[Federal Register Volume 67, Number 173 (Friday, September 6, 2002)]
[Notices]
[Pages 57011-57014]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 02-22602]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of Civil Rights


Privacy Act of 1974; New System of Records

AGENCY: Office for Civil Rights, HHS.

ACTION: Notification of a New System of Records (SOR).

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act, the 
Office for Civil Rights (OCR) is publishing notice of a new system of 
records (SOR) called the ``Program information Management System 
(PIMS), HHS/OS/OCR (09-90-0052).'' We are giving notice of the routine 
uses for this new system.

EFFECTIVE DATES: OCR invites interested parties to submit comments on 
the proposed internal and routine uses on or before October 7, 2002. 
OCR has sent a Report of a New System of Records to the Congress and to 
the Office of Management and Budget (OMB) on August 6, 2002. The system 
of records

[[Page 57012]]

will be effective 40 days from the date submitted to OMB unless OCR 
receives comments which would result in a contrary determination.

ADDRESSES: The public should address comments to: Larry Velez, Program, 
Policy and Training Division, Office for Civil Rights, Department of 
Health and Human Services, Room 553E, Hubert H. Humphrey Building, 200 
Independence Avenue SW., Washington, DC 20201. Comments also may be 
sent via e-mail to [email protected]. Comments received will be through 
Friday from 9 a.m. - 3 p.m., eastern standard time.

FOR FURTHER INFORMATION CONTACT: Claudia Schlosberg, Acting Director, 
Program, Policy and Training Division, Office for Civil Rights, 
Department of Health and Human Services, Room 553E, Hubert H. Humphrey 
Building, 200 Independence Avenue SW., Washington, DC 20201. Telephone 
number: (202) 619-3197.

SUPPLEMENTARY INFORMATION: The Office for Civil Rights (OCR) is 
responsible for enforcing Title VI of the Civil Rights Act of 1964, 
section 504 of the Rehabilitation Act of 1973, the Age Discrimination 
Act of 1975 and other statutes which prohibit discrimination by 
programs or entities that receive Federal financial assistance. 
Additionally, OCR has jurisdiction over Federally conducted programs in 
cases involving disability-based discrimination under section 504 of 
the Rehabilitation Act, over state and local public entities in cases 
involving disability-based discrimination under Title II of the 
Americans with Disabilities Act and certain health plans, health 
clearinghouses and health care providers with respect to enforcement of 
medical privacy obligations under the Health Insurance Portability and 
Accountability Act (HIPAA).
    Currently, OCR maintains two system of records: the ``Case 
Information Management System (CIMS), HHS/OS/OCR (09-90-0050),'' and 
the ``Complaint File and Log, HHS/OS/OCR (09-90-0051).'' CIMS also 
includes the Case Activity Tracking System (CATS) which was created to 
use newer computer technology (i.e., moved CIMS off a mainframe 
computer onto a local area network environment), but continued to 
collect and store the same information as in CIMS.
    CMS is used to track complaints and compliance review activity. The 
Complaint File and Log consists primarily of paper files, complaint 
allegations, information gathered during complaint investigations or 
reviews, letters of findings and correspondence relating to 
investigations. The Complaint File and Log was exempted from the 
notification, access, correction and amendment provisions of the 
Privacy Act under subsection (k)(2) concerning records compiled for law 
enforcement purposes. 49 FR 14107 (April 10, 1984).
    OCR proposes to establish a new system of records: ``Program 
Information Management System (PIMS), HHS/OS/OCR (09-90-0052).'' PIMS 
will be used for OCR staff and will consist of an electronic repository 
of information and documents, and supplementary paper document files. 
PIMS effectively combines and replaces OCR's two existing systems of 
records, (CIMS and the Complaint File and Log), into a single 
integrated system with enhanced electronic storage, retrieval and 
tracking capacities. While the types of information collected and 
stored in PIMS will be the same as the information collected in CIMS 
and the Complaint File and Log, PIMS will allow OCR to manage more 
effectively the information that it does collect.
    The PIMS system will allow OCR to integrate all of OCR's various 
business processes, including all its compliance activities, to allow 
for real time access and results reporting and other varied information 
management needs. PIMS will provide: (1) A single, central, electronic, 
repository of all OCR documents and information including investigative 
files, correspondence, administrative records, policy and procedure 
manuals and other documents and information developed or maintained by 
OCR; (2) easy, robust capability to search all the information in OCR's 
repository; (3) better quality control at the front end with simplified 
data entry and stronger data validation; (4) tools to help staff work 
on and manage their casework, and (5) supplementary document files. The 
system will have the capacity to generate reports concerning the status 
of all current and closed complaints, reviews and correspondence, and 
will allow OCR to track outreach, training and other activities and to 
locate and retrieve information in order to manage more efficiently its 
work and report results. In addition, PIMS, consistent with its 
predecessor management information systems, will allow for the tracking 
of work assignments to employees to facilitate workload balancing, 
timely response to complaints and completion of reviews, and outreach 
and public education initiatives focused on organizations and 
individuals.
    OCR investigative files maintained in PIMS either as paper records 
or electronic documents are records compiled for law enforcement 
purposes. In the course of investigations, OCR often has a need to 
obtain confidential information involving individuals other than the 
complainant. In these cases, it is necessary for OCR to preserve the 
confidentiality of this information to avoid unwarranted invasions of 
personal privacy and to assure recipients of Federal financial 
assistance that such information provided to OCR will be kept 
confidential. This assurance is often central to resolving disputes 
concerning access by OCR to the recipients's records, and is necessary 
to facilitate prompt and effective completion of the investigations.
    Unrestricted disclosure of confidential information in OCR files 
can impede ongoing investigations, invade personal privacy of 
individuals, reveal the identities of confidential sources, of 
otherwise impair the ability of OCR to conduct investigations. For 
these reasons, the Department is exempting all investigative files from 
the notification, access, correction and amendment provisions under 
subsection (k)(2) of the Privacy Act.
    The PIMS system will conform to applicable law and policy governing 
the privacy and security of Federal automated information systems. 
These include, but are not limited to: The Privacy Act of 1984, 
Computer Security Act of 1987, the Paperwork Reduction Act of 1995, the 
Clinger-Cohen Act of 1996, and OMB Circular A-130, Appendix, III, 
``Security of Federal Automated Information Resources.'' OCR has 
prepared a system security plan as required by OMB Circular A-130, 
Appendix III. This plan conforms fully to guidance issued by the 
National Institute for Standards and Technology (NIST) in NIST Special 
Publication 800-18, ``Guide for Developing Security Plans for 
Information Technology Systems.'' The plan includes conduct of a risk 
assessment that addresses the confidentiality and integrity of the 
data.
    Only authorized users whose official duties require the use of such 
information will have regular access to the records in this system. 
Records may be disclosed to student volunteers, individuals working 
under a personal services contract, and other individuals performing 
functions for the Department, but technically not having the status of 
agency employees, if they need access to the records in order to 
perform their assigned agency functions.
    The routine uses proposed for this system are compatabile with the 
stated purpose of the system. The first routine use proposed for this 
system, permitting disclosure to a congressional office,

[[Page 57013]]

allows subject individuals to obtain assistance from their 
representatives in Congress, should they so desire. Such disclosure 
would be made only pursuant to the request of the individual. The 
second routine use allows disclosure to the Department of Justice or a 
court in the event of litigation. The third routine use allows referral 
to the appropriate agency, in the event that a System of Records 
maintained by this agency to carry out its functions indicates a 
violation or potential violation of law. The fourth routine use allows 
disclosure of records to contractors for the purpose of processing or 
refining records in the system.
    The following notice is written in the present, rather than future 
tense, in order to avoid the unnecessary expenditure of public funds to 
republish the notice after the system has become effective.

    Dated: August 30, 2002.
Richard M. Campanelli,
Director, Office for Civil Rights.
09-90-0052

System Name:
    Program Information Management System (PIMS), HHS/OS/OCR.

Security Classification:
    None.

System Location:
    The automated portion of the system is maintained at OCR 
Headquarters. Paper files are maintained in headquarters and regional 
offices as noted in Appendix I.

Categories of Individuals Covered by the System:
    Covered individuals include persons who file complaints alleging 
discrimination or violation of their rights under the statutes 
identified below (Authority for Maintenance) and covered entities 
(e.g., service providers) that are individuals and not organization or 
institutions, investigated by OCR as a result of complaints filed or 
through reviews conducted by OCR. Covered individuals also include 
persons who submit correspondence to OCR related to other compliance 
activities, (e.g., outreach and public education) and other 
correspondence unrelated to a complaint or review and requiring 
response by OCR. In addition, OCR employees who use the system to 
record the status of their work are covered.

Categories of Records in the System:
    The system encompasses a variety of records having to do with 
complaints, reviews, and correspondence. The complaint files and log 
include complaint allegations, information gathered during the 
complaint investigation, findings and results of the investigation, and 
correspondence relating to the investigation, as well as status 
information for all complaints. This component of PIMS is being 
exempted from the notification, access, correction and amendment 
provisions of the Privacy Act (see below: Systems Exempted From Certain 
Provisions of the Act). Equivalent types of information are maintained 
for reviews and correspondence activities--namely information gathered, 
findings, results, correspondence and status.

Authority for Maintenance of the System:
    Title VI of the 1964 Civil Rights Act; sections 533, 542, 794, 855, 
1947 and 1908 of the Public Health Service Act; sections 504 and 508 of 
the Rehabilitation Act of 1973: Title II of the Americans with 
Disabilities Act of 1990; the Age Discrimination Act of 1975; the Equal 
Employment Opportunity Provisions of the Public Telecommunications 
Financing Act of 1978; Title VI and Title XVI of the Public Health 
Service Act (the ``community services of obligation'' of facilities 
funded under the Act); Title IX of the 1972 Education Amendments; 
section 407 of the Drug Abuse Office and Treatment Act; section 321 of 
the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, 
and Rehabilitation Act of 1970; section 508 of the Social Security Act, 
the Family Violence Prevention and Services Act; Low-Income Home Energy 
Assistance Act of 1981; Section 1808 of the Small Business Job 
Protection Act of 1996; and the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA).

PURPOSE(S):
    PIMS will be used by OCR staff and will consist of an electronic 
repository of information and documents, and supplementary paper 
document files. PIMS effectively combines and replaces OCR's two 
existing systems of records, the ``Case Information Management System 
(CIMS), HHS/OS/OCR, 09-90-0050,'' and the ``Complaint File and Log, 
HHS/OS/OCR 09-00-0051,'' into a single integrated system with enhanced 
electronic storage, retrieval and tracking capacities. While the types 
of information collected and stored in PIMS will be the same as the 
information collected in CIMS and the Complaint File and Log, PIMS will 
allow OCR to manage more effectively the information that it does 
collect. The system is designed to allow OCR to integrate all of OCR's 
various business processes, including all its compliance activities, to 
allow for real time access and results reporting and other varied 
information management needs. PIMS will provide: (1) A single, central, 
electronic, repository of all significant OCR documents and 
information, including investigative files, correspondence, 
administrative records, policy and procedure manuals and other 
documents and information developed or maintained by OCR; (2) easy, 
robust capability to search all the information in OCR's repository; 
(3) better quality control at the front end with simplified data entry 
and stronger data validation; (4) tools to help staff work on and 
manage their casework, and (5) supplementary papaer document files. The 
system will have the capacity to generate reports concerning the status 
of all current and closed complaints, reviews and correspondence, and 
will allow OCR to track outreach, training and other activities and to 
locate and retrieve information in order to manage more efficiently its 
work and report results. In addition, PIMS, consistent with its 
predecessor management information systems, will allow for the tracking 
of work assignments to employees to facilitate workload balancing, 
timely response to complaints and completion of review, and outreach 
and public education initiatives focused on organizations and 
individuals.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OR USERS AND THE PURPOSES OF SUCH USES:
    The routine uses proposed for this system are compatible with the 
stated purpose of the system. The first routine use proposed for this 
system, permitting disclosure to a congressional office, allows subject 
individuals to obtain assistance from their representatives in 
Congress, should they so desire. Such disclosure would be made only 
pursuant to the request of the individual. The second routine use 
allows disclosure to the Department of Justice or a court in the event 
of litigation. The third routine use allows referral to the appropriate 
agency, in the event that a System of Records maintained by this agency 
to carry out its functions indicates a violation or potential violation 
of law. The fourth routine use allows disclosure of records to 
contractors for the purpose of processing or refining records in the 
system.

[[Page 57014]]

POLICIES AND PRACTICES FOR STRONG, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
Storage:
    Automated records are maintained on magnetic disc and tape back-up. 
Paper records are kept in file folders.

Retrievability:
    Records are indexed by transaction number, but may be retrieved by 
name, street address, and other complainant or covered entity 
characteristic (such as type of entity, city, state and type of service 
provided) by OCR staff engaged in compliance activities.

Safeguards:
    The PIMS system will conform to applicable law and policy governing 
the privacy and security of Federal automated information systems. 
These include but are not limited to: the Privacy Act of 1984, Computer 
Security Act of 1987, the Paperwork Reduction Act of 1995, the Clinger-
Cohen Act of 1996, and OMB Circular A-130, Appendix III, ``Security of 
Federal Automated Information Resources.'' OCR has prepared a system 
security plan as required by OMB Circular A-130, Appendix III. This 
plan conforms fully to guidance issued by the National Institute for 
Standards and Technology (NIST) in NIST Special Publication 800-18, 
``Guide for Developing Security Plans for Information Technology 
Systems.'' The plan includes conduct of a risk assessment that 
addresses the confidentiality and integrity of the data.
    Only authorized users have access to the information in the system. 
Categories of users include: OCR investigators, regional and 
headquarters managers, team leaders, OCR budget and Government 
Performance and Results Act planning staff, program and policy staff, 
and data analysts. Specific access to structured around need and is 
determined by the person's role in the organization. Access is managed 
through the use of electronic access control lists, which regulate the 
ability to read, change and delete information in the system. Each OCR 
user has read access to designated information in the system, with the 
ability to modify only their own submissions or those of others within 
their region or group. Data identified as confidential is so designated 
and only specified individuals are granted access. The system maintains 
an audit trail of all actions against the data base.
    All electronic data is stored on servers maintained in locked 
facilities with computerized access control allowing access to only 
those support personnel with a demonstrated need for access. A data 
base is kept of all individuals granted security cart access to the 
room, and all visitors are escorted while in the room. The server 
facility has appropriate environmental security controls, including 
measures to mitigate damage to automated information system resources 
caused by fire, electricity, water and inadequate climate controls.
    Access control to servers, individual computers and databases 
includes a required user log-on with a password, inactivity lockout to 
systems based on a specified period of time, legal notices and security 
warnings at log-on, and remote access security that allows user access 
for remote users (e.g., while on government travel) under the same 
terms and conditions as for users within the office. System 
administrators have appropriate security clearance.
    Printed materials are filed in secure cabinets in secure Federal 
buildings with access based on need as described above for the 
automated component of the PIMS system.

Retention and Disposal:
    Documents related to complaints and reviews are retained at OCR for 
two years from the date the complaint is closed and then are archived 
at the National Archives and Records Administration for 15 years. 
Correspondence is retained for one year following the end of the fiscal 
year in which processed.

System Manager(s) and Address:
    PIMS Project Manager, Resource Management Division, Office for 
Civil Rights, 200 Independence Ave. SW., Room 509F, Washington, DC 
20201.

Notification Procedure:
    Contact System Manager (above). Include name and address of 
complainant, and name of the recipient against which the allegation was 
filed. The Department is exempting all investigative records from this 
provision (see below: Records Exempted).

Record Access Procedure:
    Same as notification procedures. Requesters should also reasonably 
specify the record contents being sought. Request should be made to the 
system manager (above). The Department is exempting all investigative 
records from this provision (see below: Records Exempted).

Contesting Record Procedure:
    Contact the official(s) at the address specified under System 
Manager, and reasonably identify the record and specify the information 
to be contested and corrective action sought with supporting 
justification. (These procedures are in accordance with Department 
Regulations (45 CFR 5b.7) Federal Register, October 8, 1975, page 
47411.) The Department is exempting all investigative records from this 
provision (see below: Records Exempted).

Record Source Categories:
    Information is provided by complainants and covered entities.

Records Exempted from Certain Provisions of the Act:
    OCR investigative records maintained in PIMS, either as paper 
records or electronic documents are records complied for law 
enforcement purposes and will be exempt under subsection (k)(2) from 
the notification, access, correction and amendment provisions of the 
Privacy Act.

Appendix Number 1--System Locations:

    This system is located at HHS offices in the following cities.
Headquarters, PIMS Project Manager, Resource Management Division, 
Office for Civil Rights, 200 Independence Ave. SW., Room 509F, 
Washington, DC 20201.
Region I, Regional Manager, OCR/HHS, J.F. Kennedy Federal Building--
Room 1875, Boston, Massachusetts 02203.
Region II, Regional Manager, OCR/HHS, 26 Federal Plaza--Suite 3312, 
New York, NY 10278.
Region III, Regional Manager, OCR/HHS, 150 S. Independence Mall 
West, Suite 372, Public Ledger Building, Philadelphia, PA 19106.
Region IV, Regional Manager, OCR/HHS, Atlanta Federal Center, Suite 
3B70, 67 Forsyth Street, SW., Atlanta, GA 30303.
Region V, Regional Manager, OCR/HHS, 233 N. Michigan Ave, Suite 240, 
Chicago, IL 60601.
Region VI, Regional Manager, OCR/HHS, 1301 Young Street, Suite 1169, 
Dallas, TX 75202.
Region VII, Regional Manager, OCR/HHS, 601 E. 12th Street--Room 248, 
Kansas City, MO 64106.
Region VIII, Regional Manager, OCR/HHS, Federal Office Building, 
1961 Stout Street--Room 1185, Denver, CO 80294.
Region IX, Regional Manager, OCR/HHS, 50 United Nations Plaza--Room 
322, San Francisco, CA 94102.
Region X, Regional Manager, OCR/HHS, 2201 Sixth Avenue--Suite 900, 
Seattle, WA 98121.

[FR Doc. 02-22602 Filed 9-5-02; 8:45 am]
BILLING CODE 4153-01-M