[Federal Register Volume 83, Number 32 (Thursday, February 15, 2018)]
[Notices]
[Pages 6875-6878]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-03143]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT

[Docket No. FR-7009-N-03]


HUD Supportive Services Demonstration/Integrated Wellness in 
Supportive Housing: Privacy Act of 1974; System of Records

AGENCY: Office of Policy Development and Research, HUD.

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: Pursuant to the Privacy Act of 1974, as amended, notice is 
hereby given that the Office of Policy Development and Research (PD&R), 
U.S. Department of Housing and Urban Development (HUD), provides public 
notice regarding its System of Records for the HUD Supportive Services 
Demonstration (SSD)/Integrated Wellness in Supportive Housing (IWISH). 
The demonstration will test a model of housing and supportive services 
in HUD-assisted Multifamily housing with the potential to delay or 
avoid nursing home care for low-income elderly residents in HUD-
assisted housing. Primary data collection includes a Resident 
Assessment and uses a standardized, web-based platform to capture and 
store self-reported demographic and health and social status 
information from demonstration participants, including personally 
identifying information (PII) and protected health information (PHI). A 
more detailed description of the proposed system of records is 
contained in the purpose section of this notice.

DATES: This notice will become applicable March 19, 2018.

ADDRESSES: You may submit comments, identified by docket number and 
title by one of the following methods: Interested persons are invited 
to submit comments regarding this notice to the Rules Docket Clerk, 
Office of General Counsel, Department of Housing and Urban Development, 
451 Seventh Street SW, Room 10276, Washington, DC 20410. Comments may 
be filed electronically by accessing: www.regulations.gov. 
Regulations.gov provides clear instructions on how to submit a public 
comment on a rule. Communications should refer to the above docket 
number and title. Faxed comments are not accepted. A copy of each 
communication submitted will be available for public inspection and 
copying between 8 a.m. and 5 p.m. weekdays at the above address.

FOR FURTHER INFORMATION CONTACT: John Bravacos, Senior Agency Official 
for Privacy, at 451 7th Street SW, Room 10139; U.S. Department of 
Housing and Urban Development; Washington, DC 20410-0001; telephone 
number 202-708-3054 (this is not a toll-free number). Individuals who 
are hearing- or speech-impaired may access this telephone number via 
TTY by calling the Federal Relay Service at 800-877-8339 (this is a 
toll-free number).

SUPPLEMENTARY INFORMATION: The new System of Records will encompass 
data collected by PD&R to implement the HUD Supportive Services 
Demonstration (SSD)/Integrated Wellness in Supportive Housing (IWISH). 
HUD's Office of Policy Development and Research and Office of 
Multifamily Housing, are launching the Supportive Services 
Demonstration (SSD), which was authorized under the Fiscal Year 2014 
Consolidated Appropriations Act.
    The demonstration will test a model of housing and supportive 
services with the potential to delay or avoid nursing home care for 
low-income elderly residents in HUD-assisted Multifamily housing. The 
3-year demonstration will be implemented in 40 HUD-assisted multifamily 
properties in California, Illinois, Maryland, Massachusetts, Michigan, 
New Jersey, and South Carolina. Each property will enter into a 
cooperative agreement with HUD's Office of Multifamily Housing and 
receive funds to employ a Resident Wellness Director and Wellness Nurse 
to assess elderly residents' social service and healthcare needs, 
connect residents with services, and liaise with providers.
    The Resident Wellness Director and Wellness Nurse teams will 
conduct a Resident Assessment and use a standardized, web-based 
platform to capture and store self-reported demographic and health and 
social status information from demonstration participants, including 
personally identifying information (PII) and protected health 
information (PHI). The web-based platform, Population Health Logistics 
(PHL), is provided by Preferred Population Health Management, LLC 
(PPHM). HUD has a contract with The Lewin Group to support the 
implementation of the Supportive Services Demonstration; The Lewin 
Group has a subcontract with PPHM to use PHL for the demonstration.
    The new notice states the name and location of the record system, 
the authority for and manner of its operations, the categories of 
individuals that it covers, the type of records that it contains, the 
sources of the information for the records, the routine uses made of 
the records, and the types of exemptions in place for the records. The 
notice also includes the business address of the HUD officials who will 
inform interested persons of how they may gain access to and/or request 
amendments to records pertaining to themselves.
    Publication of this notice allows the Department to provide new 
information about its system of records notices in a clear and cohesive 
format. The new system of records will incorporate Federal privacy 
requirements and Department's policy requirements. The Privacy Act 
places on Federal agencies principal responsibility for compliance with 
its provisions, by requiring Federal agencies to safeguard an 
individual's records against an invasion of personal privacy; protect 
the records contained in an agency system of records from unauthorized 
disclosure; ensure that the records collected are relevant, necessary, 
current, and collected only for their intended use; and adequately

[[Page 6876]]

safeguard the records to prevent misuse of such information. In 
addition, this notice demonstrates the Department's focus on industry 
best practices to protect the personal privacy of the individuals 
covered by this SORN.
    Pursuant to the Privacy Act and the Office of Management and Budget 
(OMB) guidelines, a report of the system of records was submitted to 
OMB, the Senate Committee on Homeland Security and Governmental 
Affairs, and the House Committee on Oversight and Government Reform, as 
instructed by paragraph 7a of OMB Circular No. A-108, ``Federal 
Agencies Responsibilities for Review, Reporting, and Publication under 
the Privacy Act,'' December 23, 2016.
System Name and Number
    HUDIPHL Supportive Services Demonstration Data Collection Platform.

SECURITY CLASSIFICATION:
    No information in the system is classified.

SYSTEM LOCATION:
    Records are stored on Microsoft Azure secure cloud servers 
administered by Preferred Population Health Management, LLC (PPHM). All 
data is stored in the Microsoft Azure platform. The primary datacenter 
is located in Chicago, while the geo-redundant datacenter is in 
California.

System Manager(s):
    Carol S. Star, Program Evaluation Division, Office of Policy 
Development and Research, U.S. Department of Housing and Urban 
Development, 451 7th Street SW, Washington, DC 20410; telephone number 
202-402-6139 (this is not a toll-free number).

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Sec. 501 and 502 of the Housing and Urban Development Act of 1970 
(Pub. L. 91-609), 12 U.S.C. 1701z-1, 1701z-2.

PURPOSE(S) OF THE SYSTEM:
    As an essential part of the Supportive Services Demonstration, 
Resident Wellness Director and Wellness Nurse teams will conduct a 
Resident Assessment and use a standardized, third-party web-based 
platform to capture and store self-reported demographic and health and 
social status information from demonstration participants, including 
personally identifying information (PII) and protected health 
information (PHI).
    Use of this platform is essential to the successful implementation 
of the demonstration because Resident Wellness Directors and Wellness 
Nurses must be able to adequately assess and track residents' needs, 
monitor referrals, and ensure access to providers.
    The demonstration also requires a web-based platform to support 
program development and performance monitoring, as well as evaluation 
efforts. This requires standardized, adaptable, accessible and easy to 
use web-based platform to administer assessments, securely house and 
track data, quality assurance measures and outcomes, and produce 
reports throughout the three-year demonstration period.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Data will be collected from residents who live in 40 HUD-assisted 
Multifamily housing properties in California, Illinois, Maryland, 
Massachusetts, Michigan, New Jersey and South Carolina. The vast 
majority of individuals will be HUD-assisted seniors aged 62 or older.

CATEGORIES OF RECORDS IN THE SYSTEM:
     Participant Details: Full Name, Address, Phone, Email, 
Date of Birth, Social Security Number, Ethnicity, Race, Gender, Marital 
Status, Spoken Language, Veteran Status, Consent Form Status
     Household Members
     Emergency Contacts
     Advanced Directives and Powers of Attorney
     Insurance Information
     Clinician Information
     Specialist Information
     Hospital Information
     Service Needs
     Case Manager Information
     Caregiver Information
     Pre-Screens
     Medications
     Health Conditions
     Surgical History Conditions
     Allergies
     Immunizations
     Vitals
     Pain Scale
     Vision/Dental Health/Foot Practice Assessment
     Functional Assessment
     Smoking Assessment
     Nutrition Assessment
     Falls Risk Assessment
     Additional Depression Screening Using the PHQ-9 or the 
GDS-S
     Generalized Anxiety Disorder Scale (GAD-7)
     Drug and Alcohol Screening Tool (DAST-10)
     Short Michigan Alcoholism Screening Test--Geriatric 
Version (SMAST-G)
     Mini-Cog

RECORD SOURCE CATEGORIES:
    Residents in HUD-assisted Multifamily 40 housing properties in 
California, Illinois, Maryland, Massachusetts, Michigan, New Jersey and 
South Carolina who have agreed to participate in the Demonstration.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    In addition to those disclosures generally permitted under 5 U.S.C. 
Section 552a(b) of the Privacy Act, all or a portion of the records or 
information contained in this system may be disclosed outside HUD as a 
routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
    To appropriate agencies, entities, and persons for disclosures 
compatible with the purpose for which the records in this system were 
collected, as set forth by Appendix I--HUD's Routine Use Inventory 
Notice, 80 FR 81837 (December 31, 2015).
    1. To the National Archives and Records Administration or to the 
General Services Administration for records having enough historical or 
other value to warrant continued preservation by the United States 
Government, or for inspection under Title 44 U.S.C. 2904 and 2906.
    2. To a congressional office from the record of an individual, in 
response to an inquiry from that congressional office made at the 
request of that individual.
    3. To contractors performing or working under a contract with HUD, 
when necessary to accomplish an agency function related to this system 
of records. Disclosure requirements are limited to only those data 
elements considered relevant to accomplishing an agency function. 
Individuals provided information under these routine use conditions are 
subject to Privacy Act requirements and disclosure limitations imposed 
on the Department.
    4. To the Department of Justice (DOJ) when seeking legal advice for 
a HUD initiative or in response to DOD's request for the information, 
after either HUD or DOJ determine that such information relates to 
DOJ's representation of the United States or any other components in 
legal proceedings before a court or adjudicative body, provided that, 
in each case, the agency also determines prior to disclosure that 
disclosure of the records to DOJ is a .use of the information in the 
records that is compatible with the purpose for which HUD collected the 
records. HUD on its own may disclose records in this system of records 
in legal proceedings before a court or administrative body after 
determining that the disclosure of the records to the court or 
administrative body is a use of the information

[[Page 6877]]

contained in the records that is compatible with the purpose for which 
HUD collected the records.
    5. To contractors, grantees, experts, consultants, Federal 
agencies, and non-Federal entities including but not limited to state 
and local governments, with whom I-IUD has a contract, service 
agreement, grant, or cooperative agreement. The records may not be used 
to make decisions concerning the rights, benefits, or privileges of 
specific individuals, or providers of services with respect to a 
homeless individual's efforts.
    6. To appropriate agencies, entities, and persons when: (a) HUD 
suspects or has confirmed that the security or confidentiality of 
information in a system of records has been compromised; (b) HUD has 
determined that, as a result of the suspected or confirmed compromise, 
there is a risk of harm to economic or property interests, identity 
theft or fraud, or harm to the security or integrity of systems or 
programs (whether maintained by HUD or another agency or entity) that 
rely upon the compromised information; and (c) the disclosure made to 
such agencies, entities, and persons is reasonably necessary to assist 
in connection with HUD's efforts to respond to the suspected or 
confirmed compromise and prevent, minimize, or remedy such harm for 
purposes of facilitating responses and remediation efforts in the event 
of a data breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records are stored on Microsoft Azure secure cloud servers 
administered by Preferred Population Health Management, LLC (PPHM). All 
data is stored in a secure datacenter. The primary datacenter is 
located in Chicago, while the geo-redundant datacenter is in 
California. The data management at the facility is built with multiple 
layers of security and follows best practices for securing sensitive 
data. Any paper-based records (e.g. printed Resident Assessment forms) 
will be stored in a locked file cabinet, in private offices, at the 
housing property. Staff will be trained on proper confidentiality and 
privacy acts prior to enrolling participants.
    Records in PHL will be retained throughout the 3-year demonstration 
period and destroyed at the end of the implementation contract. Prior 
to destruction of the data, housing property sites will be given an 
opportunity to continue using PHL outside of the demonstration, with no 
further involvement from HUD. Many housing providers use similar data 
platforms to collect resident PII. If housing sites elect to use PHL 
after the demonstration period, they may do so, but will have to enter 
in to their own licensing agreements with PHL. Resident Wellness 
Directors may retain their own records in accordance with Chapter 8 of 
the Office of Multifamily Housing Management Agent Handbook, which 
covers the roles and responsibilities of the traditional Service 
Coordinator Program.
    As part of the contract supporting the implementation of the SSD, 
the implementation contractor is expected to fully cooperate with the 
evaluation team and share data as necessary. Privacy and security 
measures governing any data that is transferred to the evaluation 
contractor will be covered in the evaluation contract and associated 
SORN.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records will be retrieved by SSD staff (Resident Wellness Directors 
and Wellness Nurses) to maintain accuracy of data and to verify various 
program components. Staff will have unique identifiers which will 
provide them access to only the participants within their property. PHL 
user logins are tracked and each login is given a unique session ID. 
Sessions are marked inactive when users log out of the system.
    Records will also be retrieved by HUD funded contractors to monitor 
program performance and model fidelity for the duration of the 
demonstration. HUD contractors will have unique identifiers which will 
provide them access to both property and participant-level records.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records in PIE, will be retained throughout the three-year 
demonstration period and destroyed at the end of the implementation 
contract. Prior to destruction of the data, housing property sites will 
be given an opportunity to continue using PHL outside of the 
demonstration, with no further involvement from HUD. If housing sites 
elect to use PHL after the demonstration period, they may do so, but 
will have to enter in to their own licensing agreements with PHL. 
Resident Wellness Directors may retain their own records in accordance 
with Chapter 8 of the Office of Multifamily Housing Management Agent 
Handbook, which covers the roles and responsibilities of the 
traditional Service Coordinator Program.
    As part of the contract supporting the implementation of SSD, the 
implementation contract is expected to fully cooperate with the 
evaluation team and share data as necessary. Privacy and security 
measures governing any data that are transferred to the evaluation 
contractor are covered by the evaluation contract.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    The data management at the facility is built with multiple layers 
of security and follows best practices for securing sensitive data. The 
main levels of security include: Media and server physical security in 
the data center, data user access controls, and virtual server 
security. The data center is physically located within a building 
having limited, electronic passkey access in addition to physical sign 
in and identification with security staff. Physical access to the data 
center is limited to data center staff and few key personnel. Physical 
access requires photo identification, access cards and passwords along 
with manual sign in and sign out procedures. The data center is 
monitored on a 24x7 basis. Desktop computers and laptops in offices 
outside the data center do not store any data. These user end-points 
are encrypted, password protected, protected by hardware firewalls and 
antivirus software. Periodic security audits of all computers are 
performed along with vulnerability audits. Access to the data on the 
servers that reside inside the datacenter is limited to access through 
secure Virtual Private Networks (VPNs).
    Access to any server, security, storage, backup, and infrastructure 
equipment is monitored, restricted to only those with a need-to-have 
system access, including being secured by administrative password and 
authentication methods. Data access is limited to data analysts and key 
members of the IT staff. Prior to receiving PHI access, all staff 
members will receive HIPAA training and abide by security procedures 
developed by the management. Each user (e.g., Resident Wellness 
Directors and Wellness Nurses) are assigned as user type that 
administrators are able to assign to individual users; users will only 
have access to the data of the residents they are working with, and no 
access to data from other sites. PHL also records the user, time, and 
items clicked on or visited throughout PHL. All staff members are 
required to sign and abide by data security and privacy agreements 
required by PHL, as well as HUD policies.

RECORD ACCESS PROCEDURES:
    For information, assistance, or inquiry about records, contact John 
Bravacos,

[[Page 6878]]

Senior Agency Official for Privacy, at 451 7th Street SW, Room 10139; 
U.S. Department of Housing and Urban Development; Washington, DC 20410-
0001, telephone number 202-708-3054 (this is not a toll-free number). 
When seeking records about yourself from this system of records or any 
other Housing and Urban Development (HUD) system of records, your 
request must conform with the Privacy Act regulations set forth in 24 
CFR part 16. You must first verify your identity, meaning that you must 
provide your full name, address, and date and place of birth. You must 
sign your request, and your signature must either be notarized or 
submitted under 28 U.S.C. 1746, a law that permits statements to be 
made, under penalty of perjury, as a substitute for notarization. In 
addition, your request should: Explain why you believe HUD would have 
information on you.
    a. Identify which Office of HUD you believe has the records about 
you.
    c. Specify when you believe the records would have been created.
    d. Provide any other information that will help the Freedom of 
Information Act (FOIA) staff determine which HUD office may have 
responsive records.
    If your request is seeking records pertaining to another living 
individual, you must include a statement from that individual 
certifying their agreement for you to access their records. Without the 
above information, the HUD FOIA Office may not conduct an effective 
search, and your request may be denied due to lack of specificity or 
lack of compliance with regulations.

CONTESTING RECORD PROCEDURES:
    The Department's rules for contesting contents of records and 
appealing initial denials appear in 24 CFR part 16, Procedures for 
Inquiries. Additional assistance may be obtained by contacting John 
Bravacos, Senior Agency Official for Privacy, at 451 7th Street SW, 
Room 10139; U.S. Department of Housing and Urban Development; 
Washington, DC 20410-0001, or the HUD Departmental Privacy Appeals 
Officers; Office of General Counsel; U.S. Department of Housing and 
Urban Development; 451 7th Street SW, Washington DC 20410-0001.

NOTIFICATION PROCEDURES:
    Individual wishing to determine to whether this system of records 
contains information about them may do so by contacting their lending 
institutions or contacting HUD's Privacy Officer or Freedom of 
Information Act Office at the addresses above.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.
    History: None.

    Dated: February 8, 2018.
John Bravacos,
Senior Agency Official for Privacy.
[FR Doc. 2018-03143 Filed 2-14-18; 8:45 am]
BILLING CODE 4210-67-P