[Federal Register Volume 84, Number 98 (Tuesday, May 21, 2019)] [Notices] [Pages 23057-23060] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 2019-10478] ----------------------------------------------------------------------- DEPARTMENT OF HEALTH AND HUMAN SERVICES Modified Systems of Records Notice for State-Provided Physician Records (Renamed Health Professional Service Delivery Data), 09-15- 0066; Privacy Act of 1974; System of Records AGENCY: Health Resources and Services Administration (HRSA), Department of Health and Human Services (HHS). ACTION: Notice of a Modified System of Records. ----------------------------------------------------------------------- SUMMARY: In accordance with requirements of the Privacy Act of 1974, as amended, the Department of Health and Human Services (HHS) is updating an existing system of records maintained by the Health Resources and Services Administration (HRSA), System No. 09-15-0066 ``State-Provided Physician Records for the Application Submission & Processing System.'' The system of records covers service delivery data pertaining to individual health care providers practicing in eligible primary care, mental health, and dental disciplines, which is used by state partners to apply for, and by HRSA to designate, health professional shortage areas and medically underserved areas and populations. The modifications include adding a unique identifier for providers, known as the National Provider Identifier; and changing the system name to ``Health Professional Service Delivery Data Used to Designate Health Professional Shortage Areas (HPSAs) and Medically Underserved Areas and Populations (MUA/Ps).'' DATES: In accordance with 5 U.S.C. 552a(e)(4) and (11), this notice is applicable May 21, 2019, subject to a 30-day period in which to comment on the new and revised routine uses, described below. Please submit any comments by June 20, 2019. ADDRESSES: Written comments may be submitted by email to [email protected] or by mail, addressed to: ATTN: HRSA/BHW/DPSD, 5600 Fishers Ln., Rockville, MD 20857. FOR FURTHER INFORMATION CONTACT: General questions about the revised system of records may be submitted by email to [email protected], or telephone to 301-594-5968, or by mail addressed to Dr. Janelle McCutchen, Division of Policy and Shortage Designation, Bureau of Health Workforce (BHW), Health Resources and Services Administration (HRSA), 5600 Fishers Ln., Rockville, MD 20857. SUPPLEMENTARY INFORMATION: This system of records was established in 2005 (see 70 FR 1724) and was last comprehensively updated in 2010 (see 75 FR 19652). The primary reason for updating the system of records again is to add a unique identifier for providers, known as the National Provider Identifier, which HRSA will obtain from CMS' National Plan and Provider Enumeration System (NPPES), System No. 09-70-0555 (formerly 09-70-0008; the number was changed to 09-70-0555 in 2010). On behalf of the Secretary of HHS, NPPES collects and maintains information needed to uniquely identify an individual physician or non- physician practitioner, assign a National Provider Identifier (NPI) to that physician or non-physician practitioner, and maintain and update the information in that health care provider's record in NPPES. In addition to reformatting the System of Records Notice to comply with OMB Circular A-108 and updating office names in the System Location and System Manager sections, modifications made to the system of records include the following substantive changes: 1. The system name has been changed to ``Health Professional Service Delivery Data Used to Designate Health Professional Shortage Areas (HPSAs) and Medically Underserved Areas and Populations (MUA/ Ps)'' to more clearly indicate the nature of the records. 2. Section 330 of the Public Health Service Act (PHSA) (42 U.S.C. 254b) and the U.S. Code citation for Section 332 of the PHSA (42 U.S.C. 254e) have been added to the Authorities section. 3. The Purposes section has been expanded to include additional purposes for which records may be used, such as: (1) Creation of aggregate datasets to use in conducting workforce analyses; and (2) granting Organizational Points of Contact access to the system to validate provider data. 4. The Categories of Individuals section has been updated to specify that the collection of health professional service delivery data is limited to providers who are assigned a National Provider Identifier by the NPPES. 5. The Categories of Records section now states a record category and includes an updated list of data elements. 6. The Record Source Categories section now includes the new data source, NPPES. 7. The Routine Uses section, which formerly contained four routine uses, now contains 11 routine uses, of which two are revised and seven are new. Specifically:Routine use 1 (authorizing disclosures to HRSA's state partners) was revised to be consistent with each [[Page 23058]] state partner's ownership rights in the data it provides. The limitation on each state partner's ability to use and share data provided by another state partner is also defined. Former routine uses 2 and 3 (which authorized disclosures to HHS contractors for particular purposes) are now combined as revised routine use 2. This routine use was broadened to cover any purpose of the system of records for which a contractor may be engaged to assist HHS and require access to the records. Routine uses 3 through 7 and 10 are new; they authorize disclosures which are not for direct program purposes, but are for related purposes which might arise in any system of records; i.e., to congressional offices for the purpose of responding to constituent requests; to the U.S. Department of Justice for litigation purposes; to law enforcement agencies for law enforcement purposes, when a record indicates a violation or potential violation of law; to volunteers and others who function akin to agency employees, but lack employee status; to the National Archives and Records Administration during records management inspections; and to the Department of Homeland Security for cybersecurity monitoring purposes. Routine use 11 is also new; it defines a new group-- Organizational Points of Contact (OPOCs) of automatically designated health facilities--to which records may be disclosed, for the purpose of validating clinician services hours to corroborate health professional shortage. 8. The Retrieval section previously stated that records were retrieved by personal identifier, and now specifies the personal identifiers used for retrieval. 9. The Retention and Disposal section previously indicated a record disposition schedule was in the process of being developed, and now identifies the applicable schedule. Because some of these changes are significant, a report on the modified system of records was sent to OMB and Congress in accordance with 5 U.S.C. 552a(r). System Name and Number Health Professional Service Delivery Data Used to Designate Health Professional Shortage Areas (HPSAs) and Medically Underserved Areas and Populations (MUA/Ps), System Number 09-15-0066. SECURITY CLASSIFICATION: Unclassified. SYSTEM LOCATION: The address of the agency component responsible for the system of records is: Division of Policy and Shortage Designation, Bureau of Health Workforce (BHW), Health Resources and Services Administration (HRSA), 5600 Fishers Ln., Rockville MD 20857. SYSTEM MANAGER(S): The System Manager for the system of records is the following Policy-Coordinating Official: Dr. Janelle McCutchen, Division of Policy and Shortage Designation, Bureau of Health Workforce (BHW), Health Resources and Services Administration (HRSA), 5600 Fishers Ln., Rockville MD 20857, [email protected], (301) 594-5168. AUTHORITY FOR MAINTENANCE OF THE SYSTEM: Section 332 of the Public Health Service Act (PHSA) (42 U.S.C. 254e) provides that the Secretary of Health and Human Services shall designate Health Professional Shortage Areas (HPSAs), based on criteria established by regulation. Section 330 of the PHSA (42 U.S.C. 254b) authorizes the Secretary to designate Medically Underserved Areas (MUAs) and Medically Underserved Populations (MUPs). The authority for shortage designation is delegated to the Bureau of Health Workforce Division of Policy and Shortage Designation, Shortage Designation Branch (SDB). The approval process and designation criteria used for shortage designations were developed in accordance with requirements of secs. 330 and 332 of the PHSA. To accomplish this task, the SDB relies on data specified in 42 CFR part 5, which implements sec. 332 of the PHSA and outlines HPSA criteria, to for the review of applications submitted by State Primary Care Offices (PCO) and their affiliates for designation status. PURPOSE(S) OF THE SYSTEM: Health professional service delivery data for individual providers is used by HRSA, its state partners, and Organizational Points of Contact for the following purposes: State partners use the data to assess and determine if an area or specific population group is experiencing a shortage in health professionals, in order to apply for such areas or groups to be designated as Health Professional Shortage Areas (HPSAs), Medically Underserved Areas (MUAs), or Medically Underserved Populations (MUPs). Organizational Points of Contact use the data to validate clinician service hours in order to corroborate health professional shortage. HRSA uses the data to designate HPSAs, MUAs, and MUPs. HRSA also uses the data to create aggregate datasets, which are used by HRSA and state partners to conduct workforce analyses. CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: The data pertains to individual health care providers who are assigned a National Provider Identifier by the Centers for Medicare & Medicaid Services (CMS), National Plan and Provider Enumeration System (NPPES), and are practicing in eligible primary care, mental health, and dental disciplines relevant to HPSA, MUA, or MUP applications and designations. CATEGORIES OF RECORDS IN THE SYSTEM: The records consist of health professional service delivery information for subject health care providers as provided by state partners. The data elements include, but are not necessarily limited to: National Provider Identifier * License Number * Date of Birth * Taxonomy * Discipline Specialty Address (Business Practice Location) * City (Business Practice Location) * State (Business Practice Location) * Postal Code (Business Practice Location) * Dental Auxiliaries (Dental Providers Only) Direct Tour Hours Employed by a Correctional Facility? Employed by a State/County Mental Hospital? Annual Medicaid Claims Patient Percent--Medicaid Patient Percent--Homeless Patient Percent--Migrant Farmworker Patient Percent--Native American Patient Percent--Sliding Fee Scale Patient Percent--Migrant Seasonal Farmworker Resident/Intern J1 Visa Waiver Holder Status Federal Provider Status National Health Service Core Participant * Sourced from The Centers for Medicare & Medicaid Services (CMS) National Plan and Provider Enumeration System (NPPES). RECORD SOURCE CATEGORIES: Data about providers is obtained from two sources and combined in HRSA's Shortage Designation Management System (SDMS): State Partners: State Primary Care Office (PCO) grantees of state [[Page 23059]] departments of health and other public or private entities a PCO has entered into a contractual agreement with, such as State Primary Care Associations. The Centers for Medicare & Medicaid Services (CMS) National Plan and Provider Enumeration System (NPPES). ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES: HHS may disclose a record about a health care provider from this system of records to parties outside HHS, without the provider's prior written consent, pursuant to these routine uses: 1. Records may be disclosed to state partners that have been granted access to the information technology system in which HRSA maintains provider records (currently known as the Shortage Designation Management System). Each state partner's access to provider records maintained in the system will be limited to providers practicing in the partner's respective state. State partners are granted access to these records for the sole purpose of entering provider service delivery data for HPSA and MUA/P administrative and designation purposes. State partners include Primary Care Office (PCO) grantees of state departments of health and other public or private entities a PCO has entered into a contractual agreement with, such as State Primary Care Associations. Each state partner retains rights to the data it enters about providers in its state and is explicitly prohibited from extracting data contributed by other states for its own use or dissemination to a third party without obtaining prior permission from the appropriate PCO. 2. Records may be disclosed to HHS grantees, contractors, and subcontractors that have been engaged to assist HHS in the accomplishment of a HHS function relating to the purposes of this system of records and that need to have access to the records in order to assist HHS in performing the activity. All grantees, contractors and subcontractors shall be required to comply with the Privacy Act with respect to such records. 3. Records may be disclosed to a member of Congress or congressional staff member in response to a written inquiry of the congressional office made at the written request of the constituent about whom the record is maintained. The congressional office does not have any greater authority to obtain records than the individual would have if requesting the records directly. 4. Records may be disclosed to the U.S. Department of Justice (DOJ), or to a court or other tribunal, when: a. HHS or any of its components; or b. any employee of HHS acting in the employee's official capacity; or c. any employee of HHS acting in the employee's individual capacity where DOJ has agreed to represent the employee; or d. the United States Government, is a party to litigation or has an interest in litigation and, by careful review, HHS determines that the records are both relevant and necessary to the litigation. 5. Where a record, either alone or in conjunction with other information, indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule, or order issued pursuant thereto, the relevant records in the system of records may be referred, as a routine use, to the appropriate public authority, whether federal, state, local, tribal, territorial, foreign, or otherwise, charged with the responsibility of enforcing, investigating, or prosecuting the violation or charged with enforcing or implementing the statute, rule, regulation, or order issued pursuant thereto, if the information disclosed is relevant to the enforcement, regulatory, investigative, or prosecutorial responsibility of the receiving entity. 6. Records may be disclosed to student volunteers, individuals working under a personal services contract, and other individuals performing functions relating to the purposes of this system of records for the Department but technically not having the status of agency employees, if they need access to the records in order to perform their assigned agency functions. 7. Records may be disclosed to representatives of the National Archives and Records Administration during records management inspections conducted pursuant to 44 U.S.C. 2904 and 2906. 8. Records may be disclosed to appropriate agencies, entities, and persons when (1) HHS suspects or has confirmed that there has been a breach of the system of records, (2) HHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the federal government, or national security, and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm. 9. Records may be disclosed to another federal agency or federal entity, when HHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the federal government, or national security, resulting from a suspected or confirmed breach. 10. Records may be disclosed to the U.S. Department of Homeland Security (DHS) if captured in an intrusion detection system used by HHS and DHS pursuant to a DHS cybersecurity program that monitors internet traffic to and from federal government computer networks to prevent a variety of types of cybersecurity incidents. 11. Records may be disclosed to Organizational Points of Contact (OPOCs) of health facilities that are automatically designated as serving a health professional shortage area. OPOCs use the data to validate clinician service hours to corroborate health professional shortage. Automatically designated facility HPSAs include: health centers (funded under sec. 330); health center look-alikes; Tribally-run clinics; urban Indian organizations; dual-funded Tribal health centers; federally-run Indian health service clinics; and, rural health clinics as deemed by the Secretary of HHS. The disclosures authorized by publication of the above routine uses pursuant to 5 U.S.C. 552a(b)(3) are in addition to other disclosures authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(2) and (b)(4)-(11). POLICIES AND PRACTICES FOR STORAGE OF RECORDS: Electronic records are maintained in database servers. Servers for the database are currently located at the Center for Information Technology, National Institutes of Health, Bethesda, MD. Historical paper files for program records, which may include data for providers, are archived at the Washington National Records Center in Suitland, MD. POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS: System records are retrieved by using a provider's National Provider [[Page 23060]] Identifier. Other system search filters such as last name or first name can also be used to retrieve provider records. POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS: Records are destroyed 18 years after the date of the applicable letter of determination, per disposition authority number DAA-0512- 2014-0004, item 2.9 (formerly N1-512-92-01, item 2). This retention schedule is media neutral (applies to all media, including paper). ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS: Safeguards conform to HHS Information Security and Privacy Program, https://www.hhs.gov/ocio/securityprivacy/index.html. Information is safeguarded in accordance with applicable laws, rules and policies, including the HHS Information Technology Security Program Handbook, all pertinent National Institutes of Standards and Technology (NIST) publications, and OMB Circular A-130, Managing Information as a Strategic Resource. Administrative Safeguards: Access to paper and electronic records is limited to persons authorized to update, view, or maintain provider records. Authorized users include internal users such as government and contractor personnel and external users such as state partners. Internal users must attend security training and sign a Rules of Behavior, which is renewed annually. All external users must also sign a Rules of Behavior and register to receive approval to access system records. All users are given role-based access to the system on a limited need-to-know basis. Approved users' access to system records is controlled by two factor authentication. Physical and logical access to the system is removed upon termination of employment or other change in the user's role. Technical Safeguards: Electronic records are protected from unauthorized access by encryption, intrusion detection, and firewalls. Routine system security scans are run to detect web and architecture vulnerabilities. Physical Safeguards: Servers and other computer equipment used to process identifiable data are located in secured areas and use physical access devices (e.g., keys, locks, combinations, card readers) and/or security guards to control entries into the facility. All facilities housing HRSA information systems maintain fire suppression and detection devices/systems (e.g., sprinkler systems, handheld fire extinguishers, fixed fire hoses, and/or smoke detectors) that are activated in the event of a fire. The same physical safeguards are utilized at the federal records center where older paper records are stored. RECORD ACCESS PROCEDURES: Individuals seeking access to records about themselves in this system of records must submit a written request to the System Manager/ Policy Coordinating Official at the address specified in the ``System Manager'' section above. The requester must verify his or her identity by providing either a notarization of the request or a written certification that the requester is who he or she claims to be and understands that the knowing and willful request for access to a record pertaining to an individual from an agency under false pretenses is a criminal offense under the Privacy Act, subject to a five thousand dollar fine. Requesters may also ask for an accounting of disclosures that have been made of their records, if any. CONTESTING RECORD PROCEDURES: An individual seeking to amend a record about him or her in this system of records must submit a written request to the System Manager indicated above, verify his or her identity in the same manner as is required for an access request, and reasonably identify the record and specify the information being contested, the corrective action sought, and the reasons for requesting the correction, along with any supporting documentation. The right to contest records is limited to information that is incomplete, incorrect, untimely, or irrelevant. NOTIFICATION PROCEDURES: An individual who wishes to know if this system of records contains records about him or her must submit a written request to the System Manager indicated above, and must verify his or her identity in the same manner as is required for an access request. EXEMPTIONS PROMULGATED FOR THE SYSTEM: None. HISTORY: 75 FR 19652 (Apr. 15, 2010), 83 FR 6591 (Feb. 14, 2018). Dated: May 14, 2019. George Sigounas, Administrator. [FR Doc. 2019-10478 Filed 5-20-19; 8:45 am] BILLING CODE 4160-15-P