[Federal Register Volume 78, Number 78 (Tuesday, April 23, 2013)]
[Notices]
[Pages 23938-23939]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2013-09511]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services


Privacy Act of 1974; Report of a New Routine Use for Selected CMS 
Systems of Records

AGENCY: Centers for Medicare & Medicaid Services (CMS), Department of 
Health and Human Services (HHS).

ACTION: Altered Systems Notice, Adding a New Routine Use to Selected 
CMS Systems of Records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 1974 
(5 U.S.C. 552a), CMS is adding a new routine use for emergency 
preparedness and response to eight CMS systems of records. The new 
routine use will authorize CMS to disclose beneficiary-identifiable 
records to public health authorities and entities acting under a 
delegation of authority of a public health authority requesting such 
information for the purpose of identifying vulnerable individuals who 
may need health assistance in the event of an incident, emergency or 
disaster, and for purposes of planning and providing such assistance. 
Disclosures made pursuant to the new routine use will be limited to the 
minimum data necessary to carry out statutorily-authorized public 
health-related emergency preparedness and response activities, as 
provided in Section 1106 of the Social Security Act (42 U.S.C. 1306) 
and the HIPAA Privacy Rule at 45 CFR Sec. Sec.  154.502, 164.512(b), 
164.502(b) and 164.514(d)(3)(iii)(A). Requests and disclosures made 
pursuant to the routine use will be coordinated through HHS' Office of 
the Assistant Secretary for Preparedness and Response (ASPR). The eight 
systems of records that will include the new routine use are: the 
National Claims History (NCH), System No. 09-70-0558; Medicare 
Integrated Data Repository (IDR), System No. 09-70-0571; Common Working 
Files (CWF), System No. 09-70-0526; Enrollment Database (EDB), System 
No. 09-70-0502; Medicare Beneficiary Database (MBD), System No. 09-70-
0536; Medicare Drug Data Processing System (DDPS), System No. 09-70-
0553; Long Term Care-Minimum Data Set (MDS), System No. 09-70-0528; and 
Home Health Agency (HHA) Outcome and Assessment Information Set 
(OASIS), System No. 09-70-0522.

DATES: Effective Date: The new routine use described in this notice 
will become effective without further notice 30 days after publication 
of this notice in the Federal Register, unless comments received on or 
before that date result in revisions to this notice.

ADDRESSES: The public should send comments to: CMS Privacy Officer, 
Division of Privacy Policy, Privacy Policy and Compliance Group, Office 
of E-Health Standards & Services, Office of Enterprise Management, CMS, 
Room S2-24-25, 7500 Security Boulevard, Baltimore, Maryland 21244-1850. 
Comments received will be available for review at this location, by 
appointment, during regular business hours, Monday through Friday from 
9:00 a.m.-3:00 p.m., Eastern Time zone.

FOR FURTHER INFORMATION CONTACT: Kristen P. Finne, Senior Program 
Analyst U.S. Department of Health and Human Services, Office of the 
Assistant Secretary for Preparedness and Response (ASPR), Office of 
Policy and Planning, Division of Health System Policy (HSP), Patriots 
Plaza, 375 E Street SW., Office 11-1701, Washington DC 20024, Office 
telephone: 202-691-2013, Blackberry: 202-439-1140, Email: 
[email protected].

SUPPLEMENTARY INFORMATION:  The new routine use will improve the 
ability of HHS' Assistant Secretary for Preparedness and Response 
(ASPR), in partnership with HHS' Centers for Medicare & Medicaid 
Services, to assist public health authorities and entities acting under 
a delegation of authority of a public health authority in identifying 
vulnerable individuals who may need health assistance prior to, during, 
and in the aftermath of an incident, emergency or disaster that poses 
an adverse health

[[Page 23939]]

and/or public health impact, and in planning and providing such 
assistance. Disclosing beneficiary-identifiable records for public 
health-related emergency preparedness and response purposes is a 
necessary and proper use of the information in the systems of records 
being modified; the new routine use is compatible with the health care 
purposes for which the information was collected in the CMS systems of 
records. Disclosure purposes could include emergency planning for 
outreach to at-risk populations and individuals during a public health 
emergency. For example, a public health agency could match the records 
with publicly available power outage data from another department or 
agency. In the event of a public health emergency that involves power 
outages, the public health agency would then be able to use the results 
of the matched data to identify individuals in the affected community 
who are dependent on energy for meeting their medical needs, for 
example individuals living in the community who are dependent on 
dialysis. The term ``public health authority'' and the concepts of 
``public health activity'' and ``minimum necessary'' disclosures are 
defined in the HIPAA Privacy Rule at 45 CFR Sec. Sec.  154.502, 
164.512(b), 164.502(b) and 164.514(d)(3)(iii)(A).
    For the reasons described above, the following routine use is added 
to the eight systems of records listed below:

    To disclose beneficiary-identifiable information to public 
health authorities, and those entities acting under a delegation of 
authority from a public health authority, when requesting such 
information to carry out statutorily-authorized public health 
activities pertaining to emergency preparedness and response. 
Disclosures under this routine use will be limited to ``public 
health authorities,'' ``public health activities,'' and ``minimum 
necessary data'' as defined in the HIPAA Privacy Rule (45 CFR 
Sec. Sec.  154.502, 164.512(b), 164.502(b) and 
164.514(d)(3)(iii)(A)).

    1. National Claims History (NCH), System No. 09-70-0588, published 
at 71 Federal Register (Fed. Reg.), 67137 (November 20, 2006).
    2. Medicare Integrated Data Repository (IDR), System No. 09-70-
0571, published at 71 Fed. Reg., 74915 (December 13, 2006).
    3. Common Working Files (CWF), System No. 09-70-0526, published at 
71 Fed. Reg., 64955 (November 6, 2006).
    4. Enrollment Database (EDB), System No. 09-70-0502, published at 
73 Fed. Reg., 10249 (February 26, 2008).
    5. Medicare Beneficiary Database (MBD), System No. 09-70-0536, 
published at 71 Fed. Reg., 70396 (December 4, 2006).
    6. Medicare Drug Data Processing System (DDPS), System No. 09-70-
0553, published at 73 Fed. Reg., 30943 (May 29, 2008).
    7. Long Term Care (LTC)-Minimum Data Set (MDS), System No. 09-70-
0528, published at 72 Fed. Reg., 12801 (March 19, 2007).
    8. Home Health Agency (HHA) Outcome and Assessment Information Set 
(OASIS), System No. 09-70-0522, published at 72 Fed. Reg. 63906 
(November 13, 2007).

    Dated: April 11, 2013.
Michelle Snyder,
Deputy Chief Operating Officer, Centers for Medicare & Medicaid 
Services.
[FR Doc. 2013-09511 Filed 4-22-13; 8:45 am]
BILLING CODE 4120-01-P