[Federal Register Volume 73, Number 188 (Friday, September 26, 2008)]
[Rules and Regulations]
[Pages 55772-55775]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-21909]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Part 5b

[CMS-0029-F]
RIN 0938-A069


Exemption of Certain Systems of Records Under the Privacy Act

AGENCY: Office of the Secretary, HHS.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule exempts four systems of records (SORs) from 
subsections (c)(3), (d)(1) through (d)(4), (e)(4)(G) and (H), and (f) 
of the Privacy Act pursuant to 5 U.S.C. 552a(k)(2): The Automated 
Survey Processing Environment (ASPEN) Complaint/ Incidents Tracking 
System (ACTS), HHS/CMS, System No. 09-70-0565; the Health Insurance 
Portability and Accountability Act (HIPAA) Information Tracking System 
(HITS), HHS/CMS, System No. 09-70-0544; the Organ Procurement 
Organizations System (OPOS), HHS/CMS, System No. 09-70-0575; and the 
Fraud Investigation Database (FID), HHS/CMS, System No. 09-70-0527.

DATES: Effective Date: These regulations are effective on October 27, 
2008.

FOR FURTHER INFORMATION CONTACT: Walter Stone, (410) 786-5357.

SUPPLEMENTARY INFORMATION: 

I. Background

    The four systems of records (SORs) that are the subject of this 
final rule and the May 25, 2007 proposed rule are as follows:

A. The Automated Survey Processing Environment Complaints/Incidents 
Tracking System (ACTS), HHS/CMS, System No. 09-70-0565

    In the August 22, 2003 Federal Register (68 FR 50795), we published 
a notice announcing a new SOR titled Automated Survey Processing 
Environment (ASPEN) Complaint/Incidents Tracking System (ACTS), HHS/
CMS, System No. 09-70-0565.
    In the May 23, 2006 Federal Register (71 FR 29643) we published a 
notice that modified the ACTS SOR. This notice included all 
modifications and the full text of this system of records. ACTS is a 
Windows-based program whose primary purpose is to track and process 
complaints and incidents reported against health care facilities 
regulated by CMS and State agencies. These facilities include Clinical 
Laboratory Improvement Amendment (CLIA)-certified laboratories, skilled 
nursing facilities (SNFs), nursing facilities, hospitals, home health 
agencies (HHAs), end stage renal disease (ESRD) facilities, hospices, 
rural health clinics (RHCs), comprehensive outpatient rehabilitation 
facilities (CORFs), outpatient physical therapy services, community 
mental health centers (CMHCs), ambulatory surgical centers (ASCs), 
suppliers of portable x-ray services, and intermediate care facilities 
for persons with mental retardation (ICF/MRs). ACTS contains 
identifiable information on individuals, who are complainants, 
residents, patients, clients, contacts or witnesses. It also may 
include alleged perpetrators, survey team members, laboratory 
directors, laboratory owners, and employees and directors of the health 
care facilities noted previously. ACTS is designed to manage all 
operations associated with complaint and incident tracking and 
processing, from initial intake and investigation through the final 
disposition.

B. The Health Insurance Portability and Accountability Act (HIPAA) 
Information Tracking System (HITS), HHS/CMS, System No. 09-70-0544.

    In the July 6, 2005 Federal Register (70 FR 38944), we published a 
notice announcing a new SOR titled Health Insurance Portability and 
Accountability Act (HIPAA) Information Tracking System (HITS), HHS/CMS, 
System No. 09-70-0544
    In general, HITS consists of an electronic repository of 
information, documents, and supplementary paper document files 
resulting from investigations of alleged violations of the transactions 
and code sets, security, and unique identifier provisions of HIPAA. 
HITS' purpose is to support investigations of complainants, 
determinations as to whether there were violations as charged in the 
original complaint, referral of violations to law enforcement entities 
as necessary, and maintenance and retrieval of records that contain the 
results of the complaint investigations. The system of records

[[Page 55773]]

covers individuals who have submitted complaints alleging violations of 
the provisions of HIPAA. Investigative files maintained in HITS are 
received either as electronic documents or as paper records that are 
compiled for law enforcement purposes.

C. The Organ Procurement Organizations System (OPOS), HHS/CMS, System 
No. 09-70-0575

    In the May 22, 2006 Federal Register (71 FR 29336), we published a 
notice announcing a new SOR titled Organ Procurement Organizations 
System (OPOS), HHS/CMS, System No. 09-70-0575. OPOS is a Windows based 
program whose purpose is to track and process complaints and incidents 
reported against Organ Procurement Organizations. Section 701 of the 
Organ Procurement Organization System Certification Act of 2000 (Pub. 
L. 106-505) gave the Department the authority to collect and maintain 
individually identifiable information pertaining to allegations filed 
by a complainant, beneficiary, or provider of services against Organ 
Procurement Organizations. This information includes information 
gathered during all aspects of an investigation, including initial 
complaints, findings, results, disposition, and relevant 
correspondence.

D. The Fraud Investigation Database (FID), HHS/CMS, System No. 09-70-
0527

    In the October 28, 2002 Federal Register (70 FR 65795), we 
published a notice that modified, among other things, the name of a SOR 
entitled ``CMS Utilization Review Investigatory Files, System No. 09-
70-0527'' to ``CMS Fraud Investigation Database (FID).'' The notice 
included the full text of the FID system of records. The FID system of 
records contains the name, work address, work phone number, social 
security number, Unique Provider Identification Number (UPIN), and 
other identifying demographics of individuals alleged to have violated 
provisions of the Social Security Act (the Act) related to Medicare, 
Medicaid, HMO/Managed Care, and the Children's Health Insurance 
Program. The FID system of records also contains the contact 
information and other identifying demographics of individuals alleged 
to have violated other criminal or civil statutes connected with the 
Act and the Act's programs. Here, individuals are persons alleged to 
have abused the Act's programs. (For example, an individual could be a 
person alleged to have rendered unnecessary services to Medicare 
beneficiaries or Medicaid recipients, over-used services, or engaged in 
improper billing.) They are persons whose activities have provided a 
substantial basis for criminal or civil prosecution, or who are 
identified as defendants in criminal prosecution cases.

II. Provisions of the Proposed Rule

    In the May 25, 2007 Federal Register (72 FR 29289) we published a 
proposed rule that would exempt the ACTS, HITS, OPOS, and FID systems 
of records from subsection (c)(3), (d)(1) through (d)(4), (e)(4)(G) and 
(H), and (f) of the Privacy Act pursuant to 5 U.S.C. 552a(k)(2). These 
exemptions would apply only to the extent that information in a record 
is subject to exemption pursuant to 5 U.S.C. 552a(k)(2). We proposed 
that the ACTS, HITS, OPOS, and FID systems of records would be exempted 
from the following subsections for the reasons set forth below:
     Subsection (c)(3). Release of an accounting of disclosures 
to an individual who is the subject of an investigation could reveal 
the nature and scope of the investigation and could result in the 
altering or destruction of evidence, improper influencing of witnesses, 
and other evasive actions that could impede or compromise the 
investigation.
     Subsection (d)(1). Release of investigative records to an 
individual who is the subject of an investigation could interfere with 
pending or prospective law enforcement proceedings, constitute an 
unwarranted invasion of the personal privacy of third parties, reveal 
the identity of confidential sources, or reveal sensitive investigative 
techniques and procedures.
     Subsections (d)(2) through (d)(4). Amendment or correction 
of investigative records could interfere with pending or prospective 
law enforcement proceedings, or could impose an impossible 
administrative and investigative burden by requiring us to continuously 
retrograde our investigations in an attempt to resolve questions of 
accuracy, relevance, timeliness, and completeness.
     Subsection (e)(4)(G) and (H). Notifying an individual who 
is the subject of an investigation or a witness that a system of 
records contains information about him or her could reveal the nature 
and scope of the investigation and could result in the altering or 
destruction of evidence, improper influencing of witnesses, and other 
evasive actions that could impede or compromise the investigation.
     Subsection (f). Establishing procedures for notification, 
inspection or amendment of records, or appeals of denials of access to 
records would interfere with pending or prospective law enforcement 
proceedings, constitute an unwarranted invasion of the personal privacy 
of third parties, reveal the identity of confidential sources, or 
reveal sensitive investigative techniques. Furthermore, these actions 
could impose an impossible administrative and investigative burden by 
requiring us to continuously retrograde our investigations in an 
attempt to resolve questions of accuracy, relevance, timeliness, and 
completeness.
    Accordingly, we proposed to amend 45 CFR 5b.11(b)(2)(ii) of the 
Privacy Act regulations by adding the following:
     A new paragraph (H) that exempts investigative materials 
compiled for law enforcement purposes from ACTS.
     A new paragraph (I) that exempts investigative materials 
compiled for law enforcement purposes from HITS.
     A new paragraph (J) that exempts investigative materials 
compiled for law enforcement purposes from OPOS.
     A new paragraph (K) that exempts investigative materials 
compiled for law enforcement purposes from FID.

III. Analysis of and Responses to Public Comments

    We solicited and received two timely public comments on the May 25, 
2007 proposed rule. The following is a summary of the comments and our 
responses.
    Comment: One commenter believed that 45 CFR 5b.11(d) seems to allow 
the Department of Health and Human Services to disclose identities of 
sources who furnished information under an express promise of 
confidentiality.
    Response: We do not disclose information that would reveal the 
identities of sources who furnish information under an express promise 
of confidentiality because the promise of confidentiality made to a 
witness is an agreement with that individual, and such disclosure would 
be both a violation of that agreement and counterproductive to law 
enforcement efforts, as it would discourage individuals from coming 
forward to supply information about alleged misconduct. 45 CFR 5b.11(b) 
gives the responsible Department official discretion to grant 
notification of access to a record in a system of records which is 
exempt under 45 CFR 5b.11(b), unless disclosure to the general public 
is otherwise prohibited by law. The department does not intend to 
exercise its discretion to disclose identifying

[[Page 55774]]

information about sources who furnish information under an express 
promise of confidentiality.
    Comment: Commenters requested that the exemptions be narrowed or 
clarified by defining the terms ``investigative materials'' and ``law 
enforcement purposes,'' including differentiating among kinds of 
records within each system that constitute ``investigatory materials,'' 
as well as describing agency uses that are not consistent with ``law 
enforcement purposes.'' A commenter suggested that CMS implement 
regulatory definitions, criteria, guidelines or other means to 
effectuate a confidentiality promise to an informant and to recognize 
whether or not one has been effectuated for purposes of compliance with 
subsection (k)(2) of the Privacy Act.
    Response: We believe that with respect to clarifying what 
constitutes a confidentiality promise, we continue to rely upon the 
following language in subsection (k)(2) of the Privacy Act (5 U.S.C 
552a), which permits exemptions from certain subsections of the Privacy 
Act:

    [I]nvestigatory material compiled for law enforcement purposes, 
other than material within the scope of subsection (j)(2) of this 
section [the Privacy Act]: Provided, however, That if any individual 
is denied any right, privilege, or benefit that he would otherwise 
be entitled by Federal law, or for which he would otherwise be 
eligible, as a result of the maintenance of such material, such 
material shall be provided to such individual, except to the extent 
that the disclosure of such material would reveal the identity of a 
source who furnished information to the Government under an express 
promise that the identity of the source would be held in confidence, 
or, prior to the effective date of this section, [September 27, 
1975] under an implied promise that the identity of the source would 
be held in confidence;

The (k)(2) exemption covers: (1) Material compiled for criminal 
investigative law enforcement purposes by an entity that does not have 
as its principal function the enforcement of criminal law and (2) 
investigative material compiled for law enforcement purposes that does 
not fall into the scope of the exemption under 5 U.S.C. 552(j)(2). The 
material must be investigative and compiled for some ``law 
enforcement'' purpose, such as a civil investigation, or a criminal 
investigation by an agency that does not perform as its principal 
function the enforcement of criminal law.
    Further, since the information in the SORs at issue was collected 
on or after September 27, 1975, we believe that, with respect to 
investigative material that would reveal the identity of a confidential 
source, only express promises to a source that his or her identity 
would not be revealed will be implicated here. An example of an express 
promise could occur when a source expressly requests that his or her 
identity not be revealed as a condition of furnishing the information, 
and CMS agrees to that condition and documents that promise in writing.
    The four SORs at issue were established after September 27, 1975, 
the effective date of the Privacy Act, as follows:
     The CMS Fraud Investigation Database (FID) was published 
under its previous name, ``HCFA Utilization Review Investigatory 
Files,'' on December 29, 1988 (53 FR 52792) and republished under its 
current name on October 28, 2002 (67 FR 65795 ).
     The Automated Survey Processing Environment (ASPEN). 
Complaints/Incidents Tracking System (ACTS) was first established on 
August 22, 2003 (68 FR 50795).
     The Health Insurance Portability and Accountability 
Act(HIPAA) Information Tracking System (HITS) was first established on 
July 6, 2005 (70 FR 38944).
     The Organ Procurement Organizations System (OPOS) was 
first established on May 22, 2006 (71 FR 29336).
    Further information about this exemption can be found in the Office 
of Management and Budget's Privacy Act Guidelines, (see the July 9, 
1975 Federal Register (40 FR 28972 through 28973)).

IV. Provisions of the Final Rule

    After review of the public comments, we are finalizing the 
provisions of the proposed rule with minor technical changes. We are 
revising the paragraphs in Sec.  5b.11(b)(2)(ii) so that the SORs are 
listed in chronological order by the date established.

V. Collection of Information Requirements

    This final rule does not impose information collection and 
recordkeeping requirements. Consequently, it need not be reviewed by 
the Office of Management and Budget under the authority of the 
Paperwork Reduction Act of 1995 (44 U.S.C. 35).

VI. Regulatory Impact Statement

    We have examined the impact of this rule as required by Executive 
Order 12866 (September 1993, Regulatory Planning and Review), the 
Regulatory Flexibility Act (RFA) (September 19, 1980, Pub. L. 96-354), 
section 1102(b) of the Social Security Act (the Act), the Unfunded 
Mandates Reform Act of 1995 (Pub. L. 104-4), and Executive Order 13132.
    Executive Order 12866 directs agencies to assess all costs and 
benefits of available regulatory alternatives and, if regulation is 
necessary, to select regulatory approaches that maximize net benefits 
(including potential economic, environmental, public health and safety 
effects, distributive impacts, and equity). A regulatory impact 
analysis (RIA) must be prepared for regulating actions with 
economically significant effects ($100 million or more in any one year 
or other substantial adverse economic effects) known as ``major 
rules''. This rule does not meet the ``major rule'' criteria therefore 
we are not preparing an RIA.
    The RFA requires agencies to analyze options for regulatory relief 
of small businesses. For purposes of the RFA, small entities include 
small businesses, nonprofit organizations, and small governmental 
jurisdictions. Most hospitals and most other providers and suppliers 
are small entities, either by nonprofit status or by having revenues of 
$6 million to $29 million in any one year. Individuals and States are 
not included in the definition of a small entity. We are not preparing 
an analysis for the RFA because we have determined that this rule will 
not have a significant economic impact on a substantial number of small 
entities.
    In addition, section 1102(b) of the Act requires us to prepare a 
regulatory impact analysis if a rule may have a significant impact on 
the operations of a substantial number of small rural hospitals. This 
analysis must conform to the provisions of section 604 of the RFA. For 
purposes of section 1102(b) of the Act, we define a small rural 
hospital as a hospital that is located outside of a Metropolitan 
Statistical Area and has fewer than 100 beds. We are not preparing an 
analysis for section 1102(b) of the Act because we have determined that 
this rule will not have a significant impact on the operations of a 
substantial number of small rural hospitals.
    Section 202 of the Unfunded Mandates Reform Act of 1995 also 
requires that agencies assess anticipated costs and benefits before 
issuing any rule whose mandates require spending in any one year of 
$100 million in 1995 dollars, updated annually for inflation. That 
threshold level is currently approximately $120 million. This final 
rule will have no consequential effect on State, local, or tribal 
governments or on the private sector.
    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a proposed rule (and subsequent 
final

[[Page 55775]]

rule) that imposes substantial direct requirement costs on State and 
local governments, preempts State law, or otherwise has Federalism 
implications. Since this regulation does not impose any costs on State 
or local governments, the requirements of Executive Order 13132 are not 
applicable.
    In accordance with the provisions of Executive Order 12866, this 
regulation was reviewed by the Office of Management and Budget.

List of Subjects for 45 CFR Part 5b Privacy.

0
For the reasons set forth in the preamble, the Department of Health and 
Human Services amends 45 CFR part 5b as set forth below:

PART 5b--PRIVACY ACT REGULATIONS

0
1. The authority citation for part 5b continues to read as follows:

    Authority: 5 U.S.C. 301, 5 U.S.C. 552a.


0
2. Section 5b.11 is revised by adding paragraphs (b)(2)(ii)(H), (I), 
(J), and (K) to read as follows:


Sec.  5b.11  Exempt Systems

* * * * *
    (b) * * *
    (2) * * *
    (ii) * * *
    (H) Investigative materials compiled for law enforcement purposes 
from the CMS Fraud Investigation Database (FID), HHS/CMS.
    (I) Investigative materials compiled for law enforcement purposes 
from the Automated Survey Processing Environment (ASPEN) Complaints/ 
Incidents Tracking System (ACTS), HHS/CMS.
    (J) Investigative materials compiled for law enforcement purposes 
from the Health Insurance Portability and Accountability Act (HIPAA) 
Information Tracking System (HITS), HHS/CMS.
    (K) Investigative materials compiled for law enforcement purposes 
from the Organ Procurement Organizations System (OPOS), HHS/CMS.
* * * * *

    Dated: November 20, 2007.
Kerry Weems,
Acting Administrator, Centers for Medicare & Medicaid Services.
    Approved: June 13, 2008.
Michael O. Leavitt,
Secretary.

    Editorial Note: This document was received at the Office of the 
Federal Register on September 16, 2008.
 [FR Doc. E8-21909 Filed 9-25-08; 8:45 am]
BILLING CODE 4120-01-P