[Federal Register Volume 74, Number 99 (Tuesday, May 26, 2009)]
[Notices]
[Pages 24891-24893]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E9-12146]


-----------------------------------------------------------------------

DEPARTMENT OF STATE

[Public Notice 6631]


State-24, Medical Records

SUMMARY: Notice is hereby given that the Department of State proposes 
to alter an existing system of records, Medical Records, State-24, 
pursuant to the provisions of the Privacy Act of 1974, as amended (5 
U.S.C. 552a) and Office of Management and Budget Circular No. A-130, 
Appendix I. The Department's report was filed with the Office of 
Management and Budget on May 18, 2009.
    It is proposed that the current system will retain the name 
``Medical Records.'' It is also proposed that due to the expanded scope 
of the current system, the altered system description will include 
revisions and/or additions to the following sections: Categories of 
Individuals Covered by the Systems, Categories of Records in the 
System, Purpose, Safeguards and Retrievability.
    Any persons interested in commenting on the altered system of 
records may do so by submitting comments in writing to Margaret P. 
Grafeld, Director; Office of Information Programs and Services; A/GIS/
IPS; Department of State, SA-2; 515 22nd Street, Washington, DC 20522-
8001. This system of records will be effective 40 days from the date of 
publication, unless we receive comments that will result in a contrary 
determination.
    The altered system description, ``Medical Records, State-24,'' will 
read as set forth below.

    Dated: May 18, 2009.
Steven J. Rodriguez,
Deputy Assistant Secretary of Operations, Bureau of Administration, 
Department of State.
STATE-24

System name:
    Medical Records.

System location:
    Department of State, Office of Medical Services, 2401 E Street, 
NW., Washington, DC 20522, and Health Units at Overseas Posts.

Categories of individuals covered by the system:
    U.S. Government employees, family members, and any other 
individuals

[[Page 24892]]

eligible to participate in the health care program of the U.S. 
Department of State as authorized by either section 904 of the Foreign 
Service Act of 1980 (22 U.S.C. 4084) or other legal authority.

Categories of records in the system:
    Includes name, social security number, date of birth, address to 
include email and phone number; reports of medical examinations and 
related documents; reports of treatments and other health services 
rendered to individuals; narrative summaries of hospital treatments; 
personal medical histories; reports of on-the-job injuries or 
illnesses; and reports on medical evacuation, and/or any other types of 
individually identifiable health information generated or used in the 
course of conducting ``health care operations'' as this term is defined 
at 45 CFR 164.501. This system includes records that contain 
``protected health information'' as this term is defined at 45 CFR 
164.501, and accordingly, does not include records maintained by the 
Department of State and/or other employers in their capacity as 
employers. This system also includes certain records maintained as part 
of the Department's Employee Assistance Program pursuant to 5 CFR Part 
792.

Authority for maintenance of the system:
    22 U.S.C. 4084, 42 U.S.C. 290dd-1, Public Law 99-570 Sec. Sec.  
7361-7362; 5 CFR Part 792.

Purpose:
    The information contained in these records is used to administer 
the Department of State's medical program. These records are utilized 
and reviewed by medical and administrative personnel of the Office of 
Medical Services (MED) in providing health care to the individuals 
eligible to participate in the health care program.

Routine uses of records maintained in the system, including categories 
of users and the purposes of such uses:
    Routine use of information from these files includes any use 
permitted by the Health Insurance Portability and Accountability Act 
(HIPAA) Privacy Rule at 45 CFR Part 164 for which no authorization or 
opportunity to agree or object is required by the subject of the 
information. Specifically, we may disclose the information:
    --To a ``business associate,'' as that term is defined at 45 CFR 
160.103; to another health care provider; or to a group health plan or 
health insurance issuer or Health Maintenance Organization for purposes 
of carrying out treatment, payment or health care operations;
    --To a parent, guardian or other person acting in loco parentis 
with respect to the subject of the information;
    --To a health oversight agency or public health authority 
authorized by law to investigate or otherwise oversee the relevant 
conduct or conditions of the Department of State's medical program, or 
for such oversight activities as audits; civil, administrative, or 
criminal proceedings or actions; inspections; licensure or disciplinary 
actions;
    --To a public health authority (domestic or foreign) that is 
authorized by law to collect or receive protected health information 
for the purpose of preventing or controlling disease, injury, or 
disability, including, but not limited to, the reporting of disease, 
injury, vital events such as birth or death, and the conduct of public 
health surveillance, public health investigations, and public health 
interventions;
    --To the U.S. Department of Health and Human Services (HHS), when 
required by the Secretary of HHS in order to investigate or determine 
compliance with the HIPAA;
    --To a public health authority or other appropriate government 
authority (domestic or foreign) authorized by law to receive reports of 
child abuse or neglect;
    --To a person subject to the jurisdiction of the Food and Drug 
Administration (FDA) with respect to an FDA-regulated product or 
activity for which that person has responsibility, for the purpose of 
activities related to the quality, safety or effectiveness of such FDA-
regulated product or activity;
    --To a person who may have been exposed to a communicable disease 
or may otherwise be at risk of contracting or spreading a disease or 
condition, to the extent MED is authorized by law to notify such person 
as necessary in the conduct of a public health intervention or 
investigation;
    --To a government authority (domestic or foreign), including a 
social service or protective services agency, authorized by law to 
receive reports of abuse, neglect or domestic violence, (1) To the 
extent such a disclosure is required by law; (2) where in the exercise 
of professional judgment, the disclosure is necessary to prevent 
serious harm to the individual or other potential victims; or (3) 
where, if the subject of the information is incapacitated, a law 
enforcement, or other public official authorized to receive the report, 
represents that the information sought is not intended to be used 
against the individual and that an immediate enforcement activity that 
depends upon the disclosure would be adversely affected by waiting 
until the individual is able to agree to the disclosure;
    --In the course of any judicial or administrative proceeding in 
response to an order of a court or administrative tribunal;
    --To a law enforcement official (1) As required by law or in 
compliance with a court order or court-ordered warrant, or a subpoena 
or summons issued by a judicial officer, or a grand jury subpoena, or 
an administrative request, including an administrative subpoena or 
summons; (2) in response to a request for the purposes of identifying 
or locating a suspect, fugitive, material witness or missing person; in 
response to a request for such information about an individual who is 
or is suspected to be a victim of a crime; (3) where it is believed 
that in good faith that such information constitutes evidence of 
criminal conduct; or (4) in response to an emergency, where it is 
believed such disclosure is necessary to alert law enforcement to the 
commission and nature of a crime, the location of such crime or of the 
victim(s) of such crime, and the identity, description and location of 
the perpetrator of such crime;
    --As necessary in order to prevent or lessen a serious and imminent 
threat to the health or safety of a person or the public, to a person 
or persons reasonably able to prevent or lessen the threat, including 
the target of the threat;
    --To authorized federal officials for the conduct of lawful 
intelligence, counter-intelligence, and other national security 
activities authorized by the National Security Act (50 U.S.C. 401, et 
seq.) and implementing authority (e.g., Executive Order 12333);
    --To authorized federal officials for the provision of protective 
services to the President or other persons authorized by 18 U.S.C. 
3056, or to foreign heads of state or other persons authorized by 22 
U.S.C. 2709(a)(3), or for the conduct of investigations authorized by 
18 U.S.C. 871 and 879.
    --To make medical suitability determinations and disclose whether 
or not an individual is determined to be medically suitable to the 
officials in the Department of State who need access to such 
information (1) For the purposes of a national security clearance 
conducted pursuant to Executive Orders 10450 and 12698; (2) as 
necessary to determine worldwide availability, suitability for 
particular assignments, suitability for mandatory service abroad under 
sections 101(a)(4) and 504 of the Foreign Service Act; or (3) for a 
family to accompany a Foreign Service member

[[Page 24893]]

abroad, consistent with section 101(b)(5) and 904 of the Foreign 
Service Act.
    --To a correctional institution or a law enforcement official 
having lawful custody of an individual, if the correctional institution 
or law enforcement official represents that such information is 
necessary for the provision of health care to such individual, the 
health and safety of other individuals or others at the correctional 
institution, or the administration and maintenance of the safety, 
security, and good order of the correctional institution;
    --To appropriate domestic or foreign government officials 
(including but not limited to the U.S. Department of Labor), as 
authorized by and to the extent necessary to comply with laws relating 
to workers' compensation or other similar programs, established by law, 
that provide benefits for work-related injuries or illnesses without 
regard to fault.

Policies and practices for storing, retrieving, accessing, retaining, 
and disposing of records in the system:

Storage:

    Records are stored in hard copy and computer media.

Retrievability:

    By individual name and date of birth.

Safeguards:

    All users are given information system security awareness training, 
including the procedures for handling Sensitive but Unclassified and 
personally identifiable information. Annual refresher training is 
mandatory. Before being granted access to Medical Records, a user must 
first be granted access to the Department of State computer system.
    Remote access to the Department of State network from non-
Department owned systems is only authorized through a Department 
approved access program. Remote access to the network is configured 
with the Office of Management and Budget Memorandum M-07-16 security 
requirements of two factor authentication and time out function.
    All Department of State employees and contractors with authorized 
access have undergone a thorough background security investigation. 
Access to the Department of State, its annexes and posts overseas is 
controlled by security guards and admission is limited to those 
individuals possessing a valid identification card or individuals under 
proper escort. All records containing Medical Records information are 
maintained in secured file cabinets in restricted areas, access to 
which is limited to authorized personnel. Access to computerized files 
is password-protected and under the direct supervision of the system 
manager. The system manager has the capability of printing audit trails 
of access from the computer media, thereby permitting regular and ad 
hoc monitoring of computer usage.
    When it is determined that a user no longer needs access, the user 
accounted is disabled.

Retention and disposal:

    Records are retired or destroyed in accordance with published 
schedules of the Department of State. More specific information may be 
obtained by writing the Director of Medical Records, Office of Medical 
Services, 2401 E Street, NW., Washington, DC 20522.

System manager(s) and address:

    Executive Officer, Medical Services, Room 2270, Department of 
State, 2401 E Street, NW., Washington, DC 20522.

Notification procedure:

    Individuals who have cause to believe that the Office of Medical 
Services might have records pertaining to them should write to Medical 
Records, Office of Medical Services, Department of State, 2401 E Street 
NW., Washington, DC 20522. The individual must include: Name; date and 
place of birth; current mailing address and zip code; signature; the 
agency served by the medical program with which the individual was or 
is an employee or a dependent, and the approximate dates of such 
employment or dependency.

Record access procedures:

    Individuals who wish to gain access to or amend records pertaining 
to them should write to the Director of Medical Records (Address 
above).

Contesting record procedures:

    (See Record access procedure, above).

Record source categories:

    Information contained in these records comes from the individual; 
hospitals; clinics; private physicians; employers; and medical 
professionals employed by the Department of State.

System exempted from certain provisions under the Privacy Act:

    None.
[FR Doc. E9-12146 Filed 5-22-09; 8:45 am]
BILLING CODE 4710-24-P