[Federal Register Volume 78, Number 249 (Friday, December 27, 2013)]
[Notices]
[Pages 78959-78962]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2013-31118]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES


Privacy Act of 1974; System of Records Notice

AGENCY: National Disaster Medical System (NDMS), Office of Emergency 
Management (OEM), Office of the Assistant Secretary for Preparedness 
and Response (ASPR), Department of Health and Human Services (HHS).

ACTION: Notice to revise an existing system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, as amended (5 U.S.C. 552a), HHS is altering an existing system of 
records, ``National Disaster Medical System (NDMS) Patient Treatment 
and Tracking,'' system number 09-90-0040. The system of records was 
originally published June 26, 2007 (see 72 FR 35052) and previously 
revised March 27, 2008 (see 73 FR 16307). The alterations include: (1) 
Changing the system name to ``National Disaster Medical System (NDMS) 
Disaster Medical Information Suite (DMIS);'' (2) revising the 
categories of individuals to reflect that patients may include disaster 
workers and others who are provided medical countermeasures; (3) 
dividing the records into three categories (patient treatment, patient 
tracking, and veterinarian treatment) instead of two (patient treatment 
and veterinarian treatment); (4) adding, as a purpose for which 
information from this system is used, that the system provides HHS' 
NDMS claims processing system with records needed to reimburse NDMS 
providers for their services; (5) revising the first routine use to 
include these additional disclosure recipients: state and city 
governmental agencies, Non-Governmental Organizations (NGOs; e.g., 
American Red Cross), and hospitals that provide care to NDMS patients; 
and (6) adding one new routine use, pertaining to security breach 
response.

DATES: Effective Dates: Effective 30 days after publication. Written 
comments should be submitted on or before the effective date. HHS/ASPR/
OEM/NDMS may publish an amended System of Records Notice (SORN) in 
light of any comments received.

ADDRESSES: The public should address written comments to: NDMS 
Director, National Disaster Medical System, 200 C Street SW., 
Washington, DC 20024. To review comments in person, please contact the 
Director NDMS, 200 C Street SW., Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: CDR Sumner Bossler, NDMS Disaster 
Medical Information Suite (DMIS), IT Program Manager, ASPR/OEM/NDMS, 
200 C Street SW., C1L07, Washington, DC 20024. [email protected].

SUPPLEMENTARY INFORMATION:

I. National Disaster Medical System (NDMS) Disaster Medical Information 
Suite (DMIS)

    This system was established pursuant to Section 2812 of the Public 
Health Service (PHS) Act (42 U.S.C. 300hh-11), as amended, and resides 
in HHS/ASPR/OEM. Under section 2801 of the PHS Act, the HHS Secretary 
leads all Federal public health and medical response to public health 
emergencies and incidents covered by the National Response Framework, 
or any successor plan. The Secretary delegates to ASPR the leadership 
role for all health and medical services support functions in a health 
emergency or public health event, including National Special Security 
Events. In such events, ASPR

[[Page 78960]]

may deploy this system, Field Medical Station assets, and other HHS 
employees under the control of the Secretary and provide operational 
oversight over officers of the U.S. Public Health Service Commissioned 
Corps and other Federal public health and medical personnel. Under the 
National Response Framework, HHS is the lead agency for Emergency 
Support Function 8, Public Health and Medical. HHS uses this system to 
collect medical records and share them with the other Federal agencies 
and departments that share ESF 8 responsibilities with HHS. The ESF 8 
agencies have shared statutory authority to collect and use medical 
information as needed to coordinate the following three key functions 
with Federal, state, local and private partners, to augment public 
health and medical activities of State and local governments in 
disaster or public health emergency situations:
     Medical response--this function involves activation and 
deployment of Federal response teams comprised of medical and 
logistical personnel, to assess the health and medical needs of 
disaster victims and to provide physical and mental health care during 
a public health emergency, including National Special Security Events.
     Patient evacuation--this function involves establishment 
of communications, transportation, patient tracking, and a medical 
regulating system to evacuate and move patients from a staging center 
near a disaster site to patient reception sites known as Federal 
Coordinating Centers (FCCs). The Department of Defense (DOD) and 
Veterans Administration (VA) have the prime responsibility for 
activating and managing the FCCs. In turn, upon receiving the patients, 
the FCCs have the authority to arrange for necessary referrals and 
admissions of evacuated patients.
    The information collected by the NDMS-DMIS system and the purposes 
for which the information is used and disclosed by HHS are described in 
more detail in the revised SORN that follows below. Because some of the 
revisions constitute significant changes, HHS provided adequate advance 
notice of the altered SORN to the Office of Management and Budget (OMB) 
and Congress as required by the Privacy Act at 5 U.S.C. 552a(r).

II. The Privacy Act

    The Privacy Act (5 U.S.C. 552a) governs the means by which the U.S. 
Government collects, maintains, and uses information about individuals 
in a system of records. A ``system of records'' is a group of any 
records under the control of a Federal agency from which information 
about an individual is retrieved by the individual's name or other 
personal identifier. The Privacy Act requires each agency to publish in 
the Federal Register a system of records notice (SORN) identifying and 
describing each system of records the agency maintains, including the 
purposes for which the agency uses information about individuals in the 
system, the routine uses for which the agency discloses such 
information outside the agency, and how individual record subjects can 
exercise their rights under the Privacy Act (e.g., to determine if the 
system contains information about them).

System Number:
    09-90-0040

System name:
    National Disaster Medical System (NDMS) Disaster Medical 
Information Suite (DMIS).

Security classification:
    Unclassified.

System location:
    Paper records are stored at NDMS headquarters, 200 C. Street SW., 
Washington, DC 20024. The electronic database and server where 
information is entered and stored is maintained at the MAHC data center 
in Reston, Virginia.

Categories of individuals covered by the system:
    Records in this system pertain to:
     patients who are treated and evacuated by Federal public 
health and medical personnel, including NDMS and PHS teams, that are 
activated to respond to an emergency or other situation; and
     owners of animals that are treated and evacuated by NDMS 
and PHS teams.
    Patients may include disaster workers/responders and others who are 
provided medical countermeasures; however, this SORN excludes patient 
treatment records for federal employee-workers to the extent such 
records are covered under the Office of Personnel Management (OPM) SORN 
titled ``Employee Medical File System Records'' (OPM/GOVT-10). Patient 
records may include information about patients' family members and non-
medical attendants, but only the patients--not their family members and 
non-medical attendants--are considered record subjects.

Categories of records in the system:
    The system includes the following categories of records containing 
personally identifiable information about patients or owners of 
animals:

Category A:
    Completed Patient Treatment Record that includes
    1. Team/personnel identification record, for patients who are 
disaster workers/responders on NDMS teams or other Federal public 
health and medical teams.
    2. Patient treatment record.
    a. Chart Number.
    b. Time and Date Patient seeks treatment.
    c. Triage Category and health status.
    d. Location where Patient is seen and transferred.
    e. Patient Identification: Name, Address, City, State, Zip, Date of 
Birth, Phone Number, Employment, Weight, Next of Kin.
    f. Complaints/Symptoms.
    g. Patient Acuity, health status, Vital Signs/Treatment Recommended 
and/or Prescribed, laboratory tests
    h. Reported Medications and allergies
    i. History of present illness and reported past medical history
    j. Digital Images of patient and non-medical attendant for 
Identification
    k. Digital images, audio or video used for medical assessment
    l. Discharge--Time, Date, Disposition, Recommendations.
    3. Patient Authorization--Requires Patient Signature in Front of 
Witness and Witness Verification through Signature.
    4. Any potential attachments such as X-rays and laboratory reports 
showing test results.

Category B:
    Completed Patient Tracking Record that includes
    1. Patient Tracking Record.
    a. Patient Identification: Name, gender, and Address, City, State, 
Zip, Date of Birth, Phone Number, Employment, Weight, Next of Kin, 
unique ID.
    b. Attendant Identification: Name, gender, Address, City, State, 
Zip, Date of Birth, Phone Number, Next of Kin, email address, unique ID
    c. Triage Category and health status.
    d. Location where Patient is seen and transferred.
    e. Patient Acuity, health status
    f. Digital Images of patient and non-medical attendant for 
Identification
    g. Discharge: Time, Date, Disposition

Category C:
    Veterinarian Treatment Records on animals
    1. Privacy Act Data such as the name, address and telephone contact

[[Page 78961]]

information of owners of animals will be maintained to be associated 
with the animal patient. However, animal treatment records themselves 
are not subject to the Privacy Act protections.

Authority for maintenance of the system:
    The PHS Act, primarily section 2812 (42 U.S.C. 300hh-11); Title VI 
of the Civil Rights Act of 1964 (42 U.S.C. 2000d et seq.); and Section 
504 of the Rehabilitation Act of 1973 (29 U.S.C. 794).

Purposes(s):
    NDMS staff and other relevant HHS personnel use personally 
identifiable information from this system, on a need to know basis, for 
the following purposes:
     To document medical treatment rendered to patients, e.g., 
for use if questions of liability arise about the treatment or the 
subsequent condition of the patient while under the care of NDMS.
     To conduct medical quality assurance reviews and establish 
a quality improvement process (QIP), by reviewing medical treatment on 
a specific deployment, spotting best practices and developing process 
improvements for future deployments.
     For research projects related to the prevention of disease 
or disability as a result of a disaster and for situational awareness 
required for ASPR operations during disasters.
     To provide HHS' NDMS claims processing system with records 
needed to reimburse NDMS providers for their services.

Routine uses of records maintained in the system, including categories 
of users and the purposes of such uses:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a (b) of the Privacy Act, all or a portion of the records or 
information contained in this system may be disclosed to parties 
outside HHS as follows:
    1. To Federal agencies that are ESF 8 partners, including but not 
limited to DHS, DoD, and the VA, or that participate in National 
Special Security Events; state and city governmental agencies; Non-
Governmental Organizations such as the American Red Cross; and 
hospitals providing care to NDMS patients; which share responsibility 
with HHS for the medical treatment and movement of patients (including 
responders), decedents, and animals, for the purpose of discharging 
those responsibilities, including ensuring that patients treated 
receive the maximum level of health care possible. The medical and 
demographic information collected during the treatment of a patient is 
shared with relevant partners to ensure that patients treated through 
NDMS-DMIS receive the appropriate level of health care. The health 
information disclosed among the partners is limited to what is needed 
for continuity of health care operations.
    2. To a member of Congress or a Congressional staff member in 
response to an inquiry from the Congressional office made at the 
written request of the constituent about whom the record is maintained.
    3. To the Department of Justice (DOJ), a court, or an adjudicatory 
body when the following situations arise:
    a. The agency or any component thereof, or
    b. Any employee of the agency whether in his/her official or 
individual capacity, where DOJ has agreed to represent the employee, or
    c. The United States government, is a party to litigation or has an 
interest in such litigation and, after careful review, the agency deems 
that the records requested are relevant and necessary to the litigation 
and that the use of such records by DOJ, the court or the adjudicatory 
body is compliant with the purposes for which the agency collected the 
records.
    4. To contractors, consultants, grantees, or volunteers that have 
been engaged by HHS to assist in the performance of a service related 
to this collection and who have a need to have access to the records in 
order to perform the activity.
    5. To assist another federal or state agency, or its fiscal agent:
    a. To establish the benefit entitlement of the patient.
    b. To establish the relationship between the existing state benefit 
and the benefit funded in whole or part with federal funds, such as the 
one associated with the NDMS definitive care.
    c. To collaborate with the state and state agencies on behalf of 
family members regarding the current location and placement of their 
evacuated family member or patient population.
    6. To family members of a patient, to provide them with information 
about the location or the status of the patient. Disclosure of a 
patient's location or status is not permitted when there is a 
reasonable belief that disclosing such information could endanger the 
life, safety, health, or well-being of the patient.
    7. To appropriate Federal agencies and Department contractors that 
have a need to know the information for the purpose of assisting HHS's 
efforts to respond to a suspected or confirmed breach of the security 
or confidentiality of information maintained in this system of records, 
provided the information disclosed is relevant and necessary for that 
assistance.

Policies and practices for storing, retrieving, accessing, retaining, 
and disposing of records in the system--
Storage:
    Records are stored in paper files kept at NDMS headquarters and in 
an electronic database housed in Reston, Virginia.

Retrievability:
    Records are organized by event, location, and date of treatment. 
Data are retrieved by name and other demographic information provided 
by the patient (or for veterinary records, by animal owner), as well as 
by location of treatment, diagnosis, and other data fields within the 
database.

Safeguards:
    Information in this system is safeguarded in accordance with 
applicable laws, rules and policies, including the HHS Information 
Technology Security Program Handbook, all pertinent National Institutes 
of Standards and Technology publications and OMB Circular A-130, 
Management of Federal Resources. Records are protected from 
unauthorized access through appropriate administrative, physical, and 
technical safeguards. These safeguards include restricting access to 
authorized personnel who have need-to-know, using physical locks in the 
office environment, and the process of authentication using user IDs 
and passwords function as identification protection features. HHS file 
areas are locked after normal duty hours and the facilities are 
protected from the outside by security personnel. Personnel with 
authorized access to the system have been trained in the Privacy Act 
and information security requirements for both paper copies and 
electronically stored information.

Retention and Disposal:
    Records are retained in accordance with records disposition 
schedule N1-468-07-1, approved by the National Archives and Records 
Administration (NARA) for the Office of Public Health and Emergency 
Preparedness (OPHEP); the Pandemic and All Hazards Preparedness Act 
(Pub. L. 109-417) established the ASPR to serve in a similar capacity 
as OPHEP for medical disaster response. Schedule N1-486-08-1 covers 
Patient Care Forms or other Medical Records regulated under the Health 
Insurance Portability and

[[Page 78962]]

Accountability Act (HIPAA), created by the Federal Medical Station(s) 
or by any component of HHS/ASPR during a response to an event while 
caring for victims of that event, and provides the following 
disposition authority:
    Cutoff is at the end of the response activity by the Federal 
Medical Station(s) for a particular event. Retire to the Washington 
National Records Center 2 years after cutoff. Destroy 75 years after 
cutoff.
    Cutoff refers to breaking, or ending files at regular intervals, 
usually at the close of a fiscal or calendar year, to permit their 
disposal or transfer in complete blocks and, in this case, cutoff is at 
the end of the response activity. The cutoff date marks the beginning 
of the records retention period. Veterinarian treatment records 
pertaining to animals and their owners are not included in the above 
schedule, and cannot be destroyed until NARA approves a disposition 
schedule for them.

System manager and address:
    NDMS Director, 200 C. Street SW., Washington, DC 20024.

Notification procedure:
    Individuals seeking to know if this system contains records about 
them must submit a written request to the System Manager at the above 
mailing address, clearly marked as a ``Privacy Act Request'' on the 
envelope and letter (see, generally, HHS Privacy Act regulations found 
at 45 CFR Part 5b). Requests pertaining to patients should include the 
full name of the patient, appropriate verification of identity, current 
address of the patient and the name of the requester, appropriate 
verification of identity, current address of the requester, and the 
nature of the record sought, as required by HHS Privacy Act regulations 
at 45 CFR 5b.5. Requests pertaining to owners of animals should include 
the full name of the owner and the animal, appropriate verification of 
identity, current address of the requester, and the nature of the 
record sought, as required by HHS Privacy Act regulations at 45 CFR 
5b.5

Record access procedures:
    Same as the notification procedure above.

Contesting record procedures:
    Same as the notification procedure above; the request should also 
clearly and concisely describe the information contested, the reasons 
for contesting it, and the proposed amendment sought, pursuant to HHS 
Privacy Act regulations at 45 CFR 5b.7.

Record source categories:
    Information in patient treatment and tracking records is obtained 
directly from the patients and from medical or clinical personnel 
treating or evacuating the patients or accessing their personal health 
records (PHR). In the case of minors or other patients who are unable 
to explain symptoms, information may be obtained from a parent or 
guardian, or other family members or individuals attending. Information 
in veterinarian treatment records about owners of animals is obtained 
from NDMS veterinary personnel and/or the owners or caretakers of the 
animals.

System exempted from certain provision of the Privacy Act:
    None.

    Dated: December 6, 2013.
Nicole Lurie,
Assistant Secretary for Preparedness and Response.
[FR Doc. 2013-31118 Filed 12-26-13; 8:45 am]
BILLING CODE 4150-37-P