[Federal Register Volume 76, Number 168 (Tuesday, August 30, 2011)]
[Notices]
[Pages 53921-53924]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-22169]
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
Office of the Secretary
[Docket No. DHS-2011-0081]
Privacy Act of 1974; Department of Homeland Security ALL--034
Emergency Care Medical Records System of Records Notice
AGENCY: Privacy Office, DHS.
ACTION: Notice of Privacy Act system of records.
-----------------------------------------------------------------------
SUMMARY: In accordance with the Privacy Act of 1974, the Department of
Homeland Security proposes to establish a new Department of Homeland
Security system of records titled, ``Department of Homeland Security/
ALL--034 Emergency Care Medical Records System of Records Notice.''
This system of records will allow the Department of Homeland Security
Office of Health Affairs to collect and maintain records on individuals
who receive emergency care from Department Emergency Medical Services
providers. Individuals in this system include anyone who experiences a
medical emergency and is treated by an on-duty Departmental Emergency
Medical Services medical care provider. This newly established system
will be included in the Department of Homeland Security's inventory of
record systems.
DATES: Submit comments on or before September 29, 2011. This new system
will be effective September 29, 2011.
ADDRESSES: You may submit comments, identified by docket number DHS-
2011-0081 by one of the following methods:
Federal e-Rulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
Fax: 703-483-2999.
Mail: Mary Ellen Callahan, Chief Privacy Officer, Privacy
Office, Department of Homeland Security, Washington, DC 20528.
Instructions: All submissions received must include the
agency name and docket number for this rulemaking. All comments
received will be posted without change to http://www.regulations.gov,
including any personal information provided.
Docket: For access to the docket to read background
documents or comments received go to http://www.regulations.gov.
FOR FURTHER INFORMATION CONTACT: For questions please contact: Mary
Ellen Callahan (703-235-0780), Chief Privacy Officer, Privacy Office,
Department of Homeland Security, Washington, DC 20528.
SUPPLEMENTARY INFORMATION:
I. Background
In accordance with the Privacy Act of 1974, 5 U.S.C. 552a, the
Department of Homeland Security (DHS) Office of Health Affairs (OHA)
proposes to establish a new DHS system of records titled, ``DHS/ALL--
034 Emergency Care Medical Records.''
The Assistant Secretary for Health Affairs and Chief Medical
Officer (ASHA/CMO) exercises oversight over all medical and public
health activities of DHS, with the exception of U.S. Coast Guard (USCG)
medical and public health activities. Throughout its components, the
DHS workforce includes approximately 3,500 Emergency Medical Service
(EMS) healthcare providers rendering emergency medical care in the pre-
hospital environment, primarily to DHS employees and, when necessary,
to individuals encountered in the course of duty in need of emergency
care. These DHS EMS healthcare providers are employed by the following
DHS components: U.S. Customs and Border Protection (CBP), U.S.
Immigration and Customs Enforcement (ICE), the United States Secret
Service (USSS), Transportation Security Administration (TSA), U.S.
Citizenship and Immigration Services (USCIS), Federal Law Enforcement
Training Center (FLETC), Federal Emergency Management Agency (FEMA),
and Science & Technology Directorate (S&T).
OHA administers oversight of DHS EMS healthcare providers through
its Medical Quality Management (MQM) program, to ensure DHS EMS
providers deliver consistent, quality medical care. To support MQM, OHA
operates the electronic Patient Care Record (ePCR), an electronic
encounter-based database designed for EMS management. After
administering emergency care, DHS
[[Page 53922]]
EMS medical care providers manually enter emergency medical care
information into ePCR. ePCR captures all aspects of patient care, from
the initial dispatch of a vehicle and personnel to a designated site,
demographics, vital signs (initial assessment), treatment, and transfer
of care and/or patient transport. The system captures patient data such
as name, date of birth, and medical information. Concurrent with the
publication of this notice, DHS is publishing a Privacy Impact
Assessment (PIA) describing the ePCR system. This PIA will be available
at the DHS Privacy Office Web site at http://www.dhs.gov/privacy. ePCR
improves MQM at the Department by allowing OHA to track and trend data
quality, including documentation review, clinical performance, and
performance improvement initiatives. This system assists OHA in
assessing overall quality of care provided while ensuring that a high
standard of care is continually met.
This includes electronic data in ePCR operated by OHA as well as
those same EMS encounter records when kept by the EMS provider, in
paper form. Individuals covered by this system include members of the
public who are treated by on-duty DHS Emergency Medical Services (EMS)
healthcare provider. When patients are DHS or other federal employees,
their records are considered part of the OPM/GOVT-10--Employee Medical
File System Records, 71 FR 3560 (Jun. 19, 2006.) When patients are not
Federal employees, such as members of the public, their records are
considered part of this system.
OHA has primary responsibility within the Department for ``ensuring
internal and external coordination of all medical preparedness and
response activities of the Department, including training, exercises,
and equipment support.'' See Section 516(c)(3) of the Post Katrina
Emergency Management and Reform Act, Public Law109-295, 6 U.S.C.
321e(c). In addition, the Secretary has delegated to OHA responsibility
for providing oversight for all medical and health activities of the
Department. See DHS Delegation to the Assistant Secretary of Health
Affairs and Chief Medical Officer, No. 5001 (signed July 28, 2008). As
per internal DHS directive, OHA ensures the MQM program is
appropriately implemented within the department and that health care
service standards are consistently applied across the department. This
includes exercising oversight for development of quality assurance
activities (quality improvement, risk management documentation, and
medical record management) within DHS. The responsibility of MQM
necessitates a patient care reporting system to gather records of pre-
hospital emergency medical care rendered by DHS employees, as part of
their official DHS duties.
Due to the sensitive and private nature of patient medical records,
ePCR has been evaluated to identify risks and corresponding mitigation
strategies. Risks may include unauthorized disclosures, incorrect data
entry, software viruses, unauthorized access to the system, sharing of
data with private sector entities, and data security breaches.
Mitigation activities involve privacy and security awareness training
for all users, enforcement of role-based access to varied aspects of
ePCR (e.g., end-users have access only to their component-specific
patient data and any other patient encounter reports for which they
have been identified as providing care).
Designated persons (Component Medical Director, Component EMS
Coordinators, and ePCR Administrator) within the components will have
full administrative review access to all records for quality assurance
purposes. The OHA Medical Quality Management Branch and the OHA Medical
First Responder Coordination Branch will have rights to run ad hoc
reports and query data as it relates to quality assurance tracking and
trending indicators (completeness of record, adherence to standards of
care/protocols and training) on all component data. Audit logs are
periodically reviewed for inconsistencies. Any inconsistencies are
immediately addressed through the Component Medical Director, EMS
coordinators, or Component Information Technology (IT) and Security
Compliance Officer to correct or resolve any issues and concerns. The
purpose of ePCR is to support OHA's MQM program, and this purpose is
supported by routine uses for sharing this data for notification of
medical hazard, worker's compensation claims, through formal legal
channels, and other limited administrative purposes.
This newly established system will be included in DHS's inventory
of record systems.
II. Privacy Act
The Privacy Act embodies fair information practice principles in a
statutory framework governing the means by which the U.S. Government
collects, maintains, uses, and disseminates individuals' records. The
Privacy Act applies to information that is maintained in a ``system of
records.'' A ``system of records'' is a group of any records under the
control of an agency for which information is retrieved by the name of
an individual or by some identifying number, symbol, or other
identifying particular assigned to the individual. In the Privacy Act,
an individual is defined to encompass U.S. citizens and lawful
permanent residents. As a matter of policy, DHS extends administrative
Privacy Act protections to all individuals where systems of records
maintain information on U.S. citizens, lawful permanent residents, and
visitors.
Below is the description of the DHS/OHA-002 Emergency Care Medical
Records System of Records.
In accordance with 5 U.S.C. 552a(r), DHS has provided a report of
this system of records to the Office of Management and Budget and to
Congress.
III. Health Insurance Portability and Accountability Act
For this collection of health information, OHA and participating
components are not subject to the provisions of the Health Insurance
Portability and Accountability Act (HIPAA) of 1996 regulation,
``Standards for Privacy of Individually Identifiable Health
Information'' (Privacy Rule), 45 CFR parts 160 and 164. OHA does not
meet the statutory definition of a covered entity under HIPAA, 42
U.S.C. 1320d-1. Because OHA and participating components are not a
covered entity, the restrictions prescribed by the HIPAA Privacy Rule
are not applicable.
System of Records
Department of Homeland Security (DHS)/Office of Health Affairs (OHA)--
002 Emergency Care Medical Records (ECMR)
System name:
DHS/OHA--002 Emergency Care Medical Records.
Security classification:
Unclassified.
System location:
Records are maintained in the electronic Patient Care Record (ePCR)
system at the OHA Headquarters in Washington, DC.
Categories of individuals covered by the system:
Individuals covered by this system include members of the public,
including federal contractors, who are treated by an on-duty DHS
Emergency Medical Services (EMS) healthcare provider. When patients are
DHS or other federal employees, their records are considered part of
the OPM/GOVT-
[[Page 53923]]
10--Employee Medical File System Records, 71 FR 35360 (Jun. 19, 2006.)
Categories of records in the system:
Patient name.
Patient case/identification number (not Social Security
Number).
Account of the illness or injury.
Date of birth and age.
Gender.
Location.
Address (residential or business, if/as relevant).
Type of injury.
Current medications.
Allergies.
Past medical history.
Assessment of injury.
Chief complaint.
Vital signs.
Treatment provided and/or procedures.
Transfer of care, refusal of care, and/or transportation
mode and destination.
Medication dispensed.
Discharge instructions for follow-on care.
If necessary, patient's guardian or legal representative.
Patient's health insurance information, if any.
Authority for maintenance of the system:
OHA has primary responsibility within the Department for ``ensuring
internal and external coordination of all medical preparedness and
response activities of the Department, including training, exercises,
and equipment support.'' See Section 516(c)(3) of the Post Katrina
Emergency Management and Reform Act, Pub. L. 109-295, 6 U.S.C. 321e(c).
In addition, the Secretary has delegated to OHA responsibility for
providing oversight for all medical and health activities of the
Department. See DHS Delegation to the Assistant Secretary of Health
Affairs and Chief Medical Officer, No. 5001 (signed July 28, 2008). As
per internal DHS directive, OHA ensures the MQM program is
appropriately implemented within the department and that health care
service standards are consistently applied across the department. This
includes exercising oversight for development of quality assurance
activities (quality improvement, risk management documentation, and
medical record management) within DHS. The responsibility of MQM
necessitates a patient care reporting system to gather records of pre-
hospital emergency medical care rendered by DHS employees, as part of
their official DHS duties.
Purpose(s):
The purpose of this system is to support MQM oversight to ensure
consistent quality medical care and standardize the documentation of
care rendered by DHS EMS medical care providers in diverse
environments.
Routine uses of records maintained in the system, including categories
of users and the purposes of such uses:
In addition to those disclosures generally permitted under 5 U.S.C.
552a(b) of the Privacy Act, all or a portion of the records or
information contained in this system may be disclosed outside DHS as a
routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
A. To the Department of Justice (DOJ), including U.S. Attorney
Offices, or other federal agency conducting litigation or in
proceedings before any court, adjudicative or administrative body, when
it is necessary to the litigation and one of the following is a party
to the litigation or has an interest in such litigation:
1. DHS or any component thereof;
2. Any employee of DHS in his/her official capacity;
3. Any employee of DHS in his/her individual capacity where DOJ or
DHS has agreed to represent the employee; or
4. The U.S. or any agency thereof, is a party to the litigation or
has an interest in such litigation, and DHS determines that the records
are both relevant and necessary to the litigation and the use of such
records is compatible with the purpose for which DHS collected the
records.
B. To a congressional office from the record of an individual in
response to an inquiry from that congressional office made at the
request of the individual to whom the record pertains.
C. To the National Archives and Records Administration (NARA) or
other federal government agencies pursuant to records management
inspections being conducted under the authority of 44 U.S.C. 2904 and
2906.
D. To an agency, organization, or individual for the purpose of
performing audit or oversight operations as authorized by law, but only
such information as is necessary and relevant to such audit or
oversight function.
E. To appropriate agencies, entities, and persons when:
1. DHS suspects or has confirmed that the security or
confidentiality of information in the system of records has been
compromised;
2. DHS has determined that as a result of the suspected or
confirmed compromise there is a risk of harm to economic or property
interests, identity theft or fraud, or harm to the security or
integrity of this system or other systems or programs (whether
maintained by DHS or another agency or entity) or harm to the
individual that rely upon the compromised information; and
3. The disclosure made to such agencies, entities, and persons is
reasonably necessary to assist in connection with DHS's efforts to
respond to the suspected or confirmed compromise and prevent, minimize,
or remedy such harm.
F. To contractors and their agents, grantees, experts, consultants,
and others performing or working on a contract, service, grant,
cooperative agreement, or other assignment for DHS, when necessary to
accomplish an agency function related to this system of records.
Individuals provided information under this routine use are subject to
the same Privacy Act requirements and limitations on disclosure as are
applicable to DHS officers and employees.
G. To appropriate federal, State, local, tribal, or foreign
governmental agencies or multilateral governmental organizations for
the purpose of protecting the vital interests of a data subject or
other persons or to comply with laws governing reporting of
communicable disease, including to assist such agencies or
organizations in preventing exposure to or transmission of a
communicable or quarantinable disease or to combat other significant
public health threats; appropriate notice will be provided of any
identified health threat or risk.
H. To hospitals, physicians, medical laboratories and testing
facilities, and other medical service providers, for the purpose of
diagnosing and treating medical conditions or arranging the care of
patients who have been treated by DHS EMS providers.
I. To foreign governments for the purpose of coordinating and
conducting the removal or return of aliens from the United States to
other nations when disclosure of information about the alien's health
is necessary or advisable to safeguard the public health, to facilitate
transportation of the alien, to obtain travel documents for the alien,
to ensure continuity of medical care for the alien, or is otherwise
required by international agreement or law.
J. To immediate family members and attorneys or other agents acting
on behalf of a patient to assist those individuals in determining the
current medical condition and/or location of a patient to whom DHS has
provided emergency medical care, provided they can present adequate
verification of a familial or agency relationship with the patient.
K. To independent standardization and medical quality management
[[Page 53924]]
repositories, such as the National Emergency Medical Services
Information System (NEMSIS), in de-identified, aggregate form only, to
promote DHS compliance with emergency medical care industry standards
and best practices.
L. To any person who is responsible for the care of the individual,
to the extent necessary to assure payment of benefits to which the
individual is entitled, when an individual to whom a record pertains is
mentally incompetent or under other legal disability.
M. To the patient's health insurance company to facilitate any
payment and billing negotiations between the patient, the insurance
carrier and the agency.
Disclosure to consumer reporting agencies:
None.
Policies and practices for storing, retrieving, accessing, retaining,
and disposing of records in the system:
Storage:
Records in this system are stored electronically or on paper in
secure facilities in a locked drawer behind a locked door. The records
are stored on magnetic disc, tape, digital media, and CD-ROM.
Retrievability:
Records may be retrieved by any of the fields listed in the
Categories of Records listed above.
Safeguards:
Records in this system are safeguarded in accordance with
applicable rules and policies, including all applicable DHS automated
systems security and access policies. Strict controls have been imposed
to minimize the risk of compromising the information that is being
stored. Access to the computer system containing the records in this
system is limited to those individuals who have a need to know the
information for the performance of their official duties and who have
appropriate clearances or permissions.
Retention and disposal:
Based on the most conservative industry standards advised to
implement Medical Quality Management, OHA will propose a retention
schedule of ten (10) years from the date of the EMS provider encounter.
Records will be retained pending the final approval by the National
Archives and Records Administration of this records schedule.
System Manager and address:
Director, Workforce Health and Medical Support Division, Office of
Health Affairs, Department of Homeland Security, Washington, DC 20528.
Notification procedure:
Individuals seeking notification of and access to any record
contained in this system of records, or seeking to contest its content,
may submit a request in writing to the Headquarters FOIA Officer, whose
contact information can be found at http://www.dhs.gov/foia under
``contacts.'' If an individual believes more than one component
maintains Privacy Act records concerning him or her the individual may
submit the request to the Chief Privacy Officer and Chief Freedom of
Information Act Officer, Department of Homeland Security, 245 Murray
Drive, SW., Building 410, STOP-0655, Washington, DC 20528.
When seeking records about yourself from this system of records or
any other Departmental system of records your request must conform with
the Privacy Act regulations set forth in 6 CFR part 5. You must first
verify your identity, meaning that you must provide your full name,
current address and date and place of birth. You must sign your
request, and your signature must either be notarized or submitted under
28 U.S.C. 1746, a law that permits statements to be made under penalty
of perjury as a substitute for notarization. While no specific form is
required, you may obtain forms for this purpose from the Chief Privacy
Officer and Chief Freedom of Information Act Officer, http://www.dhs.gov or 1-866-431-0486. In addition you should provide the
following:
An explanation of why you believe the Department would
have information on you;
Identify which component(s) of the Department you believe
may have the information about you;
Specify when you believe the records would have been
created;
Provide any other information that will help the FOIA
staff determine which DHS component agency may have responsive records;
and
If your request is seeking records pertaining to another
living individual, you must include a statement from that individual
certifying his/her agreement for you to access his/her records.
Without this bulleted information the component(s) may not be able
to conduct an effective search, and your request may be denied due to
lack of specificity or lack of compliance with applicable regulations.
Consistent with 6 CFR 5.22(f) Release of Medical Records, and pursuant
to 5 U.S.C. 552a(f)(3), where requests are made for access to medical
records, including psychological records, the decision to release
directly to the individual, or to withhold direct release, shall be
made by a medical practitioner. Where the medical practitioner has
ruled that direct release will cause harm to the individual who is
requesting access, normal release through the individual's chosen
medical practitioner will be recommended. Final review and decision on
appeals of disapprovals of direct release will rest with the General
Counsel.
Record access procedures:
See ``Notification procedure'' above.
Contesting record procedures:
See ``Notification procedure'' above.
Record source categories:
Records are obtained from DHS EMS medical care providers and their
patients, either in the care and custody of the Department, at the DHS
workplace, or in conjunction with a medical emergency where an on-duty
DHS EMS is the medical care provider.
Exemptions claimed for the system:
None.
Dated: August 23, 2011.
Mary Ellen Callahan,
Chief Privacy Officer, Department of Homeland Security.
[FR Doc. 2011-22169 Filed 8-29-11; 8:45 am]
BILLING CODE 4410-9K-P