[Federal Register Volume 72, Number 81 (Friday, April 27, 2007)]
[Rules and Regulations]
[Pages 20935-20942]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E7-7940]


=======================================================================
-----------------------------------------------------------------------

SOCIAL SECURITY ADMINISTRATION

20 CFR Part 401

[Docket No. SSA 2006-0074]
RIN 0960-AE88


Privacy and Disclosure of Official Records and Information

AGENCY: Social Security Administration.

ACTION: Final rules.

-----------------------------------------------------------------------

SUMMARY: These final rules revise our privacy and disclosure rules to 
clarify certain provisions and to provide expanded regulatory support 
for new and existing responsibilities and functions. These changes in 
the regulations will increase Agency efficiency and ensure consistency 
in the implementation of the Social Security Administration's (SSA) 
policies and responsibilities under the Privacy Act and the Social 
Security Act.

DATES: These rules are effective May 29, 2007.

FOR FURTHER INFORMATION CONTACT: Christine W. Johnson, Office of Public 
Disclosure, 3-A-6 Operations Building, 6401 Security Boulevard, 
Baltimore, MD 21235-6401, (410) 965-8563 or TTY (410) 965-5609. For 
information on eligibility or filing for benefits, call our national 
toll-free numbers, 1-800-772-1213 or TTY 1-800-325-0778, or visit our 
Internet Web site, Social Security Online, at http://www.socialsecurity.gov.

SUPPLEMENTARY INFORMATION:

Electronic Version

    The electronic file of this document is available on the date of 
publication in the Federal Register at http://www.gpoaccess.gov/FR/index.html.

Background

    We last revised the privacy and disclosure regulations in 1980 when 
the Social Security Administration (SSA) was a part of the Department 
of Health and Human Services (DHHS) (formerly the Department of Health, 
Education and Welfare) and subject to DHHS' disclosure policy 
oversight. Since 1980, significant changes have occurred in the 
procedures. We are codifying these changes in the procedures governing 
access to, and disclosure of, personally identifiable information. We 
are also making minor housekeeping changes to further clarify our 
procedures. In general, these final rules reflect SSA's compliance with 
technological, legal and legislative changes that have occurred since 
1980.
    We are clarifying the provisions regarding requests for access to 
information developed by medical sources for Social Security programs, 
fully describing the existing responsibilities and functions of the 
Privacy Officer position, establishing the new senior agency official 
for privacy as required by the Office of Management and Budget (OMB) 
and explaining the related responsibilities, and implementing SSA's new 
Privacy Impact Assessment process in accordance with the E-Government 
Act of 2002, Pub. L. 107-347. As required by OMB, we are requiring 
adequate safeguards against inappropriate disclosure of personal 
information by electronic means, e.g., over the Internet, and revising 
our procedures on notification of, or access to, medical records on 
behalf of another person, e.g., an adult or child.
    These final rules also clarify SSA policy concerning an 
individual's access to, or notification of, program records, amend the 
language concerning appeal requests under the Privacy Act to include 
denial of access to the record, and amend the language to insert the 
word ``written'' prior to ``consent'' to clarify that the requirement 
means disclosure with written consent and expands the language to more 
clearly define what information we will disclose with written consent. 
We are revising the language to show that SSA also has physical custody 
of personnel records, and revising the language under disclosure of 
personal information in nonprogram records to show the new name of the 
former General Accounting Office.
    These final rules amend the language under disclosure of personal 
information in program records to make clear that we disclose 
information from program records only when there is a legitimate need 
for the information, and revise the language under disclosures required 
by law to show the current name for Aid to Families with Dependent 
Children. We are amending the language under compatible purposes to 
clearly state how we implement the routine use provision of the Privacy 
Act (5 U.S.C. 552a(b)(3)) and what we mean by routine use in terms of 
the information we can disclose, and amending the language under law 
enforcement purposes to clarify that disclosures under 5 U.S.C. 
552a(b)(7) also require a written request. We are amending the language 
under statistical and research activities to reflect the language in 
the new routine use of data for research purposes, amending the 
language in the General Accounting Office section to correctly reflect 
the new name of the agency, and clarifying certain matters related to 
our rules on

[[Page 20936]]

disclosure under court order and other legal process.

Comments on the Notice of Proposed Rulemaking

    We published the Notice of Proposed Rulemaking (NPRM) in the 
Federal Register on September 13, 2006 (71 FR at 53994). The 60-day 
comment period ended on November 13, 2006. We received no public 
comments on the proposed rule. Accordingly, we are adopting the 
proposed rules as final rules. However, we made one substantive change 
to proposed Sec.  401.180, which we discuss below in connection with 
the explanation of how these final rules change the current rules. We 
also made a few minor revisions to the text of the proposed rules for 
clarity. The changes are all non-substantive.

Explanation of Changes

Section 401.20 Scope

    We are amending the section heading in Sec.  401.20(a) to read 
``Access'' and amending paragraph (a) to clarify the rules regarding 
the access provision as it pertains to information developed by medical 
sources that perform consultative examinations for us. We are amending 
the heading in Sec.  401.20(b)(1)(iii) to read ``Records kept by 
medical sources,'' and amending the language in that paragraph.

Section 401.30 Privacy Act and Other Responsibilities

    We are adding new paragraphs (d), (e) and (f) to Sec.  401.30.

Privacy Officer

    New paragraph Sec.  401.30(d) fully describes the position of the 
SSA Privacy Officer and the responsibilities and functions of that 
position. SSA has always had a designated Privacy Officer since the 
enactment of the Privacy Act in 1974. Since that time, the Privacy 
Officer has overall responsibility for coordination of SSA privacy 
matters within the Agency. As such, the Privacy Officer advises the 
Agency on privacy policy matters and is responsible for developing and 
implementing privacy policies and related requirements, ensures 
compliance with the Privacy Act, and provides general oversight of 
privacy and disclosure policy involving privacy and disclosure matters. 
The Privacy Officer has other responsibilities including evaluating 
legislative proposals and other initiatives proposed by Congress, other 
agencies and the public, and reviewing multifunctional projects, 
studies and research activities involving personal information. The 
responsibilities also include facilitating the incorporation of privacy 
principles into information technology systems architectures and 
technical designs to ensure that privacy policies and practices are 
properly reflected in our business requirements.
    We are providing an explanation of the Privacy Officer's 
responsibilities to emphasize SSA's long-standing commitment to the 
public that personal information maintained in SSA's Privacy Act 
systems of records is handled in full compliance with the law.

Senior Agency Official for Privacy

    To help protect the privacy rights of Americans and to ensure that 
agencies continue to have effective information privacy management 
programs in place to carry out this important responsibility, OMB 
requires that each agency designate a senior agency official to serve 
as the person in charge of privacy issues.
    The Senior Agency Official for Privacy will have overall 
responsibility and accountability for privacy issues at the national 
and agency-wide levels. The official will also have a central role in 
overseeing agency compliance efforts in privacy policy procedures as 
well as a key role in policy-making as it pertains to the development 
and evaluation of legislative, regulatory and other policy proposals 
that might implicate privacy issues.
    New paragraph Sec.  401.30(e) establishes SSA's Senior Agency 
Official for Privacy and fully describe the responsibilities of that 
position as prescribed by OMB. (See OMB Memorandum M-08-05, dated 
February 11, 2005).

Privacy Impact Assessments

    In accordance with Section 208 of the E-Government Act of 2002 
(Pub. L. 107-347, 44 U.S.C. 3501 note), the Office of Management and 
Budget now requires that certain Information Technology (IT) projects 
receive a special privacy review called a Privacy Impact Assessment 
(PIA). The PIA review is in addition to the current SSA requirement 
that SSA's Privacy Officer certify Agency procurement requests for 
automated data processing resources and proposed contracts. The PIA 
review will strengthen the existing process by incorporating privacy 
involvement directly into the development of the IT system lifecycle 
and establishing a process that the entire Agency can understand in 
terms of privacy involvement in IT system development efforts.
    New paragraph Sec.  401.30(f) describes the PIA requirements for 
ensuring that privacy considerations receive a standardized review. We 
will determine if adequate measures have been taken to protect the 
privacy of the personally identifiable information the IT project will 
affect and if the requirements of the Privacy Act and applicable SSA 
regulations and policy are properly addressed.

Section 401.45 Verifying Your Identity

    We are adding to Sec.  401.45 new paragraphs (b)(3) and (b)(4) to 
emphasize that when SSA provides convenient service to you over open 
computer networks such as the Internet, we will adequately protect 
against improper disclosure of records. We are redesignating present 
paragraphs (b)(3), (b)(4) and (b)(5) as (b)(5), (b)(6) and (b)(7), 
respectively. We are also revising the language in redesignated (b)(5).
    Increasingly, computer technology enables us to transact business 
with you as a taxpayer, Social Security beneficiary, employer or third-
party organization. We are moving cautiously to allow you to 
communicate with us securely over open networks such as the Internet. 
Such expanded services are dependent on our development of practices 
and mechanisms to ensure identity confirmation to protect you against 
improper disclosure of the personal information we maintain in our 
records, and to improve privacy protections.

Section 401.55 Special Procedures for Notification of or Access to 
Medical Records

    We are revising the section heading to read ``Access to medical 
records.'' We are revising the procedures for access to medical records 
to conform to the practices and systems of records that set out special 
procedures under which individuals may have direct access to their 
medical records.
    Currently, when you request your medical records, Sec.  
401.55(b)(1)(ii) requires you to designate a representative to receive 
the records for you and gives the representative the discretion to 
inform you about the contents of your record. We are modifying the 
special procedures in that paragraph to require the representative to 
release your record to you after the discussion of its contents. The 
representative no longer has the discretion to withhold any part of 
your record.
    Section 401.55(c)(2)(iii) currently gives a designated 
representative (e.g., family physician or other health care 
professional) discretion about making the contents of a minor's medical 
record available to the parent or legal guardian.

[[Page 20937]]

These final rules modify this provision to require the representative 
to release the minor's records to the parent or legal guardian 
following the discussion of its contents. Additionally, we are 
redesignating present paragraph (d) concerning requests on behalf of 
incapacitated adults as paragraph (c)(3).

Section 401.60 Access or Notification of Program Records About Two or 
More Individuals

    Currently, Sec.  401.60 is entitled ``Access or notification of 
program records about two or more individuals.'' The first sentence in 
the section reads ``When information about two or more individuals is 
in one record filed under your social security number, you may receive 
the information about you and the fact of entitlement and the amount of 
benefits payable to other persons based on your record.'' We are 
amending Sec.  401.60 by inserting the word ``to'' after the word 
``Access'' in the heading and revising the language in both the heading 
and first sentence to read ``about more than one individual.''

Section 401.70 Appeals of Refusals To Correct or Amend Records

    Currently, Sec.  401.70 is entitled ``Appeals of refusals to 
correct or amend records.'' We are amending the section heading to 
include appeals after denial of access. We are clarifying the policy in 
the section by revising the language in existing paragraphs (a), (b) 
and (c). We are adding a new paragraph (d) to clearly explain the 
process after you file your appeal.

Section 401.100 Disclosure of Records With the Consent of the Subject 
of the Record

    We are amending the language in the section heading under Sec.  
401.100 to insert the word ``written'' before ``consent.'' We are 
revising the language in paragraph (a) to clarify that the consent must 
be in writing and define what information we will disclose with written 
consent. To present the information in a more reader-friendly format, 
the second and third sentences of paragraph (a) are designated as new 
paragraphs (b) ``Disclosure with written consent'', and (c) 
``Disclosure of the entire record,'' respectively. We are making 
conforming changes to existing paragraph (b) and redesignating it as 
paragraph (d).

Section 401.105 Disclosure of Personal Information Without the Consent 
of the Subject of the Record

    We are revising the second sentence of paragraph (b) into two 
sentences to clarify that SSA also has physical custody of personnel 
records maintained as part of the Office of Personnel Management's 
(OPM) Privacy Act government-wide systems of records and that these 
records are subject to OPM's rules on access and disclosure at 5 CFR 
parts 293 and 297.

Section 401.110 Disclosure of Personal Information in Nonprogram 
Records Without the Consent of the Subject of the Record

    We are amending the language in Sec.  401.110(j) to show the new 
name for the former General Accounting Office.

Section 401.115 Disclosure of Personal Information in Program Records 
Without the Consent of the Subject of the Record

    We are amending the introductory language in Sec.  401.115 to make 
clear that the information in program records will be disclosed only on 
a need-to-know basis.

Section 401.120 Disclosure Required by Law

    Currently, the last sentence in Sec.  401.120 reads ``* * * and to 
Federal, State and local agencies administering Aid to Families with 
Dependent Children, Medicaid, unemployment compensation, food stamps, 
and other programs.'' We are amending the language to reflect the 
current name of the AFDC program. The new name will read ``* * * 
Temporary Assistance for Needy Families * * *''

Section 401.150 Compatible Purposes

    We are amending Sec.  401.150 to clearly state how we implement the 
routine use provision. More specifically, the language in paragraphs 
(a) and (b) is expanded to include what we mean by ``routine use'' in 
terms of the information we can disclose and how we give notice of 
routine use disclosures, respectively. We are amending paragraph (c) by 
adding new paragraphs (c)(1) and (c)(2) to clearly show the 
distinctions between disclosure in SSA programs and programs similar to 
SSA programs, for compatibility purposes.

Section 401.155 Law Enforcement Purposes

    We are amending Sec.  401.155 to make clear that the Privacy Act 
requires a written request for information from the head of the law 
enforcement agency in situations involving both serious crimes and 
criminal activity involving Social Security programs or other programs 
with the same purpose.

Section 401.165 Statistical and Research Activities

    We are amending Sec.  401.165 to make it consistent with the 
recently published new routine use of data for research purposes.

Section 401.175 General Accounting Office

    We are amending the section heading in Sec.  401.175 to reflect a 
name change. The new heading will read ``Government Accountability 
Office.'' We are also revising the language in the paragraph to read 
``* * * to the Government Accountability Office when that agency needs 
the information to carry out its duties.''

Section 401.180 Courts

    We are revising the entire section of Sec.  401.180 to clarify our 
policy on disclosure when we receive an order from a court of competent 
jurisdiction.
    In 1980, when Sec.  401.180 was initially published as a final 
rule, the status of subpoenas and other legal process under paragraph 
(b)(11) of the statute was unclear. Since then, SSA has not treated a 
subpoena or similar legal process as a court order unless a judge signs 
it. We believe that this position is now established as law as it is 
consistent with court decisions and OMB guidance interpreting the 
Privacy Act. See, e.g., Doe v. DiGenova, 779 F.2d 74 (D.C. Cir. 1985); 
Stiles v. Atlanta Gas Light Co., 453 F.Supp. 798 (N.D. Ga. 1978).
    The Privacy Act (5 U.S.C. 552a(b)(11)) permits disclosure by an 
agency pursuant to the order of a court of competent jurisdiction. 
Under this provision, we consider only a Federal court of the United 
States to be a court of competent jurisdiction. However, the proposed 
rules provided that we may disclose information in compliance with a 
state court order if the disclosure was necessary to preserve the 
rights of an accused to due process in a criminal proceeding (71 FR at 
54000). This provision of the proposed rules could have been 
misconstrued to be inconsistent with the Privacy Act and proposed (and 
final) Sec.  401.180(d). Final Sec.  401.180(d) states our view that, 
under the Privacy Act, the Federal Government has not waived its 
sovereign immunity, which would preclude state court jurisdiction over 
a Federal agency or official. Since a state court does not have 
jurisdiction over a Federal agency or official in the absence of a 
waiver of the Federal Government's sovereign immunity, we have deleted 
the exception for certain state court orders set out in proposed Sec.  
401.180(g).
    The final rules are consistent with our position that state court 
orders do not

[[Page 20938]]

provide an independent basis for disclosure. Consequently, under the 
final rules, we may disclose information in response to a state court 
order only if another provision of this part permits disclosure (such 
as law enforcement or consent). If we find an independent basis for 
disclosure, we may honor the request for information sought in the 
state court order under the authority of the other provision. As a 
result, in these final rules, we revised the second sentence of 
proposed Sec.  401.180(d) to state that ``* * * state court orders will 
be treated in accordance with other provisions of this part.''
    We also amended the language as appropriate to make clear that, for 
purposes of this section, a court is a judicial branch of the Federal 
government. In a conforming change, we redesignated proposed Sec.  
401.180(h) as final Sec.  401.180(g).
    In paragraph 401.180(a) we make clear that when information 
disclosed from SSA records is used in court proceedings, it usually 
becomes part of the public record of the proceedings and its 
confidentiality often cannot be protected. Accordingly, we will follow 
the rules in new paragraph (d) of this section in deciding whether an 
order is from a court of competent jurisdiction.
    We are changing the heading in paragraph (b) to read ``Court'' and 
amending the language in the paragraph to state SSA's position that a 
court, for purposes of 5 U.S.C. 552a(b)(11), is an institution of a 
judicial branch of the Federal government consisting of one or more 
judges who seek to adjudicate disputes and administer justice. The 
definition clarifies that other entities in other branches of the 
Federal government or not in the United States are not courts for 
purposes of the Privacy Act.
    We are adding a new paragraph (c) to explain that only a legal 
process, such as a summons or warrant, that is signed by a judge and 
that commands the disclosure of information by SSA will be considered 
to be a court order for purposes of the statutory exception in 5 U.S.C. 
552a(b)(11). References to subpoenas have been removed from this 
regulation.
    When we receive legal process that is not an order of a court of 
competent jurisdiction, (such as a grand jury subpoena, a subpoena 
signed by the clerk of the court or the attorney representing a party 
to the proceeding), we may decide to disclose information if the 
conditions described in any other provision of this regulation would 
permit the disclosure (for example, for a compatible purpose under 
Sec.  401.150). However, we will not disclose without an order from a 
court of competent jurisdiction if the Privacy Act or any other law 
would prohibit the disclosure without such an order. We are adding a 
new paragraph (d) to explain our view on court of competent 
jurisdiction.
    In new paragraph (e) of this section we describe the conditions for 
disclosure under court order and clarify the rules on disclosure when a 
court order is involved.
    We are adding a new paragraph (f) to explain that in other 
circumstances we may attempt to satisfy the needs of a court of 
competent jurisdiction when the circumstances in paragraph (e) are not 
met. We will make these determinations in accordance with 401.140.
    We are removing existing paragraph (g) and redesignating paragraph 
(h) as paragraph (g). New paragraph (g) provides a cross-reference to 
additional regulations contained in 20 CFR part 403 concerning 
testimony and production of records in legal proceedings.

Regulatory Procedures

Executive Order 12866

    The Office of Management and Budget has reviewed these final rules 
in accordance with Executive Order 12866, as amended by Executive Order 
13258.

Regulatory Flexibility Act

    We certify that these final rules would not have a significant 
economic impact on a substantial number of small entities because they 
affect only individuals or entities acting on their behalf. Thus, a 
regulatory flexibility analysis as provided in the Regulatory 
Flexibility Act, as amended, is not required.

Paperwork Reduction Act

    These final rules contain reporting requirements as shown in the 
table below. Where the public reporting burden is accounted for in 
Information Collection Requests for the various forms that the public 
uses to submit the information to SSA, a 1-hour placeholder burden is 
being assigned to the specific reporting requirement(s) contained in 
these rules.

----------------------------------------------------------------------------------------------------------------
                                                                                      Average
                                                  Annual  number   Frequency of     burden per       Estimated
                     Section                       of  responses     response        response      annual burden
                                                                                      (min.)          (hours)
----------------------------------------------------------------------------------------------------------------
401.45(b).......................................          20,000               1              10            3333
401.70(a)(b)....................................  ..............  ..............  ..............               1
401.100(b)......................................  ..............  ..............  ..............               1
                                                 ---------------------------------------------------------------
    Total.......................................          20,000               1              10            3335
----------------------------------------------------------------------------------------------------------------

    An Information Collection Request has been submitted to OMB for 
clearance. To receive a copy of the OMB clearance package, you may call 
the SSA Reports Clearance Officer on 410-965-0454.

(Catalog of Federal Domestic Assistance Program Nos. 96.001 Social 
Security--Disability Insurance; 96.002 Social Security--Retirement 
Insurance; 96.004 Social Security--Survivors Insurance; 96.006 
Supplemental Security Income).

List of Subjects in 20 CFR Part 401

    Information, Records, Administrative practice and procedure, 
Archives and records.

    Dated: January 17, 2007.
Jo Anne B. Barnhart,
Commissioner of Social Security.

    Editorial Note: This document was received at the Office of the 
Federal Register on April 20, 2007.

0
For the reasons set out in the preamble, we are amending subparts A, B 
and C of part 401 of chapter III of title 20 of the Code of Federal 
Regulations as set forth below:

PART 401--PRIVACY AND DISCLOSURE OF OFFICIAL RECORDS AND 
INFORMATION

0
1. The authority citation for part 401 continues to read as follows:

    Authority: Secs. 205, 702(a)(5), 1106, and 1141 of the Social 
Security Act (42 U.S.C. 405, 902(a)(5), 1306, and 1320b-11); 5 
U.S.C. 552 and 552a; 8 U.S.C. 1360; 26 U.S.C. 6103; 30 U.S.C. 923.

[[Page 20939]]


0
2. Section 401.20 is amended by revising paragraphs (a) and (b)(1)(iii) 
to read as follows:


Sec.  401.20  Scope.

    (a) Access. Sections 401.30 through 401.95, which set out SSA's 
rules for implementing the Privacy Act, apply to records retrieved by 
an individual's name or personal identifier subject to the Privacy Act. 
The rules in Sec. Sec.  401.30 through 401.95 also apply to information 
developed by medical sources for the Social Security program and shall 
not be accessed except as permitted by this part.
    (b) * * *
    (1) * * *
    (iii) Information retained by medical sources pertaining to a 
consultative examination performed for the Social Security program 
shall not be disclosed except as permitted by this part.
* * * * *

0
3. Section 401.30 is amended by revising the heading and adding 
paragraphs (d), (e) and (f) to read as follows:


Sec.  401.30  Privacy Act and other responsibilities.

* * * * *
    (d) Privacy Officer. The Privacy Officer is an advisor to the 
Agency on all privacy policy and disclosure matters. The Privacy 
Officer coordinates the development and implementation of Agency 
privacy policies and related legal requirements to ensure Privacy Act 
compliance, and monitors the coordination, collection, maintenance, use 
and disclosure of personal information. The Privacy Officer also 
ensures the integration of privacy principles into information 
technology systems architecture and technical designs, and generally 
provides to Agency officials policy guidance and directives in carrying 
out the privacy and disclosure policy.
    (e) Senior Agency Official for Privacy. The Senior Agency Official 
for Privacy assumes overall responsibility and accountability for 
ensuring the agency's implementation of information privacy protections 
as well as agency compliance with federal laws, regulations, and 
policies relating to the privacy of information, such as the Privacy 
Act. The compliance efforts also include reviewing information privacy 
procedures to ensure that they are comprehensive and up-to-date and, 
where additional or revised procedures may be called for, working with 
the relevant agency offices in the consideration, adoption, and 
implementation of such procedures. The official also ensures that 
agency employees and contractors receive appropriate training and 
education programs regarding the information privacy laws, regulations, 
polices and procedures governing the agency's handling of personal 
information. In addition to the compliance role, the official has a 
central policy-making role in the agency's development and evaluation 
of legislative, regulatory and other policy proposals which might 
implicate information privacy issues, including those relating to the 
collection, use, sharing, and disclosure of personal information.
    (f) Privacy Impact Assessment. In our comprehensive Privacy Impact 
Assessment (PIA) review process, we incorporate the tenets of privacy 
law, SSA privacy regulations, and privacy policy directly into the 
development of certain Information Technology projects. Our review 
examines the risks and ramifications of collecting, maintaining and 
disseminating information in identifiable form in an electronic 
information system and identifies and evaluates protections and 
alternate processes to reduce the risk of unauthorized disclosures. As 
we accomplish the PIA review, we ask systems personnel and program 
personnel to resolve questions on data needs and data protection prior 
to the development of the electronic system.

0
4. Section 401.45 is amended by redesignating paragraphs (b)(3), (b)(4) 
and (b)(5) as (b)(5), (b)(6) and (b)(7), respectively, adding new 
paragraphs (b)(3) and (b)(4) and revising redesignated paragraph (b)(5) 
to read as follows:


Sec.  401.45  Verifying your identity.

* * * * *
    (b) * * *
    (3) Electronic requests. If you make a request by computer or other 
electronic means, e.g., over the Internet, we require you to verify 
your identity by using identity confirmation procedures that are 
commensurate with the sensitivity of the information that you are 
requesting. If we cannot confirm your identity using our identity 
confirmation procedures, we will not process the electronic request. 
When you cannot verify your identity through our procedures, we will 
require you to submit your request in writing.
    (4) Electronic disclosures. When we collect or provide personally 
identifiable information over open networks such as the Internet, we 
use encryption in all of our automated online transaction systems to 
protect the confidentiality of the information. When we provide an 
online access option, such as a standard e-mail comment form on our Web 
site, and encryption is not being used, we alert you that personally 
identifiable information (such as your social security number) should 
not be included in your message.
    (5) Requests not made in person. Except as provided in paragraphs 
(b)(2) of this section, if you do not make a request in person, you 
must submit a written request to SSA to verify your identify or you 
must certify in your request that you are the individual you claim to 
be. You must also sign a statement that you understand that the knowing 
and willful request for or acquisition of a record pertaining to an 
individual under false pretenses is a criminal offense.
* * * * *

0
5. Section 401.55 is amended by revising the heading and paragraphs 
(a), (b)(1)(ii), (c)(1) and (c)(2)(iii) and by redesignating paragraph 
(d) as paragraph (c)(3) to read as follows:


Sec.  401.55  Access to medical records.

    (a) General. You have a right to access your medical records, 
including any psychological information that we maintain.
    (b) * * *
    (1) * * *
    (ii) When you request medical information about yourself, you must 
also name a representative in writing. The representative may be a 
physician, other health professional, or other responsible individual 
who will be willing to review the record and inform you of its 
contents. Following the discussion, you are entitled to your records. 
The representative does not have the discretion to withhold any part of 
your record. If you do not designate a representative, we may decline 
to release the requested information. In some cases, it may be possible 
to release medical information directly to you rather than to your 
representative.
* * * * *
    (c) Medical records of minors.
    (1) Request by the minor. You may request access to your own 
medical records in accordance with paragraph (b) of this section.
    (2) Request on a minor's behalf. * * *
    (iii) Where a medical record on the minor exists, we will in all 
cases send it to the physician or health professional designated by the 
parent or guardian. The representative will review the record, discuss 
its contents with the parent or legal guardian, then release the entire 
record to the parent or legal guardian. The representative does not 
have the discretion to withhold any part of the minor's record. We will 
respond in the following similar manner to the

[[Page 20940]]

parent or guardian making the request: ``We have completed processing 
your request for notification of or access to ----------'s (Name of 
minor) medical records. Please be informed that if any medical record 
was found pertaining to that individual, it has been sent to your 
designated physician or health professional.''
* * * * *

0
6. Section 401.60 is amended by revising the section heading and first 
sentence of the paragraph to read as follows:


Sec.  401.60  Access to or notification of program records about more 
than one individual.

    When information about more than one individual is in one record 
filed under your social security number, you may receive the 
information about you and the fact of entitlement and the amount of 
benefits payable to other persons based on your record. * * *

0
7. Section 401.70 is revised to read as follows:


Sec.  401.70  Appeals of refusals to correct records or refusals to 
allow access to records.

    (a) General. This section describes how to appeal decisions made by 
SSA under the Privacy Act concerning your request for correction of or 
access to your records, those of your minor child, or those of a person 
for whom you are the legal guardian. We generally handle a denial of 
your request for information about another person under the provisions 
of the Freedom of Information Act (see part 402 of this chapter). To 
appeal a decision under this section, your request must be in writing.
    (b) Appeal of refusal to correct or amend records. If we deny your 
request to correct an SSA record, you may request a review of that 
decision. As discussed in Sec.  401.65(e), our letter denying your 
request will tell you to whom to write.
    (1) We will review your request within 30 working days from the 
date of the receipt. However, for a good reason and with the approval 
of the Executive Director for the Office of Public Disclosure, this 
time limit may be extended up to an additional 30 days. In that case, 
we will notify you about the delay, the reason for it and the date when 
the review is expected to be completed.
    (2) If, after review, we determine that the record should be 
corrected, we will do so. However, if we refuse to amend the record as 
you requested, we will inform you that--
    (i) Your request has been refused and the reason for refusing;
    (ii) The refusal is SSA's final decision; and
    (iii) You have a right to seek court review of SSA's final 
decision.
    (3) We will also inform you that you have a right to file a 
statement of disagreement with the decision. Your statement should 
include the reason you disagree. We will make your statement available 
to anyone to whom the record is subsequently disclosed, together with a 
statement of our reasons for refusing to amend the record. Also, we 
will provide a copy of your statement to individuals whom we are aware 
received the record previously.
    (c) Appeals after denial of access. If, under the Privacy Act, we 
deny your request for access to your own record, those of your minor 
child or those of a person to whom you are the legal guardian, we will 
advise you in writing of the reason for that denial, the name and title 
or position of the person responsible for the decision and your right 
to appeal that decision. You may appeal the denial decision to the 
Executive Director for the Office of Public Disclosure, 6401 Security 
Boulevard, Baltimore, MD 21235-6401, within 30 days after you receive 
notice denying all or part of your request, or, if later, within 30 
days after you receive materials sent to you in partial compliance with 
your request.
    (d) Filing your appeal. If you file an appeal, the Executive 
Director or his or her designee will review your request and any 
supporting information submitted and then send you a notice explaining 
the decision on your appeal. The time limit for making our decision 
after we receive your appeal is 30 working days. The Executive Director 
or his or her designee may extend this time limit up to 30 additional 
working days if one of the circumstances in 20 CFR 402.140 is met. We 
will notify you in writing of any extension, the reason for the 
extension and the date by which we will decide your appeal. The notice 
of the decision on your appeal will explain your right to have the 
matter reviewed in a Federal district court if you disagree with all or 
part of our decision.

0
8. Section 401.100 is revised to read as follows:


Sec.  401.100  Disclosure of records with the written consent of the 
subject of the record.

    (a) General. Except as permitted by the Privacy Act and the 
regulations in this part, or when required by the FOIA, we will not 
disclose your records without your written consent.
    (b) Disclosure with written consent. The written consent must 
clearly specify to whom the information may be disclosed, the 
information you want us to disclose (e.g., social security number, date 
and place of birth, monthly Social Security benefit amount, date of 
entitlement), and, where applicable, during which timeframe the 
information may be disclosed (e.g., during the school year, while the 
subject individual is out of the country, whenever the subject 
individual is receiving specific services).
    (c) Disclosure of the entire record. We will not disclose your 
entire record. For example, we will not honor a blanket consent for all 
information in a system of records or any other record consisting of a 
variety of data elements. We will disclose only the information you 
specify in the consent. We will verify your identity and where 
applicable (e.g., where you consent to disclosure of a record to a 
specific individual), the identity of the individual to whom the record 
is to be disclosed.
    (d) A parent or guardian of a minor is not authorized to give 
written consent to a disclosure of a minor's medical record. See Sec.  
401.55(c)(2) for the procedures for disclosure of or access to medical 
records of minors.

0
9. Section 401.105 is amended by revising the second sentence of 
paragraph (b) to read as follows:


Sec.  401.105  Disclosure of personal information without the consent 
of the subject of the record.

* * * * *
    (b) * * * For administrative and personnel records, the Privacy Act 
applies. To the extent that SSA has physical custody of personnel 
records maintained as part of the Office of Personnel Management's 
(OPM) Privacy Act government-wide systems of records, these records are 
subject to OPM's rules on access and disclosure at 5 CFR parts 293 and 
297. * * *

0
10. Paragraph (j) of Sec.  401.110 is revised to read as follows:


Sec.  401.110  Disclosure of personal information in nonprogram records 
without the consent of the subject of the record.

* * * * *
    (j) To the Comptroller General, or any of his authorized 
representatives, in the course of the performance of duties of the 
Government Accountability Office.
* * * * *

0
11. Section 401.115 is amended by revising the introductory text to 
read as follows:

[[Page 20941]]

Sec.  401.115  Disclosure of personal information in program records 
without the consent of the subject of the record.

    This section describes how various laws control the disclosure of 
personal information that we keep. We disclose information in the 
program records only when a legitimate need exists. For example, we 
disclose information to officers and employees of SSA who have a need 
for the record in the performance of their duties. We also must 
consider the laws identified below in the respective order when we 
disclose program information:
* * * * *

0
12. Section 401.120 is amended by revising the last sentence in the 
paragraph to read as follows:


Sec.  401.120  Disclosures required by law.

    * * * These agencies include the Department of Veterans Affairs for 
its benefit programs, U.S. Citizenship and Immigration Services to 
carry out its duties regarding aliens, the Railroad Retirement Board 
for its benefit programs, and to Federal, State and local agencies 
administering Temporary Assistance for Needy Families, Medicaid, 
unemployment compensation, food stamps, and other programs.

0
13. Section 401.150 is revised to read as follows:


Sec.  401.150  Compatible purposes.

    (a) General. The Privacy Act allows us to disclose information 
maintained in a system of records without your consent to any other 
party if such disclosure is pursuant to a routine use published in the 
system's notice of system of records. A ``Routine use'' must be 
compatible with the purpose for which SSA collected the information.
    (b) Notice of routine use disclosures. A list of permissible 
routine use disclosures is included in every system of records notice 
published in the Federal Register.
    (c) Determining compatibility.
    (1) Disclosure to carry out SSA programs. We disclose information 
for published routine uses necessary to carry out SSA's programs.
    (2) Disclosure to carry out programs similar to SSA programs. We 
may disclose information for the administration of other government 
programs. These disclosures are pursuant to published routine uses 
where the use is compatible with the purpose for which the information 
was collected. These programs generally meet the following conditions:
    (i) The program is clearly identifiable as a Federal, State, or 
local government program.
    (ii) The information requested concerns eligibility, benefit 
amounts, or other matters of benefit status in a Social Security 
program and is relevant to determining the same matters in the other 
program. For example, we disclose information to the Railroad 
Retirement Board for pension and unemployment compensation programs, to 
the Department of Veterans Affairs for its benefit programs, to 
worker's compensation programs, to State general assistance programs 
and to other income maintenance programs at all levels of government. 
We also disclose for health maintenance programs like Medicaid and 
Medicare.
    (iii) The information will be used for appropriate epidemiological 
or similar research purposes.

0
14. Section 401.155 is amended by adding the following language between 
the fourth and fifth sentences in paragraph (a) and by removing the 
last sentence of paragraph (b).


Sec.  401.155  Law enforcement purposes.

    (a) General. * * * The Privacy Act allows us to disclose 
information if the head of the law enforcement agency makes a written 
request giving enough information to show that the conditions in 
paragraphs (b) or (c) of this section are met, what information is 
needed, and why it is needed. * * *
* * * * *

0
15. Section 401.165 is amended by revising paragraph (b)(2) to read as 
follows:


Sec.  401.165  Statistical and research activities.

* * * * *
    (b) * * *
    (2) The activity is designed to increase knowledge about present or 
alternative Social Security programs or other Federal or State income-
maintenance or health-maintenance programs; or is used for research 
that is of importance to the Social Security program or the Social 
Security beneficiaries; or an epidemiological research project that 
relates to the Social Security program or beneficiaries; and
* * * * *

0
16. Section 401.175 is revised to read as follows:


Sec.  401.175  Government Accountability Office.

    We disclose information to the Government Accountability Office 
when that agency needs the information to carry out its duties.

0
17. Section 401.180 is revised to read as follows:


Sec.  401.180  Disclosure under court order or other legal process.

    (a) General. The Privacy Act permits us to disclose information 
when we are ordered to do so by a court of competent jurisdiction. When 
information is used in a court proceeding, it usually becomes part of 
the public record of the proceeding and its confidentiality often 
cannot be protected in that record. Much of the information that we 
collect and maintain in our records on individuals is especially 
sensitive. Therefore, we follow the rules in paragraph (d) of this 
section in deciding whether we may disclose information in response to 
an order from a court of competent jurisdiction. When we disclose 
pursuant to an order from a court of competent jurisdiction, and the 
order is a matter of public record, the Privacy Act requires us to send 
a notice of the disclosure to the last known address of the person 
whose record was disclosed.
    (b) Court. For purposes of this section, a court is an institution 
of the judicial branch of the U.S. Federal government consisting of one 
or more judges who seek to adjudicate disputes and administer justice. 
(See 404.2(c)(6) of this chapter). Entities not in the judicial branch 
of the Federal government are not courts for purposes of this section.
    (c) Court order. For purposes of this section, a court order is any 
legal process which satisfies all of the following conditions:
    (1) It is issued under the authority of a Federal court;
    (2) A judge or a magistrate judge of that court signs it;
    (3) It commands SSA to disclose information; and
    (4) The court is a court of competent jurisdiction.
    (d) Court of competent jurisdiction. It is the view of SSA that 
under the Privacy Act the Federal Government has not waived sovereign 
immunity, which precludes state court jurisdiction over a Federal 
agency or official. Therefore, SSA will not honor state court orders as 
a basis for disclosure. State court orders will be treated in 
accordance with the other provisions of this part.
    (e) Conditions for disclosure under a court order of competent 
jurisdiction. We disclose information in compliance with an order of a 
court of competent jurisdiction if--
    (1) another section of this part specifically allows such 
disclosure, or
    (2) SSA, the Commissioner of Social Security, or any officer or 
employee of SSA in his or her official capacity is properly a party in 
the proceeding, or
    (3) disclosure of the information is necessary to ensure that an 
individual

[[Page 20942]]

who is accused of criminal activity receives due process of law in a 
criminal proceeding under the jurisdiction of the judicial branch of 
the Federal government.
    (f) In other circumstances. We may disclose information to a court 
of competent jurisdiction in circumstances other than those stated in 
paragraph (e) of this section. We will make our decision regarding 
disclosure by balancing the needs of a court while preserving the 
confidentiality of information. For example, we may disclose 
information under a court order that restricts the use and redisclosure 
of the information by the participants in the proceeding; we may offer 
the information for inspection by the court in camera and under seal; 
or we may arrange for the court to exclude information identifying 
individuals from that portion of the record of the proceedings that is 
available to the public. We will make these determinations in 
accordance with Sec.  401.140.
    (g) Other regulations on request for testimony, subpoenas and 
production of records in legal proceedings. See 20 CFR part 403 of this 
chapter for additional rules covering disclosure of information and 
records governed by this part and requested in connection with legal 
proceedings.

[FR Doc. E7-7940 Filed 4-26-07; 8:45 am]
BILLING CODE 4191-02-P