[Federal Register Volume 73, Number 60 (Thursday, March 27, 2008)]
[Notices]
[Pages 16307-16308]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-6238]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary


Office of the Assistant Secretary for Preparedness and Response 
(ASPR), Office of Preparedness and Emergency Operations (OPEO), Revised 
National Disaster Medical System (NDMS) Patient Treatment and Tracking 
Records System

AGENCY: Office of the Assistant Secretary for Preparedness and 
Response, HHS.

ACTION: Notice of a Revised Privacy Act System of Records (SOR).

-----------------------------------------------------------------------

SUMMARY: In accordance with the Privacy Act of 1974, we are proposing 
to revise the new Privacy Act System of Records (SOR) entitled, ``The 
National Disaster Medical System (NDMS) Patient Treatment and Tracking 
Records System,'' System Number 09-90-0040, in response to public 
comments received. The primary purpose of the NDMS Patient Treatment 
and Tracking Records System is to collect and store data about 
individuals who are served by the medical care response capabilities 
provided by the Department of Health and Human Services (HHS) through 
the NDMS, and through other HHS medical personnel. The proposed system 
will cover the collection, storage and sharing of personally 
identifiable data in accordance with the Privacy Act.

SUPPLEMENTARY INFORMATION:

A. Background

    In a Federal Register Notice [72 FR 35052-35055] published on June 
26, 2007, the HHS, ASPR, OPEO, NDMS proposed to establish the NDMS 
Patient Treatment and Tracking Record System. This system will collect 
demographic and health care data from individuals treated by the 
medical response personnel of HHS and in particular, ASPR. The HHS 
notice included reasons why this system is necessary as well as routine 
uses for disclosures. HHS received comments from private, non-profit 
organizations regarding the privacy protections that apply to 
information about individuals treated by HHS medical personnel. The 
comments suggested that the notice lacked clarity. The following 
paragraphs summarize the comments, recommendations and the agency's 
responses. We are also making other editorial changes to the System of 
Records Notice at this time.

B. Comments and Responses

    Comment: There was an overall comment that the notice lacked 
adequate discussion of whether this system would be maintained in 
compliance with the Health Insurance Portability and Accountability Act 
(HIPAA) Privacy Rule. It was recommended that compliance with the HIPAA 
Privacy Rule be ``spelled out in the notice.''
    Response: While ASPR, in operating NDMS, provides medical care to 
individuals who are victims of disasters, emergencies, public health 
emergencies, and events of national significance, ASPR is not a covered 
entity or a health care component of a covered entity, and therefore is 
not subject to the HIPAA Privacy Rule. Congress provided that these 
HIPAA standards only apply to health care providers that transmit 
health information electronically in connection with a transaction for 
which the Secretary of HHS has adopted standards (i.e., the standards 
provided for in the HIPAA Transactions Rule at 45 CFR Part 162). NDMS 
health care providers, operating under ASPR auspices, do not engage in 
these electronic transactions. However, the records within the NDMS 
Patient Treatment and Tracking Records System are protected by the 
Privacy Act.
    Comment: The organizations which commented on the notice wanted to 
make it clear that there will be ``no routine uses that are in 
violation of HIPAA.''
    Response: As explained above, while ASPR provides medical care to 
individuals who are victims of disasters, emergencies, public health 
emergencies, and events of national significance, ASPR is not subject 
to the HIPAA Privacy Rule. The routine uses will comply with the 
provisions of the Privacy Act.
    Comment: There was a comment regarding clarifying the use of data 
by NDMS's federal partners.
    Response: The language has been clarified. Disclosure of personally 
identifiable information between federal partners will be limited to 
what is needed to support patient care and medical transport.
    Comment: There is a concern that routine disclosure of patient 
location, especially when the patient is a victim of domestic violence, 
should be changed.
    Response: Agree. The routine disclosure to family members regarding 
patient location and status has been revised to state that disclosure 
is not permitted when there is a reasonable belief that such 
information could endanger the life, safety, health, or well-being of 
the patient.

[[Page 16308]]

Revised Document

    1. The Categories of Individuals Covered by the System section in 
the System of Records Notice (SORN) is revised to include other HHS 
personnel who may treat individuals. The section is revised as follows:
The individuals covered by the system are all persons and owners of 
animals treated by NDMS and other HHS medical personnel when the NDMS 
Disaster Medical Assistance Teams (DMATs), National Veterinary Response 
Teams (NVRTs), or other HHS medical personnel are activated to respond 
to emergency situations, or as a response to any other situation for 
which they are activated.
    2. The Purpose(s) section in the SORN is revised to include other 
HHS personnel who may treat individuals. The first sentence of that 
section is revised to read:
Medical and demographic information is collected on all patients seen 
and/or treated by NDMS or other HHS personnel.
    3. Routine Use No. 1 in the SORN is revised to clarify that it 
refers to sharing information between NDMS partner agencies, and to 
include a discussion, at the end of the routine use, of the 
relationship between all of the NDMS partners regarding the use of 
medical records as follows:
NDMS is a coordinated effort between HHS, the Department of Homeland 
Security (DHS), the Department of Defense (DoD), and the Department of 
Veterans Affairs (VA). As such, the medical treatment and movement of 
patients is a shared responsibility between these partnership agencies. 
The medical and demographic information collected during the treatment 
of a patient is shared with the partners to ensure that patients 
treated through NDMS receive the appropriate level of health care. The 
health information disclosed among the partners is limited to what is 
needed for continuity of health care operations.
    4. Routine Use No. 4 in the SORN is revised to include volunteers 
as follows:
Disclosure to agency contractors, consultants, grantees, or volunteers 
who have been engaged by the agency to assist in the performance of a 
service related to this collection and who have a need to have access 
to the records in order to perform the activity.
    5. Routine Use No. 6 in the SORN is revised to include a 
discussion, at the end of the routine use, of the circumstances when 
the agency will not disclose the patient's location or status to family 
members as follows:
Disclosure of a patient's location or status is not permitted when 
there is a reasonable belief that disclosing such information could 
endanger the life, safety, health, or well-being of the patient.
    6. In the SORN, in the Policies and Practices for Storing, 
Retrieving, Accessing, Retaining, and Disposing of Records in the 
System, in the Disposition authority subsection, the first two 
sentences are revised as follows:
Patient Care Forms or other Medical Records created by the Federal 
Medical Station(s) (FMS) or by any component of HHS/ASPR inclusive of 
NDMS during a response to an event while caring for victims of that 
event are cutoff at the end of the response activity by the Federal 
Medical Station(s) or HHS/ASPR component for a particular event. Cutoff 
refers to breaking, or ending files at regular intervals, usually at 
the close of a fiscal or calendar year, to permit their disposal or 
transfer in complete blocks and, in this case, cutoff is at the end of 
the response activity. The cutoff date marks the beginning of the 
records retention period.

    Dated: March 3, 2008.
Kevin Yeskey,
Deputy Assistant Secretary, Director, Office of Preparedness and 
Emergency Operations.
[FR Doc. E8-6238 Filed 3-26-08; 8:45 am]
BILLING CODE 4150-37-P