
what ``management officials'' are being identified and who should 
receive information referred to in routine use number 2. Disclosures to 
a ``management official inquiring about an individual's arrival time'' 
are covered by exception 1 of the Privacy Act and should not be treated 
as a routine use. Disclosures previously allowed by routine uses number 
3 pertaining to contractors and number 6 will now be

[[Page 15265]]

covered by proposed routine use number 1. The security classification 
previously reported as ``None'' will be modified to reflect that the 
data in this system is considered to be ``Level Three Privacy Act 
Sensitive.'' We are modifying the language in the remaining routine 
uses to provide clarity to HCFA's intention to disclose individual-
specific information contained in this system. The routine uses will 
then be prioritized and reordered according to their proposed usage. We 
will also take the opportunity to update any sections of the system 
that were affected by the recent reorganization and to update language 
in the administrative sections to correspond with language used in 
other HCFA systems of records.
    The primary purpose of the system of records is to issue and 
control United States Government card keys to all HCFA employees and 
other authorized individuals who require access into certain designated 
or secured areas. Information retrieved from this system of records 
will be used to: support regulatory and policy functions performed 
within the agency or by a contractor or consultant, assist other 
Federal agencies to conduct activities related to this system, support 
constituent requests made to a congressional representative, and 
support litigation involving the agency. We have provided background 
information about the modified system in the Supplementary Information 
section below. Although the Privacy Act requires only that HCFA provide 
an opportunity for interested persons to comment on the proposed 
routine uses, HCFA invites comments on all portions of this notice. See 
Effective Dates section for comment period.

EFFECTIVE DATES: HCFA filed a modified or altered system report with 
the Chair of the House Committee on Government Reform and Oversight, 
the Chair of the Senate Committee on Governmental Affairs, and the 
Administrator, Office of Information and Regulatory Affairs, Office of 
Management and Budget (OMB) on March 12, 2001. To ensure that all 
parties have adequate time in which to comment, the modified or altered 
system of records, including routine uses, will become effective 40 
days from the publication of the notice, or from the date it was 
submitted to OMB and the Congress, whichever is later, unless HCFA 
receives comments that require alterations to this notice.

ADDRESSES: The public should address comments to: Director, Division of 
Data Liaison and Distribution, HCFA, Room N2-04-27, 7500 Security 
Boulevard, Baltimore, Maryland 21244-1850. Comments received will be 
available for review at this location, by appointment, during regular 
business hours, Monday through Friday from 9 a.m.-3 p.m., eastern time 
zone.

FOR FURTHER INFORMATION CONTACT: Marcia Levin, Division of Facilities 
Management Services, Administrative Services Group, HCFA, SLL-11-18, 
7500 Security Boulevard, Baltimore, Maryland 21244-1850. The telephone 
number is 410-786-7840.

SUPPLEMENTARY INFORMATION:

I. Description of the Modified System of Records

Statutory and Regulatory Basis for System of Records

    In 1981, HCFA established a system of records under the authority 
of Title 41 Code of Federal Regulations (CFR) Chapter 101-20.302, 
``Conduct on Federal Property,'' Title 5 United States Code (U.S.C.) 
552a(e)(10), and Office of Management and Budget Circular A-123, 
``Internal Control Systems.'' Notice of this system, ``Record of 
Individuals Authorized Entry to HCFA Buildings via A Card Key Access 
System, HHS/HCFA/OBA, System No. 09-70-3001'' was published in the 
Federal Register on January 15, 1981 (46 FR 3524), and modified at 61 
FR 6645 (added unnumbered social security use). These regulations and 
directives established that federal workers and other authorized 
personnel may be issued United States Government identification cards.

II. Collection and Maintenance of Data in the System

A. Scope of the Data Collected

    The system contains names of Federal employees, contractors and 
consultants, Government Services Administration (GSA) employees, and 
contract guards working in the central office complex in Baltimore, 
assigned card key number, and the building/secure area location. The 
system also contains the date and time of actual or attempted entry to 
secured areas.

B. Agency Policies, Procedures, and Restrictions on the Routine Use

    The Privacy Act permits us to disclose information without an 
individual's consent if the information is to be used for a purpose 
which is compatible with the purpose(s) for which the information was 
collected. Any such disclosure of data is known as a ``routine use.'' 
The government will only release RICKS information as provided for 
under ``Section III. Entities Who May Receive Disclosures Under Routine 
Use.''
    We will only disclose the minimum personal data necessary to 
achieve the purpose of RICKS. HCFA has the following policies and 
procedures concerning disclosures of information which will be 
maintained in the system. In general, disclosure of information from 
the system of records will be approved only for the minimum information 
necessary to accomplish the purpose of the disclosure only after HCFA:
    (a) Determines that the use or disclosure is consistent with the 
reason that the data is being collected, e.g., to issue and control 
United States Government card keys to all HCFA employees and other 
authorized individuals.
    (b) Determines:
    (1) That the purpose for which the disclosure is to be made can 
only be accomplished if the record is provided in individually 
identifiable form;
    (2) That the purpose for which the disclosure is to be made is of 
sufficient importance to warrant the effect and/or risk on the privacy 
of the individual that additional exposure of the record might bring; 
and
    (3) That there is a strong probability that the proposed use of the 
data would in fact accomplish the stated purpose(s).
    (c) Requires the information recipient to:
    (1) Establish administrative, technical, and physical safeguards to 
prevent unauthorized use of disclosure of the record;
    (2) Remove or destroy at the earliest time all individually-
identifiable information; and
    (3) Agree to not use or disclose the information for any purpose 
other than the stated purpose under which the information was 
disclosed.
    (d) Determines that the data are valid and reliable.

III. Proposed Routine Use Disclosures of Data in the System

Entities Who May Receive Disclosures Under Routine Use

    These routine uses specify circumstances, in addition to those 
provided by statute in the Privacy Act of 1974, under which HCFA may 
release information from the RICKS without the consent of the 
individual to whom such information pertains. Each proposed disclosure 
of information under these routine uses will be evaluated to ensure 
that the disclosure is legally permissible, including but not limited 
to ensuring that the purpose of the disclosure is compatible with the 
purpose for which the information was collected. We are proposing to 
establish

[[Page 15266]]

or modify the following routine use disclosures of information 
maintained in the system:
    1. To agency contractors, or consultants who have been engaged by 
the agency to assist in accomplishment of a HCFA function relating to 
the purposes for this system of records and who need to have access to 
the records in order to assist HCFA.
    We contemplate disclosing information under this routine use only 
in situations in which HCFA may enter into a contractual or similar 
agreement with a third party to assist in accomplishing a HCFA function 
relating to purposes for this system of records.
    HCFA occasionally contracts out certain of its functions when doing 
so would contribute to effective and efficient operations. HCFA must be 
able to give a contractor or consultant whatever information is 
necessary for the contractor or consultant to fulfill its duties. In 
these situations, safeguards are provided in the contract prohibiting 
the contractor or consultant from using or disclosing the information 
for any purpose other than that described in the contract and requires 
the contractor or consultant to return or destroy all information at 
the completion of the contract.
    2. To another federal agency to conduct activities related to this 
system of records and who need to have access to the records in order 
to perform the activity.
    We contemplate disclosing information under this routine use only 
in situations in which HCFA may enter into a contractual or similar 
agreement with another Federal agency to assist in accomplishing HCFA 
functions relating to purposes for this system of records.
    The Federal Protection Service may require RICKS information if 
investigating a crime and/or in the administration of its assigned 
responsibilities.
    3. To a Member of Congress or to a congressional staff member in 
response to an inquiry of the congressional office made at the written 
request of the constituent about whom the record is maintained.
    Federal employees and other individuals sometimes request the help 
of a Member of Congress in resolving an issue relating to a matter 
before HCFA. The Member of Congress then writes HCFA, and HCFA must be 
able to give sufficient information to be responsive to the inquiry.
    4. To the Department of Justice (DOJ), court or adjudicatory body 
when:
    (a) The agency or any component thereof, or
    (b) Any employee of the agency in his or her official capacity, or
    (c) Any employee of the agency in his or her individual capacity 
where the DOJ has agreed to represent the employee, or
    (d) The United States Government,

is a party to litigation or has an interest in such litigation, and by 
careful review, HCFA determines that the records are both relevant and 
necessary to the litigation and that the use of such records by the 
DOJ, court or adjudicatory body is compatible with the purpose for 
which the agency collected the records.
    Whenever HCFA is involved in litigation, or occasionally when 
another party is involved in litigation and HCFA's policies or 
operations could be affected by the outcome of the litigation, HCFA 
would be able to disclose information to the DOJ, court or adjudicatory 
body involved.

IV. Safeguards

    The RICKS system will conform with applicable law and policy 
governing the privacy and security of Federal automated information 
systems. These include but are not limited to: the Privacy Act of 1974, 
Computer Security Act of 1987, the Paperwork Reduction Act (PRA) of 
1995, the Clinger-Cohen Act of 1996, and OMB Circular A-130, Appendix 
III, ``Security of Federal Automated Information Resources.'' HCFA has 
prepared a comprehensive systems security plan as required by the OMB 
Circular A-130, Appendix III. This plan conforms fully to guidance 
issued by the National Institute for Standards and Technology (NIST) in 
NIST Special Publication 800-18, ``Guide for Developing Security Plans 
for Information Technology Systems.'' Paragraphs A-C of this section 
highlight some of the specific methods that HCFA is using to ensure the 
security of this system and the information within it.

A. Authorized Users

    Personnel having access to the system have been trained in Privacy 
Act and systems security requirements. Employees and contractors who 
maintain records in the system are instructed not to release any data 
until the intended recipient agrees to implement appropriate 
administrative, technical, procedural, and physical safeguards 
sufficient to protect the confidentiality of the data and to prevent 
unauthorized access to the data. In addition, HCFA is monitoring the 
authorized users to ensure against excessive or unauthorized use. 
Records are used in a designated work area or work station and the 
system location is attended at all times during working hours.
    To ensure security of the data, the proper level of class user is 
assigned for each individual user as determined at the agency level. 
This prevents unauthorized users from accessing and modifying critical 
data. The system database configuration includes five classes of 
database users:
     Database Administrator class owns the database objects, 
e.g., tables, triggers, indexes, stored procedures, packages, and has 
database administration privileges to these objects; and
     Submitter class has read and write access to database 
objects, but no database administration privileges.

B. Physical Safeguards

    All server sites have implemented the following minimum 
requirements to assist in reducing the exposure of computer equipment 
and thus achieve an optimum level of protection and security for the 
RICKS system:
    Access to all servers is controlled, with access limited to only 
those support personnel with a demonstrated need for access. Servers 
are to be kept in a locked room accessible only by specified management 
and systems support personnel. Each server requires a specific log-on 
process. All entrance doors are identified and marked. A log is kept of 
all personnel who were issued a security card, key and/or combination 
which grants access to the room housing the server, and all visitors 
are escorted while in this room. All servers are housed in an area 
where appropriate environmental security controls are implemented, 
which include measures implemented to mitigate damage to Automated 
Information System resources caused by fire, electricity, water and 
inadequate climate controls.
    Protection applied to the workstations, servers and databases 
include:
     User Log-ons--Authentication is performed by the Primary 
Domain Controller/Backup Domain Controller of the log-on domain.
     Workstation Names--Workstation naming conventions may be 
defined and implemented at the agency level.
     Hours of Operation--May be restricted by Windows NT. When 
activated, all applicable processes will automatically shut down at a 
specific time and not be permitted to resume until the predetermined 
time. The appropriate hours of operation are determined and implemented 
at the agency level.
     Inactivity Log-out--Access to the NT workstation is 
automatically logged out after a specified period of inactivity.

[[Page 15267]]

     Warnings--Legal notices and security warnings display on 
all servers and workstations.
     Remote Access Services (RAS)--Windows NT RAS security 
handles resource access control. Access to NT resources is controlled 
for remote users in the same manner as local users, by utilizing 
Windows NT file and sharing permissions. Dial-in access can be granted 
or restricted on a user-by-user basis through the Windows NT RAS 
administration tool.
    There are several levels of security found in the RICKS system. 
Windows NT provides much of the overall system security. The Windows NT 
security model is designed to meet the C2-level criteria as defined by 
the U.S. Department of Defense's Trusted Computer System Evaluation 
Criteria document (DoD 5200.28-STD, December 1985). Netscape Enterprise 
Server is the security mechanism for all transmission connections to 
the system. As a result, Netscape controls all information access 
requests. Anti-virus software is applied at both the workstation and NT 
server levels.
    Access to different areas on the Windows NT server is maintained 
through the use of file, directory and share level permissions. These 
different levels of access control provide security that is managed at 
the user and group level within the NT domain. The file and directory 
level access controls rely on the presence of an NT File System hard 
drive partition. This provides the most robust security and is tied 
directly to the file system. Windows NT security is applied at both the 
workstation and NT server levels.

C. Procedural Safeguards

    All automated systems must comply with Federal laws, guidance, and 
policies for information systems security as stated previously in this 
section. Each automated information system should ensure a level of 
security commensurate with the level of sensitivity of the data, risk, 
and magnitude of the harm that may result from the loss, misuse, 
disclosure, or modification of the information contained in the system.

V. Effect of the Modified System of Records on Individual Rights

    HCFA proposes to establish this system in accordance with the 
principles and requirements of the Privacy Act and will collect, use, 
and disseminate information only as prescribed therein. We will only 
disclose the minimum personal data necessary to achieve the purpose of 
RICKS. Disclosure of information from the system of records will be 
approved only to the extent necessary to accomplish the purpose of the 
disclosure. HCFA has assigned a higher level of security clearance for 
the information maintained in this system in an effort to provide added 
security and protection of data in this system.
    HCFA will take precautionary measures to minimize the risks of 
unauthorized access to the records and the potential harm to individual 
privacy or other personal or property rights. HCFA will collect only 
that information necessary to perform the system's functions. In 
addition, HCFA will make disclosure from the proposed system only with 
consent of the subject individual, or his/her legal representative, or 
in accordance with an applicable exception provision of the Privacy 
Act.
    HCFA, therefore, does not anticipate an unfavorable effect on 
individual privacy as a result of the disclosure of information 
relating to individuals.

Michael McMullan,
Acting Deputy Administrator, Health Care Financing Administration.
09-70-3001

System Name:
    Record of Individuals Authorized Entry to HCFA Buildings via a Card 
Key Access System (RICKS), HHS/HCFA/OICS.

Security Classification:
    Level Three Privacy Act Sensitive Data.

System Location:
    HCFA, 7500 Security Boulevard, North Building, First Floor 
(magnetic media), and South Building, Lower Level (paper), Baltimore, 
Maryland 21244-1850.

Categories of Individuals Covered by the System:
    The identified individual includes Federal employees; contractors 
and consultants; and Government Services Administration employees and 
contract guards working in HCFA's central office complex at 7500 
Security Boulevard, Baltimore, Maryland.

Categories of Records in the System:
    This system contains the name of the employees or the other 
authorized individual, assigned card key number, and building/secure 
area. The system also contains the date and time of actual or attempted 
entry to secured areas.

Authority for Maintenance of the System:
    Authority for maintenance of this system is given under Title 41 
Code of Federal Regulations (CFR) Chapter 101-20.302, ``Conduct on 
Federal Property,'' Title 5 United States Code (U.S.C.) 552a(e)(10), 
and Office of Management and Budget Circular A-123, ``Internal Control 
Systems.

Purpose(s):
    The primary purpose of the system of records is to issue and 
control United States Government card keys to all HCFA employees and 
other authorized individuals who require access into certain designated 
or secured areas. Information retrieved from this system of records 
will be used to: support regulatory and policy functions performed 
within the agency or by a contractor or consultant, assist other 
Federal agencies to conduct activities related to this system, support 
constituent requests made to a congressional representative, and 
support litigation involving the agency.

Routine Uses of Records Maintained in the System, Including Categories 
or Users and the Purposes of Such Uses:
    The Privacy Act allows us to disclose information without an 
individual's consent if the information is to be used for a purpose 
which is compatible with the purpose(s) for which the information was 
collected. Any such compatible use of data is known as a ``routine 
use.'' The proposed routine use in this system meets the compatibility 
requirement of the Privacy Act. We are proposing to establish the 
following routine use disclosures of information which will be 
maintained in the system:
    1. To agency contractors, or consultants who have been engaged by 
the agency to assist in accomplishment of a HCFA function relating to 
the purposes for this system of records and who need to have access to 
the records in order to assist HCFA.
    2. To another Federal agency engaged by the agency to assist in the 
performance of a service related to this system of records and who need 
to have access to the records in order to perform the activity.
    3. To a Member of Congress or to a congressional staff member in 
response to an inquiry of the congressional office made at the written 
request of the constituent about whom the record is maintained.
    4. To the Department of Justice (DOJ), court or adjudicatory body 
when:
    (a) The agency or any component thereof, or
    (b) Any employee of the agency in his or her official capacity, or
    (c) Any employee of the agency in his or her individual capacity 
where the DOJ has agreed to represent the employee, or

[[Page 15268]]

    (d) The United States Government, is a party to litigation or has 
an interest in such litigation, and by careful review, HCFA determines 
that the records are both relevant and necessary to the litigation and 
that the use of such records by the DOJ, court or adjudicatory body is 
compatible with the purpose for which the agency collected the records.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, 
and Disposing of Records in the System:
Storage:
    All records are stored on paper and magnetic disk.

Retrievability:
    Magnetic media records are retrieved by the name of the employees 
or other authorized individual and/or card key number. Paper records 
are retrieved alphabetically by name.

Safeguards:
    HCFA has safeguards for authorized users and monitors such users to 
ensure against excessive or unauthorized use. Personnel having access 
to the system have been trained in the Privacy Act and systems security 
requirements. Employees who maintain records in the system are 
instructed not to release any data until the intended recipient agrees 
to implement appropriate administrative, technical, procedural, and 
physical safeguards sufficient to protect the confidentiality of the 
data and to prevent unauthorized access to the data.
    In addition, HCFA has physical safeguards in place to reduce the 
exposure of computer equipment and thus achieve an optimum level of 
protection and security for the RICKS system. For computerized records, 
safeguards have been established in accordance with HHS standards and 
National Institute of Standards and Technology guidelines, e.g., 
security codes will be used, limiting access to authorized personnel. 
System securities are established in accordance with HHS, Information 
Resource ManagementCircular #10, Automated Information Systems Security 
Program, HCFA Automated Information Systems Guide, Systems Securities 
Policies, and OMB Circular No. A-130 (revised), Appendix III.

Retention and Disposal:
    Records are retained for up to 3 years following expiration of an 
individual's authority to enter secured areas. When an individual is no 
longer authorized, information is deleted from magnetic media 
immediately.

System Manager(s) and Address:
    Director, Division of Facilities Management Services, 
Administrative Services Group, Office of Internal Customer Support, 
Health Care Financing Administration, 7500 Security Boulevard, SLL-11-
08, Baltimore, Maryland 21244-1850.

Notification Procedure:
    For purpose of access, the subject individual should write to the 
system manager who will require the system name, assigned card key 
number, and building/secure area, and for verification purposes, the 
subject individual's name (woman's maiden name, if applicable), and 
social security number (SSN). Furnishing the SSN is voluntary, but it 
may make searching for a record easier and prevent delay.

Record Access Procedure:
    For purpose of access, use the same procedures outlined in 
Notification Procedures above. Requestors should also reasonably 
specify the record contents being sought. (These procedures are in 
accordance with Department regulation 45 CFR 5b.5(a)(2).)

Contesting Record Procedures:
    The subject individual should contact the system manager named 
above, and reasonably identify the record and specify the information 
to be contested. State the corrective action sought and the reasons for 
the correction with supporting justification. (These procedures are in 
accordance with Department regulation 45 CFR 5b.7.)

Record Source Categories:
    HCFA obtains information in this system from the individuals who 
submit a request for access to a secure building or area.

Systems Exempted from Certain Provisions of the Act:
    None.

[FR Doc. 01-6539 Filed 3-15-01; 8:45 am]
BILLING CODE 4120-03-U