[Federal Register Volume 74, Number 122 (Friday, June 26, 2009)]
[Notices]
[Pages 30606-30608]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E9-15192]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services


Privacy Act of 1974; Addition of a New Routine Use

AGENCY: Department of Health and Human Services (HHS), Centers for 
Medicare & Medicaid Services (CMS).

ACTION: Notice to add a new routine use to all CMS systems of records 
(SOR).

-----------------------------------------------------------------------

SUMMARY: CMS proposes to add a new routine use to its inventory of SOR 
subject to the Privacy Act of 1974 (Title 5 United States Code (U.S.C.) 
552a) authorizing disclosure of individually identifiable information 
to assist in efforts to respond to a suspected or confirmed breach of 
the security or confidentiality of information maintained in these 
systems of records. The new routine use will be prioritized in the next 
consecutive numbered order of routine uses in each system notice and 
will be included in the next published notice as part of our normal SOR 
review process. The new routine use will read as follows:
    1. To appropriate Federal agencies, Department officials and Agency 
contractors that need access to identifiable information to provide 
assistance to the Department's efforts to respond to a suspected or 
confirmed breach of the security or confidentiality of information. In 
order to receive the information, CMS must:
    a. Determines that the use or disclosure does not violate legal

[[Page 30607]]

limitations under which the record was provided, collected, or 
obtained;
    b. Determines that the purpose for which the disclosure is to be 
made:
    (1) Cannot be reasonably accomplished unless the record is provided 
in individually identifiable form,
    (2) is of sufficient importance to warrant the effect and/or risk 
on the privacy of the individual that additional exposure of the record 
might bring, and
    (3) there is reasonable probability that the objective for the use 
would be accomplished;
    c. Requires the recipient of the information to:
    (1) Establish reasonable administrative, technical, and physical 
safeguards to prevent unauthorized use or disclosure of the record, and
    (2) remove or destroy the information that allows the individual to 
be identified at the earliest time at which removal or destruction can 
be accomplished consistent with the purpose of the disclosure, and
    (3) Make no further use or disclosure of the record except:
    (a) In emergency circumstances affecting the health or safety of 
any individual, or
    (b) When required by law.
    d. Secures a written statement attesting to the information 
recipient's understanding of and willingness to abide by these 
provisions and complete a Data Use Agreement (CMS Form 0235) in 
accordance with current CMS policies.
    The reason for this routine use is as follows:
    Other Federal agencies, Department officials and contractors, as 
well as CMS contractors may need access to identifiable information 
that is both relevant and necessary to provide assistance to all 
efforts to respond to a suspected or confirmed breach of the security 
or confidentiality of information maintained in these systems of 
records.

DATES: Effective Date: The new routine use will be effective on < DATE 
.

ADDRESSES: The public should address comments to: CMS Privacy Officer, 
Division of Privacy Compliance, Enterprise Architecture and Strategy 
Group, Office of Information Services, CMS, Room N2-04-27, 7500 
Security Boulevard, Baltimore, Maryland 21244-1850. The telephone 
number is (410) 786-5357. Comments received will be available for 
review at this location, by appointment, during regular business hours, 
Monday through Friday from 9 a.m.-3 p.m., Eastern Time zone.

SUPPLEMENTARY INFORMATION: On May 22, 2007, the Office of Management 
and Budget (OMB) released Memoranda (M) 07-16, Safeguarding Against and 
Responding to the Breach of Personally Identifiable Information. HHS 
convened a leadership committee composed of members from the Office of 
the Chief Information Officer (OICO), the Office of Assistant Secretary 
for Public Affairs (ASPA), and the Office of the Assistant Secretary 
for Planning and Evaluation (ASPE) in order to formulate a response 
plan for the newly established requirements. The final response plan 
was signed by the HHS Chief Information Officer (CIO), Mike Carleton 
and submitted to OMB on September 19, 2007. As required by the 
memoranda, to comply with the ``Incident Reporting and Handling 
Requirements,'' all Operations and Staff Divisions are instructed to 
incorporate the suggested routine use language as part of their normal 
SOR review process.

    Dated: June 16, 2009.
Michelle Snyder,
Deputy Chief Operating Officer, Centers for Medicare & Medicaid 
Services.

                              Attachment A
------------------------------------------------------------------------
       SOR No.             Title                  FR published
------------------------------------------------------------------------
09-70-0500..........  Health Plan      71 FR 60718, 10/16/2006
                       Management
                       System (HPMS).
09-70-0501..........  Medicare Multi-  71 FR 64968, 11/06/2006
                       Carrier Claims
                       Systems (MCS).
09-70-0502..........  Enrollment Data  73 FR 10249, 02/26/2008
                       Base (EDB).
09-70-0503..........  Fiscal           71 FR 64961, 11/06/2006
                       Intermediary
                       Shared System
                       (FISS).
09-70-0514..........  Medicare         71 FR 17470, 04/06/2006
                       Provider
                       Analysis and
                       Review
                       (MEDPAR).
09-70-0519..........  Medicare         71 FR 60722, 10/16/2006
                       Current
                       Beneficiary
                       Survey (MCBS).
09-70-0520..........  ESRD Program     72 FR 26126, 5/8/2007
                       Management and
                       Medical
                       Information
                       System (PMMIS).
09-70-0521..........  Inpatient        71 FR 67143, 11/20/2006
                       Rehabilitation
                       Facilities--Pa
                       tient
                       Assessment
                       Instrument
                       (IRF-PAI).
09-70-0522..........  Home Health      72 FR 63906, 11/13/2007
                       Agency Outcome
                       and Assessment
                       Information
                       Set (OASIS).
09-70-0526..........  Common Working   71 FR 64955, 11/06/2006
                       File (CWF).
09-70-0528..........  Long Term Care-  72 FR 12801, 3/19/2007
                       Minimum Data
                       Set (LTC MDS).
09-70-0532..........  Provider         71 FR 60536, 10/13/2006
                       Enrollment
                       Chain and
                       Ownership
                       System (PECOS).
09-70-0536..........  Medicare         71 FR 11420, 03/07/2006
                       Beneficiary
                       Database (MBD).
09-70-0538..........  Individuals       72 FR 63902, 11/13/2007
                       Authorized
                       Access to the
                       CMS Computer
                       Services
                       (IACS).
09-70-0541..........  Medicaid         71 FR 65527, 11/08/2006
                       Statistical
                       Information
                       System (MSIS).
09-70-0550..........  Retiree Drug     70 FR 41035, 7/15/2005
                       Subsidy
                       Program (RDSP).
09-70-0553..........  Medicare Drug    70 FR 58436, 10/06/2005
                       Data
                       Processing
                       System (DDPS).
09-70-0558..........  National Claims  71 FR 67137, 11/20/2006
                       History File
                       (NCH).
09-70-0568..........  One Program      71 FR64530, 11/02/2006
                       Integrity Data
                       Repository
                       (ODR).
09-70-0569..........  Post Acute Care  72 FR 55225, 09/28/2007
                       Payment Reform/
                       Continuity
                       Assessment
                       Report
                       Demonstration
                       and Evaluation
                       (PAC-CARE).
09-70-0571..........  Medicare         71 FR 64530, 11/02/2006
                       Integrated
                       Data
                       Repository
                       (IDR).
09-70-0573..........  Chronic          71 FR 54495, 09/15/2006
                       Condition Data
                       Repository
                       (CCDR).
09-70-4001..........  Medicare         70 FR 60530, 10/18/2005
                       Advantage
                       Prescription
                       Drug (MARx).
09-70-0575..........  Organ            71 FR 29336, 05/22/2006
                       Procurement
                       Organizations
                       System (OPOS).
09-70-0594..........  Minimum Data     72 FR 72733, 12/21/2007
                       Set (MDS) for
                       Home and
                       Community
                       Based
                       Alternatives
                       (CBA) to
                       Psychiatric
                       Residential
                       Treatment)
                       Facilities
                       (PRTF) (CBA-
                       PRTF).
------------------------------------------------------------------------


[[Page 30608]]

[FR Doc. E9-15192 Filed 6-25-09; 8:45 am]
BILLING CODE 4120-03-P