[Federal Register Volume 75, Number 106 (Thursday, June 3, 2010)]
[Notices]
[Pages 31440-31445]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-13178]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES


Privacy Act of 1974; Report of a New System of Records

AGENCY: Department of Health and Human Services (HHS).

ACTION: Notice of a New System of Records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, the U.S. Department of Health & Human Services (HHS) is proposing 
to establish a new system of records (SOR) titled ``Early Retirement 
Reinsurance Program (ERRP),'' System No. 09-90-0250. Under authority of 
Section 1102 of the Patient Protection and Affordable Care Act (the 
Affordable Care Act) (Pub. L. 111-148) the Early Retiree Reinsurance 
Program is established. The program provides reimbursement to 
participating employment-based plans for a portion of the cost of 
health benefits for early retirees and their spouses, surviving spouses 
and dependents. The system will collect and maintain information on 
individuals associated with plan sponsors who perform key tasks on 
behalf of the sponsor in order for the sponsor to participate in and 
receive reimbursement under the program. The system will also collect 
and maintain information on early retirees, and their spouses, etc., so 
that sponsors' eligibility to receive reimbursement for the claims of 
such specific individuals can be verified. The system will also collect 
and maintain information related to the documentation of actual medical 
costs of claims for health benefits submitted to the Department, to 
ensure accurate reimbursement under the program.
    The purpose of this system is to collect and maintain information 
on individuals who are early retirees (and spouses, etc.) such that 
sponsors' eligibility to receive reimbursement for the claims of such 
specific individuals can be verified, to collect and maintain 
information on individuals who are associated with plan sponsors who 
perform key tasks on behalf of the sponsor, so that the sponsor can 
participate in and get reimbursement under the program, and to collect 
and maintain documentation of the actual costs of medical claims, so 
that accurate and timely reimbursements may be made to plan sponsors 
who continue to offer qualifying health benefits to early retirees (and 
spouses, etc.). Information

[[Page 31441]]

maintained in this system will also be disclosed to: (1) Support 
regulatory, reimbursement, and policy functions performed by an HHS 
contractor, consultant or grantee; (2) assist another Federal or State 
agency, agency of a State government, an agency established by State 
law, or its fiscal agent; (3) support litigation involving the 
Department; (4) combat fraud and abuse in certain health benefits 
programs; and (5) assist efforts to respond to a suspected or confirmed 
breach of the security or confidentiality of information maintained in 
this system of records. We have provided background information about 
the modified system in the ``Supplementary Information'' section below. 
Although the Privacy Act requires only that HHS provide an opportunity 
for interested persons to comment on the proposed routine uses, HHS 
invites comments on all portions of this notice. See ``Effective 
Dates'' section for comment period.

DATES: Effective Dates: HHS filed a new system report with the Chair of 
the House Committee on Government Reform and Oversight, the Chair of 
the Senate Committee on Homeland Security & Governmental Affairs, and 
the Administrator, Office of Information and Regulatory Affairs, Office 
of Management and Budget (OMB) on May 19, 2010. To ensure that all 
parties have adequate time in which to comment, the new system, 
including routine uses, will become effective 30 days from the 
publication of the notice, or 40 days from the date it was submitted to 
OMB and Congress, whichever is later, unless HHS receives comments that 
require alterations to this notice.

ADDRESSES: The public should address comments to: HHS Privacy Officer, 
Office of the Secretary, Office of the Assistant Secretary for Public 
Affairs (ASPA), Freedom of Information/Privacy Acts Division, 330 ``C'' 
Street, SW., Washington, DC 20201. Telephone number: (202) 690-7453. 
Comments received will be available for review at this location, by 
appointment, during regular business hours, Monday through Friday from 
9 a.m.-3 p.m., Eastern Time zone.

FOR FURTHER INFORMATION CONTACT: David Mlawsky, Office of Consumer 
Information and Insurance Oversight (OCIIO), Office of the Secretary, 
Department of Health and Human Services. He can be reached at (410) 
786-6851, or contact via e-mail at [email protected].

SUPPLEMENTARY INFORMATION: Rising costs have made it more difficult for 
employers to provide quality, affordable health insurance for workers 
and retirees. People in the early retiree age group often face 
difficulties obtaining insurance in the individual market because of 
age or chronic conditions that make coverage unaffordable and 
inaccessible. The program provides needed financial help for employer-
based plans to continue to provide valuable coverage to plan 
participants.
    Section 1102(a)(2)(B) of the Affordable Care Act defines 
``employment-based plan'' to include a group benefits plan providing 
health benefits that is maintained by private employers, State or local 
governments, employee organizations, voluntary employees' beneficiary 
association, a committee or board of individuals appointed to 
administer such plan, or a multiemployer plan (as defined by Employee 
Retirement Income Security Act, or ERISA). Section 1102 does not 
differentiate between health benefits provided by self-funded plans or 
through the purchase of insurance.
    The statute at section 1102(a)(2)(C) defines ``early retirees'' as 
individuals who are age 55 and older but are not eligible for coverage 
under Medicare, and who are not active employees of an employer 
maintaining, or currently contributing to, the employment-based plan or 
of any employer that has made substantial contributions to fund such 
plan. The definition of early retiree in the program's implementing 
regulation at 45 CFR 149.2 clarifies that spouses, surviving spouses, 
and dependents are also included in the definition of early retiree. 
This definition accommodates the language in section 1102(a)(1) of the 
statute, which states that reimbursement under the program is made to 
cover a portion of the costs of providing health coverage to early 
retirees and to the eligible spouses, surviving spouses, and dependents 
of such retirees. Reimbursement can be made under the program for the 
health benefit costs of eligible spouses, surviving spouses, and 
dependents of such retirees, even if they are under the age of 55, and/
or are eligible for Medicare.
    When submitting claims for reimbursement, employment-based plans 
(or their insurers) will submit documentation of the actual costs of 
the medical claims, indicating the health benefit provided, the 
provider or supplier, the incurred date, the individual for whom the 
health benefit was provided, the date and amount of payment net any 
known negotiated price concessions, and the employment-based plan and 
benefit option under which the health benefit was provided.
    The Congress appropriated funding of $5 billion for the temporary 
program. The Secretary will reimburse plans 80 percent of the costs for 
health benefits for valid claims between $15,000 and $90,000 (with 
those amounts being indexed for plan years starting on or after October 
1, 2011). Section 1102(a)(1) required the Secretary to establish this 
temporary program not later than 90 days after enactment of the 
statute, which is June 21, 2010. The Secretary has established an 
effective date of June 1, 2010. The program ends no later than January 
1, 2014.

I. Description of the Proposed System of Records

A. Statutory and Regulatory Basis for System

    Authority for the collection, maintenance, and disclosures from 
this system is given under provisions of Sec.  1102 of the Affordable 
Care Act and its implementing regulations codified at Title 45 Code of 
Federal Regulations (CFR) Part 149.

B. Collection and Maintenance of Data in the System

    Information in this system is maintained on early retirees and 
their spouses, surviving spouses, and dependents that are enrolled in 
employment-based plans that participate in the program. Information 
maintained in this system includes, but is not limited to, first name, 
last name, middle initial, date of birth, Social Security Number (SSN), 
gender, standard data for identification such as Plan Sponsor 
Identification Number, Application Identification Number, Benefit 
Option Identifier, and relationship to early retiree.
    Information in this system is also maintained on individuals 
associated with plan sponsors who perform key tasks on behalf of the 
sponsor, so that the sponsor can participate in and get reimbursement 
under the program. Information maintained in the system regarding these 
individuals includes, but is not limited to, standard data for 
identification such as Plan Sponsor Identification Number, Application 
Identification Number, Benefit Option Identifier, the individual's 
first name, middle initial, last name, job title, date of birth, social 
security number, e-mail address, telephone number, fax number, employer 
name, and business address. When submitting claims to the Department 
for reimbursement, employment-based plans (or their insurers) will 
submit documentation of the actual costs of the medical claims, 
including the health benefit provided, the provider or supplier, the 
incurred date, the individual for whom the health benefit was provided, 
the date and

[[Page 31442]]

amount of payment net any known negotiated price concessions, and the 
employment-based plan and benefit option under which the health benefit 
was provided. Thus, such information is maintained in this system.

II. Agency Policies, Procedures, and Restrictions on Routine Uses

    A. The Privacy Act permits us to disclose information without an 
individual's consent if the information is to be used for a purpose 
that is compatible with the purpose(s) for which the information was 
collected. Any such disclosure of data is known as a ``routine use.'' 
The government will only release ERRP information that can be 
associated with an individual as provided for under ``Section III. 
Proposed Routine Use Disclosures of Data in the System.'' Both 
identifiable and non-identifiable data may be disclosed under a routine 
use.
    We will only disclose the minimum personal data necessary to 
achieve the purpose of ERRP. HHS has the following policies and 
procedures concerning disclosures of information that will be 
maintained in the system. In general, disclosure of information from 
the system will be approved only for the minimum information necessary 
to accomplish the purpose of the disclosure and only after HHS:
    1. Determines that the use or disclosure is consistent with the 
reason that the data is being collected, e.g., to collect, maintain, 
and process information necessary to effectively and efficiently 
administer the ERRP;
    2. Determines that:
    a. The purpose for which the disclosure is to be made can only be 
accomplished if the record is provided in individually identifiable 
form;
    b. The purpose for which the disclosure is to be made is of 
sufficient importance to warrant the effect and/or risk on the privacy 
of the individual that additional exposure of the record might bring; 
and
    c. There is a strong probability that the proposed use of the data 
would in fact accomplish the stated purpose(s).
    3. Requires the information recipient to:
    a. Establish administrative, technical, and physical safeguards to 
prevent unauthorized use of disclosure of the record;
    b. Remove or destroy at the earliest time all individually-
identifiable information; and
    c. Agree to not use or disclose the information for any purpose 
other than the stated purpose under which the information was 
disclosed.
    4. Determines that the data are valid and reliable.

III. Proposed Routine Use Disclosures of Data in the System

A. Entities Who May Receive Disclosures Under Routine Use

    These routine uses specify circumstances, in addition to those 
provided by statute in the Privacy Act of 1974, under which HHS may 
release information from the ERRP without the consent of the individual 
to whom such information pertains. Each proposed disclosure of 
information under these routine uses will be evaluated to ensure that 
the disclosure is legally permissible, including but not limited to 
ensuring that the purpose of the disclosure is compatible with the 
purpose for which the information was collected. We propose to 
establish the following routine use disclosures of information 
maintained in the system:
    1. To support HHS contractors, consultants, or HHS grantees who 
have been engaged by HHS to assist in accomplishment of an HHS function 
relating to the purposes for this SOR and who need to have access to 
the records in order to assist HHS.
    We contemplate disclosing information under this routine use only 
in situations in which HHS may enter into a contractual or similar 
agreement with a third party to assist in accomplishing an HHS function 
relating to purposes for this SOR.
    HHS occasionally contracts out certain of its functions when doing 
so would contribute to effective and efficient operations. HHS will 
give a contractor, consultant, or HHS grantee the information necessary 
for the contractor or consultant to fulfill its duties. In these 
situations, safeguards are provided in the contract prohibiting the 
contractor, consultant, or grantee from using or disclosing the 
information for any purpose other than that described in the contract 
and requires the contractor, consultant, or grantee to return or 
destroy all information at the completion of the contract. Contractors 
are also required to provide the appropriate management, operational, 
and technical controls to secure the data.
    2. To assist another Federal or State agency, agency of a State 
government, an agency established by State law, or its fiscal agent 
pursuant to agreements with HHS to:
    a. Contribute to the accuracy of HHS''s reimbursement to sponsors 
under the ERRP;
    b. Enable such agency to administer a Federal health benefits 
program, or as necessary to enable such agency to fulfill a requirement 
of a Federal statute or regulation that implements a health benefits 
program funded in whole or in part with Federal funds, and/or
    c. Assist Federal/State Medicaid programs which may require ERRP 
information for purposes related to this system.
    Other Federal or State agencies in their administration of a 
Federal health program may require ERRP information in order to support 
evaluations and monitoring of claims information of beneficiaries, 
including proper reimbursement for services provided.
    3. To support the Department of Justice (DOJ), court, or 
adjudicatory body when:
    a. The Department or any component thereof, or
    b. Any employee of HHS in his or her official capacity, or
    c. Any employee of HHS in his or her individual capacity where the 
DOJ has agreed to represent the employee, or
    d. The United States Government, is a party to litigation or has an 
interest in such litigation, and by careful review, HHS determines that 
the records are both relevant and necessary to the litigation and that 
the use of such records by the DOJ, court or adjudicatory body is 
compatible with the purpose for which the agency collected the records.
    Whenever HHS is involved in litigation, or occasionally when 
another party is involved in litigation and HHS's policies or 
operations could be affected by the outcome of the litigation, HHS 
would be able to disclose information to the DOJ, court, or 
adjudicatory body involved.
    4. To assist an HHS contractor (including, but not limited to 
fiscal intermediaries and carriers) that assists in the administration 
of an HHS-administered health benefits program, or to a grantee of an 
HHS-administered grant program, when disclosure is deemed reasonably 
necessary by HHS to prevent, deter, discover, detect, investigate, 
examine, prosecute, sue with respect to, defend against, correct, 
remedy, or otherwise combat fraud, waste or abuse in such program.
    We contemplate disclosing information under this routine use only 
in situations in which HHS may enter into a contract or grant with a 
third party to assist in accomplishing HHS functions relating to the 
purpose of combating fraud, waste or abuse.
    HHS occasionally contracts out certain of its functions when doing 
so would contribute to effective and efficient operations. HHS must be 
able to give a contractor or grantee whatever

[[Page 31443]]

information is necessary for the contractor or grantee to fulfill its 
duties. In these situations, safeguards are provided in the contract 
prohibiting the contractor or grantee from using or disclosing the 
information for any purpose other than that described in the contract 
and requiring the contractor or grantee to return or destroy all 
information.
    5. To assist another Federal agency or to an instrumentality of any 
governmental jurisdiction within or under the control of the United 
States (including any State or local governmental agency), that 
administers, or that has the authority to investigate potential fraud, 
waste or abuse in a health benefits program funded in whole or in part 
by Federal funds, when disclosure is deemed reasonably necessary by HHS 
to prevent, deter, discover, detect, investigate, examine, prosecute, 
sue with respect to, defend against, correct, remedy, or otherwise 
combat fraud, waste or abuse in such programs.
    Other agencies may require ERRP information for the purpose of 
combating fraud, waste or abuse in such Federally-funded programs.
    6. To assist appropriate Federal agencies and Department 
contractors that have a need to know the information for the purpose of 
assisting the Department's efforts to respond to a suspected or 
confirmed breach of the security or confidentiality of information 
maintained in this system of records, and the information disclosed is 
relevant and unnecessary for the assistance.
    Other agencies may require ERRP information for the purpose of 
assisting the Department's efforts to respond to a suspected or 
confirmed breach of the security or confidentiality of information 
maintained in this system of records.

B. Additional Circumstances Affecting Routine Use Disclosures

    Our policy will be to prohibit release even of data not directly 
identifiable, except pursuant to one of the routine uses or if required 
by law, if we determine there is a possibility that an individual can 
be identified through implicit deduction based on small cell sizes 
(instances where the patient population is so small that individuals 
could, because of the small size, use this information to deduce the 
identity of the individual).

IV. Safeguards

    HHS has safeguards in place for authorized users and monitors such 
users to ensure against unauthorized use. Personnel having access to 
the system have been trained in the Privacy Act and information 
security requirements. Employees who maintain records in this system 
are instructed not to release data until the intended recipient agrees 
to implement appropriate management, operational and technical 
safeguards sufficient to protect the confidentiality, integrity and 
availability of the information and information systems and to prevent 
unauthorized access.
    This system will conform to all applicable Federal laws and 
regulations and Federal and HHS policies and standards as they relate 
to information security and data privacy. These laws and regulations 
include but are not limited to: The Privacy Act of 1974; the Federal 
Information Security Management Act of 2002; the Computer Fraud and 
Abuse Act of 1986; the E-Government Act of 2002, and the Clinger-Cohen 
Act of 1996; OMB Circular A-130, Management of Federal Resources, 
Appendix III, Security of Federal Automated Information Resources also 
applies. Federal and HHS policies and standards include but are not 
limited to: All pertinent National Institute of Standards and 
Technology publications; and the HHS Information Systems Program 
Handbook.

V. Effects of the New System on the Rights of Individuals

    HHS proposes to establish this system in accordance with the 
principles and requirements of the Privacy Act and will collect, use, 
and disseminate information only as prescribed therein. We will only 
disclose the minimum personal data necessary to achieve the purpose of 
ERRP. Disclosure of information from the system will be approved only 
to the extent necessary to accomplish the purpose of the disclosure. 
HHS has assigned a higher level of security clearance for the 
information maintained in this system in an effort to provide added 
security and protection of data in this system.
    HHS will take precautionary measures to minimize the risks of 
unauthorized access to the records and the potential harm to individual 
privacy or other personal or property rights. HHS will collect only 
that information necessary to perform the system's functions. In 
addition, HHS will make disclosure from the proposed system only with 
consent of the subject individual, or his/her legal representative, or 
in accordance with an applicable exception provision of the Privacy 
Act.
    HHS, therefore, does not anticipate an unfavorable effect on 
individual privacy as a result of the disclosure of information 
relating to individuals.

    Dated: May 20, 2010.
Jay Angoff,
Director Office of Consumer Information and Insurance Oversight.
SYSTEM NUMBER: 09-90-0250

SYSTEM NAME:
    ``Early Retirement Reinsurance Program (ERRP),'' OCIIO, OS/HHS.

SECURITY CLASSIFICATION:
    Level Three Privacy Act Sensitive.

SYSTEM LOCATION:
    Office of Consumer Information and Insurance Oversight, U.S. 
Department of Health & Human Services, 200 Independence Avenue, SW., 
Suite 738F, Washington, DC 20201.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Information in this system is maintained on individuals associated 
with plan sponsors who perform key tasks on behalf of the sponsor, so 
that the sponsor can participate in and get reimbursement under the 
program. Information in this system is also maintained on early 
retirees and their spouses, surviving spouses, and dependents that are 
enrolled in employment-based plans that participate in the program. 
With respect to medical claims submitted by plan sponsors for 
reimbursement, information in this system is maintained on early 
retirees and their spouses, surviving spouses, and dependents with 
respect to those medical claims, including the health benefit provided, 
the provider or supplier, the incurred date, the individual for whom 
the health benefit was provided, the date and amount of payment net any 
known negotiated price concessions, and the employment-based plan and 
benefit option under which the health benefit was provided.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Information in this system is maintained on early retirees and 
their spouses, surviving spouses, and dependents that are enrolled in 
employment-based plans that participate in the program. Information 
maintained in this system includes, but is not limited to, first name, 
last name, middle initial, date of birth, Social Security Number (SSN), 
gender, standard data for identification such as Plan Sponsor 
Identification Number, Application Identification Number, Benefit 
Option Identifier, and relationship to early retiree. Information in 
this system is maintained on

[[Page 31444]]

individuals associated with plan sponsors who perform key tasks on 
behalf of the sponsor, so that the sponsor can participate in and get 
reimbursement under the program. Information maintained in the system 
regarding these individuals includes, but is not limited to, standard 
data for identification such as Plan Sponsor Identification Number, 
Application Identification Number, Benefit Option Identifier, the 
individual's first name, middle initial, last name, job title, date of 
birth, social security number, e-mail address, telephone number, fax 
number, employer name, and business address. With respect to medical 
claims submitted by plan sponsors for reimbursement, information in 
this system is maintained on early retirees and their spouses, 
surviving spouses, and dependents with respect to those medical claims, 
including the health benefit provided, the provider or supplier, the 
incurred date, the individual for whom the health benefit was provided, 
the date and amount of payment net any known negotiated price 
concessions, and the employment-based plan and benefit option under 
which the health benefit was provided.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Authority for the collection, maintenance, and disclosures from 
this system is given under provisions of Sec.  1102 of the Affordable 
Care Act and its implementing regulations codified at Title 45 Code of 
Federal Regulations (CFR) Part 149.

PURPOSE(S) OF THE SYSTEM:
    The purpose of this system is to collect and maintain information 
on individuals who are early retirees (and spouses, etc.), to collect 
and maintain information on individuals who are associated with plan 
sponsors who perform key tasks on behalf of the sponsor, and to collect 
and maintain information on medical claims submitted to the U.S. 
Department of Health & Human Services (HHS) for reimbursement, so that 
accurate and timely reimbursements may be made to plan sponsors who 
continue to offer qualifying health benefits to such individuals. 
Information maintained in this system will also be disclosed to: 
(1)Support regulatory, reimbursement, and policy functions performed by 
an HHS contractor, consultant or grantee; (2) assist another Federal or 
State agency, agency of a State government, an agency established by 
State law, or its fiscal agent; (3) support litigation involving the 
Department; (4) combat fraud and abuse in certain health benefits 
programs; and (5) assist efforts to respond to a suspected or confirmed 
breach of the security or confidentiality of information maintained in 
this system of records.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OR USERS AND THE PURPOSES OF SUCH USES:
B. Entities Who May Receive Disclosures Under Routine Use

    These routine uses specify circumstances, in addition to those 
provided by statute in the Privacy Act of 1974, under which HHS may 
release information from the ERRP without the consent of the individual 
to whom such information pertains. Each proposed disclosure of 
information under these routine uses will be evaluated to ensure that 
the disclosure is legally permissible, including but not limited to 
ensuring that the purpose of the disclosure is compatible with the 
purpose for which the information was collected. We propose to 
establish or modify the following routine use disclosures of 
information maintained in the system:
    1. To support Agency contractors, consultants, or HHS grantees who 
have been engaged by the Agency to assist in accomplishment of an HHS 
function relating to the purposes for this SOR and who need to have 
access to the records in order to assist HHS.
    2. To assist another Federal or State agency, agency of a State 
government, an agency established by State law, or its fiscal agent 
pursuant to agreements with HHS to:
    a. Contribute to the accuracy of HHS's reimbursement to sponsors 
under the ERRP,
    b. Enable such agency to administer a Federal health benefits 
program, or as necessary to enable such agency to fulfill a requirement 
of a Federal statute or regulation that implements a health benefits 
program funded in whole or in part with Federal funds, and/or
    c. Assist Federal/State Medicaid programs which may require ERRP 
information for purposes related to this system.
    3. To the Department of Justice (DOJ), court, or adjudicatory body 
when:
    b. The Agency or any component thereof, or
    e. Any employee of the Agency in his or her official capacity, or
    f. Any employee of the Agency in his or her individual capacity 
where the DOJ has agreed to represent the employee, or
    g. The United States Government, is a party to litigation or has an 
interest in such litigation, and by careful review, HHS determines that 
the records are both relevant and necessary to the litigation and that 
the use of such records by the DOJ, court or adjudicatory body is 
compatible with the purpose for which the agency collected the records.
    4. To assist an HHS contractor (including, but not limited to 
fiscal intermediaries and carriers) that assists in the administration 
of an HHS-administered health benefits program, or to a grantee of an 
HHS-administered grant program, when disclosure is deemed reasonably 
necessary by HHS to prevent, deter, discover, detect, investigate, 
examine, prosecute, sue with respect to, defend against, correct, 
remedy, or otherwise combat fraud, waste or abuse in such program.
    5. To assist another Federal agency or to an instrumentality of any 
governmental jurisdiction within or under the control of the United 
States (including any State or local governmental agency), that 
administers, or that has the authority to investigate potential fraud, 
waste or abuse in a health benefits program funded in whole or in part 
by Federal funds, when disclosure is deemed reasonably necessary by HHS 
to prevent, deter, discover, detect, investigate, examine, prosecute, 
sue with respect to, defend against, correct, remedy, or otherwise 
combat fraud, waste or abuse in such programs.
    6. To appropriate Federal agencies and Department contractors that 
have a need to know the information for the purpose of assisting the 
Department's efforts to respond to a suspected or confirmed breach of 
the security or confidentiality of information disclosed is relevant 
and necessary for that assistance.

C. Additional Circumstances Affecting Routine Use Disclosures

    Our policy will be to prohibit release even of data not directly 
identifiable, except pursuant to one of the routine uses or if required 
by law, if we determine there is a possibility that an individual can 
be identified through implicit deduction based on small cell sizes 
(instances where the patient population is so small that individuals 
could, because of the small size, use this information to deduce the 
identity of the beneficiary).

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    We will be storing records in hardcopy files and various electronic 
storage media (including DB2, Oracle, and other relational data 
structures).

[[Page 31445]]

RETRIEVABILITY:
    Information is most frequently retrieved by first name, last name, 
middle initial, date of birth, or Social Security Number (SSN).

SAFEGUARDS:
    HHS has safeguards in place for authorized users and monitors such 
users to ensure against unauthorized use. Personnel having access to 
the system have been trained in the Privacy Act and information 
security requirements. Employees who maintain records in this system 
are instructed not to release data until the intended recipient agrees 
to implement appropriate management, operational and technical 
safeguards sufficient to protect the confidentiality, integrity and 
availability of the information and information systems and to prevent 
unauthorized access.
    This system will conform to all applicable Federal laws and 
regulations and Federal, HHS, and HHS policies and standards as they 
relate to information security and data privacy. These laws and 
regulations include but are not limited to: The Privacy Act of 1974; 
the Federal Information Security Management Act of 2002; the Computer 
Fraud and Abuse Act of 1986; the E-Government Act of 2002, and the 
Clinger-Cohen Act of 1996. OMB Circular A-130, Management of Federal 
Resources, Appendix III, Security of Federal Automated Information 
Resources also applies. Federal, HHS, and HHS policies and standards 
include but are not limited to: all pertinent National Institute of 
Standards and Technology publications; and the HHS Information Systems 
Program Handbook. HHS will give a contractor, consultant, or HHS 
grantee the information necessary for the contractor or consultant to 
fulfill its duties. In these situations, safeguards are provided in the 
contract prohibiting the contractor, consultant, or grantee from using 
or disclosing the information for any purpose other than that described 
in the contract and requires the contractor, consultant, or grantee to 
return or destroy all information at the completion of the contract. 
Contractors are also required to provide the appropriate management, 
operational, and technical controls to secure the data.

RETENTION AND DISPOSAL:
    Records are maintained with identifiers for all transactions after 
they are entered into the system for a period of 10 years. Records are 
housed in both active and archival files in accordance with HHS data 
and document management policies and standards. All sponsor 
applications, claims, and other program-related records are encompassed 
by the document preservation order and will be retained until 
notification is received from the Department of Justice.

SYSTEM MANAGER AND ADDRESS:
    David Gardner, Acting Director, Early Retiree Reinsurance Division, 
Office of Insurance Programs, Office of Consumer Information and 
Insurance Oversight, U.S. Department of Health & Human Services, 200 
Independence Avenue, SW., Suite 738F, Washington, DC 20201.

NOTIFICATION PROCEDURE:
    For purpose of notification, the subject individual should write to 
the system manager who will require the system name, and the retrieval 
selection criteria (e.g., name, SSN, etc.).

RECORD ACCESS PROCEDURE:
    For purpose of access, use the same procedures outlined in 
Notification Procedures above. Requestors should also reasonably 
specify the record contents being sought. (These procedures are in 
accordance with Department regulation 45 CFR 5b.5(a)(2)).

CONTESTING RECORD PROCEDURES:
    The subject individual should contact the system manager named 
above, and reasonably identify the record and specify the information 
to be contested. State the corrective action sought and the reasons for 
the correction with supporting justification. (These procedures are in 
accordance with Department regulation 45 CFR 5b.7).

RECORD SOURCE CATEGORIES:
    Record source categories include program participants, individuals 
on whose behalf reimbursements are being sought, and those who 
voluntarily submit data and personal information for the ERRP program.

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
    None.
[FR Doc. 2010-13178 Filed 6-2-10; 8:45 am]
BILLING CODE 4150-65-P