[Federal Register Volume 72, Number 35 (Thursday, February 22, 2007)]
[Notices]
[Pages 7993-7998]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E7-2984]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services


Privacy Act of 1974; Report of a Modified or Altered System of 
Records

AGENCY: Department of Health and Human Services (HHS), Centers for 
Medicare & Medicaid Services (CMS).

ACTION: Notice of a Modified or Altered System of Records.

-----------------------------------------------------------------------

SUMMARY: The Privacy Act of 1974 and section 1106 of the Social 
Security Act (the Act) explain when and how CMS may release the 
personal data of people with Medicare. The Medicare Prescription Drug, 
Improvement, and Modernization Act of 2003 (MMA) (Public Law 108-173) 
added requirements for releasing and using personal data. The primary 
purpose of this system is to collect, maintain, and process information 
on all Medicare covered, and as many non-covered drug events as 
possible, for people with Medicare who have a Medicare Part D plan. The 
system will help CMS determine appropriate payment of covered drugs. It 
will also provide for processing, storing, and maintaining drug 
transaction data in a large-scale database, while putting data into 
data marts to support payment analysis. CMS would allow the release of 
information in this system to: (1) Support regulatory, analysis, 
oversight, reimbursement, and policy functions performed within the 
agency or by a contractor, consultant, or a CMS grantee; (2) help 
another Federal and/or state agency, agency of a state government, an 
agency established by state law, or its fiscal agent; (3) help Medicare 
Part D plans; (4) support an individual or organization for research, 
an evaluation, or an epidemiological or other project related to 
protecting the public's health, the prevention of disease or 
disability, the restoration or maintenance of health, or for payment 
related purposes; (5) help Quality Improvement Organizations; (6) 
support lawsuits involving the agency; and (7) combat fraud, waste, and 
abuse in certain health benefits programs.
    To meet these additional requirements, CMS proposes to modify the 
existing system of records (SOR) titled ``Medicare Drug Data Processing 
System (DDPS),'' System No. 09-70-0553, established at 70 Federal 
Register (FR) 58436 (October 6, 2005). Under this modification we are 
clarifying the statutory authorities for which these data are collected 
and disclosed. The original SOR notice cited the statutory section 
governing CMS's payment of Part D plan sponsors (Social Security Act 
(the Act) Sec.  1860D-15) that limits the uses of the data collected to 
plan payment and oversight of plan payment. However, the broad 
authority of Sec.  1860D-12(b)(3)(D) authorizes CMS to collect, use and 
disclose these same claims data for broader purposes related to CMS's 
responsibilities for program administration and research. Furthermore, 
the authority under Sec.  1106 of the Act allows the Secretary to 
release data pursuant to a regulation, which in this case would be 42 
CFR 423.322 and 423.505. CMS has published a Notice of Proposed 
Rulemaking (NPRM) in order to clarify our statutory authority and 
explain how we propose to implement the broad authority of Sec.  1860D-
12(b)(3)(D). This SOR is being revised to reflect our intended use of 
this broader statutory authority.
    CMS proposes to make the following modifications to the DDPS 
system:
     Revise routine use number 1 to include CMS grantees that 
perform a task for the agency.
     Add a new routine use number 2 to allow the release of 
information to other Federal and state agencies for accurate payment of 
Medicare benefits; to administer a Federal health benefits program, or 
to fulfill a requirement or allowance of a Federal statute or 
regulation that implements a health benefits program funded in whole or 
in part with Federal funds; and help Federal/state Medicaid programs 
that may need information from this system.
     Broaden the scope of routine use number 4 to allow the 
release of data to an individual or organization for research, 
evaluation, or epidemiological or other project related to protecting 
the public's health, the prevention of disease or disability, the 
restoration or maintenance of health, or payment-related projects.
     Delete routine use number 5 which authorizes disclosure to 
support constituent requests made to a congressional representative.
     Broaden the scope of routine use numbers 7 and 8 to 
include combating ``waste,'' fraud, and abuse that results in 
unnecessary cost to all Federally-funded health benefit programs.
     Revise language regarding routine use disclosures to 
explain the purpose of the routine use and make clear CMS's intention 
to release personal information contained in this system.
     Reorder and prioritize the routine uses.
     Update any sections of the system affected by the 
reorganization or revision of routine uses because of MMA provisions.
     Update language in the administrative sections to be 
consistent with language used in other CMS SORs.
    Although the Privacy Act allows CMS to only ask for comments on the 
modified routine uses, CMS is asking for comments on all proposed 
changes discussed in this notice. See the EFFECTIVE DATES section below 
for the comment period.

EFFECTIVE DATES: The modified system will become effective 30 days from 
the publication of the notice, or 40 days from the date it was 
submitted to the Office of Management and Budget (OMB) and Congress on 
02/13/2007, whichever is later, unless CMS receives comments that 
require changes to this notice.

ADDRESSES: The public should send comments to: CMS Privacy Officer, 
Division of Privacy Compliance, Enterprise Architecture and Strategy 
Group, Office of Information Services, CMS, Room N2-04-27, 7500 
Security Boulevard, Baltimore, Maryland 21244-1850. Comments received 
will be available for review at this location, by appointment, during 
regular business hours, Monday through Friday from 9 a.m.-3 p.m., 
eastern time zone.

FOR FURTHER INFORMATION CONTACT: Amanda Ryan, Health Insurance 
Specialist, Division of Payment Systems, Medicare Plan Payment Group, 
Centers for Beneficiary Choices, CMS, Room C1-26-14, 7500 Security 
Boulevard, Baltimore, Maryland 21244-1850. The telephone number is 410-
786-0419 or contact [email protected].

SUPPLEMENTARY INFORMATION: In December 2003, Congress added Part D 
under Title XVIII when it passed the Medicare Prescription Drug, 
Improvement, and Modernization Act. The Act allows Medicare to pay 
plans to provide Part D prescription drug coverage as described in 
Title 42, Code of Federal Regulations (CFR) Sec.  423.401. The Act 
allows Medicare to pay plans in one of four ways: 1. direct subsidies; 
2. premium and cost-sharing subsidies for qualifying low-income 
individuals (low-income subsidy); 3. Federal reinsurance subsidies; and 
4. risk-sharing. Throughout this notice, the term ``plans'' means all 
entities that provide Part D prescription drug coverage and submit 
claims data to CMS for payment calculations.
    As a condition of payment, all Part D plans must submit data and 
information necessary for CMS to carry out payment provisions (Sec.  
1860D-15(c)(1)(C) and (d)(2) of the Act, and 42 CFR 423.322). In 
addition, these data may be disclosed to other entities, pursuant to 
Sec.  1860D-12(b)(3)(D) and 42 CFR 423.505 (b)(8) and (f)(3) and (5) 
for the purposes described in the routine uses described in this SOR 
notice. Furthermore, this data may be disclosed pursuant to Sec.  1106 
of the Act.
    This notice explains how CMS would collect data elements on 100% of 
the Part D prescription drug ``claims'' or events according to the 
statute. The data, including dollar fields, would be used for payment 
purposes, as well as other purposes allowed by Sec.  1860-D. However, 
some of the other data elements such as pharmacy and prescriber 
identifiers would be used to validate claims and meet other legislative 
requirements such as quality monitoring, program integrity, and 
oversight.

I. Description of the Modified System of Records

A. Statutory and Regulatory Basis for System

    This system is mandated under provisions of the Medicare 
Prescription Drug, Improvement, and Modernization Act, amending the 
Social Security Act by adding Part D under Title XVIII (Sec. Sec.  
1860D-15(c)(1)(C) and (d)(2), as described in Title 42, Code of Federal 
Regulations (CFR) Sec. Sec.  423.401 and 1860D-12(b)(3)(D) of the Act, 
as described in 42 CFR Sec. Sec.  423.505(b)(8) and (f)(3) and (5)).

B. Data in the System

    The system contains summary prescription drug claim information on 
all covered and non-covered drug events for people with Medicare. The 
data in this system includes prescription drug claim data, health 
insurance claim number, card holder identification number, date of 
service, gender, and date of birth (if provided). It also contains 
provider characteristics, prescriber identification number, assigned 
provider number (facility, referring/servicing physician), national 
drug code, total charges, Medicare payment amount, and beneficiary's 
liability amount.

II. Agency Policies, Procedures, and Restrictions on Routine Uses

    Below are CMS' policies and procedures for giving out information 
maintained in the system. CMS would only release the minimum personal 
data necessary to achieve the purpose of the DDPS.
    1. The information or use of the information is consistent with the 
reason that the data is being collected.
    2. The individually identifiable information is necessary to 
complete the project (taking into account the risk on the privacy of 
the individual).
    3. The organization receiving the information establishes 
administrative, technical, and physical protections to prevent 
unauthorized use of the information; returns or destroys all 
individually identifiable information when the contract ends; and 
agrees not to use or give out the information for any purpose other 
than the reason provided for needing the information.
    4. The data are valid and reliable.
    The Privacy Act allows CMS to give out identifiable and not-
identifiable information for routine uses without an individual's 
consent. The data described in this notice is listed under Section I. 
B. above.

III. Routine Uses of Data

    A. In addition to those entities specified in the Privacy Act of 
1974, CMS may release information from the DDPS without individual 
consent for some routine uses. Below are the modified routine uses for 
releasing information without individual consent that CMS would add or 
modify in the DDPS.
    1. To support Agency contractors, consultants, or CMS grantees who 
are helping CMS with the DDPS and who have a need to access the records 
in order to provide assistance. Recipients shall be required to comply 
with the requirements of the Privacy Act, 5 U.S.C. 552a.
    CMS must be able to give a contractor, consultant, or CMS grantee 
necessary information in order to complete their contractual 
responsibilities. In these situations, protections are provided in the 
contract prohibiting the contractor, consultant, or grantee from using 
or releasing the information for any purpose other than that described 
in the contract. The contract also requires the contractor, consultant, 
or grantee to return or destroy all information when the contract ends.
    2. To help another Federal or state agency, agency of a state 
government, an agency established by state law, or its fiscal agent to:
    a. contribute to the accuracy of CMS' payment of Medicare benefits,
    b. administer a Federal health benefits program or fulfill a 
Federal statute or regulatory requirement or allowance that implements 
a health benefits program funded in whole or in part with Federal 
funds, or
    c. access data required for Federal/state Medicaid programs.
    Other Federal or state agencies in their administration of a 
Federal health program may require DDPS information in order to support 
evaluations and monitoring of Medicare claims information of 
beneficiaries, including 
proper reimbursement for services provided.
    In addition, disclosure under this routine use shall be used by 
state agencies pursuant to agreements with the HHS for determining 
Medicare or Medicaid eligibility, for quality control studies, for 
determining eligibility of recipients of assistance under titles IV, 
XVIII, and XIX of the Act, and for the administration of the Medicare 
and Medicaid programs. Data will be released to the state only on those 
individuals who are or were patients under the services of a program 
within the state or who are residents of that state.
    3. To support plans and other entities in protecting their members 
(and former members for the periods enrolled in a given plan) against 
unauthorized medical expenses, including unauthorized prescription drug 
expenses, and providing information about events that affect their 
members' rights to any benefit or payment. This includes having 
information to coordinate benefits with Medicare and the Medicare 
Secondary Payer provision at 42 U.S.C. 1395y(b).
    Other insurers may need data in order to support evaluations and 
monitoring of Medicare claims information, including proper 
reimbursement for services. In order to receive the information, plans 
and other entities must:
    a. certify that the individual is or was a plan member or is 
insured and/or employed by, or contracted with another entity for whom 
they serve as a Third Party Administrator;
    b. use the information only to process the individual's insurance 
claims; and
    c. safeguard the confidentiality of the data to prevent 
unauthorized access.
    4. To assist an individual or organization with research, an 
evaluation, or an epidemiological or other project related to 
protecting the public's health, the prevention of disease or 
disability, restoration or maintenance of health, or for payment 
related purposes. CMS must:
    a. determine if the use or release of data violates legal 
limitations under which the record was provided, collected, or 
obtained;
    b. determine that the purpose for the release of information:
    (1) cannot be reasonably accomplished unless the record is provided 
in individually identifiable form,
    (2) is of sufficient importance to warrant the effect or risk on 
the privacy of the individual, and
    (3) meets the objectives of the project;
    c. require the recipient of the information to:
    (1) establish reasonable administrative, technical, and physical 
protections to prevent unauthorized use or release of information,
    (2) return or destroy the information unless there is an acceptable 
research reason for keeping the information, and
    (3) no longer use or release information except:
    (a) in emergency circumstances affecting the health or safety of 
any individual,
    (b) for use in another research project, under these same 
conditions and with written CMS approval,
    (c) for an audit related to the research, or
    (d) when required by Federal law.
    d. get signed, written statements from the entity receiving the 
information that they understand and will follow all provisions in this 
notice.
    e. complete and submit a Data Use Agreement (CMS Form 0235) in 
accordance with current CMS policies.
    DDPS data will provide for research, evaluation, and 
epidemiological projects, a broader, longitudinal, national perspective 
of the status of Medicare beneficiaries. CMS anticipates that many 
researchers will have legitimate requests to use these data in projects 
that could ultimately improve the care provided to Medicare 
beneficiaries and the policy that governs the care.
    5. To support Quality Improvement Organizations (QIO) in the claims 
review process, or with studies or other review activities performed in 
accordance with Part B of Title XI of the Act. QIOs can also use the 
data for outreach activities to establish and maintain entitlement to 
Medicare benefits or health insurance plans.
    QIOs will work to implement quality improvement programs, provide 
consultation to CMS, its contractors, and to state agencies. QIOs will 
assist the state agencies in related monitoring and enforcement 
efforts, assist CMS and intermediaries in program integrity assessment, 
and prepare summary information for release to CMS.
    6. To the Department of Justice (DOJ), court, or adjudicatory body 
when there is a lawsuit in which the Agency, any employee of the Agency 
in his or her official capacity or individual capacity (if the DOJ 
agrees to represent the employee), or the United States Government is a 
party or CMS' policies or operations could be affected by the outcome. 
The information must be both relevant and necessary to the lawsuit, and 
the use of the records is for a purpose that is compatible with the 
purpose for which CMS collected the records.
    Whenever CMS is involved in litigation, or occasionally when 
another party is involved in litigation and CMS' policies or operations 
could be affected by the outcome of the litigation, CMS would be able 
to disclose information to the DOJ, court, or adjudicatory body 
involved.
    7. To help a CMS contractor that assists in the administration of a 
CMS health benefits program or a grantee of a CMS-administered grant 
program if the information is necessary, in any capacity, to combat 
fraud, waste, or abuse in such program. CMS will only provide this 
information if CMS can enter into a contract or grant for this purpose.
    CMS must be able to give a contractor or CMS grantee necessary 
information in order to complete their contractual responsibilities. In 
these situations, protections are provided in the contract prohibiting 
the contractor or grantee from using or releasing the information for 
any purpose other than that described in the contract. It also requires 
the contractor or grantee to return or destroy all information when the 
contract ends.
    8. To help another Federal agency or any United States government 
jurisdiction (including any state or local governmental agency) if the 
information is necessary, in any capacity, to combat fraud, waste, or 
abuse in a health benefits program that is funded in whole or in part 
by Federal funds.
    Other agencies may require DDPS information for the purpose of 
combating fraud, waste, or abuse in such Federally-funded programs.
    B. To the extent this system contains Protected Health Information 
(PHI) as defined by HHS regulation ``Standards for Privacy of 
Individually Identifiable Health Information'' (45 CFR Parts 160 and 
164, Subparts A and E) 65 FR 82462 (December 28, 2000), releases of 
information that are otherwise allowed by these routine uses may only 
be made if, and as, permitted or required by the ``Standards for 
Privacy of Individually Identifiable Health Information.'' (See 45 CFR 
164.512(a)(1)).
    C. In addition, CMS will not give out information that is not 
directly identifiable if there is a possibility that a person with 
Medicare could be identified because the sample is small enough to 
identify participants. CMS would make exceptions if the information is 
needed for one of the routine uses or if it's required by law.

IV. Protections

    CMS has protections in place for authorized users to make sure they 
are properly using the data and there is no unauthorized use. Personnel 
having access to the system have been trained in the Privacy Act and 
information security requirements. Employees who maintain records in 
this system can't release data until the recipient agrees to implement 
appropriate management, operational and technical safeguards that will 
protect the confidentiality, integrity, and availability of the 
information and information systems.
    This system would follow all applicable Federal laws and 
regulations, and Federal, HHS, and CMS security and data privacy 
policies and standards. These laws and regulations include but are not 
limited to: the Privacy Act of 1974; the Federal Information Security 
Management Act of 2002; the Computer Fraud and Abuse Act of 1986; the 
Health Insurance Portability and Accountability Act of 1996; the E-
Government Act of 2002, the Clinger-Cohen Act of 1996; the Medicare 
Modernization Act of 2003, and the corresponding implementing 
regulations. OMB Circular A-130, Management of Federal Resources, 
Appendix III, Security of Federal Automated Information Resources also 
applies. Federal, HHS, and CMS policies and standards include but are 
not limited to all pertinent National Institute of Standards and 
Technology publications, the HHS Information Systems Program Handbook, 
and the CMS Information Security Handbook.

V. Effects on Individual Rights

    CMS doesn't anticipate a negative effect on individual privacy as a 
result of giving out personal information from this system. CMS 
established this system in accordance with the principles and 
requirements of the Privacy Act and would collect, use, and release 
information in a way that follows these requirements. CMS would only 
give out the minimum amount of personal data to achieve the purpose of 
the system. Release of information from the system will be approved 
only to the extent necessary to accomplish the purpose of releasing the 
data. CMS has assigned a higher level of security clearance for the 
information maintained in this system in an effort to provide added 
security and protection of individuals' personal information, and, if 
feasible, would ask that the information be returned or destroyed once 
it is no longer needed.
    CMS would take precautionary measures to minimize the risks of 
unauthorized access to the records and the potential harm to individual 
privacy, or other personal or property rights. CMS would collect only 
information necessary to perform the system's functions. In addition, 
CMS would only give out information if the individual, or his or her 
legal representative has given approval, or if allowed by one of the 
exceptions noted in the Privacy Act.

    Dated: February 13, 2007.
Charlene Frizzera,
Acting Chief Operating Officer, Centers for Medicare & Medicaid 
Services.
SYSTEM No. 09-70-0553

SYSTEM NAME:
    Medicare Drug Data Processing System (DDPS), HHS/CMS/CBC.

SECURITY CLASSIFICATION:
    Level Three Privacy Act Sensitive.

SYSTEM LOCATION:
    CMS Data Center, 7500 Security Boulevard, North Building, First 
Floor, Baltimore, Maryland 21244-1850 and at various contractor sites.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The system contains summary prescription drug claim information on 
all covered and non-covered drug events for people with Medicare.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The data in this system includes prescription drug claim data, 
health insurance claim number, card holder identification number, date 
of service, gender, and date of birth (if provided). It also contains 
provider characteristics, prescriber identification number, assigned 
provider number (facility, referring/servicing physician), national 
drug code, total charges, Medicare payment amount, and beneficiary's 
liability amount.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    This system is mandated under provisions of the Medicare 
Prescription Drug, Improvement, and Modernization Act, amending the 
Social Security Act (the Act) by adding Part D under Title XVIII 
(Sec. Sec.  1860D-15(c)(1)(C) and (d)(2), as described in Title 42, 
Code of Federal Regulations (CFR) 423.401 and 1860D-12(b)(3)(D) of the 
Act, as described in 42 CFR 423.505(b)(8) and (f)(3) and (5)). 
Furthermore, this data may be disclosed pursuant to Sec.  1106 of the 
Act.

PURPOSE(S) OF THE SYSTEM:
    The primary purpose of this system is to collect, maintain, and 
process information on all Medicare covered and as many non-covered 
drug events as possible, for people with Medicare who have a Medicare 
Part D plan. The system will help CMS determine appropriate payment of 
covered drugs. It will also provide for processing, storing, and 
maintaining drug transaction data in a large-scale database, while 
putting data into data marts to support payment analysis. CMS would 
allow the release of information in this system to: (1) Support 
regulatory, analysis, oversight, reimbursement, and policy functions 
performed within the agency or by a contractor, consultant, or a CMS 
grantee; (2) help another Federal and/or State agency, agency of a 
State government, an agency established by State law, or its fiscal 
agent; (3) help Medicare Part D plans; (4) support an individual or 
organization for research, an evaluation, or an epidemiological or 
other project related to protecting the public's health, the prevention 
of disease or disability, the restoration or maintenance of health, or 
for payment related purposes; (5) help Quality Improvement 
Organizations; (6) support lawsuits involving the agency; and (7) 
combat fraud, waste, and abuse in certain health benefits programs.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
ROUTINE USES OF DATA:
    A. In addition to those entities specified in the Privacy Act of 
1974, CMS may release information from the DDPS without individual 
consent for some routine uses. Below are the modified routine uses for 
releasing information without individual consent that CMS would add or 
modify in the DDPS.
    1. To support Agency contractors, consultants, or CMS grantees who 
are helping CMS with the DDPS and who have a need to access the records 
in order to provide assistance. Recipients shall be required to comply 
with the requirements of the Privacy Act, 5 U.S.C. 552a.
    2. To help another Federal or State agency, agency of a State 
government, an agency established by State law, or its fiscal agent to:
    a. Contribute to the accuracy of CMS' payment of Medicare benefits,
    b. Administer a Federal health benefits program or fulfill a 
Federal statute or regulatory requirement or allowance that implements 
a health benefits program funded in whole or in part with Federal 
funds, or
    c. Access data required for Federal/State Medicaid programs.
    3. To support plans and other entities in protecting their members 
(and former members for the periods enrolled in a given plan) against 
unauthorized 
medical expenses, including unauthorized prescription drug expenses, 
and providing information about events that affect their members' 
rights to any benefit or payment. This includes having information to 
coordinate benefits with Medicare and the Medicare Secondary Payer 
provision at 42 U.S.C. 1395y(b).
    4. To assist an individual or organization with research, an 
evaluation, or an epidemiological or other project related to 
protecting the public's health, the prevention of disease or 
disability, restoration or maintenance of health, or for payment 
related purposes. CMS must:
    a. Determine if the use or release of data violates legal 
limitations under which the record was provided, collected, or 
obtained;
    b. Determine that the purpose for the release of information:
    (1) Cannot be reasonably accomplished unless the record is provided 
in individually identifiable form,
    (2) Is of sufficient importance to warrant the effect or risk on 
the privacy of the individual, and
    (3) Meets the objectives of the project;
    c. Require the recipient of the information to:
    (1) Establish reasonable administrative, technical, and physical 
protections to prevent unauthorized use or release of information,
    (2) Return or destroy the information unless there is an acceptable 
research reason for keeping the information, and
    (3) No longer use or release information except:
    (a) In emergency circumstances affecting the health or safety of 
any individual,
    (b) For use in another research project, under these same 
conditions and with written CMS approval,
    (c) For an audit related to the research, or
    (d) When required by Federal law.
    d. Get signed, written statements from the entity receiving the 
information that they understand and will follow all provisions in this 
notice.
    e. Complete and submit a Data Use Agreement (CMS Form 0235) in 
accordance with current CMS policies.
    5. To support Quality Improvement Organizations (QIO) in the claims 
review process, or with studies or other review activities performed in 
accordance with Part B of Title XI of the Act. QIOs can also use the 
data for outreach activities to establish and maintain entitlement to 
Medicare benefits or health insurance plans.
    6. To the Department of Justice (DOJ), court, or adjudicatory body 
when there is a lawsuit in which the Agency, any employee of the Agency 
in his or her official capacity or individual capacity (if the DOJ 
agrees to represent the employee), or the United States Government is a 
party or CMS' policies or operations could be affected by the outcome. 
The information must be both relevant and necessary to the lawsuit, and 
the use of the records is for a purpose that is compatible with the 
purpose for which CMS collected the records.
    7. To help a CMS contractor that assists in the administration of a 
CMS health benefits program or a grantee of a CMS-administered grant 
program if the information is necessary, in any capacity, to combat 
fraud, waste, or abuse in such program. CMS will only provide this 
information if CMS can enter into a contract or grant for this purpose.
    8. To help another Federal agency or any United States government 
jurisdiction (including any State or local governmental agency) if the 
information is necessary, in any capacity, to combat fraud, waste, or 
abuse in a health benefits program that is funded in whole or in part 
by Federal funds.
    B. To the extent this system contains Protected Health Information 
(PHI) as defined by HHS regulation ``Standards for Privacy of 
Individually Identifiable Health Information'' (45 CFR Parts 160 and 
164, Subparts A and E) 65 FR 82462 (December 28, 2000), releases of 
information that are otherwise allowed by these routine uses may only 
be made if, and as, permitted or required by the ``Standards for 
Privacy of Individually Identifiable Health Information.'' (See 45 CFR 
164.512(a)(1)).
    C. In addition, CMS will not give out information that is not 
directly identifiable if there is a possibility that a person with 
Medicare could be identified because the sample is small enough to 
identify participants. CMS would make exceptions if the information is 
needed for one of the routine uses or if it's required by law.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    Records are stored on both tape cartridges (magnetic storage media) 
and in a DB2 relational database management environment (DASD data 
storage media).

RETRIEVABILITY:
    Information is most frequently retrieved by HICN, provider number 
(facility, physician, IDs), service dates, and beneficiary State code.

PROTECTIONS:
    CMS has protections in place for authorized users to make sure they 
are properly using the data and there is no unauthorized use. Personnel 
having access to the system have been trained in the Privacy Act and 
information security requirements. Employees who maintain records in 
this system can't release data until the recipient agrees to implement 
appropriate management, operational and technical safeguards that will 
protect the confidentiality, integrity, and availability of the 
information and information systems.
    This system would follow all applicable Federal laws and 
regulations, and Federal, HHS, and CMS security and data privacy 
policies and standards. These laws and regulations include but are not 
limited to: the Privacy Act of 1974; the Federal Information Security 
Management Act of 2002; the Computer Fraud and Abuse Act of 1986; the 
Health Insurance Portability and Accountability Act of 1996; the E-
Government Act of 2002, the Clinger-Cohen Act of 1996; the Medicare 
Modernization Act of 2003, and the corresponding implementing 
regulations. OMB Circular A-130, Management of Federal Resources, 
Appendix III, Security of Federal Automated Information Resources also 
applies. Federal, HHS, and CMS policies and standards include but are 
not limited to all pertinent National Institute of Standards and 
Technology publications, the HHS Information Systems Program Handbook, 
and the CMS Information Security Handbook.

RETENTION AND DISPOSAL:
    Records will be retained until an approved disposition authority is 
obtained from the National Archives and Records Administration.

SYSTEM MANAGER AND ADDRESS:
    Director, Division of Payment Systems, Medicare Plan Payment Group, 
Centers for Beneficiary Choices, CMS, Room C1-26-14, 7500 Security 
Boulevard, Baltimore, Maryland 21244-1850.

NOTIFICATION PROCEDURE:
    For purpose of notification, the subject individual should write to 
the system manager who will require the system name, and the retrieval 
selection criteria (e.g., HICN, facility/pharmacy number, service 
dates, etc.).

RECORD ACCESS PROCEDURE:
    For purpose of access, use the same procedures outlined in 
Notification Procedures above. Requestors should also reasonably 
specify the record 
contents being sought. (These procedures are in accordance with 
Department regulation 45 CFR 5b.5(a)(2)).

CONTESTING RECORD PROCEDURES:
    The subject individual should contact the system manager named 
above, and reasonably identify the record and specify the information 
to be contested. State the corrective action sought and the reasons for 
the correction with supporting justification. (These procedures are in 
accordance with Department regulation 45 CFR 5b.7).

RECORD SOURCE CATEGORIES:
    Summary prescription drug claim information contained in this 
system is obtained from the Prescription Benefit Package (PBP) Plans 
and Medicare Advantage (MA-PBP) Plans daily and monthly drug event 
transaction reports, Medicare Beneficiary Database (09-70-0530), and 
other payer information to be provided by the TROOP Facilitator.

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE PRIVACY ACT:
    None.
 [FR Doc. E7-2984 Filed 2-21-07; 8:45 am]
BILLING CODE 4120-03-P