[Federal Register Volume 68, Number 163 (Friday, August 22, 2003)]
[Notices]
[Pages 50795-50804]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 03-21444]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare and Medicaid Services


Privacy Act of 1974; Report of New System

AGENCY: Centers for Medicare and Medicaid Services (CMS), Department of 
Health and Human Services (HHS).

ACTION: Notice of new system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, we are proposing to establish a new system of records. The 
proposed system is titled, ``ASPEN Complaints/Incidents Tracking System 
(ACTS), HHS/CMS/CMSO, 09-70-1519.'' The primary purpose of the system 
of records is to track and process complaints and incidents reported 
against Medicare/Medicaid/CLIA providers and suppliers, and to maintain 
information on laboratory directors and owners. ACTS is a windows-
based, program designed to track and process complaints and incidents 
reported against health care facilities regulated by the Centers for 
Medicare and Medicaid Services (CMS). It is designed to manage all 
operations associated with complaint/incident tracking and processing, 
from initial intake and investigation through the final disposition. 
ACTS allows CMS to track complaints/incidents, allegations, 
investigations, disposition and certain information for CLIA 
laboratories.
    Information retrieved from this system of records will also be used 
to aid in the administration of the survey and certification of 
Medicare/Medicaid/CLIA providers and suppliers; support agencies of the 
State governments to determine, evaluate and assess overall 
effectiveness and quality of provider/supplier services provided in the 
State; aid in the administration of Federal and

[[Page 50796]]

State programs within the State; support constituent requests made to a 
Congressional representative, support litigation involving the agency, 
and facilitate research on the quality and effectiveness of care 
provided. We have provided background information about the proposed 
system in the SUPPLEMENTARY INFORMATION section below. Although the 
Privacy Act requires only that the ``routine use'' portion of the 
system be published for comment, CMS invites comments on all portions 
of this notice. See EFFECTIVE DATES section for comment period.

EFFECTIVE DATES: CMS filed a new system report with the Chair of the 
House Committee on Government Reform and Oversight, the Chair of the 
Senate Committee on Governmental Affairs, and the Administrator, Office 
of Information and Regulatory Affairs, Office of Management and Budget 
(OMB) on August 8, 2003.

ADDRESSES: The public should address comments to: Director, Division of 
Privacy Compliance Data Development (DPCDD), CMS, Room N2-04-27, 7500 
Security Boulevard, Baltimore, Maryland 21244-1850. Comments received 
will be available for review at this location, by appointment, during 
regular business hours, Monday through Friday from 9 a.m.-3 p.m., 
eastern time zone.

FOR FURTHER INFORMATION CONTACT: Wayne Smith, Finance, Systems and 
Budget Group, Center for Medicaid and State Operations, Centers for 
Medicare and Medicaid Services, 7500 Security Boulevard, Room S3-18-11, 
Baltimore, Maryland 21244-1850, Telephone Number: (410) 786-3258.
    Steven Pelovitz, Survey and Certification Group, Center for 
Medicaid and State Operations, Centers for Medicare and Medicaid 
Services, 7500 Security Boulevard, Room S2-12-25, Baltimore, Maryland 
21244-1850, Telephone Number: (410) 786-3160.

SUPPLEMENTARY INFORMATION:

I. Description of the Proposed System of Records

A. Glossary of Terms

    ACTS--ASPEN Complaints/Incidents Tracking System.
    ASPEN--Automated Survey Processing Environment.
    CLIA--Clinical Laboratory Improvement Amendments of 1988.
    OSCAR--Online Survey Certification and Reporting System.

B. Background

    The implementation of ACTS is critical to CMS's mission of assuring 
that beneficiaries receive quality care in a safe environment. Several 
reports in recent years have highlighted this need. In March 1999, the 
General Accounting Office (GAO) issued a report entitled, ``Complaint 
Investigation Processes Often Inadequate to Protect Residents.'' GAO 
assessed the effectiveness of State complaint investigation practices 
and the role of CMS in establishing standards and conducting oversight. 
The GAO recommended stronger requirements, increased federal monitoring 
and improved tracking of findings for complaints. In addition, in 1999, 
the Office of the Inspector General (OIG) issued a report entitled 
``The External Review of Hospital Quality.'' OIG recommended that CMS 
hold accreditation agencies and State agencies more fully accountable 
for their performance in reviewing hospitals. One of the areas that OIG 
made specific recommendations about was the handling of complaints. 
ACTS is part of CMS'' response to these recommendations.
    The ACTS responds to the concerns and problems found by the GAO, 
OIG and CMS'' own needs. The ability to capture data that are useful, 
analyze data in a meaningful way, and use the products of the analysis 
to make refinements and improvements is critical to continuous quality 
improvement. Before ACTS, complaint data was maintained in the OSCAR 
Complaint System. The OSCAR Complaint System collected a minimal amount 
of data that was the result of an onsite survey. The data in ACTS is 
much more comprehensive than data that was maintained in the OSCAR 
Complaint System. ACTS automates complaint management operations. ACTS 
is a windows-based, client-server application that tracks, processes, 
and reports on complaints/incidents made against certified health care 
providers and suppliers. It is designed to manage all operations 
associated with complaints/incidents processing, from initial intake 
and investigation through final disposition. It is fully integrated 
into the ASPEN standard system architecture. Specific fields are 
configurable by individual states to accommodate a variety of 
operations environments.
    ACTS is a national tracking system used by all States. It permits 
the collection procedures for complaints to be timely, consistent and 
complete. ACTS will eliminate redundant data collection systems, and it 
takes advantage of new technology and open systems architecture. ACTS 
will be used for all certified providers and suppliers. These providers 
and suppliers include: Skilled nursing facilities, nursing facilities, 
hospitals, home health agencies, end-stage renal disease facilities, 
hospices, rural health clinics, comprehensive outpatient rehabilitation 
facilities, outpatient physical therapy services, community mental 
health centers, federally qualified health centers, ambulatory surgical 
centers, portable X-Ray facilities, intermediate care facilities for 
persons with mental retardation, and CLIA laboratories. Data in ACTS is 
collected and entered by the State Survey Agencies and CMS Regional 
Offices.

C. Statutory and Regulatory Basis for System of Records

    Section 1864 of the Social Security Act (the Act) states the 
Secretary may use State agencies to determine compliance by providers 
of services with the conditions of participation. Under section 1864(a) 
the Act, the Secretary uses the help of State health agencies, or other 
appropriate agencies, when determining whether health care entities 
meet Federal Medicare standards. Also, section 1902(a)(9)(A) of the Act 
requires that a State use this same agency to set and maintain 
additional standards for the State Medicaid program. Section 
1902(a)(33)(B) requires that the State use the agency utilized for 
Medicare or, if such agency is not the State agency responsible for 
licensing health institutions, the State use the agency responsible for 
such licensing to determine whether institutions meet all applicable 
Federal health standards for Medicaid participation, subject to 
validation by the Secretary. The State survey agencies perform both 
Federal certification and State licensure functions, including the 
investigation of complaints and entity-reported incidents. Sections 
1819(d) and 1919(d) of the Act require licensure under applicable State 
and local laws.
    Sections 1864 (c) and 1865 of the Act provides the basis for 
conducting complaint surveys of accredited hospitals and establishes 
the basic framework of complaint surveys for virtually all other 
accredited providers and suppliers. Regulations authorizing such 
surveys are found in 42 CFR 488.7(a)(2). 42 CFR 488.332 authorizes 
investigation of complaints of violations and monitoring of compliance. 
42 CFR 488.335 authorizes actions on complaints of resident neglect and 
abuse, and misappropriation of resident property for nursing homes. 42 
CFR 482.13(f) requires a hospital to report any death that occurs while 
a patient is restrained or in seclusion for behavior management, or 
where it is reasonable to assume that a patient's death is a

[[Page 50797]]

result of restraint or seclusion. 42 CFR 483.13 also requires nursing 
homes to ensure that all alleged violations involving mistreatment, 
neglect, abuse, including injuries of unknown source, and 
misappropriation of resident property are reported immediately to the 
administrator of the facility and to other officials in accordance with 
State law through established procedures, including to the State survey 
and certification agency. Section 353 of the Public Health Service Act 
(42 U.S.C. 263a) authorizes collection of information from any person 
or entity seeking certification under CLIA.
    The Privacy Act of 1974 requires Federal agencies to implement and 
publish procedures for the collection, maintenance, and storage of 
personal information. It requires that the information be gathered only 
for lawful purposes and that the disclosure of personally identifiable 
records must be limited and safeguarded. The Privacy Act allows 
disclosure of an individual's data without consent, given that the data 
will be used for a purpose that is compatible with the purpose for 
which the information was collected.

II. Collection and Maintenance of Data in the System

A. Scope of the Data Collected

    ACTS tracks allegations of complaints made against providers and 
suppliers. ACTS includes demographic data for identification of 
providers/suppliers, such as the Medicare identification number, name 
of the facility, address, city, state and ZIP code. ACTS contains data 
for identification of complainants, residents/patients, contacts/
witnesses, alleged perpetrators, survey team members, laboratory 
directors, and laboratory owners. Complainant information includes: 
Name, title, address, city, state, ZIP code, telephone numbers, e-mail 
address, and relationship to beneficiary, if applicable. Contacts/
Witnesses information includes: Name, title, address, city, state, ZIP 
code, telephone numbers, fax, and a field to indicate if the individual 
is a possible witness. Resident/patient information includes: Name, 
title, date of birth, gender, date admitted, date discharged, location, 
and room. ACTS also contains information related to any resident/
patient deaths that are associated with the use of restraints or 
seclusion. This information includes: Name, death type (restraint or 
seclusion) and date of death. Alleged Perpetrator information includes: 
Name, title, address, city, state, ZIP code, telephone numbers, license 
number, social security number and Alias name, if any. Survey Team 
information includes: Name, title, and surveyor identification number. 
Contact/Witnesses, Resident/Patient and Alleged Perpetrator are not 
mandatory fields in the ACTS database. These are optional data fields. 
ACTS will also maintain information for CLIA laboratories. Identifiable 
information for CLIA laboratories includes: Laboratory director's name, 
laboratory owner's name and Federal Tax Identification Number.
    ACTS will maintain Federal complaint information, as well as state 
licensure complaint information. State licensure information is both 
relevant and necessary to meet CMS' purposes. Under section 1864(a) of 
the Social Security Act (the Act), the Secretary uses the help of State 
health agencies, or other appropriate agencies, when determining 
whether health care entities meet Federal Medicare standards. Also, 
section 1902(a)(9)(A) of the Act requires that a State use this same 
agency to set and maintain additional standards for the State Medicaid 
program. Section 1902(a)(33)(B) requires that the State use the agency 
utilized for Medicare or, if such agency is not the State agency 
responsible for licensing health institutions, the State use the agency 
responsible for such licensing to determine whether institutions meet 
all applicable Federal health standards for Medicaid participation, 
subject to validation by the Secretary. The State survey agencies 
perform both Federal certification and State licensure functions, 
including the investigation of complaints and entity-reported 
incidents. In fact, sections 1819(d) and 1919(d) of the Act require 
licensure under applicable State and local laws. In order to encourage 
efficiency in State operations, ACTS permits collection of Federal and 
State information, so that the States may maintain only one database, 
instead of multiple systems. CMS does seek to eliminate duplicative 
processes and unnecessary burden, to the extent possible, so that the 
States can achieve more effective management of their certification and 
licensure responsibilities.
    There are mechanisms in ACTS that allow users to distinguish 
between information that is collected for the purpose of meeting the 
1864 Agreement from information that is collected for State licensure 
purposes. ACTS supports the entry of both Federal and State licensure 
information, thus reflecting the actual business practices of State 
agencies as they track complaints and incidents. In many areas, ACTS 
allows entry of both types of information while still maintaining 
discrete records to support separate and different views, reports and 
statistics. Federal and State licensure data are stored in the same 
tables in the database. However, Federal and State licensure data is 
easily discernable and separate. For reporting purposes, ACTS allows 
users to exclude complaint and incidents against state licensure only 
facilities using Facility Type filters. Report customization features 
in ACTS also allow users to include or exclude complaints or incidents 
that contain only State-licensure elements.

B. Agency Policies, Procedures, and Restrictions on the Routine Use

    The Privacy Act permits us to disclose information without an 
individual's consent if the information is to be used for a purpose, 
which is compatible with the purpose(s) for which the information was 
collected. Any such disclosure of data is known as a ``routine use.'' 
CMS has the following policies, procedures and restrictions on routine 
use disclosures of information that will be maintained in the system. 
In general, disclosure of information from the system of records will 
be approved only for the minimum information necessary to accomplish 
the purpose of the disclosure after CMS:
    (a) Determines that the use or disclosure is consistent with the 
reason that the data is being collected, e.g., track and process 
complaints and incidents reported against Medicare/Medicaid/CLIA 
providers and suppliers, and to maintain information on laboratory 
directors and owners.
    (b) Determines:
    (1) That the purpose for which the disclosure is to be made can 
only be accomplished if the record is provided in individually 
identifiable form;
    (2) That the purpose for which the disclosure is to be made is of 
sufficient importance to warrant the effect and/or risk on the privacy 
of the individual that additional exposure of the record might bring; 
and
    (3) That there is a strong probability that the proposed use of the 
data would in fact accomplish the stated purpose(s).
    (c) Requires the information recipient to:
    (1) Establish administrative, technical, and physical safeguards to 
prevent unauthorized use of disclosure of the record;
    (2) Remove or destroy at the earliest time all patient-identifiable 
information; and
    (3) Agree not to use or disclose the information for any purpose 
other than the stated purpose under which the information was 
disclosed.
    (d) Determines that the data are valid and reliable.

[[Page 50798]]

    (e) Secure a written statement or agreement from the prospective 
recipient if the information whereby the prospective recipient attests 
to an understanding of, and willingness to abide by, the foregoing 
provisions and any additional provisions that CMS deems appropriate in 
the particular circumstance.

III. Proposed Routine Use Disclosures of Data in the System

A. Entities Who May Receive Disclosure Under Routine Use

    The routine use disclosures of identifiable data for ACTS may occur 
to the following categories of entities. In addition, our policy will 
be to prohibit release even of non-identifiable data beyond the listed 
categories, if there is a possibility that an individual can be 
identified through implicit deduction based on small cell sizes.
    1. To the Department of Justice (DOJ), court or adjudicatory body 
when
    (a) The agency or any component thereof; or
    (b) Any employee of the agency in his or her official capacity; or
    (c) Any employee of the agency in his or her individual capacity 
whether the DOJ has agreed to represent the employee; or
    (d) The United States Government

is a party to litigation or has an interest in such litigation, and by 
careful review, CMS determines that the records are both relevant and 
necessary to the litigation and the use of such records by the DOJ, 
court or adjudicatory body is therefore deemed by the agency to be for 
a purpose that is compatible with the purpose for which the agency 
collected the records.
    Whenever CMS is involved in litigation, and occasionally when 
another party is involved in litigation and CMS' policies or operations 
could be affected by the outcome of the litigation, CMS would be able 
to disclose information to the DOJ, court or adjudicatory body 
involved. A determination would be made in each instance that, under 
the circumstances involved, the purposes served by the use of the 
information in the particular litigation is compatible with a purpose 
for which CMS collects the information.
    2. To agency contractors, or consultants who have been engaged by 
the agency to assist in the performance of a service related to this 
system of records and who need to have access to the records in order 
to perform the activity. Recipients shall be required to comply with 
the requirements of the Privacy Act of 1974, as amended, pursuant to 5 
U.S.C. 52a(m).
    We contemplate disclosing information under this routine use only 
in situations in which CMS may enter into a contract or similar 
agreement with a third party to assist in accomplishing CMS functions 
relating to purposes for this system of records. CMS occasionally 
contracts out certain of its functions when doing so would contribute 
to effective and efficient operations. CMS must be able to give a 
contractor whatever information is necessary for the contractor to 
fulfill its duties. In these situations, safeguards are provided in the 
contract prohibiting the contractor from using or disclosing the 
information for any purpose other than that described in the contract 
and requires the contractor to return or destroy all information at the 
completion of the contract.
    3. To a CMS contractor (including, but not limited to fiscal 
intermediaries and carriers) that assists in the administration of a 
CMS administered health benefits program, or to a grantee of a CMS 
administered grant program, when disclosure is deemed reasonably 
necessary by CMS to prevent, deter, discover, detect, investigate, 
examine, prosecute, sue with respect to, defend against, correct, 
remedy, or otherwise combat fraud or abuse in such program.
    We contemplate disclosing information under this routine use only 
in situations in which CMS may enter into a contract or similar 
agreement with a third party to assist in accomplishing CMS functions 
relating to purposes for this system of records.
    4. To a Quality Improvement Organization (QIO) in order to assist 
the QIO to perform Title XI and Title XVIII functions relating to 
assessing and improving quality of care. QIO's work to implement 
quality improvement programs; provide consultation to CMS, its 
contractors, and to State agencies. The QIO's provide a supportive role 
to health care facilities in their endeavors to comply with Medicare 
Conditions of Participation; assist State agencies in related 
monitoring and enforcement efforts; assist CMS in program integrity 
assessment; and prepare summary information about the nation's health 
care for release to beneficiaries.
    5. To the agency of a State Government, or established by State 
law, for purposes of determining, evaluating and/or assessing overall 
or aggregate cost, effectiveness, and/or the quality of services 
provided in the State; for developing and operating Medicaid 
reimbursement systems; or for the purpose of administration of Federal/
State program within the State. Data will be released to the State only 
on those individuals who are either patients within the State, or are 
legal residents of the State, regardless of the location of the 
facility in which the patient is receiving services.
    6. To a Federal or State agency (e.g., State Medicaid agencies) to 
contribute to the accuracy of CMS's health insurance operations 
(payment, treatment and coverage) and/or to support State agencies in 
the evaluation and monitoring of care. Data may be released to State 
agencies such as State Ombudsmen, State Licensing Boards, and Adult 
Protective Services.
    Other Federal or State agencies in their administration of a 
Federal health program may require ACTS information in order to support 
evaluations and monitoring of Medicare claims information of 
beneficiaries. Releases of information would be allowed if the proposed 
use(s) for the information proved compatible with the purpose for which 
CMS collects the information.
    7. To another Federal agency (e.g., Office of the Inspector 
General, General Accounting Office) or to an instrumentality of any 
governmental jurisdiction within or under the control of the United 
States (including any State or local governmental agency), that 
administers, or that has the authority to investigate potential fraud 
or abuse in, a health benefits program funded in whole or in part by 
Federal funds, when disclosure is deemed reasonably necessary by CMS to 
prevent, deter, discover, detect, investigate, examine, prosecute, sue 
with respect to, defend against, correct, remedy, or otherwise combat 
fraud or abuse in such programs.
    Other agencies (e.g., Medicaid Fraud Control Units) may require 
ACTS information for combating fraud and abuse in such federally funded 
programs. Releases of information would be allowed if the proposed 
use(s) for the information proved compatible with the purposes of 
collecting the information.
    8. To an individual or organization for research, evaluation, or 
epidemiological project related to the prevention of disease or 
disability, or the restoration or maintenance of health, and for 
payment related projects.
    CMS anticipates that many researchers will have legitimate requests 
to use these data in projects that could ultimately improve the care 
provided to Medicare and Medicaid patients and the policy that governs 
the care. CMS understands the concerns about the privacy and 
confidentiality of the release of data for a research use. Disclosure 
of ACTS data for research and evaluation purposes will usually involve 
aggregate data rather than individual-specific data.

[[Page 50799]]

    9. To a member of Congress or to a congressional staff member in 
response to an inquiry of the Congressional Office made at the written 
request of the constituent about whom the record is maintained.
    Beneficiaries, as well as other individuals, may request the help 
of a member of Congress in resolving an issue relating to a matter 
before CMS. The member of Congress then writes CMS, and CMS must be 
able to give sufficient information to be responsive to the inquiry.
    10. To a national accreditation organization that has been granted 
deeming authority by CMS for the purpose of improving the quality of 
care provided through the provision of health care accreditation and 
related services that support performance improvement and monitors the 
quality of deemed providers/suppliers through the investigation of 
complaints (e.g., JCAHO, AOA, AAAASF, AAAHC, AABB, ASHI, CAP, CARF, 
CHAP, COLA).
    11. To a Protection and Advocacy Group that provides legal 
representation and other advocacy services for the purposes of 
monitoring, investigating and attempting to remedy adverse conditions, 
and for responding to allegations of abuse, neglect and violations of 
the rights of persons with disabilities.
    12. To another agency or to an instrumentality of any governmental 
jurisdiction within or under the control of the United States 
(including any State or local law enforcement agencies) for a civil or 
criminal law enforcement activity (e.g., police, FBI, State Attorney 
General's office).

B. Additional Provisions Affecting Routine Use Disclosures

    In addition, CMS policy will be to prohibit release even of non-
identifiable data, except pursuant to one of the routine uses, if there 
is a possibility that an individual can be identified through implicit 
deduction based on small cell sizes (instances where the patient 
population is so small that individuals who are familiar with the 
enrollees could, because of the small size, use this information to 
deduce the identity of the beneficiary).
    This System of Records contains Protected Health Information as 
defined by the Department of Health and Human Services' regulation 
``Standards for Privacy of Individually Identifiable Health 
Information'' (45 CFR parts 160 and 164, 65 FR 82462 (12-28-00), 
subparts A and E. Disclosures of Protected Health Information 
authorized by these routine uses may only be made if, and as, permitted 
or required by the ``Standards for Privacy of Individually Identifiable 
Health Information.''

IV. Safeguards

    The ACTS system conforms to applicable laws and policy governing 
the privacy and security of Federal automated information systems. 
These include but are not limited to: the Privacy Act of 1974, Computer 
Security Act of 1987, the Paperwork Reduction Act of 1995, the Clinger-
Cohen Act of 1996, and OMB Circular A-130, Appendix III, ``Security of 
Federal Automated Information Resources''. CMS has prepared a 
comprehensive System Security Plan as required by OMB Circular A-130, 
Appendix III. This plan conforms to guidance issued by the National 
Institute for Standards and Technology (NIST) in NIST Special 
Publication 800-18, ``Guide for Developing Security Plans for 
Information Technology Systems.'' Paragraphs A-C of this section 
highlight some of the specific methods that CMS is using to ensure the 
security of this system and the information within it.

A. Authorized Users and Access Control

    Personnel having access to the system have been trained in Privacy 
Act and system security requirements. Employees and contractors who 
maintain records in the system are instructed not to release any data 
until the intended recipient agrees to implement appropriate 
administrative, technical, procedural, and physical safeguards 
sufficient to protect the confidentiality of the data and to prevent 
unauthorized access to the data. In addition, CMS monitors authorized 
users to ensure against excessive or unauthorized use. Records are used 
in a designated work area and system location is attended at all times 
during working hours.
    To ensure security of the data, authentication and access control 
profiles are maintained within both the database and the ACTS 
application system used to view information in the database. Within the 
database access, control is implemented by assigning the proper access 
profile for each individual user as determined at the State agency 
level. This prevents unauthorized users from accessing and modifying 
critical data using other system tools not provided by CMS.
    Database-level Protections: The State database upon which ACTS 
operates includes five classes of database users:
    [sbull] Database Administrator class owns the database objects; 
e.g., tables, triggers, indexes, stored procedures, packages and has 
database administration privileges to these objects;
    [sbull] Quality Control Administrator class has read and write 
access to key fields in the database;
    [sbull] ASPEN User class provides read and write access to tables 
and fields, which are required to support complaint, survey and related 
activities.
    [sbull] Quality Indicator Report Generator class has read-only 
access to all fields and tables;
    [sbull] Policy Research class has query access to tables, but are 
not allowed to access confidential patient identification information.
    ACTS Application-Level Protections: All ASPEN applications, 
including ACTS, provide user login/password authentication, which is 
tied directly to each State's internal network user login process. 
Internal application access controls, which secure system functions to 
pre-approved user groups, are also a key safeguard controlling user 
access to functions and data. ACTS application and related database 
safeguards include:
    [sbull] Application login: All ASPEN users must be authenticated to 
their State or CMS regional office network as a pre-requisite for 
starting an ASPEN application. This is enforced internally by the ASPEN 
application. Thus, only known, pre-authenticated users may start an 
ASPEN application.
    [sbull] Application access control: Once authenticated, ASPEN users 
may only view information and perform tasks according to pre-assigned 
security and access control profiles determined by the system 
administrator. Security profiles may be assigned down to the level of 
individual menu functions, action buttons and form displays. This means 
ASPEN allows State and CMS RO administrators to finely tune which users 
may view certain information and perform specific tasks within the 
system (such as adding or modifying complaint information). Thus, while 
a complaint investigator may be able to update findings for a specific 
complaint, they may be prohibited through their security profile from 
removing complaints from the system.
    [sbull] Provider Type Access Control: In addition to the data and 
access control security just described, ASPEN allows administrators to 
specify user access to information based on provider category. For 
example, while an investigator may have a security profile that enables 
the investigator to add findings to a complaint, the system 
administrator may limit this user to specific categories of providers/
suppliers, such as nursing homes--thus, preventing the user from 
changing findings of complaints for other types of providers/suppliers. 
An

[[Page 50800]]

ASPEN user must have both a security profile that allows a specific 
function to be performed, and be assigned to appropriate Provider Type 
access before a specific system action may be taken against a provider/
supplier type.
    [sbull] Secondary Database Access Control: Since ASPEN provides an 
Application-centric security model, it is not necessary to assign each 
ASPEN user an individual Oracle user name, password and Oracle profile. 
Instead, all ASPEN users share a single Oracle login whose password is 
known only by CMS. This protects against a significant threat to data 
integrity: access to the Oracle database using non-ASPEN system tools; 
thus, preventing accidental or malicious bypassing of the ASPEN 
security controls through third-party system tools which may be capable 
of connecting to Oracle databases. ACTS users may only access ASPEN 
data via the security-controlled environment of the ACTS application.
    [sbull] Audit trail: ACTS maintains an audit trail for key 
information elements in the database. Any changes made to these 
elements via the ACTS system are logged. The log includes information 
on which element was changed, who changed it, the time of change and 
prior and current values for the element.

B. Physical Safeguards

    All server sites have implemented the following minimum 
requirements to assist in reducing the exposure of computer equipment 
and thus achieve an optimum level of protection and security for the 
ACTS system:
    Access to all servers is controlled, with access limited to only 
those support personnel with a demonstrated need for access. Servers 
are to be kept in a locked room accessible only by specified management 
and system support personnel. Each server requires a specific log-on 
process. All entrance doors are identified and marked. A log is kept of 
all personnel who were issued a security card, key and/or combination 
that grants access to the room housing the server, and all visitors are 
escorted while in this room. All servers are housed in an area where 
appropriate environmental security controls are implemented, which 
include measures implemented to mitigate damage to Automated 
Information Systems resources caused by fire, electricity, water and 
inadequate climate controls.
    Protection applied to the system administration workstations and 
the Windows 2000 servers, which house the ACTS Oracle database, 
include:
    [sbull] User Log-ons--Authentication is performed by the Windows 
2000 Primary Domain Controller/Backup Domain Controller of the log-on 
domain.
    [sbull] Workstation Names--Workstation naming conventions may be 
defined and implemented at the State agency level.
    [sbull] Hours of Operation--May be restricted by Windows 2000. When 
activated all applicable processes will automatically shut down at a 
specific time and not be permitted to resume until the predetermined 
time. The appropriate hours of operation are determined and implemented 
at the State agency level.
    [sbull] Inactivity Log-out--Access to the 2000 workstation is 
automatically logged out after a specified period of inactivity.
    [sbull] Warnings--Legal notices and security warnings display on 
all servers and workstations.
    There are several levels of security found in the overall ASPEN 
system. Windows 2000 servers provide much of the overall system 
security. The Windows 2000 security model is designed to meet the C2-
level criteria as defined by the U.S. Department of Defense's Trusted 
Computer System Evaluation Criteria document (DoD 5200.28-STD, December 
1985). Other non-ACTS CMS functions are supported on the same Windows 
2000/Oracle servers as ACTS--such as MDS submission from facilities. 
Such operations are performed via separate Netscape Enterprise Server, 
which provides an additional layer of user authentication, security and 
access control. In this case, Netscape controls all CMS information 
access requests. Anti-virus system is applied at both the system 
administration workstation and Windows 2000 server levels.
    Access to different areas on the Windows NT server is maintained 
through the use of file, directory and share level permissions. These 
different levels of access control provide security that is managed at 
the user and group level within the Windows 2000 server domain. The 
file and directory level access controls rely on the presence of a 
Windows NT File System (NTFS) hard drive partition. This provides the 
most robust security and is tied directly to the file system. Windows 
2000 security is applied at both the workstation and Windows 2000 
server levels.
    Firewalls have been installed on each State server. Appendix A 
lists the location of each State server. A firewall is a security 
feature that does not allow unwanted or unsolicited network traffic to 
flow to certain parts of the system. A Cisco 3640 router is installed 
at each state. These routers have been programmed to allow the state IP 
addresses to access certain locations within the CMS network. CMS 
contractors set up and manage the routers. Using CMS specifications, 
they have installed the allowed IP's to the router tables. If an 
unauthorized IP tries to access the CMS data, the firewall (router) 
will pass the request away from its intended destination. That is, if 
the firewall does not match the IP of the request to an allowed IP in 
its table, the request will not be fulfilled. CMS contractors monitor 
the firewalls and review them for anomalies that could represent a 
hacking attempt or a hardware problem.

C. Procedural Safeguards

    All automated systems must comply with Federal and State laws, 
guidance, and policies for information systems security, as stated 
previously in this section. Each State must ensure a level of security 
commensurate with the level of sensitivity of the data, risk, and 
magnitude of the harm that may result from the loss, misuse, 
disclosure, or modification of the information contained in the system.

V. Effects of the Proposed System of Records on Individual Rights

    CMS proposes to establish this system in accordance with the 
principles and requirements of the Privacy Act and will collect, use, 
and disseminate information only as prescribed therein. Data in this 
system will be subject to the authorized releases in accordance with 
the routine uses identified in this system of records. CMS and the 
State Survey Agencies will monitor the collection and reporting of ACTS 
data.
    CMS and the State Survey Agencies will take precautionary measures 
to minimize the risks of unauthorized access to the records and the 
potential harm to individual privacy or other personal or property 
rights of individuals whose data are maintained in the system. CMS will 
collect only that information necessary to perform the system's 
functions.
    To ensure data that resides in a CMS Privacy Act System of Records; 
to ensure the integrity, security, and confidentiality of information 
maintained by CMS; and to permit appropriate disclosure and use of such 
data as permitted by law, CMS and the non-CMS recipient of the data, 
hereafter termed ``User,'' enter into an agreement to comply with the 
following specific requirements. The agreement addresses the conditions 
under which CMS will disclose and the user will obtain and use the 
information contained in the system of records. The parties mutually 
agree that CMS retains ownership rights to the data and that the user 
does not

[[Page 50801]]

obtain any right, title, or interest in any of the data furnished by 
CMS. The user represents and warrants further that the facts and 
statements made in any study or research protocol or project plan 
submitted to CMS for each purpose are complete and accurate. The user 
shall not disclose, release, reveal, show, sell, rent, lease, loan, or 
otherwise grant access to the data disclosed from the system of records 
to any person. The user agrees that access to the data shall be limited 
to the minimum number of individuals necessary to achieve the purpose 
stated in the protocol and to those individuals on a need to know basis 
only. If CMS determines or has reasonable belief that the user has made 
an unauthorized disclosure of the data, CMS in its sole discretion may 
require the user to: (a) Promptly investigate and report to CMS any 
alleged or actual unauthorized disclosures; (b) promptly resolve any 
problems identified by the investigation; (c) submit a formal response 
to any allegation of unauthorized disclosures; (d) submit a corrective 
action plan with steps to prevent any future unauthorized disclosures; 
and (e) return data files to CMS. If CMS determines or has reasonable 
belief that unauthorized disclosures have taken place, CMS may refuse 
to release further CMS data to the user for a period to be determined 
by CMS.
    The Privacy Act provides criminal penalties for certain violations. 
The Act provides that ``Any officer or employee of an agency, who by 
virtue of his (or her) employment or official position, has possession 
of, or access to agency records which contain individually identifiable 
information the disclosure of which is prohibited by this section or by 
rules or regulations established there under, and who knowing that 
disclosure of the specific materials is so prohibited, willfully 
discloses the material in any manner to a person or agency not entitled 
to receive it, shall be guilty of a misdemeanor and fined not more than 
$5,000'' (5 U.S.C. 552a(i)(1)). The Act also provides that ``Any person 
who knowingly and willfully requests or obtains any record concerning 
an individual from an agency under false pretenses shall be guilty of a 
misdemeanor and fined not more than $5,000'' (5 U.S.C. 552a(i)(3)). The 
agency's contractor and any contractors' employees who are covered by 5 
U.S.C. 552a(m)(1) are considered employees of the agency for the 
purposes of these criminal penalties.
    CMS, therefore, does not anticipate an unfavorable effect on 
individual privacy as a result of the disclosure of information 
relating to individuals.

    Dated: August 8, 2003.
Thomas A. Scully,
Administrator, Centers for Medicare & Medicaid Services.
System No. 09-70-1519

SYSTEM NAME:
    ASPEN Complaints/Incidents Tracking System (ACTS).

SECURITY CLASSIFICATION:
    Level Three Privacy Act Sensitive Data.

SYSTEM LOCATION:
    CMS Data Center, 7500 Security Boulevard, North Building, First 
Floor, Baltimore, Maryland 21244-1850. Federal Servers are located at 
each State agency. Appendix A lists the location of each State server.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Identifiable information will be retained in the system of records 
for individuals who are complainants, residents/clients, contacts/
witnesses, alleged perpetrators, survey team members, laboratory 
directors, and laboratory owners.

CATEGORIES OF RECORDS IN THE SYSTEM:
    ACTS contains information related to allegations of complaints and 
incidents filed against Medicare, Medicaid or CLIA certified providers 
or suppliers. The system contains demographic and identifying data, as 
well as survey and deficiency data. Identifying data includes: Names, 
title, address, city, state, ZIP code, e-mail address, telephone 
numbers, fax number, licensure number, social security number, Federal 
tax identification number, alias names, date of birth, gender, date 
admitted and/or date discharged.
    ACTS maintains Federal complaint information, as well as state 
licensure complaint information. State licensure information is both 
relevant and necessary to meet CMS'' purposes. CMS uses the help of 
State health agencies, or other appropriate agencies, when determining 
whether health care entities meet Federal Medicare standards. The State 
survey agencies perform both Federal certification and State licensure 
functions, including the investigation of complaints and entity-
reported incidents. The Social Security Act requires that providers/
suppliers receive licensure under applicable State and local laws. In 
order to encourage efficiency in State operations, ACTS permits 
collection of Federal and State information. ACTS allows users to 
distinguish between Federal information and information that is 
collected for State licensure purposes. ACTS supports the entry of both 
Federal and state licensure information, thus reflecting the actual 
business practices of state agencies as they track complaints and 
incidents. In many areas, ACTS allows entry of both types of 
information while still maintaining discrete records to support 
separate and different views, reports and statistics.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Sections 11819(d), 1864, 1865, 1902(a)(9)(A), 1902(a)(33)(B), and 
1919(d) of the Social Security Act. Section 353 of the Public Health 
Service Act (42 U.S.C. 263a), 42 CFR 482.13(f), 42 CFR 483.13, 42 CFR 
488.7(a)(2), 42 CFR 488.332, and 42 CFR 488.335.

PURPOSE(S):
    The primary purpose of the system of records is to track and 
process complaints and incidents reported against Medicare/Medicaid/
CLIA providers and suppliers, and to maintain information on laboratory 
directors and owners.
    ACTS provides access to survey and provider/supplier information 
for data-driven analysis and evaluation. This system will improve CMS's 
ability to monitor the performance of State Survey Agencies including 
analyzing program variations and more effectively managing program 
costs. Information retrieved from this system of records will be used 
to aid in the administration of the survey and certification of 
Medicare/Medicaid/CLIA providers and suppliers; support agencies of the 
State governments to determine, evaluate and assess overall 
effectiveness and quality of provider/supplier services provided in the 
State; aid in the administration of Federal and State programs within 
the State; support constituent requests made to a Congressional 
representative, support litigation involving the agency, and facilitate 
research on the quality and effectiveness of care provided.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OR USERS AND THE PURPOSES OF SUCH USES:
    The Privacy Act allows us to disclose information without an 
individual's consent if the information is to be used for a purpose 
that is compatible with the purpose(s) for which the information was 
collected. We are proposing to establish the following routine use 
disclosures of information maintained in the system:
    1. To the Department of Justice (DOJ), court or adjudicatory body 
when:
    (a) The agency or any component thereof; or

[[Page 50802]]

    (b) Any employee of the agency in his or her official capacity; or
    (c) Any employee of the agency in his or her individual capacity 
when the DOJ has agreed to represent the employee; or
    (d) The United States Government; is a party to litigation or has 
an interest in such litigation, and by careful review, CMS determines 
that the records are both relevant and necessary to the litigation and 
the use of such records by the DOJ, court or adjudicatory body is 
therefore deemed by the agency to be for a purpose that is compatible 
with the purpose for which the agency collected the records.
    2. To agency contractors, or consultants who have been engaged by 
the agency to assist in the performance of a service related to this 
system of records and who need to have access to the records in order 
to perform the activity.
    3. To a CMS contractor (including, but not necessarily limited to 
fiscal intermediaries and carriers) that assists in the administration 
of a CMS-administrated health benefits program, or to a grantee of a 
CMS-administered health benefits program, when disclosure is deemed 
reasonably necessary by CMS to prevent, deter, discover, detect, 
investigate, examine, prosecute, sue with respect to, defend against, 
correct, remedy, or otherwise combat fraud or abuse in such program.
    4. To a Quality Improvement Organization (QIO) in order to assist 
the QIO to perform Title XI and Title XVIII functions relating to 
assessing and improving quality of care.
    5. To the agency of a State Government, or established by State 
law, for purposes of determining, evaluating and/or assessing overall 
or aggregate cost, effectiveness, and/or the quality of services 
provided in the State; for developing and operating Medicaid 
reimbursement systems; or for the purpose of administration of Federal/
State programs within the State.
    6. To a Federal or State agency (e.g., State Medicaid agencies) to 
contribute to the accuracy of CMS's health insurance operations 
(payment, treatment and coverage) and/or to support State agencies in 
the evaluation and monitoring of care.
    7. To another Federal agency (e.g., Office of the Inspection 
General, General Accounting Office, Medicaid Fraud Control Unit) or to 
an instrumentality of any governmental jurisdiction within or under the 
control of the United States (including any State or local governmental 
agency) that administers, or that has the authority to investigate 
potential fraud or abuse in a health benefits program funded in whole 
or in part by Federal funds, when disclosure is deemed reasonably 
necessary by CMS to prevent, deter, discover, detect, investigate, 
examine, prosecute, sue with respect to, defend against, correct, 
remedy, or otherwise combat fraud or abuse in such programs.
    8. To an individual or organization for research, evaluation, or 
epidemiological project related to the prevention of disease or 
disability, the restoration or maintenance of health, or payment 
related projects.
    9. To a member of Congress or to a congressional staff member in 
response to an inquiry of the Congressional Office made at the written 
request of the constituent about whom the record is maintained.
    10. To a national accreditation organization that has been granted 
deeming authority by CMS for the purpose of improving the quality of 
care provided through the provision of health care accreditation and 
related services that support performance improvement and monitors the 
quality of deemed providers/suppliers through the investigation of 
complaints.
    11. To a Protection and Advocacy Group that provides legal 
representation and other advocacy services for the purposes of 
monitoring, investigating and attempting to remedy adverse conditions, 
and for responding to allegations of abuse, neglect, and violations of 
the rights of persons with disabilities.
    12. To another agency or to an instrumentality of any governmental 
jurisdiction within or under the control of the United States 
(including any State or local law enforcement agencies) for a civil or 
criminal law enforcement activity (e.g., police, FBI, State Attorney 
General's office).

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    All records are stored on the magnetic disk sub-system of the 
Windows 2000 server. Furthermore, these records are saved to magnetic 
tape backup on a nightly basis.

RETRIEVABILITY:
    The Medicare, Medicaid, and CLIA records are retrieved by name of 
provider/supplier, Medicare provider number, ACTS Complaint number, 
State assigned Medicaid number, or other CMS assigned numbers, 
complainant's name, resident/patient's name, contact/witnesses name, 
alleged perpetrator's name, survey team member's name, surveyor 
identification number, laboratory director's name, laboratory owner's 
name or federal tax identification number.

SAFEGUARDS:
    CMS has safeguards for authorized users and monitors such users to 
ensure against excessive or unauthorized use. Personnel having access 
to the system have been trained in the Privacy Act and systems security 
requirements. Employees who maintain records in the system are 
instructed not to release any data until the intended recipient agrees 
to implement appropriate administrative, technical, procedural, and 
physical safeguards sufficient to protect the confidentiality of the 
data and to prevent unauthorized access to the data.
    In addition, CMS has physical safeguards in place to reduce the 
exposure of computer equipment and thus achieve an optimum level of 
protection and security for the ACTS system. For computerized records, 
safeguards have been established in accordance with the Department 
Health and Human Services standards and National Institute of Standards 
and Technology guidelines, e.g., security codes will be used, limiting 
access to authorized personnel. System securities are established in 
accordance with HHS, Information Resource Management Circular 
10, Automated Information System Security Program; CMS 
Automated Information Systems (AIS) Guide, Systems Securities Policies, 
and OMB Circular No. A-130 (revised), Appendix III.

RETENTION AND DISPOSAL:
    CMS will retain identifiable ACTS data for a total period not to 
exceed 15 years.

SYSTEM MANAGER(S) AND ADDRESS:
    Director, Finance, Systems and Budget Group, Center for Medicaid 
and State Operations, Centers for Medicare & Medicaid Services, 7500 
Security Boulevard, Baltimore, Maryland 21244-1850.
    Director, Survey and Certification Group, Center for Medicaid and 
State Operations, Center for Medicaid and State Operations, 7500 
Security Boulevard, Baltimore, Maryland 21244-1850.

NOTIFICATION PROCEDURE:
    For the purpose of accessing records based on individual 
identifiable data, the subject individual should write to the system 
manager who will require the system name, Medicare provider/supplier 
identification number, provider/supplier's name and address, and for 
verification purposes the subject

[[Page 50803]]

individual's name, social security number (SSN) (furnishing the SSN is 
voluntary, but it may make searching for a record easier and prevent 
delay), address, date of birth and sex.

RECORD ACCESS PROCEDURE:
    For accessing records based on individual identifiable data, use 
the same procedures outlined in Notification Procedures above. 
Requestors should also reasonably specify the record contents being 
sought. (These procedures are in accordance with Department regulation 
45 CFR 5b.5(a)(2).)

CONTESTING RECORD PROCEDURES:
    The subject individual should contact the system manager named 
above, and reasonably identify the record and specify the information 
to be contested. State the corrective action sought and the reasons for 
the correction with supporting justification. (These procedures are in 
accordance with Department regulation 45 CFR 5b.7).

RECORD SOURCE CATEGORIES:
    The following forms and the ACTS software are used to collect ACTS 
data.
    Medicare/Medicaid/CLIA Complaint Form (CMS-562).
    Statement of Deficiencies and Plan of Correction (CMS-2567).
    Post-Certification Revisit Report (CMS-2567B).
    Survey Team Composition and Workload Report (CMS-670).
    Request for Validation of Accreditation Survey for Hospital (CMS-
2802).
    Request for Validation of Accreditation Survey for Laboratory (CMS-
2802A).
    Request for Validation of Accreditation Survey for Hospice (CMS-
2802B).
    Request for Validation of Accreditation Survey for Home Health 
Agency (CMS-2802C).
    Request for Validation of Accreditation Survey for Ambulatory 
Surgical Center (CMS-2802D).
    Request for Survey of 489.20 and 489.24 Essentials of Provider 
Agreements:
    Responsibilities of Medicare Participating Hospitals in Emergency 
Cases (CMS-1541A).
    CMS-116--CLIA Laboratory Application.

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
    Waiver of 40 day waiting period.

Appendix A Location of State Servers

    North Dakota Department of Health Resources, 600 East Boulevard 
Avenue, Suite 206, Bismarck, ND 58505.
    Department of Health, Facility Licensing and Certification 
Bureau, 2040 South Pacheco, Colgate Building 2nd Floor, Santa Fe, NM 
87505.
    Utah Department of Health, M/M Program Certification, 288 North, 
1460 West, Salt Lake City, UT 84114-2905.
    Department of Public Health and Human Services, Senior and Long 
Term Care Division, 111 Sanders Avenue, Suite 210, P.O. Box 4210, 
Helena, MT 59601.
    Division of Medicaid, Bureau of Facility Standards, Myers & 
Stauffer, 8555 West Hackamore Dr., Suite 100, Boise, ID 83709-1665.
    Rhode Island Department of Health, Three Capitol Hill, Cannon 
Building, Room 306, Providence, RI 02908-5097.
    State of Connecticut, Department of Public Health, 410 Capitol 
Avenue MS13DPR, P.O. Box 340308, Hartford, CT 06134-0308.
    Minnesota Department of Health, F&PC Division, 85 East 7th 
Place-Suite 300, P.O. Box 64900, St. Paul, MN 55101.
    Bureau of Quality Assurance, Department of Health and Family 
Services, 1 West Wilson Street, Suite 150, P.O. Box 7850, Madison, 
WI 53701-0309.
    Louisiana Department of Health and Hospitals, Health Standards 
Section, 500 Laurel Street, Suite 100, Baton Rouge, LA 70801.
    Texas Department of Human Services (TDHS), 701 West 51st Street, 
P.O. Box 149030, MC W-519, Austin, TX 78751.
    Alabama Department of Public Health, Division of Health Care 
Facilities, 201 Monroe Street, Suite 840, P.O. Box 303017, 
Montgomery, AL 36104-3017.
    Division of Emergency Medical Services, 570 East Woodrow Wilson 
Blvd., Third Floor A-300, Jackson, MS 39215.
    State of New Jersey, Department of Health and Senior Services 
Long Term Care. Systems Development and Quality, 120 S Stockton 
Street, lower level, Trenton, NJ 08625.
    Office of Health Facilities Licensing and Certification, LTC 
Residents Protection, Three Mill Road, Suite 308, Wilmington, DE 
19806.
    Colorado Department of Public Health and Environment, Health 
Facilities Division, HFD-a2, 4300 Cherry Creek Drive, South, Second 
Floor, Denver, CO 80246-1530.
    Office of Health Quality, 2020 Carey Avenue, First Bank 
Building, 8th Floor, Cheyenne, WY 82002.
    Department of Health & Human Services Division of Facility 
Services Licensure and Certification Section, 805 Briggs Drive, 
Raleigh, NC 27603.
    SCDHEC, Division of Certification, 1777 Saint Julian Place, 
Suite 302, Columbia, SC 29204.
    Seniors and People with Disabilities, 875 Union St.--4th Fl., 
Salem, OR 97310.
    AASA--Division of Residential Services, 0B2 1115 North 
Washington, Olympia, WA 98503.
    Myers and Stauffer, 6380 Flank Drive, Suite 100, Harrisburg, PA 
17112.
    DHHR, Management Information Services, 350 Capital Street, Room 
206, Third Floor Computer Room, Charleston, WV 25301-3178.
    Office of Regulatory Services, Georgia Department of Human 
Resources, 2 Peachtree Street North West, Suite 24, Atlanta, GA 
30303-3167.
    Management Information Systems, Agency for Health Care 
Administration, 2727 Mahan Dr, Fort Knox, Bldg 3, Room 100, MS9a, 
Tallahassee, FL 32308-5403.
    Illinois Department of Public Aid, Division of Medical Programs, 
201 South Grand Avenue, East, Prescott Bloom Bldg. 2nd floor, 
Springfield, IL 62763.
    Indiana State Department of Health, 2 North Meridian Street, 
Indianapolis, IN 46204.
    Cabinet for Health Services Office of Inspector General, 275 
East Main Street 5E-A, Frankfurt, KY 40621.
    Tennessee Department of Health, Division of Health Care 
Facilities, 426 5th Avenue, North, Cordell Hull Building, 1st Floor, 
Nashville, TN 37247-0508.
    Massachusetts Department of Public Health, Division of Health 
Care Quality, 10 West Street, 5th floor, Boston, MA 02111.
    Division of Licensing and Protection, 103 South Main Street, 
Ladd Hall room 898, Waterbury, VT 05671.
    Missouri Department of Social Services, Division of Aging, 615 
Howerton Court, Jefferson City, MO 65109.
    Department of Human Services DMS/OLTC/ Reimbursement Unit, 700 
Main, 4th Floor, PO Box 8059--Slot 407, Little Rock, AR 72203-8059.
    Oklahoma State Department of Health, SHS, 1000 North East 10th 
Street, Oklahoma City, OK 73117-1299.
    Myers & Stauffer Consulting Services, 4123 Southwest Gage Center 
Drive, Suite 200, Topeka, KS 66604.
    Bureau of Licensure and Certification, 1550 East College 
Parkway, Suite 158, Carson City, NV 89706.
    Arizona Department of Health Services, 1647 East Morten Ave., 
Suite 200, Phoenix, AZ 85020.
    Virginia Department of Health, 1500 East Main Street, Room 211, 
Main Street Station, Richmond, VA 23219.
    Department of Consumer and Regulatory Affairs, Service Facility 
Regulation Administration, 825 N Capitol Street NE., 2nd Floor LRA--
Room 221, Washington, DC 20002.
    Michigan Department of Community Health, 300 East Michigan, 
Chandler River Plaza Building, Lansing, MI 48933.
    Ohio Department of Health, 246 N. High St., 3rd Floor, Columbus, 
OH 43215.
    Dept of Human Services, 442 Civic Center Drive, Augusta, ME 
04330.
    Department of Health and Human Services, Office of Program 
Support, Office of Information Systems, 129 Pleasant Street, Brown 
Bldg., Concord, NH 03301-3857.
    Office of Health Care Assurance, 601 Kamokila, RM 395, Kapolei, 
HI 96707.
    South Dakota Department of Social Services, Office of Adult 
Services and Aging, 700 Governors Drive, Pierre, SD 57501.
    California Department of Health Services, Licensing and 
Certification, 630 Bercut Dr. Suite B, Sacramento, CA 95814.
    State of Maryland, Department of Health Care Quality, 55 Wade 
Avenue, Spring Grove

[[Page 50804]]

Center, Bland Bryant Bldg., Fourth Floor, Catonsville, MD 21228.
    Department of Health and Human Services, Medicaid Division, P.O. 
Box 95026--301 Centennial Mall, South, 5th Floor, Lincoln, NE 68509.
    DHHS Div of Med. Assistance Heath Facilities Licensing and 
Certification, 4730 Business Park Boulevard, Suite 18, Anchorage, AK 
99503.
    NYS Dept. of Health, Empire State Plaza, Concourse Room 148, 
Albany, NY 12237.
    Virgin Islands, IFMC, 6000 Westown Parkway, West Des Moines, IA 
50266.
    Puerto Rico Department of Health, Assistant Secretariat for the 
Regulation and Accreditation of Health Facilities, Former Ruez Soler 
Hospital Road 2, Bayamon, PR 00959.

[FR Doc. 03-21444 Filed 8-21-03; 8:45 am]
BILLING CODE 4120-03-P