[Federal Register Volume 84, Number 70 (Thursday, April 11, 2019)]
[Rules and Regulations]
[Pages 14622-14624]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-07122]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

45 CFR Part 5b

RIN 0991-AC10


Privacy Act; Implementation

AGENCY: Department of Health and Human Services (HHS).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Department of Health and Human Services (HHS or 
Department) is issuing this final rule to make effective the exemptions 
that HHS proposed for certain records covered in a new Privacy Act 
system of records, System No. 09-90-1701, HHS Insider Threat Program 
Records.

DATES: This final rule is effective April 11, 2019.

FOR FURTHER INFORMATION CONTACT: Michael W. Schmoyer, Assistant Deputy 
Secretary for National Security by email at [email protected] or 
telephone at (202) 690-5756, or by mail to the HHS Office of Security 
and Strategic Information (OSSI), 200 Independence Ave. SW, Washington, 
DC 20201.

SUPPLEMENTARY INFORMATION: In accordance with 5 U.S.C. 552a (Privacy 
Act or Act), the exemptions were described in a Notice of Proposed 
Rulemaking (NPRM) published for public notice and comment at 83 FR 
42627 (Aug. 23, 2018). The new system of records is described in a 
System of Records Notice (SORN) which was published for public notice 
and comment the same day, at 83 FR 42667 (Aug 23, 2018). Only law 
enforcement investigatory material and classified intelligence 
information were proposed to be exempted, based on subsections (k)(1) 
and (k)(2) of the Act, from the requirements contained in subsections 
(c)(3), (d)(1)-(4), (e)(1), (e)(4)(G), (H), and (I), and (f) of the 
Act, which require the agency to provide an accounting of disclosures; 
provide notification, access, and amendment rights, rules, and 
procedures; maintain only relevant and necessary information; and 
identify categories of record sources. The NPRM also explained that if 
the HHS Insider Threat Program obtains law enforcement investigatory 
material from another Privacy Act system of records that has been 
exempted from Privacy Act requirements based on subsection (j)(2) of 
the Act, that material will be exempt in System No. 09-90-1701 to the 
same extent it is exempt in the source system, so it may be exempt from 
requirements in any of these subsections of the Act: (c)(3)-(4); 
(d)(1)-(4); (e)(1)-(3), (e)(4)(G)-(I), (e)(5), (e)(8), (e)(12); (f); 
(g); and (h).
    The comment period for the SORN and NPRM was open through September 
24, 2018. No comments were received on the NPRM and no comments were 
received on the SORN. No changes to the proposed exemptions or to the 
SORN were made following the public comment period.
    The specific rationales that support the exemptions as to each 
affected Privacy Act provision, remain as stated in the NPRM; the 
exemptions from the particular subsections are necessary and 
appropriate, and justified for the following reasons:
     5 U.S.C. 552a(c)(3) (the requirement to provide 
accountings of disclosures) and 5 U.S.C. 552a(d)(1)-(4) (requirements 
addressing notification, access, and amendment rights, collectively 
referred to herein as access requirements). Providing individual record 
subjects with accountings of disclosures and with notification, access, 
and amendment rights with respect to Insider Threat Program records 
could reveal the existence of an investigation, investigative interest, 
investigative techniques, details about an investigation, security-
sensitive information such as information about security measures and 
security vulnerabilities, information that must remain non-public to 
protect national security or personal privacy-identities of law 
enforcement personnel, or other sensitive or classified information. 
Revealing such information to record subjects would thwart or impede 
pending and future law enforcement investigations and efforts to 
protect national security, and would violate personal privacy. 
Revealing the information would enable record subjects or other persons 
to evade detection and apprehension by security and law enforcement 
personnel; destroy, conceal, or tamper with evidence or fabricate 
testimony; or harass, intimidate, harm, coerce, or retaliate against 
witnesses, complainants, investigators, security personnel, law 
enforcement personnel, or their family members, their employees, or 
other individuals. With

[[Page 14623]]

respect to investigatory material compiled for law enforcement 
purposes, the exemption pursuant to 5 U.S.C. 552a(k)(2) from access 
requirements in subsection (d) of the Act is statutorily limited. If 
any individual is denied a right, privilege, or benefit to which the 
individual would otherwise be entitled by federal law or for which the 
individual would otherwise be eligible, access will be granted, except 
to the extent that the disclosure would reveal the identity of a source 
who furnished information to the Government under an express promise of 
confidentiality.
     5 U.S.C. 552a(e)(1) (the requirement to maintain only 
relevant and necessary information authorized by statute or Executive 
Order). It will not always be possible to determine at the time 
information is received or compiled in this system of records whether 
the information is or will be relevant and necessary to a law 
enforcement investigation or to protecting national security. For 
example, a tip or lead that does not appear relevant or necessary to 
uncovering an insider threat by itself or at the time the tip or lead 
is received may prove to be relevant and necessary when combined with 
other information that reveals a pattern or that comes to light later.
     5 U.S.C. 552a(e)(4)(G) and (H) (the requirements to 
describe procedures by which subjects may be notified of whether the 
system of records contains records about them and seek access or 
amendment of a record). These requirements concern individual access to 
records, and the records are exempt under (c) and (d), as described 
above. To the extent that (e)(4)(G) and (H) are interpreted to require 
more detailed procedures regarding record notification, access, or 
amendment than have been published in the Federal Register, exemption 
from those provisions is necessary for the same rationale as applies to 
(c) and (d).
     5 U.S.C. 552a(e)(4)(I) (the requirement to describe the 
categories of record sources). To the extent that this subsection is 
interpreted to require a more detailed description regarding the record 
sources in this system than has been published in the Federal Register, 
exemption from this provision is necessary to protect the sources of 
law enforcement and intelligence information and to protect the privacy 
and safety of witnesses and informants and others who provide 
information to HHS. Further, greater specificity of sources of properly 
classified records could compromise national security. Moreover, 
because records used in the Insider Threat Program could come from any 
source, it is not possible to know every category in advance in order 
to list them all in the SORN. Some record source categories may not be 
appropriate to make public in the SORN if, for example, revealing them 
could enable record subjects or other individuals to discover 
investigative techniques and devise ways to bypass them to evade 
detection and apprehension.
     5 U.S.C. 552a(f) (the requirement to promulgate rules to 
implement provisions of the Privacy Act). To the extent that this 
subsection is interpreted to require agency rules addressing the above 
exempted requirements, exemption from this provision is also necessary 
to protect the sources of law enforcement and intelligence information 
and to protect the privacy and safety of witnesses and informants and 
others who provide information to HHS. Greater specificity in 
rulemaking regarding properly classified records could compromise 
national security.
    Accordingly, based on 5 U.S.C. 552a(k)(1) and (k)(2) and the 
specific rationales indicated above, HHS is now exempting law 
enforcement investigatory material and classified intelligence 
information in system of records 09-90-1701 HHS Insider Threat Program 
Records from subsections (c)(3), (d)(1)-(4), (e)(1), (e)(4)(G), (H), 
and (I), and (f) of the Act, which contain requirements to provide an 
accounting of disclosures; provide notification, access, and amendment 
rights, rules, and procedures; maintain only relevant and necessary 
information; and identify categories of record sources. In addition, 
HHS affirms that if the HHS Insider Threat Program obtains law 
enforcement investigatory material from another Privacy Act system of 
records that has been exempted from Privacy Act requirements based on 
subsection (j)(2) of the Act, that material will be exempt in System 
No. 09-90-1701 to the same extent it is exempt in the source system.
    Notwithstanding these exemptions, consideration will be given to 
any requests for notification, access, and amendment that are addressed 
to the System Manager, as provided in the SORN for system of records 
09-90-1701, and to accounting of disclosure requests. Where HHS 
determines that compliance with a request would not interfere with or 
adversely affect the purpose of this system of records to detect, 
deter, or mitigate insider threats, the applicable exemption may be 
waived by HHS in its sole discretion.
    The Federal Register notice containing the SORN proposed for new 
system of records 09-90-1701 provides for that SORN to be effective 
upon publication of this final rule. No changes were made to the SORN 
as a result of public comments and, therefore, the SORN, as published 
at 83 FR 42667 (Aug. 23, 2018), is now effective.

Analysis of Impacts

    The agency has reviewed this rule under Executive Orders 12866 and 
13563, which direct agencies to assess costs and benefits of available 
regulatory alternatives and, if regulation is necessary, to maximize 
the net benefits. The agency believes that this rule is not a 
significant regulatory action under Executive Order 12866, and 
therefore does not constitute an Executive Order 13771 regulatory 
action, because it will not (1) have an annual effect on the economy of 
$100 million or more or adversely affect in a material way the economy, 
a sector of the economy, productivity, competition, jobs, the 
environment, public health or safety, or state, local or tribal 
governments or communities; (2) create a serious inconsistency or 
otherwise interfere with an action taken or planned by another agency; 
(3) materially alter the budgetary impact of entitlements, grants, user 
fees or loan programs, or the rights and obligations of recipients 
thereof; or (4) raise novel legal or policy issues arising out of legal 
mandates, the President's priorities, or the principles set forth in 
Executive Order 12866.
    The Regulatory Flexibility Act requires agencies to analyze 
regulatory options that would minimize any significant impact of a rule 
on small entities. Because the rule imposes no duties or obligations on 
small entities, the Department certifies that the rule will not have a 
significant economic impact on a substantial number of small entities.
    Section 202(a) of the Unfunded Mandates Reform Act of 1995 requires 
that agencies prepare a written statement, which includes an assessment 
of anticipated costs and benefits, before proposing ``any rule that 
includes any Federal mandate that may result in the expenditure by 
State, local, and tribal governments, in the aggregate, or by the 
private sector, of $100,000,000 or more (adjusted annually for 
inflation) in any one year.'' The current threshold after adjustment 
for inflation is $144 million, using the most current (2015) Implicit 
Price Deflator for the Gross Domestic Product. The Department does not 
expect that this final rule would result in any one-year expenditure 
that would meet or exceed this amount.

List of Subjects in 45 CFR Part 5b

    Privacy.


[[Page 14624]]


    For the reasons stated in the preamble, the Department amends part 
5b of title 45 of the Code of Federal Regulations as follows:

PART 5b--PRIVACY ACT REGULATIONS

0
1. The authority citation for part 5b continues to read as follows:

    Authority: 5 U.S.C. 301, 5 U.S.C. 552a.

0
2. Section 5b.11 is amended by adding paragraph (b)(2)(viii)(A) and 
reserved paragraph (b)(2)(viii)(B) to read as follows:


Sec.  5b.11   Exempt systems.

* * * * *
    (b) * * *
    (2) * * *
    (viii) Pursuant to subsections (k)(1) and (k)(2) of the Act:
    (A) HHS Insider Threat Program Records, 09-90-1701.
    (B) [Reserved]
* * * * *

Michael Schmoyer,
Assistant Deputy Secretary for National Security.
    Dated: April 4, 2019.
Alex M. Azar II,
Secretary.
[FR Doc. 2019-07122 Filed 4-10-19; 8:45 am]
 BILLING CODE 4151-17-P