[Federal Register Volume 71, Number 177 (Wednesday, September 13, 2006)]
[Proposed Rules]
[Pages 53994-54000]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E6-15101]


 ========================================================================
 Proposed Rules
                                                 Federal Register
 ________________________________________________________________________
 
 This section of the FEDERAL REGISTER contains notices to the public of 
 the proposed issuance of rules and regulations. The purpose of these 
 notices is to give interested persons an opportunity to participate in 
 the rule making prior to the adoption of the final rules.
 
 ========================================================================
 

  Federal Register / Vol. 71, No. 177 / Wednesday, September 13, 2006 / 
Proposed Rules  

[[Page 53994]]



SOCIAL SECURITY ADMINISTRATION

20 CFR Part 401

RIN 0960-AE88


Privacy and Disclosure of Official Records and Information

AGENCY: Social Security Administration.

ACTION: Proposed rules.

-----------------------------------------------------------------------

SUMMARY: We are proposing to revise our privacy and disclosure rules to 
clarify certain provisions and to provide expanded regulatory support 
for new and existing responsibilities and functions. These changes in 
the regulations will increase Agency efficiency and ensure consistency 
in the implementation of the Social Security Administration's (SSA) 
policies and responsibilities under the Privacy Act and the Social 
Security Act.

DATES: To be sure that your comments are considered, we must receive 
them no later than November 13, 2006.

ADDRESSES: You may give us your comments by: the Federal eRulemaking 
Portal: http://www.regulations.gov; e-mail to [email protected]; 
telefax to (410) 966-2830; or letter to the Commissioner of Social 
Security, P.O. Box 17703, Baltimore, MD 21235-7703. You may also 
deliver them to the Office of Regulations, Social Security 
Administration, 107 Altmeyer Building, 6401 Security Boulevard, 
Baltimore, MD 21235-6401, between 8 a.m. and 4:30 p.m. on regular 
business days. Comments are posted on our Internet site, or you may 
inspect them on regular business days by making arrangements with the 
contact person shown in this preamble.

FOR FURTHER INFORMATION CONTACT: Christine W. Johnson, Office of Public 
Disclosure, 3 A-6 Operations Building, 6401 Security Boulevard, 
Baltimore, MD 21235-6401, (410) 965-8563 or TTY (410) 965-5609. For 
information on eligibility or filing for benefits, call our national 
toll-free numbers, 1-800-772-1213 or TTY 1-800-325-0778, or visit our 
Internet Web site, Social Security Online, at http://www.socialsecurity.gov.

SUPPLEMENTARY INFORMATION: 

Electronic Version

    The electronic file of this document is available on the date of 
publication in the Federal Register at http://www.gpoaccess.gov/FR/index.html. It is also available on the Internet site for the Social 
Security Administration (e.g., Social Security Online) at http://policy.ssa.gov/pnpublic.nsf.LawsRegs.

Background

    We last revised the privacy and disclosure regulations in 1980 when 
the Social Security Administration (SSA) was a part of the Department 
of Health and Human Services (DHHS) (formerly the Department of Health, 
Education and Welfare) and subject to DHHS' disclosure policy 
oversight. Since 1980, significant changes have occurred in the 
procedures. We propose to codify these changes in the procedures 
governing access to, and disclosure of, personally identifiable 
information. We are also proposing to make minor housekeeping changes 
to further clarify our procedures. In general, the proposed changes 
reflect SSA's compliance with technological, legal and legislative 
changes that have occurred since 1980.
    Thus, we propose to clarify the provisions regarding requests for 
access to information developed by medical sources for Social Security 
programs, fully describe the existing responsibilities and functions of 
the Privacy Officer position, establish the new senior agency official 
for privacy as required by the Office of Management and Budget (OMB) 
and explain the related responsibilities, and implement SSA's new 
Privacy Impact Assessment process in accordance with the E-Government 
Act of 2002, Pub. L. 107-347. Further, as required by OMB, we propose 
to require adequate safeguards against inappropriate disclosure of 
personal information by electronic means, e.g., over the Internet, and 
revise our procedures on notification of, or access to, medical records 
on behalf of another person, e.g., an adult or child.
    These proposed rules would also clarify SSA's policy concerning an 
individual's access to, or notification of, program records, amend the 
language concerning appeal requests under the Privacy Act to include 
denial of access to the record, and amend the language to insert the 
word ``written'' prior to ``consent'' to clarify that the requirement 
means disclosure with written consent and expand the language to more 
clearly define what information we will disclose with written consent. 
Further, we propose to revise the language to show that SSA also has 
physical custody of personnel records, and revise the language under 
disclosure of personal information in nonprogram records to show the 
new name of the former General Accounting Office.
    These proposed rules would also amend the language under disclosure 
of personal information in program records to make clear that we 
disclose information from program records only when there is a 
legitimate need for the information, and revise the language under 
disclosures required by law to show the current name for Aid to 
Families with Dependent Children. We also propose to amend the language 
under compatible purposes to clearly state how we implement the routine 
use provision of the Privacy Act (5 U.S.C. 552a(b)(3)) and what we mean 
by routine use in terms of the information we can disclose, and amend 
the language under law enforcement purposes to clarify that disclosures 
under 5 U.S.C. 552a(b)(7) also require a written request. Further, we 
propose to amend the language under statistical and research activities 
to reflect the language in the new routine use of data for research 
purposes, amend the language in the General Accounting Office section 
to correctly reflect the new name of the agency, and clarify certain 
matters related to our rules on disclosure under court order and other 
legal process.

Explanation of Changes

Section 401.20 Scope

    We propose to amend the section heading in Sec.  401.20(a) to read 
``Access'' and to amend paragraph (a) to clarify the rules regarding 
the access provision as it pertains to information developed by medical 
sources that perform consultative examinations for us. We also propose 
to amend the heading in Sec.  401.20(b)(1)(iii) to read ``Records kept 
by medical sources,'' and amend the language in that paragraph.

[[Page 53995]]

Section 401.30 Privacy Act Responsibilities

    We propose to add new paragraphs (d), (e) and (f) to Sec.  401.30.
Privacy Officer
    New Sec.  401.30(d) will fully describe the position of the SSA 
Privacy Officer and the responsibilities and functions of that 
position. SSA has always had a designated Privacy Officer since the 
enactment of the Privacy Act in 1974. Since that time, the Privacy 
Officer has overall responsibility for coordination of SSA privacy 
matters within the Agency. As such, the Privacy Officer advises the 
Agency on privacy policy matters and is responsible for developing and 
implementing privacy policies and related requirements, ensures 
compliance with the Privacy Act, and provides general oversight of 
privacy and disclosure policy involving privacy and disclosure matters. 
The Privacy Officer has other responsibilities including evaluating 
legislative proposals and other initiatives proposed by Congress, other 
agencies and the public, and reviewing multifunctional projects, 
studies and research activities involving personal information. The 
responsibilities also include facilitating the incorporation of privacy 
principles into information technology systems architectures and 
technical designs to ensure that privacy policies and practices are 
properly reflected in our business requirements.
    We are proposing to provide an explanation of the Privacy Officer's 
responsibilities to emphasize SSA's long-standing commitment to the 
public that personal information maintained in SSA's Privacy Act 
systems of records is handled in full compliance with the law.
Senior Agency Official for Privacy
    To help protect the privacy rights of Americans and to ensure that 
agencies continue to have effective information privacy management 
programs in place to carry out this important responsibility, OMB 
requires that each agency designate a senior agency official to serve 
as the person in charge of privacy issues.
    The Senior Agency Official for Privacy will have overall 
responsibility and accountability for privacy issues at the national 
and agency-wide levels. The official will also have a central role in 
overseeing agency compliance efforts in privacy policy procedures as 
well as a key role in policy-making as it pertains to the development 
and evaluation of legislative, regulatory and other policy proposals 
that might implicate privacy issues.
    New Sec.  401.30(e) will establish SSA's Senior Agency Official for 
Privacy and fully describe the responsibilities of that position as 
prescribed by OMB. (See OMB Memorandum M-08-05, dated February 11, 
2005).
Privacy Impact Assessments
    In accordance with Section 208 of the E-Government Act of 2002 
(Pub. L. 107-347, 44 U.S.C. Ch. 36), the Office of Management and 
Budget now requires that certain Information Technology (IT) projects 
receive a special privacy review called a Privacy Impact Assessment 
(PIA). The PIA review is in addition to the current SSA requirement 
that SSA's Privacy Officer certify Agency procurement requests for 
automated data processing resources and proposed contracts. The PIA 
review will strengthen the existing process by incorporating privacy 
involvement directly into the development of the IT system lifecycle 
and establishing a process that the entire Agency can understand in 
terms of privacy involvement in IT system development efforts.
    New Sec.  401.30(f) will describe the PIA requirements for ensuring 
that privacy considerations receive a standardized review. We will 
determine if adequate measures have been taken to protect the privacy 
of the personally identifiable information the IT project will affect 
and if the requirements of the Privacy Act and applicable SSA 
regulations and policy are properly addressed.

Section 401.45 Verifying Your Identity

    We propose to add to Sec.  401.45 new paragraphs (b)(3) and (b)(4) 
to emphasize that when SSA provides convenient service to you over open 
computer networks such as the Internet, we will adequately protect 
against improper disclosure of records. We will redesignate present 
paragraphs (b)(3), (b)(4) and (b)(5) as (b)(5), (b)(6) and (b)(7), 
respectively. We will also revise the language in redesignated (b)(5).
    Increasingly, computer technology enables us to transact business 
with you as a taxpayer, Social Security beneficiary, employer or third-
party organization. We will move cautiously to allow you to communicate 
with us securely over open networks such as the Internet. Such expanded 
services are dependent on our development of practices and mechanisms 
to ensure identity confirmation to protect you against improper 
disclosure of the personal information we maintain in our records, and 
to improve privacy protections.

Section 401.55 Special Procedures for Notification of or Access to 
Medical Records

    We propose to revise the section heading to read ``Access to 
medical records.'' We also propose to revise the procedures for access 
to medical records to conform to the practices and systems of records 
that set out special procedures under which individuals may have direct 
access to their medical records.
    Currently, when you request your medical records, Sec.  
401.55(b)(1)(ii) requires you to designate a representative to receive 
the records for you and gives the representative the discretion to 
inform you about the contents of your record. We propose to modify the 
special procedures in that paragraph to require the representative to 
release your record to you after the discussion of its contents. The 
representative no longer has the discretion to withhold any part of 
your record.
    Section 401.55(c)(2)(iii) currently gives a designated 
representative (e.g., family physician or other health care 
professional) discretion about making the contents of a minor's medical 
record available to the parent or legal guardian. The proposed rule 
would modify this provision to require the representative to release 
the minor's records to the parent or legal guardian following the 
discussion of its contents. Additionally, we are redesignating present 
paragraph (d) concerning requests on behalf of incapacitated adults as 
paragraph (c)(3).

Section 401.60 Access or Notification of Program Records About Two or 
More Individuals

    Currently, Sec.  401.60 is entitled ``Access or notification of 
program records about two or more individuals.'' The first sentence in 
the section reads ``When information about two or more individuals is 
in one record filed under your social security number, you may receive 
the information about you and the fact of entitlement and the amount of 
benefits payable to other persons based on your record.'' We propose to 
amend Sec.  401.60 by inserting the word ``to'' after the word 
``Access'' in the heading and revising the language in both the heading 
and first sentence to read ``about more than one individual.''

Section 401.70 Appeals of Refusals to Correct or Amend Records

    Currently, Sec.  401.70 is entitled ``Appeals of refusals to 
correct or amend records.'' We propose to amend the section heading to 
include appeals after denial of access. We also propose to

[[Page 53996]]

clarify the policy in the section by revising the language in existing 
paragraphs (a), (b) and (c). Further, we propose to add a new paragraph 
(d) to clearly explain the process after you file your appeal.

Section 401.100 Disclosure of Records With the Consent of the Subject 
of the Record

    We propose to amend the language in the section heading under Sec.  
401.100 to insert the word ``written'' before ``consent.'' We also 
propose to revise the language in paragraph (a) to clarify that the 
consent must be in writing and define what information we will disclose 
with written consent. To present the information in a more reader-
friendly format, the second and third sentences of paragraph (a) will 
be designated as new paragraphs (b) ``Disclosure with written 
consent'', and (c) ``Disclosure of the entire record,'' respectively. 
We propose to make conforming changes to existing paragraph (b) and 
redesignate it as paragraph (d).

Section 401.105 Disclosure of Personal Information Without the Consent 
of the Subject of the Record

    We propose to revise the second sentence of paragraph (b) into two 
sentences to clarify that SSA also has physical custody of personnel 
records maintained as part of the Office of Personnel Management's 
(OPM) Privacy Act government-wide systems of records and that these 
records are subject to OPM's rules on access and disclosure at 5 CFR 
parts 293 and 297.

Section 401.110 Disclosure of Personal Information in Nonprogram 
Records Without the Consent of the Subject of the Record

    We propose to amend the language in Sec.  401.110 (j) to show the 
new name for the former General Accounting Office.

Section 401.115 Disclosure of Personal Information in Program Records 
Without the Consent of the Subject of the Record

    We propose to amend the introductory language in Sec.  401.115 to 
make clear that the information in program records will be disclosed 
only on a need-to-know basis.

Section 401.120 Disclosure Required by Law

    Currently, the last sentence in Sec.  401.120 reads ``* * * and to 
Federal, State and local agencies administering Aid to Families with 
Dependent Children, Medicaid, unemployment compensation, food stamps, 
and other programs.'' We propose to amend the language to reflect the 
current name of the AFDC program. The new name will read ``* * * 
Temporary Assistance for Needy Families * * *.''

Section 401.150 Compatible Purposes

    We propose to amend Sec.  401.150 to clearly state how we implement 
the routine use provision. More specifically, the language in 
paragraphs (a) and (b) will be expanded to include what we mean by 
``routine use'' in terms of the information we can disclose and how we 
give notice of routine use disclosures, respectively. We will amend 
paragraph (c) by adding new paragraphs (c)(1) and (c)(2) to clearly 
show the distinctions between disclosure in SSA programs and programs 
similar to SSA programs, for compatibility purposes.

Section 401.155 Law Enforcement Purposes

    We propose to amend Sec.  401.155 to make clear that the Privacy 
Act requires a written request for information from the head of the law 
enforcement agency in situations involving both serious crimes and 
criminal activity involving Social Security programs or other programs 
with the same purpose.

Section 401.165 Statistical and Research Activities

    We propose to amend Sec.  401.165 to make it consistent with the 
recently published new routine use of data for research purposes.

Section 401.175 General Accounting Office

    We propose to amend the section heading in Sec.  401.175 to reflect 
a name change. The new heading will read ``Government Accountability 
Office.'' We also propose to revise the language in the paragraph to 
read ``* * * to the Government Accountability Office when that agency 
needs the information to carry out its duties.''

Section 401.180 Courts

    We propose to revise the entire section of Sec.  401.180 to clarify 
our policy on disclosure when we receive an order from a court of 
competent jurisdiction.
    In 1980, when Sec.  401.180 was initially published as a final 
rule, the status of subpoenas and other legal process under paragraph 
(b)(11) of the statute was unclear. Since then, SSA has not treated a 
subpoena or similar legal process as a court order unless a judge signs 
it. We believe that this position is now established as law as it is 
consistent with court decisions and OMB guidance interpreting the 
Privacy Act. See, e.g., Doe v. DiGenova, 779 F.2d 74 (D.C. Cir. 1985); 
Stiles v. Atlanta Gas Light Co., 453 F.Supp. 798 (N.D. Ga. 1978).
    Therefore, we propose to revise Sec.  401.180 as follows: In 
paragraph (a) we will make clear that when information disclosed from 
SSA records is used in court proceedings, it usually becomes part of 
the public record of the proceedings and its confidentiality often 
cannot be protected. Accordingly, we will follow the rules in new 
paragraph (d) of this section in deciding whether an order is from a 
court of competent jurisdiction.
    We propose to change the heading in paragraph (b) to read ``Court'' 
and amend the language in the paragraph to state SSA's position that a 
court, for purposes of 5 U.S.C. Sec.  552a(b)(11), is an institution of 
a judicial branch of government consisting of one or more judges who 
seek to adjudicate disputes and administer justice. The definition 
clarifies that other entities in other branches of government or not in 
the United States are not courts for purposes of the Privacy Act.
    We propose to add a new paragraph (c) to explain that only a legal 
process, such as a summons or warrant, that is signed by a judge and 
that commands the disclosure of information by SSA will be considered 
to be a court order for purposes of the statutory exception in 5 U.S.C. 
Sec.  552a(b)(11). References to subpoenas would be removed from this 
regulation.
    When we receive legal process that is not an order of a court of 
competent jurisdiction, (such as a grand jury subpoena, a subpoena 
signed by the clerk of the court or the attorney representing a party 
to the proceeding), we may decide to disclose information if the 
conditions described in any other provision of this regulation would 
permit the disclosure (for example, for a compatible purpose under 
Sec.  401.150). However, we will not disclose without an order from a 
court of competent jurisdiction if the Privacy Act or any other law 
would prohibit the disclosure without such an order. We will also add a 
new paragraph (d) to explain our view on court of competent 
jurisdiction.
    In new paragraph (e) we propose to describe the conditions for 
disclosure under court order and clarify the rules on disclosure when a 
court order is involved.
    We propose to add a new paragraph (f) to explain that in other 
circumstances we may attempt to satisfy the needs of a court of 
competent jurisdiction when the circumstances in paragraph (e) are not 
met. We will make these determinations in accordance with Sec.  
401.140.

[[Page 53997]]

    We propose to add new paragraph (g) to explain that we will treat a 
state criminal court as a court of competent jurisdiction in the 
limited circumstance when a disclosure is necessary to preserve the 
rights of an accused individual to due process in a criminal 
proceeding. We view that extending this exception to a state court 
hearing criminal matters does not in any way waive sovereign immunity. 
We are including this provision to clarify SSA's position that SSA 
should balance an individual's constitutional right to due process 
while preserving the confidentiality of information. SSA will disclose 
information when it believes the due process right outweighs the need 
to preserve confidentiality. We expect the court order to include 
language articulating the due process need for the information.
    Further, we propose to add a new paragraph (h) to provide a cross-
reference to additional regulations contained in 20 CFR part 403 
concerning testimony and production of records in legal proceedings.

Regulatory Procedures

Executive Order 12866

    The Office of Management and Budget has reviewed these proposed 
rules in accordance with Executive Order 12866, as amended by Executive 
Order 13258.

Regulatory Flexibility Act

    We certify that these proposed rules would not have a significant 
economic impact on a substantial number of small entities because they 
affect only individuals or entities acting on their behalf. Thus, a 
regulatory flexibility analysis as provided in the Regulatory 
Flexibility Act, as amended, is not required.

Paperwork Reduction Act

    These proposed rules contain reporting requirements as shown in the 
table below. Where the public reporting burden is accounted for in 
Information Collection Requests for the various forms that the public 
uses to submit the information to SSA, a 1-hour placeholder burden is 
being assigned to the specific reporting requirement(s) contained in 
these rules.

----------------------------------------------------------------------------------------------------------------
                                                                                      Average
                                                  Annual  number   Frequency of     burden per       Estimated
                     Section                       of  responses     response        response     annual  burden
                                                                                     (minutes)        (hours)
----------------------------------------------------------------------------------------------------------------
401.45(b).......................................          20,000               1              10            3333
401.70(a), (b)..................................  ..............  ..............  ..............               1
401.100(b)......................................  ..............  ..............  ..............               1
                                                 ---------------------------------------------------------------
    Total.......................................          20,000               1              10            3335
----------------------------------------------------------------------------------------------------------------

    An Information Collection Request has been submitted to OMB for 
clearance. We are soliciting comments on the burden estimate; the need 
for the information; its practical utility; ways to enhance its 
quality, utility and clarity; and on ways to minimize the burden on 
respondents, including the use of automated collection techniques or 
other forms of information technology. Comments should be submitted 
and/or faxed to the Office of Management and Budget and the Social 
Security Administration at the following addresses/numbers:

Office of Management and Budget, Attn: Desk Officer for SSA, Fax 
Number: 202-395-6974.
Social Security Administration, Attn: SSA Reports Clearance Officer, 
Rm. 1338 Annex Building, 6401 Security Boulevard, Baltimore, MD 21235-
6401, Fax Number: 410-965-6400.

    Comments can be received for up to 60 days after publication of 
this notice and will be most useful if received within 30 days of 
publication. To receive a copy of the OMB clearance package, you may 
call the SSA Reports Clearance Officer on 410-965-0454.

(Catalog of Federal Domestic Assistance Program Nos. 96.001 Social 
Security--Disability Insurance; 96.002 Social Security--Retirement 
Insurance; 96.004 Social Security--Survivors Insurance; 96.006 
Supplemental Security Income)

List of Subjects in 20 CFR Part 401

    Information, Records, Administrative practice and procedure, 
Archives and records.

    Dated: September 5, 2006.
Jo Anne B. Barnhart,
Commissioner of Social Security.
    For the reasons set out in the preamble, we are proposing to amend 
subparts A, B and C of part 401 of chapter III of title 20 of the Code 
of Federal Regulations as set forth below:

PART 401--PRIVACY AND DISCLOSURE OF OFFICIAL RECORDS AND 
INFORMATION

    1. The authority citation for part 401 continues to read as 
follows:

    Authority: Secs. 205, 702(a)(5), 1106, and 1141 of the Social 
Security Act (42 U.S.C. 405, 902(a)(5), 1306, and 1320b-11); 5 
U.S.C. 552 and 552a; 8 U.S.C. 1360; 26 U.S.C. 6103; 30 U.S.C. 923.
    2. Section 401.20 is amended by revising paragraphs (a) and 
(b)(1)(iii) to read as follows:


Sec.  401.20  Scope.

    (a) Access. Sections 401.30 through 401.95, which set out SSA's 
rules for implementing the Privacy Act, apply to records retrieved by 
an individual's name or personal identifier subject to the Privacy Act. 
The rules in Sec. Sec.  401.30 through 401.95 also apply to information 
developed by medical sources for the Social Security program and shall 
not be accessed except as permitted by this part.
    (b) * * *
    (1) * * *
    (iii) Records kept by medical sources. Information retained by 
medical sources pertaining to a consultative examination performed for 
the Social Security program shall not be disclosed except as permitted 
by this part.
* * * * *
    3. Section 401.30 is amended by adding paragraphs (d), (e) and (f) 
to read as follows:


Sec.  401.30  Privacy Act responsibilities.

* * * * *
    (d) Privacy Officer. The Privacy Officer is an advisor to the 
Agency on all privacy policy and disclosure matters. The Privacy 
Officer coordinates the development and implementation of Agency 
privacy policies and related legal requirements to ensure Privacy Act 
compliance, and monitors the coordination, collection, maintenance, use 
and disclosure of personal information. The Privacy Officer also 
ensures the integration of privacy principles into information 
technology systems architecture and technical designs, and generally 
provides to Agency officials policy guidance and directives in carrying 
out the privacy and disclosure policy.

[[Page 53998]]

    (e) Senior Agency Official for Privacy. The Senior Agency Official 
for Privacy assumes overall responsibility and accountability for 
ensuring the agency's implementation of information privacy protections 
as well as agency compliance with Federal laws, regulations, and 
policies relating to the privacy of information, such as the Privacy 
Act. The compliance efforts also include reviewing information privacy 
procedures to ensure that they are comprehensive and up-to-date and, 
where additional or revised procedures may be called for, working with 
the relevant agency offices in the consideration, adoption, and 
implementation of such procedures. The official also ensures that 
agency employees and contractors receive appropriate training and 
education programs regarding the information privacy laws, regulations, 
polices and procedures governing the agency's handling of personal 
information. In addition to the compliance role, the official will have 
a central policy-making role in the agency's development and evaluation 
of legislative, regulatory and other policy proposals which might 
implicate information privacy issues, including those relating to the 
collection, use, sharing, and disclosure of personal information.
    (f) Privacy Impact Assessment. In our comprehensive Privacy Impact 
Assessment (PIA) review process, we incorporate the tenets of privacy 
law, SSA privacy regulations, and privacy policy directly into the 
development of certain Information Technology projects. Our review 
examines the risks and ramifications of collecting, maintaining and 
disseminating information in identifiable form in an electronic 
information system and identifies and evaluates protections and 
alternate processes to reduce the risk of unauthorized disclosures. As 
we accomplish the PIA review, we ask systems personnel and program 
personnel to resolve questions on data needs and data protection prior 
to the development of the electronic system.
    4. Section 401.45 is amended by redesignating paragraphs (b)(3), 
(b)(4) and (b)(5) as (b)(5), (b)(6) and (b)(7), respectively, adding 
new paragraphs (b)(3) and (b)(4) and revising redesignated paragraph 
(b)(5) to read as follows:


Sec.  401.45  Verifying your identity.

* * * * *
    (b) * * *
    (3) Electronic requests. If you make a request by computer or other 
electronic means, e.g., over the Internet, we require you to verify 
your identity by using identity confirmation procedures that are 
commensurate with the sensitivity of the information that you are 
requesting. If we cannot confirm your identity using our identity 
confirmation procedures, we will not process the electronic request. 
When you cannot verify your identity through our procedures, we will 
require you to submit your request in writing.
    (4) Electronic disclosures. When we collect or provide personally 
identifiable information over open networks such as the Internet, we 
use encryption in all of our automated online transaction systems to 
protect the confidentiality of the information. When we provide an 
online access option, such as a standard e-mail comment form on our Web 
site, and encryption is not being used, we alert you that personally 
identifiable information (such as your social security number) should 
not be included in your message.
    (5) Requests not made in person. Except as provided in paragraphs 
(b)(2) of this section, if you do not make a request in person, you 
must submit a written request to SSA to verify your identify or you 
must certify in your request that you are the individual you claim to 
be. You must also sign a statement that you understand that the knowing 
and willful request for or acquisition of a record pertaining to an 
individual under false pretenses is a criminal offense.
* * * * *
    5. Section 401.55 is amended by revising paragraphs (a), 
(b)(1)(ii), (c)(1) and (c)(2)(iii) and by redesignating paragraph (d) 
as paragraph (c)(3) to read as follows:


Sec.  401.55  Access to medical records.

    (a) General. You have a right to access your medical records, 
including any psychological information that we maintain.
    (b) * * *
    (1) * * *
    (ii) When you request medical information about yourself, you must 
also name a representative in writing. The representative may be a 
physician, other health professional, or other responsible individual 
who will be willing to review the record and inform you of its 
contents. Following the discussion, you are entitled to your records. 
The representative does not have the discretion to withhold any part of 
your record. If you do not designate a representative, we may decline 
to release the requested information. In some cases, it may be possible 
to release medical information directly to you rather than to your 
representative.
* * * * *
    (c) Medical records of minors--(1) Request by the minor. You may 
request access to your own medical records in accordance with paragraph 
(b) of this section.
    (2) Request on a minor/s behalf. * * *
    (iii) Where a medical record on the minor exists, we will in all 
cases send it to the physician or health professional designated by the 
parent or guardian. The representative will review the record, discuss 
its contents with the parent or legal guardian, then release the entire 
record to the parent or legal guardian. The representative does not 
have the discretion to withhold any part of the minor's record. We will 
respond in the following similar manner to the parent or guardian 
making the request:


We have completed processing your request for notification of or access 
to --------'s (Name of minor) medical records. Please be informed that 
if any medical record was found pertaining to that individual, it has 
been sent to your designated physician or health professional.
* * * * *
    6. Section 401.60 is amended by revising the section heading and 
first sentence of the paragraph to read as follows:


Sec.  401.60  Access to or notification of program records about more 
than one individual.

    When information about more than one individual is in one record 
filed under your social security number, you may receive the 
information about you and the fact of entitlement and the amount of 
benefits payable to other persons based on your record. * * *
    7. Section 401.70 is revised to read as follows:


Sec.  401.70  Appeals of refusals to correct records or refusals to 
allow access to records.

    (a) General. This section describes how to appeal decisions made by 
SSA under the Privacy Act concerning your request for correction of or 
access to your records, those of your minor child or those of a person 
for whom you are the legal guardian. We generally handle a denial of 
your request for information about another person under the provisions 
of the Freedom of Information Act (see part 402 of this chapter). To 
appeal a decision under this section, your request must be in writing.
    (b) Appeal of refusal to correct or amend records. If we deny your 
request

[[Page 53999]]

to correct an SSA record, you may request a review of that decision. As 
discussed in Sec.  401.65(e), our letter denying your request will tell 
you to whom to write.
    (1) We will review your request within 30 working days from the 
date of the receipt. However, for a good reason and with the approval 
of the Executive Director for the Office of Public Disclosure, this 
time limit may be extended up to an additional 30 days. In that case, 
we will notify you about the delay, the reason for it and the date when 
the review is expected to be completed.
    (2) If, after review, we determine that the record should be 
corrected, we will do so. However, if we refuse to amend the record as 
you requested, we will inform you that--
    (i) Your request has been refused and the reason for refusing;
    (ii) The refusal is SSA's final decision; and
    (iii) You have a right to seek court review of SSA's final 
decision.
    (3) We will also inform you that you have a right to file a 
statement of disagreement with the decision. Your statement should 
include the reason you disagree. We will make your statement available 
to anyone to whom the record is subsequently disclosed, together with a 
statement of our reasons for refusing to amend the record. Also, we 
will provide a copy of your statement to individuals whom we are aware 
received the record previously.
    (c) Appeals after denial of access. If, under the Privacy Act, we 
deny your request for access to your own record, those of your minor 
child or those of a person to whom you are the legal guardian, we will 
advise you in writing of the reason for that denial, the name and title 
or position of the person responsible for the decision and your right 
to appeal that decision. You may appeal the denial decision to the 
Executive Director for the Office of Public Disclosure, 6401 Security 
Boulevard, Baltimore, MD 21235-6401, within 30 days after you receive 
notice denying all or part of your request, or, if later, within 30 
days after you receive materials sent to you in partial compliance with 
your request.
    (d) Filing your appeal. If you file an appeal, the Executive 
Director or his or her designee will review your request and any 
supporting information submitted and then send you a notice explaining 
the decision on your appeal. The time limit for making our decision 
after we receive your appeal is 30 working days. The Executive Director 
or his or her designee may extend this time limit up to 30 additional 
working days if one of the circumstances in 20 CFR 402.140 is met. We 
will notify you in writing of any extension, the reason for the 
extension and the date by which we will decide your appeal. The notice 
of the decision on your appeal will explain your right to have the 
matter reviewed in a Federal district court if you disagree with all or 
part of our decision.
    8. Section 401.100 is revised to read as follows:


Sec.  401.100  Disclosure of records with the written consent of the 
subject of the record.

    (a) General. Except as permitted by the Privacy Act and the 
regulations in this chapter, or when required by the FOIA, we will not 
disclose your records without your written consent.
    (b) Disclosure with written consent. The written consent must 
clearly specify to whom the information may be disclosed, the 
information you want us to disclose (e.g., social security number, date 
and place of birth, monthly Social Security benefit amount, date of 
entitlement), and, where applicable, during which time frame the 
information may be disclosed (e.g., during the school year, while the 
subject individual is out of the country, whenever the subject 
individual is receiving specific services).
    (c) Disclosure of the entire record. We will not disclose your 
entire record. For example, we will not honor a blanket consent for all 
information in a system of records or any other record consisting of a 
variety of data elements. We will disclose only the information you 
specify in the consent. We will verify your identity and where 
applicable (e.g., where you consent to disclosure of a record to a 
specific individual), the identity of the individual to whom the record 
is to be disclosed.
    (d) A parent or guardian of a minor is not authorized to give 
written consent to a disclosure of a minor's medical record. See Sec.  
401.55 (c)(2) for the procedures for disclosure of or access to medical 
records of minors.
    9. Section 401.105 is amended by revising the second sentence of 
paragraph (b) to read as follows:


Sec.  401.105  Disclosure of personal information without the consent 
of the subject of the record.

* * * * *
    (b) * * * For administrative and personnel records, we apply the 
Privacy Act restrictions on disclosure. To the extent that SSA has 
physical custody of personnel records maintained as part of the Office 
of Personnel Management's (OPM) Privacy Act government-wide systems of 
records, these records are subject to OPM's rules on access and 
disclosure at 5 CFR parts 293 and 297. * * *
    10. Paragraph (j) of Sec.  401.110 is revised to read as follows:


Sec.  401.110  Disclosure of personal information in nonprogram records 
without the consent of the subject of the record.

* * * * *
    (j) To the Comptroller General, or any of his authorized 
representatives, in the course of the performance of duties of the 
Government Accountability Office.
* * * * *
    11. Section 401.115 is amended by revising the introductory text to 
read as follows:


Sec.  401.115  Disclosure of personal information in program records 
without the consent of the subject of the record.

    This section describes how various laws control the disclosure or 
confidentiality of personal information that we keep. We disclose 
information in the program records only when a legitimate need exists. 
For example, we disclose information to officers and employees of SSA 
who have a need for the record in the performance of their duties. We 
also must consider the laws identified below in the respective order 
when we disclose program information:
* * * * *
    12. Section 401.120 is amended by revising the last sentence in the 
paragraph to read as follows:


Sec.  401.120  Disclosures required by law.

    * * * These agencies include the Department of Veterans Affairs for 
its benefit programs, U.S. Citizenship and Immigration Services to 
carry out its duties regarding aliens, the Railroad Retirement Board 
for its benefit programs, and to Federal, State and local agencies 
administering Temporary Assistance for Needy Families, Medicaid, 
unemployment compensation, food stamps, and other programs.
    13. Section 401.150 is revised to read as follows:


Sec.  401.150  Compatible purposes.

    (a) General. The Privacy Act allows us to disclose information 
without your consent to any other party for routine uses. ``Routine 
use'' means that your information can be disclosed for use in any 
program that is compatible with the purpose for which SSA collected the 
information.
    (b) Notice of routine use disclosures. A list of permissible 
routine use disclosures is included in every system of records notice 
published in the Federal Register.
    (c) Determining compatibility--(1) Disclosure to carry out SSA 
programs.

[[Page 54000]]

We disclose information for routine uses where necessary to carry out 
SSA's programs.
    (2) Disclosure to carry out programs similar to SSA programs. We 
disclose information for routine uses in the administration of other 
government programs that have the same purposes as SSA programs and 
meet the following conditions:
    (i) The program is clearly identifiable as a Federal, State, or 
local government program.
    (ii) The information requested concerns eligibility, benefit 
amounts, or other matters of benefit status in a Social Security 
program and is relevant to determining the same matters in the other 
program. For example, we disclose information to the Railroad 
Retirement Board for pension and unemployment compensation programs, to 
the Department of Veterans Affairs for its benefit programs, to 
worker's compensation programs, to State general assistance programs 
and to other income maintenance programs at all levels of government. 
We also disclose for health maintenance programs like Medicaid and 
Medicare.
    (iii) In appropriate cases, we will disclose information for use in 
epidemiological and similar research.
    14. Section 401.155 is amended by adding a sentence between the 
fourth and fifth sentences in paragraph (a) and by removing the last 
sentence of paragraph (b).


Sec.  401.155  Law enforcement purposes.

    (a) General. * * * The Privacy Act allows us to disclose 
information if the head of the law enforcement agency makes a written 
request giving enough information to show that the conditions in 
paragraphs (b) or (c) of this section are met, what information is 
needed, and why it is needed. * * *
* * * * *
    15. Section 401.165 is amended by revising paragraph (b)(2) to read 
as follows:


Sec.  401.165  Statistical and research activities.

* * * * *
    (b) * * *
    (2) The activity is designed to increase knowledge about present or 
alternative Social Security programs or other Federal or State income-
maintenance or health-maintenance programs; or is used for research 
that is of importance to the Social Security program or the Social 
Security beneficiaries; or an epidemiological research project that 
relates to the Social Security program or beneficiaries; and
* * * * *
    16. Section 401.175 is revised to read as follows:


Sec.  401.175  Government Accountability Office.

    We disclose information to the Government Accountability Office 
when that agency needs the information to carry out its duties.
    17. Section 401.180 is revised to read as follows:


Sec.  401.180  Disclosure under court order or other legal process.

    (a) General. The Privacy Act permits us to disclose information 
when we are ordered to do so by a court of competent jurisdiction. When 
information is used in a court proceeding, it usually becomes part of 
the public record of the proceeding and its confidentiality often 
cannot be protected in that record. Much of the information that we 
collect and maintain in our records on individuals is especially 
sensitive. Therefore, we follow the rules in paragraph (d) of this 
section in deciding whether we may disclose information in response to 
an order from a court of competent jurisdiction. When we disclose 
pursuant to an order from a court of competent jurisdiction, and the 
order is a matter of public record, the Privacy Act requires us to send 
a notice of the disclosure to the last known address of the person 
whose record was disclosed.
    (b) Court. For purposes of this section, a court is an institution 
of a judicial branch of government within the United States consisting 
of one or more judges who seek to adjudicate disputes and administer 
justice. Entities not in the judicial branch of government within the 
United States are not courts for purposes of this section.
    (c) Court order. For purposes of this section, a court order is any 
legal process which satisfies all of the following conditions:
    (1) It is issued under the authority of a court;
    (2) A judge of that court signs it;
    (3) It commands SSA to disclose information; and
    (4) The court is a court of competent jurisdiction.
    (d) Court of competent jurisdiction. It is the view of SSA that 
under the Privacy Act the Federal Government has not waived sovereign 
immunity, which precludes state court jurisdiction over a Federal 
agency or official. Therefore, SSA will not honor state court orders as 
an independent basis for disclosure except in the circumstances 
described in paragraph (g) of this section. Other state court orders 
will be treated in accordance with the other provisions of this part.
    (e) Conditions for disclosure under a court order of competent 
jurisdiction. We disclose information in compliance with an order of a 
court of competent jurisdiction if --
    (1) Another section of this part specifically allows such 
disclosure, or
    (2) SSA, the Commissioner of Social Security, or any officer or 
employee of SSA in his or her official capacity is properly a party in 
the proceeding, or
    (3) Disclosure of the information is necessary to ensure that an 
individual who is accused of criminal activity receives due process of 
law in a criminal proceeding.
    (f) In other circumstances. We may disclose information to a court 
of competent jurisdiction in circumstances other than those stated in 
paragraph (e) of this section. We will make our decision regarding 
disclosure by balancing the needs of a court while preserving the 
confidentiality of information. For example, we may disclose 
information under a court order that restricts the use and redisclosure 
of the information by the participants in the proceeding; we may offer 
the information for inspection by the court in camera and under seal; 
or we may arrange for the court to exclude information identifying 
individuals from that portion of the record of the proceedings that is 
available to the public. We will make these determinations in 
accordance with section 401.140.
    (g) Conditions for disclosure under state court orders. We may 
disclose information in compliance with a state court order only if the 
disclosure is necessary to preserve the rights of an accused to due 
process in a criminal proceeding. We will make our decision regarding 
disclosure by balancing the needs of a state court while preserving the 
confidentiality of information.
    (h) Other regulations on request for testimony, subpoenas and 
production of records in legal proceedings. See 20 CFR part 403 of this 
chapter for additional rules covering disclosure of information and 
records governed by this part and requested in connection with legal 
proceedings.

[FR Doc. E6-15101 Filed 9-12-06; 8:45 am]
BILLING CODE 4191-02-P