[Federal Register Volume 78, Number 210 (Wednesday, October 30, 2013)]
[Notices]
[Pages 65011-65014]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2013-25725]


-----------------------------------------------------------------------

OFFICE OF PERSONNEL MANAGEMENT


Privacy Act of 1974: New System of Records

AGENCY: U.S. Office of Personnel Management (OPM).

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: The U.S. Office of Personnel Management (OPM) proposes to add 
OPM/Central-19: External Review Records for Multi-State Plan (MSP) 
Program to its inventory of records systems subject to the Privacy Act 
of 1974 (5 U.S.C. 552a), as amended. This action is necessary to meet 
the requirements of the Privacy Act to publish in the Federal Register 
notice of the existence and character of records maintained by the 
agency. 5 U.S.C. 552a(e)(4).

DATES: This action will be effective without further notice on December 
9, 2013 unless comments are received that would result in a contrary 
determination.

ADDRESSES: Send written comments to the Office of Personnel Management, 
ATTN: Padma Shah, U.S. Office of Personnel Management, 1900 E Street 
NW., Room 2347, Washington, DC 20415.

FOR FURTHER INFORMATION CONTACT: Padma Shah by telephone at 202-606-
2128, or by email at [email protected].

SUPPLEMENTARY INFORMATION: The Patient Protection and Affordable Care 
Act, Public Law 111-148, was enacted on March 23, 2010, and the Health 
Care and Education Reconciliation Act, Public Law 111-152, was enacted 
on March 30, 2010 (collectively referred to as ``the Affordable Care 
Act'').
    Section 1334 of the Affordable Care Act and its implementing 
regulations (codified at 45 CFR part 800) direct OPM to establish the 
Multi-State Plan (MSP) Program to foster competition among plans 
offering coverage on the individual and small group health insurance 
markets on the Affordable Insurance Exchanges (referred to as 
``Exchanges'' or ``Health Insurance Marketplaces''). Specifically, OPM 
must contract with private health insurance issuers to offer at least 
two MSP options on each of the Exchanges in the 50 States and the 
District of Columbia, in which issuers may phase in coverage over a 
period of 4 years.
    Under section 1334(a)(4) of the Affordable Care Act, OPM must 
administer the MSP Program ``in a manner similar to the manner in 
which'' it implements the contracting provisions of the Federal 
Employees Health Benefits (FEHB) Program under 5 U.S.C. 8901 et seq. In 
the MSP Program final rule (78 FR 15560, March 11, 2013), OPM 
interpreted section 1334(a)(4) of the Affordable Care Act to require 
implementation of a uniform, nationally applicable external review 
process for MSP options, consistent with the requirements of section 
2719 of the Public Health Service Act and similar to the process 
administered by OPM under the FEHB Program. This process will ensure 
that MSP Program contracts are administered consistently throughout all 
51 jurisdictions that would be served by an MSP option. Specifically, 
under 45 CFR 800.503, OPM is authorized to conduct external review of 
adverse benefit determinations by MSP issuers using a process similar 
to the FEHB Program disputed claims process. In addition to requests 
for external review, we anticipate that MSP enrollees may contact OPM 
about inquiries or complaints regarding MSP options, which may have to 
be referred to other appropriate entities such as State insurance 
departments, State consumer assistance programs, and the U.S. 
Department of Health and Human Services.
    The purpose of this system of records is to provide a central 
database through which OPM may conduct external review of adverse 
benefit determinations under the MSP Program, refer MSP enrollees to 
other entities about their inquiries or complaints, and correspond with 
MSP enrollees. OPM will collect, manage, and analyze health services 
data that MSP enrollees, MSP issuers, health care providers, and others 
will furnish through secure data transfer. The information contained in 
the database will help ensure that (1) MSP enrollees have adequate 
access to independent review of adverse benefit determinations, (2) MSP 
enrollees are referred to appropriate entities about their inquiries or 
complaints, (3) OPM corresponds with MSP enrollees, and (4) OPM 
collects the information necessary for the enforcement of MSP Program 
contracts and implementation of the program.
    OPM will use identifiable data to create records that are necessary 
to facilitate external review of MSP issuer adverse benefit 
determinations by OPM analysts and independent review organizations. 
Likewise, OPM will use identifiable data to create records about MSP 
enrollee inquiries or complaints, which may have to be referred to 
other State and Federal Government agencies. However, OPM and external 
analysts using the database for analysis purposes will have access only 
to de-identified data.

U.S. Office of Personnel Management.
Elaine Kaplan,
Acting Director.

OPM CENTRAL-19

SYSTEM NAME:
    External Review Records for Multi-State Plan (MSP) Program

SYSTEM LOCATION:
    Office of Personnel Management, 1900 E Street NW., Washington, DC 
20415.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    This system will contain records on MSP enrollees who request 
external review of adverse benefit determinations, and MSP enrollees 
who contact OPM about an inquiry or complaint.

CATEGORIES OF RECORDS IN THE SYSTEM:
    In order to process a request for external review, OPM may require 
an MSP enrollee or an authorized representative to submit the following 
information about the enrollee, which OPM may also collect, as 
necessary, to process enrollee inquiries and complaints:
    a. The adverse benefit determination that the individual received 
from the MSP issuer.
    b. Name.
    c. Date of birth.
    d. Gender.
    e. Social Security Number.
    f. Phone number(s), postal address(es) (current and mailing), and 
email address(es).
    g. Insurance identification (ID) number.
    h. Group number.
    i. Scanned copy of insurance ID card.
    j. The State and county of coverage.
    k. An indication of whether the external review request is for an 
urgent claim.
    l. A brief statement of the reason for the external review request.
    m. The MSP issuer's name.
    n. The name of the MSP option that covers the MSP enrollee.
    o. The claim number.
    p. Subscriber's information: Name, Social Security Number, date of 
birth, gender, phone number(s), postal address(es) (current and 
mailing), and email address(es).

[[Page 65012]]

    q. In cases where an authorized representative requests external 
review, evidence of authorization and the following information about 
the authorized representative: name, phone number(s), postal 
address(es) (current and mailing), and email address(es).
    r. Name of health care provider.
    s. Health care provider address(es).
    t. Any additional information necessary to process the request for 
external review.
    In addition, MSP enrollees may choose to submit additional 
information that will become part of the system of records. This 
information may include, but is not limited to, the following:
    a. A statement about why the MSP enrollee believes the MSP issuer's 
adverse benefit determination was wrong, based on specific benefit 
provisions in the plan brochure, contract, or statement of benefits.
    b. Copies of documents that support the request for external 
review, such as physicians' letters, operative reports, bills, medical 
records, and explanation of benefits (EOB) forms.
    c. Copies of all letters the MSP enrollee sent to the MSP issuer 
about the claim.
    d. Copies of all letters the MSP issuer sent to the MSP enrollee 
about the claim.
    MSP issuers will provide additional information and documentation. 
Consequently, the records in the system may include the following 
information about the MSP enrollee:
    a. Personal identifying information (name, Social Security Number, 
date of birth, gender, phone number, etc.).
    b. Postal address(es) (current and mailing).
    c. Dependent information (spouse, dependents and their addresses).
    d. Employment information.
    e. Health care provider information.
    f. Health care coverage information.
    g. Health care procedure information.
    h. Health care diagnoses information.
    i. Provider charges and reimbursement information on coverage, 
procedures and diagnoses.
    j. Any other letters or other documents submitted in connection 
with the adverse benefit determination by MSP enrollees, health care 
providers, or MSP issuers.
    The aforementioned information may also be collected, as necessary, 
to process MSP enrollee inquiries and complaints.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    OPM has authority to administer the MSP Program under section 1334 
of the Affordable Care Act (42 U.S.C. 18054).

PURPOSE:
    OPM operates this system of records to support the administration 
of the MSP Program. The primary purpose of this system of records is to 
aid in the administration of external review of adverse benefit 
determinations for MSP enrollees. OPM must have the capacity to 
collect, manage, and access health insurance benefits appeals 
information and documents on an ongoing basis in order for OPM to:
    a. Determine eligibility for the MSP Program external review 
process.
    b. Review adverse benefit determinations by MSP issuers to provide 
effective external review.
    c. Track the progress of individual requests for external review 
and ensure that MSP enrollees do not submit duplicative requests.
    d. Make information available for any subsequent litigation related 
to a disputed external review decision.
    e. Monitor whether MSP issuers are providing benefits to which MSP 
enrollees are entitled under the terms of the applicable MSP Program 
contract.
    f. Maintain records for parties to the dispute so that the MSP 
enrollee and MSP issuer can obtain a record of past external reviews in 
which they were involved.
    g. Track and report information about the administration of the MSP 
Program.
    h. Refer MSP enrollees to appropriate entities about their 
inquiries or complaints.
    i. Correspond with MSP enrollees.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    In addition to those disclosures otherwise permitted under 5 U.S.C. 
552a(b), all or a portion of the records or information contained in 
this system may be disclosed outside of OPM, for a routine use under 5 
U.S.C. 552a(b)(3) as follows:
    a. For Claims Adjudication--To disclose information to agency 
contractors conducting claim reviews for the purpose of adjudicating an 
appeal.
    b. For Law Enforcement Purposes--To disclose pertinent information 
to the appropriate Federal, State, or local agency responsible for 
investigating, prosecuting, enforcing, or implementing a statute, rule, 
regulation, or order, where OPM becomes aware of an indication of a 
violation or potential violation of civil or criminal law or 
regulation.
    c. For Congressional Inquiry--To provide information to a 
Congressional office from the record of an individual in response to an 
inquiry from that Congressional office made at the request of that 
individual.
    d. For Judicial/Administrative Proceedings--To disclose information 
to another Federal agency, to a court, or a party in litigation before 
a court or in an administrative proceeding being conducted by a Federal 
agency, when the Government is a party to the judicial or 
administrative proceeding. In those cases where the Government is not a 
party to the processing, records may be disclosed if a subpoena has 
been signed by a judge.
    e. For the National Archives and Records Administration or the 
General Services Administration--To disclose information to the 
National Archives and Records Administration (NARA) or General Services 
Administration for use in records management inspections conducted 
pursuant to 44 U.S.C. 2904 and 2906.
    f. For Litigation--To disclose to the Department of Justice or in a 
proceeding before a court, adjudicative body, or other administrative 
body before which OPM is authorized to appear, when--
    (1) OPM, or any component thereof; or
    (2) Any employee of OPM in his or her official capacity; or
    (3) Any employee of OPM in his or her individual capacity where the 
Department of Justice or OPM has agreed to represent the employee; or
    (4) The United States, when OPM determines that litigation is 
likely to affect OPM or any of its components--
    is a party to litigation or has an interest in such litigation, and 
the use of such records by the Department of Justice or OPM is deemed 
by OPM to be relevant and necessary to the litigation, provided, 
however, that the disclosure is compatible with the purpose for which 
records were collected.
    g. For Non-Federal Personnel--To disclose information to 
contractors, grantees, or volunteers performing or working on a 
contract, service, grant, cooperative agreement, or job for the Federal 
Government, where the disclosure is compatible with the purpose for 
which records are collected.
    h. In the Event of a Data Breach--In the event of a data breach, 
records may be disclosed to appropriate Federal agencies and agency 
contractors that have a need to know the information for the purpose of 
assisting the agency's efforts to respond to a suspected or confirmed 
breach of the security or confidentiality of information maintained in 
this system of records, and the information disclosed is relevant and 
necessary for that assistance.

[[Page 65013]]

    i. To researchers inside and outside the Federal Government, 
approved in advance by OPM on the basis of demonstrated aptitude and a 
written research plan, for the purpose of conducting analysis of health 
care and health insurance trends and topical health-related issues 
compatible with the purposes for which the records were collected and 
formulating health care program changes and enhancements to limit cost 
growth, improve outcomes, increase accountability, and improve 
efficiency in program administration. In all cases, researchers 
external to OPM will access a public use file that will be maintained 
for such purposes; will contain only de-identified data; and will be 
structured, where appropriate, to protect MSP enrollee confidentiality 
where identities may be discerned because there are fewer records under 
certain demographic or other variables. In all disclosures to analysts 
under this routine use, only de-identified data will be disclosed.
    j. If OPM determines that jurisdiction over an MSP enrollee's 
inquiry or complaint lies with another Federal or State agency, 
information in this system of records may be disclosed to other 
agencies, such as a State insurance department, a State Consumer 
Assistance Program, or the U.S. Department of Health and Human 
Services.

POLICIES AND PRACTICES OF STORING, RETRIEVING, SAFEGUARDING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    Paper records will be maintained in locked file cabinets within OPM 
and/or any contractors. Any electronic records will be maintained in 
electronic systems.

RETRIEVABILITY:
    Records will primarily be manipulated, managed and summarized using 
a unique number assigned to each external review or case about an 
inquiry or complaint. However, information may also be accessible by 
other identifying information, including name, date of birth, or Social 
Security Number.

SAFEGUARDS:
    OPM will maintain records within its secure headquarters in 
Washington, DC. Electronic records will be maintained on password-
protected computers and systems. Computer firewalls will be maintained 
to prevent access by unauthorized personnel. Any paper records will be 
delivered to a locked P.O. Box and kept in locked file cabinets.
    Federal employees and employees of Federal contractors are required 
to have been the subject of a favorable adjudication following an 
appropriate background investigation before they are allowed physical 
access to OPM and access to any records. OPM's environment is equipped 
with electronic badge readers restricting access to authorized 
personnel only and has safeguards in place to alert security personnel 
if unauthorized personnel attempt to gain access to OPM's environment. 
OPM employs armed physical security guards 365 days a year, 24 hours a 
day, who patrol OPM headquarters, including entry and exit points. 
Closed Circuit Video cameras are strategically located on every floor 
and external to the facility.
    The system will employ National Institute of Standards and 
Technology (NIST) Security Controls identified in the most recent 
version of Special Publication SP 800-53. NIST 800-53 security controls 
are the management, operational, and technical safeguards or 
countermeasures employed within an organizational information system to 
protect the confidentiality, integrity, and availability of the system 
and its information. OPM will perform a Security Assessment and 
Authorization (SA&A) following the NIST 800-53 standard in order to 
obtain an Authority to Operate (ATO). The system will employ role-based 
access controls to further restrict access to data, based on the 
functions that users are authorized to perform. The system will be 
fully compliant with all applicable provisions of the Privacy Act, 
Health Insurance Portability and Accountability Act (HIPAA), Federal 
Information Security Management Act (FISMA), Federal Records Act, 
Office of Management and Budget (OMB) guidance, and NIST guidance.

RETENTION AND DISPOSAL:
    The records in this system will be retained for at least 6 years. 
Records may be retained for a longer period for the system purposes 
established in this system of records notice, or for other purposes as 
required under law (e.g., for purposes of litigation). A records 
retention schedule will be established with NARA, and no records will 
be destroyed until that schedule has been established. Once that 
schedule is established, it will set forth methods for disposing 
records that would no longer be eligible for retention.

SYSTEM MANAGERS AND ADDRESSES:
    The system manager is Edward M. DeHarde, U.S. Office of Personnel 
Management, Healthcare and Insurance, 1900 E Street NW., Room 2347, 
Washington, DC 20415.

NOTIFICATION AND RECORD ACCESS PROCEDURE:
    Individuals wishing to determine whether this system of records 
contains information about them may do so by writing to the U.S. Office 
of Personnel Management, FOIA/PA Requester Service Center, 1900 E 
Street NW., Room 5415, Washington, DC 20415-7900 or by emailing 
[email protected].
    Individuals must furnish the following information for their 
records to be located:
    1. Full name.
    2. Date and place of birth.
    3. Social Security Number.
    4. Signature.
    5. Available information regarding the type of information 
requested, including the name of the MSP issuer involved in any 
external review and the approximate date of the request for external 
review.
    6. The reason why the individual believes this system contains 
information about him/her.
    7. The address to which the information should be sent.
    Individuals requesting access must also comply with OPM's Privacy 
Act regulations regarding verification of identity and access to 
records (5 CFR part 297). In addition, the requester must provide a 
notarized statement or an unsworn declaration made in accordance with 
28 U.S.C. 1746, in the following format:
     If executed outside the United States: ``I declare (or 
certify, verify, or state) under penalty of perjury under the laws of 
the United States of America that the foregoing is true and correct. 
Executed on [date]. [Signature].''
     If executed within the United States, its territories, 
possessions, or commonwealths: ``I declare (or certify, verify, or 
state) under penalty of perjury that the foregoing is true and correct. 
Executed on [date]. [Signature].''

CONTESTING RECORD PROCEDURE:
    Individuals wishing to request amendment of records about them 
should write to the U.S. Office of Personnel Management, FOIA/PA 
Requester Service Center, 1900 E Street NW., Room 5415, Washington, DC 
20415-7900. ATTN: Healthcare and Insurance, National Healthcare 
Operations.
    Individuals must furnish the following information in writing for 
their records to be located:
    1. Full name.
    2. Date and place of birth.
    3. Social Security Number.
    4. Signature.

[[Page 65014]]

    5. Available information regarding the type of information that the 
individual seeks to have amended, including the name of the MSP issuer 
involved in any external review and the approximate date of the request 
for external review.
    Individuals requesting access must also comply with OPM's Privacy 
Act regulations regarding verification of identity and access to 
records (5 CFR part 297). In addition, the requester must provide a 
notarized statement or an unsworn declaration made in accordance with 
28 U.S.C. 1746, in the following format:
     If executed outside the United States: ``I declare (or 
certify, verify, or state) under penalty of perjury under the laws of 
the United States of America that the foregoing is true and correct. 
Executed on [date]. [Signature].''
     If executed within the United States, its territories, 
possessions, or commonwealths: ``I declare (or certify, verify, or 
state) under penalty of perjury that the foregoing is true and correct. 
Executed on [date]. [Signature].''

RECORD SOURCE CATEGORIES:
    Information in this system of records is obtained from:
    a. MSP enrollees who request external review, or who contact OPM 
about an inquiry or complaint.
    b. Authorized representatives of MSP enrollees.
    c. Health care providers.
    d. MSP issuers.
    e. Medical professionals providing expert medical review under 
contract with OPM.

SYSTEM EXEMPTIONS:
    None.

[FR Doc. 2013-25725 Filed 10-29-13; 8:45 am]
BILLING CODE 6325-38-P