[Federal Register Volume 76, Number 246 (Thursday, December 22, 2011)]
[Notices]
[Pages 79685-79688]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-32791]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
Privacy Act of 1974; System of Records Notice
AGENCY: Department of Health and Human Services (HHS), Office of the
Secretary (OS), Office of the National Coordinator for Health
Information Technology (ONC).
ACTION: Notice to establish a new system of records.
-----------------------------------------------------------------------
SUMMARY: In accordance with the requirements of the Privacy Act of
1974, HHS/OS/ONC is establishing a new system of records, ``ONC Health
IT Dashboard,'' to create datasets that will be used by ONC and its
partners (including grantees in the Health IT Extension Center program
and ONC program evaluation contractors) to assess, improve, and
publicize the effectiveness of ONC health IT grants to States and
State-designated entities. The datasets will enable ONC to (1) Evaluate
the state of health IT implementation by parties registered to receive
(i.e., who have received or could receive) electronic health record
implementation assistance from ONC grantees, (2) compare the
evaluations to grantees' progress reports in order to validate claims
submitted for grant payments, (3) share the evaluations with the
grantees to help improve grant performance, and (4) make aggregate data
(e.g., national and State-level implementation estimates) publicly
available on ONC's Web site at http://www.healthit.hhs.gov.
The parties receiving grants and health IT implementation
assistance from ONC grantees include health care providers (not only
provider-entities such as hospitals, but individual providers such as
individual physicians), community colleges, State-designated entities,
and other entities. Information about an individual provider (e.g., an
individual physician as opposed to a hospital, corporation or other
organization) is protected by the Privacy Act. Privacy Act-protected
information about each individual provider will consist of the
provider's health IT implementation information, demographic
information, and contact information, retrieved by his or her National
Provider Identifier (NPI). The system will not contain information
about patients. The system of records is more thoroughly described in
the Supplementary Information section and System of Records Notice
(SORN), below.
DATES: Effective Dates: Effective 30 days after publication. Written
comments should be submitted on or before the effective date. HHS/OS/
ONC may publish an amended System of Records Notice (SORN) in light of
any comments received.
ADDRESSES: The public should send written comments to: ONC Dashboard
Administrator, [email protected], 200 Independence Ave. SW.,
Washington, DC 20201.
FOR FURTHER INFORMATION CONTACT: Email: [email protected], Telephone:
1-(202) 690-7151, 200 Independence Ave. SW., Washington, DC 20201.
SUPPLEMENTARY INFORMATION:
I. ONC Health IT Dashboard
The Office of the National Coordinator is establishing the ``ONC
Health IT Dashboard'' system as part of the U.S. Department of Health
and Human Service's (HHS) implementation of the Open Government
Directive issued by the Office of Management and Budget (OMB) on
December 8, 2009 (OMB Memorandum M-10-06). The purpose of the system is
to advance open government principles and facilitate three programmatic
objectives: (1) Aggregate data to create national- and State-level
estimates about health IT adoption, (2) identify participants in other
HHS health IT-related programs that could be assisted by ONC grantees,
and (3) verify the integrity of grant payments made to ONC grantees.
The Dashboard system will enable ONC to create datasets using data
from two types of sources: (1) Data created during the administration
of ONC grant programs or obtained from ONC partners administering other
Federal IT-related grant programs, and (2) data procured from private
vendors that monitor health IT adoption trends and activity. The
Dashboard system is divided into two interfaces: an internal system
used by ONC researchers to create and analyze said datasets, and a
public-facing Open Government internet site that will contain de-
identified State-level summary statistics derived from said datasets,
and pre-configured graphs, charts, and maps displaying the summarized
data.
Individually-identifying information in the Dashboard system will
pertain to individual office-based health care providers who are
enrolled with the ONC Health IT Regional Extension Centers (RECs) and/
or participate in other Federal IT-related grant programs, such as the
CMS Medicare and Medicaid EHR Incentive programs. Privacy Act-protected
information in this system will consist of an individual provider's
contact information, demographic information, and health IT
implementation information, retrieved by the provider's National
Provider Identifier (NPI). Examples of records from which this
information will be obtained include:
Records from private vendors that monitor health IT
adoption trends and activity, which include provider-level information
such as contact and demographic information and characteristics of the
electronic health records (EHR) systems and functionalities in use at
the provider's site.
ONC REC Program grant administration records, which
contains the NPI, contact information, and demographic information for
providers that are enrolled with ONC RECs.
[[Page 79686]]
Centers for Medicare & Mediaid Services (CMS) Electronic
Health Records (EHR) Incentive Program grant administration records,
which include registration and attestation records containing NPI,
contact information, and demographic information for providers who
register to participate in that program.
Some of the datasets to be created and used by ONC and shared with ONC
grantees and partners will necessarily include identifying information
pertaining to particular participants in ONC and other Federal IT-
related grant programs (including individual health care providers,
identified by NPI); however, datasets that will be made publicly
available on the ONC Web site will contain only aggregated data that
cannot be identified with particular participants. Examples of both
types of datasets (identifiable and aggregate) are described below:
The system will create datasets containing NPI for use by
ONC researchers, to validate the accuracy of claims for grant payment
by ONC grantees.
ONC may share versions of the above datasets containing
NPI with ONC partners and grantees, to help grantees better assist
registered parties in implementing health IT. An ONC partner or ONC
grantee will be able to access datasets created in the system via a
secure login to an internet portal. Accordingly, ONC partners and ONC
grantees will only have access to data specifically pertaining to the
achievement of that entity's grant or contract purpose. Further, an ONC
grantee will only receive or have access to individually-identifying
data about health care providers who are within the grantee's
geographic area.
The system will enable ONC to create aggregated summary
tables from the above datasets that examine patterns of grants
participation and health IT implementation using summary categories
deriving from the provider's geography (e.g., by state, region, urban/
rural classification) or demographic data (e.g., health care provider
type, such as office-based provider, hospital or pharmacy) and not by
NPI, for posting to ONC's Web site.
II. The Privacy Act
The Privacy Act (5 U.S.C. 552a) governs the means by which the U.S.
Government collects, maintains, and uses information about individuals
in a system of records. A ``system of records'' is a group of any
records under the control of a Federal agency from which information
about an individual is retrieved by the individual's name or other
personal identifier. The Privacy Act requires each agency to publish in
the Federal Register a system of records notice (SORN) identifying and
describing each system of records the agency maintains, including the
purposes for which the agency uses information about individuals in the
system, the routine uses for which the agency discloses such
information outside the agency, and how individual record subjects can
exercise their rights under the Privacy Act (e.g., to determine if the
system contains information about them).
SYSTEM NUMBER:
09-90-1201
SYSTEM NAME:
ONC Health IT Dashboard, HHS/OS/ONC.
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
The server infrastructure for the system will be located at Managed
Application Hosting Facility (MAHC Core Site), Reston Virginia.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
The system will contain information about individual office-based
health care providers who are enrolled with the ONC Health IT Regional
Extension Centers (REC) and/or participate in other Federal health IT-
related grant programs, including the CMS EHR Incentive Programs.
CATEGORIES OF RECORDS IN THE SYSTEM:
The system will contain the following records about individual
health care providers:
IT implementation information, such as the functionalities
that are being used within a provider's electronic health record
system;
Demographic records, such as gender and ethnicity;
Contact information, such as name, address, and phone
number; and
National Provider Identifier (NPI).
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
The Health Information Technology for Economic and Clinical Health
(HITECH) Act, enacted as part of the American Recovery and Reinvestment
Act of 2009 (ARRA) (Pub. L. 111-5), codified at 42 U.S.C. 300jj.
PURPOSE(S) OF THE SYSTEM:
HHS/ONC personnel will use the system to create and use datasets to
assess, improve, and publicize the effectiveness of ONC health IT
grants made to States and State-designated entities. Some of the
datasets will contain individually identifying information about health
care providers who are registered to receive health IT implementation
assistance from ONC grantees. HHS/ONC personnel will use individually
identifying information in the system, on a need to know basis, to (1)
Evaluate the state of health IT implementation by parties registered to
receive electronic health record implementation assistance from ONC
grantees, (2) compare grantees' progress reports in order to validate
claims submitted for grant payments, (3) share the evaluations with the
grantees to help improve grant performance, and (4) make aggregate data
(e.g., national and State-level implementation estimates) publicly
available on ONC's Web site.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND THE PURPOSES OF SUCH USES:
The ONC Health IT Dashboard system will or may disclose datasets
containing individually identifying information about providers to the
following parties outside the agency, for the following routine uses:
1. To ONC grantees to help them improve grant performance and to
ONC contractors that help evaluate the effectiveness of Federal health
IT-related grants to States and State-designated entities. The group of
ONC grantees with whom this data will be shared is available on the ONC
Web site at http://www.healthit.gov. An ONC grantee will only receive
individually identifying data about health care providers that are
within the grantee's geographic service area.
2. To agency contractors, consultants, or HHS grantees who have
been engaged by the agency to assist in accomplishment of an HHS
function relating to the purposes of this system of records and who
need to have access to the records in order to assist HHS.
3. To another Federal or State agency, agency of a State
government, agency established by State law, or its fiscal agent,
pursuant to agreements with HHS, as necessary to enable such agency to:
Contribute to the accuracy of HHS's reimbursements to
grantees;
Administer a Federal health benefits program or fulfill a
requirement of a Federal statute or regulation that implements a health
benefits program funded in whole or in part with Federal funds; and/or
Assist Federal/State Medicaid programs which may require
ONC Health IT Dashboard information for purposes related to this
system.
[[Page 79687]]
4. To the Department of Justice (DOJ), a court or an adjudicatory
body when:
The agency or any component thereof, or
Any employee of the agency in his or her official
capacity, or
Any employee of the agency in his or her individual
capacity where the DOJ has agreed to represent the employee, or
The United States Government, is a party to litigation or
has an interest in such litigation and, by careful review, HHS
determines that the records are both relevant and necessary to the
litigation and that the use of such records by the DOJ, court or
adjudicatory body is compatible with the purpose for which the agency
collected the records.
5. To another Federal agency or an instrumentality of any
governmental jurisdiction within or under the control of the United
States (including any State or local governmental agency), that
administers or has the authority to investigate potential fraud, waste
or abuse in a health benefits program funded in whole or in part by
Federal funds, when disclosure is deemed reasonably necessary by HHS to
prevent, deter, discover, detect, investigate, examine, prosecute, sue
with respect to, defend against, correct, remedy, or otherwise combat
fraud, waste or abuse in such programs.
6. To appropriate Federal agencies and Department contractors that
have a need to know the information for the purpose of assisting the
Department's efforts to respond to a suspected or confirmed breach of
the security or confidentiality of information maintained in this
system of records, when the information disclosed is relevant and
necessary for that assistance.
7. To the Department of Justice (DOJ) and/or the Office of
Government Information Services (OGIS) for the purposes of determining
whether disclosure is required under the Freedom of Information Act
(FOIA), resolving disputes between FOIA requesters and Federal
agencies, and reviewing agencies' FOIA policies, procedures and
compliance in order to recommend policy changes to Congress and the
President.
8. To the National Archives and Records Administration (NARA) in
records management inspections conducted under the authority of 44
U.S.C. 2904 and 2906.
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING,
AND DISPOSING OF RECORDS IN THE SYSTEM--
STORAGE:
Electronic records will be stored on an ONC infrastructure servers
maintained at a contracted IT services unit of HHS. Electronic records
containing source data, including individually identifiable
information, can only be accessed from secure computer stations inside
the HHS/ONC workspace by authorized users. Aggregated datasets
including national and State-level EHR implementation estimates that do
not include individually identifiable information will be available
through the ONC Web site, http://healthIT.gov.
RETRIEVABILITY:
Records will be retrieved, compared and cross-checked using the
National Provider Identifier (NPI).
SAFEGUARDS:
Appropriate physical, technical, and administrative safeguards will
be in place to protect against unauthorized access to or disclosure of
individually identifiable information from this system. The system will
be secured and protected using standards established through the
Federal Information Security Management Act of 2002 (44 U.S.C. 3541)
and standards established by the National Institutes for Standards in
Technology (NIST) for certifying and accrediting IT systems.
Furthermore, access to the system's internal ONC interface (which
provides the only available access to individually-identifying data)
will be limited to a small group of authorized HHS/ONC researchers, and
within that group, individual datasets will be micromanaged to ensure
that access is restricted to the subset of ONC staff with the bona fide
need to use the information. Access to any portion of the internal ONC
system and or source datasets is predicated on successful user
registration with the HHS IT help desk and the user's ability to abide
by the HHS IT security terms of use.
Datasets created in the system for provided to an ONC grantee or
contractor will contain only data specifically pertaining to that
entities grant or contract purpose. Further, an ONC grantee or
contractor will only receive or have access to individually-
identifiable data about health care providers who are within the
grantee's geographic area. An ONC partner or ONC grantee will be able
to access datasets created in the system via a secure login to an
internet portal. No records will be maintained in hard-copy files.
RETENTION AND DISPOSAL:
The records are currently unscheduled; the records disposition
schedule will provide for records to be destroyed approximately two
years after the completion of the applicable ONC health IT-related
grant program that was evaluated using the records.
SYSTEM MANAGER AND ADDRESS:
ONC Dashboard Administrator, Office of the National Coordinator for
Health IT, 200 Independence Avenue SW., Washington, DC 20201.
NOTIFICATION PROCEDURE:
An individual provider who wishes to know if this system contains
records about him or her should write to the System Manager and include
his or her National Provider Identifier (NPI).
RECORD ACCESS PROCEDURE:
An individual provider seeking access to records about him or her
in this system should follow the same instructions indicated under
``Notification Procedure.'' The request should reasonably identify the
record contents to which access is sought. (These procedures are in
accordance with Department regulation 45 CFR 5b.5 (a)(2).)
CONTESTING RECORD PROCEDURES:
An individual provider seeking to contest the content of
information about him or her in this system should follow the same
instructions indicated under ``Notification Procedure.'' The request
should reasonably identify the record, specify the information
contested, state the corrective action sought, and provide the reasons
for the correction, with supporting justification. (These procedures
are in accordance with Department regulation 45 CFR 5b.7.) The right to
contest records is limited to information that is incomplete,
irrelevant, incorrect, or untimely (i.e., obsolete).
RECORD SOURCE CATEGORIES:
The system will use data procured from private vendors that monitor
health IT adoption trends and activity and grant administrative data
already collected or generated in administering ONC and other Federal
health IT-related grant programs. Datasets created by this system, from
those sources, will be cross-checked against certain data in other HHS
systems (such as the PECOS system), to ensure the datasets are valid,
accurate and reliable for use in evaluating ONC grants. Most of the
data used will come from records collected
[[Page 79688]]
directly from participants in the grant programs.
EXEMPTIONS CLAIMED FOR THIS SYSTEM:
None.
Dated: December 5, 2011.
Michael Furukawa,
Acting Director, Office of Economic Analysis, Evaluation and Modeling,
Office of the National Coordinator for Health IT, U.S. Department of
Health and Human Services.
[FR Doc. 2011-32791 Filed 12-21-11; 8:45 am]
BILLING CODE 199R-EC-P