[Federal Register Volume 84, Number 98 (Tuesday, May 21, 2019)]
[Notices]
[Pages 23057-23060]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-10478]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES


Modified Systems of Records Notice for State-Provided Physician 
Records (Renamed Health Professional Service Delivery Data), 09-15-
0066; Privacy Act of 1974; System of Records

AGENCY: Health Resources and Services Administration (HRSA), Department 
of Health and Human Services (HHS).

ACTION: Notice of a Modified System of Records.

-----------------------------------------------------------------------

SUMMARY: In accordance with requirements of the Privacy Act of 1974, as 
amended, the Department of Health and Human Services (HHS) is updating 
an existing system of records maintained by the Health Resources and 
Services Administration (HRSA), System No. 09-15-0066 ``State-Provided 
Physician Records for the Application Submission & Processing System.'' 
The system of records covers service delivery data pertaining to 
individual health care providers practicing in eligible primary care, 
mental health, and dental disciplines, which is used by state partners 
to apply for, and by HRSA to designate, health professional shortage 
areas and medically underserved areas and populations. The 
modifications include adding a unique identifier for providers, known 
as the National Provider Identifier; and changing the system name to 
``Health Professional Service Delivery Data Used to Designate Health 
Professional Shortage Areas (HPSAs) and Medically Underserved Areas and 
Populations (MUA/Ps).''

DATES: In accordance with 5 U.S.C. 552a(e)(4) and (11), this notice is 
applicable May 21, 2019, subject to a 30-day period in which to comment 
on the new and revised routine uses, described below. Please submit any 
comments by June 20, 2019.

ADDRESSES: Written comments may be submitted by email to [email protected] 
or by mail, addressed to: ATTN: HRSA/BHW/DPSD, 5600 Fishers Ln., 
Rockville, MD 20857.

FOR FURTHER INFORMATION CONTACT: General questions about the revised 
system of records may be submitted by email to [email protected], or 
telephone to 301-594-5968, or by mail addressed to Dr. Janelle 
McCutchen, Division of Policy and Shortage Designation, Bureau of 
Health Workforce (BHW), Health Resources and Services Administration 
(HRSA), 5600 Fishers Ln., Rockville, MD 20857.

SUPPLEMENTARY INFORMATION: This system of records was established in 
2005 (see 70 FR 1724) and was last comprehensively updated in 2010 (see 
75 FR 19652). The primary reason for updating the system of records 
again is to add a unique identifier for providers, known as the 
National Provider Identifier, which HRSA will obtain from CMS' National 
Plan and Provider Enumeration System (NPPES), System No. 09-70-0555 
(formerly 09-70-0008; the number was changed to 09-70-0555 in 2010). On 
behalf of the Secretary of HHS, NPPES collects and maintains 
information needed to uniquely identify an individual physician or non-
physician practitioner, assign a National Provider Identifier (NPI) to 
that physician or non-physician practitioner, and maintain and update 
the information in that health care provider's record in NPPES.
    In addition to reformatting the System of Records Notice to comply 
with OMB Circular A-108 and updating office names in the System 
Location and System Manager sections, modifications made to the system 
of records include the following substantive changes:
    1. The system name has been changed to ``Health Professional 
Service Delivery Data Used to Designate Health Professional Shortage 
Areas (HPSAs) and Medically Underserved Areas and Populations (MUA/
Ps)'' to more clearly indicate the nature of the records.
    2. Section 330 of the Public Health Service Act (PHSA) (42 U.S.C. 
254b) and the U.S. Code citation for Section 332 of the PHSA (42 U.S.C. 
254e) have been added to the Authorities section.
    3. The Purposes section has been expanded to include additional 
purposes for which records may be used, such as: (1) Creation of 
aggregate datasets to use in conducting workforce analyses; and (2) 
granting Organizational Points of Contact access to the system to 
validate provider data.
    4. The Categories of Individuals section has been updated to 
specify that the collection of health professional service delivery 
data is limited to providers who are assigned a National Provider 
Identifier by the NPPES.
    5. The Categories of Records section now states a record category 
and includes an updated list of data elements.
    6. The Record Source Categories section now includes the new data 
source, NPPES.
    7. The Routine Uses section, which formerly contained four routine 
uses, now contains 11 routine uses, of which two are revised and seven 
are new. Specifically:
     Routine use 1 (authorizing disclosures to HRSA's state 
partners) was revised to be consistent with each

[[Page 23058]]

state partner's ownership rights in the data it provides. The 
limitation on each state partner's ability to use and share data 
provided by another state partner is also defined.
     Former routine uses 2 and 3 (which authorized disclosures 
to HHS contractors for particular purposes) are now combined as revised 
routine use 2. This routine use was broadened to cover any purpose of 
the system of records for which a contractor may be engaged to assist 
HHS and require access to the records.
     Routine uses 3 through 7 and 10 are new; they authorize 
disclosures which are not for direct program purposes, but are for 
related purposes which might arise in any system of records; i.e., to 
congressional offices for the purpose of responding to constituent 
requests; to the U.S. Department of Justice for litigation purposes; to 
law enforcement agencies for law enforcement purposes, when a record 
indicates a violation or potential violation of law; to volunteers and 
others who function akin to agency employees, but lack employee status; 
to the National Archives and Records Administration during records 
management inspections; and to the Department of Homeland Security for 
cybersecurity monitoring purposes.
     Routine use 11 is also new; it defines a new group--
Organizational Points of Contact (OPOCs) of automatically designated 
health facilities--to which records may be disclosed, for the purpose 
of validating clinician services hours to corroborate health 
professional shortage.
    8. The Retrieval section previously stated that records were 
retrieved by personal identifier, and now specifies the personal 
identifiers used for retrieval.
    9. The Retention and Disposal section previously indicated a record 
disposition schedule was in the process of being developed, and now 
identifies the applicable schedule. Because some of these changes are 
significant, a report on the modified system of records was sent to OMB 
and Congress in accordance with 5 U.S.C. 552a(r).
System Name and Number
    Health Professional Service Delivery Data Used to Designate Health 
Professional Shortage Areas (HPSAs) and Medically Underserved Areas and 
Populations (MUA/Ps), System Number 09-15-0066.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    The address of the agency component responsible for the system of 
records is: Division of Policy and Shortage Designation, Bureau of 
Health Workforce (BHW), Health Resources and Services Administration 
(HRSA), 5600 Fishers Ln., Rockville MD 20857.

SYSTEM MANAGER(S):
    The System Manager for the system of records is the following 
Policy-Coordinating Official: Dr. Janelle McCutchen, Division of Policy 
and Shortage Designation, Bureau of Health Workforce (BHW), Health 
Resources and Services Administration (HRSA), 5600 Fishers Ln., 
Rockville MD 20857, [email protected], (301) 594-5168.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Section 332 of the Public Health Service Act (PHSA) (42 U.S.C. 
254e) provides that the Secretary of Health and Human Services shall 
designate Health Professional Shortage Areas (HPSAs), based on criteria 
established by regulation. Section 330 of the PHSA (42 U.S.C. 254b) 
authorizes the Secretary to designate Medically Underserved Areas 
(MUAs) and Medically Underserved Populations (MUPs). The authority for 
shortage designation is delegated to the Bureau of Health Workforce 
Division of Policy and Shortage Designation, Shortage Designation 
Branch (SDB). The approval process and designation criteria used for 
shortage designations were developed in accordance with requirements of 
secs. 330 and 332 of the PHSA. To accomplish this task, the SDB relies 
on data specified in 42 CFR part 5, which implements sec. 332 of the 
PHSA and outlines HPSA criteria, to for the review of applications 
submitted by State Primary Care Offices (PCO) and their affiliates for 
designation status.

PURPOSE(S) OF THE SYSTEM:
    Health professional service delivery data for individual providers 
is used by HRSA, its state partners, and Organizational Points of 
Contact for the following purposes:
     State partners use the data to assess and determine if an 
area or specific population group is experiencing a shortage in health 
professionals, in order to apply for such areas or groups to be 
designated as Health Professional Shortage Areas (HPSAs), Medically 
Underserved Areas (MUAs), or Medically Underserved Populations (MUPs).
     Organizational Points of Contact use the data to validate 
clinician service hours in order to corroborate health professional 
shortage.
     HRSA uses the data to designate HPSAs, MUAs, and MUPs.
     HRSA also uses the data to create aggregate datasets, 
which are used by HRSA and state partners to conduct workforce 
analyses.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The data pertains to individual health care providers who are 
assigned a National Provider Identifier by the Centers for Medicare & 
Medicaid Services (CMS), National Plan and Provider Enumeration System 
(NPPES), and are practicing in eligible primary care, mental health, 
and dental disciplines relevant to HPSA, MUA, or MUP applications and 
designations.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records consist of health professional service delivery 
information for subject health care providers as provided by state 
partners. The data elements include, but are not necessarily limited 
to:
    National Provider Identifier *
    License Number *
    Date of Birth *
    Taxonomy *
    Discipline
    Specialty
    Address (Business Practice Location) *
    City (Business Practice Location) *
    State (Business Practice Location) *
    Postal Code (Business Practice Location) *
    Dental Auxiliaries (Dental Providers Only)
    Direct Tour Hours
    Employed by a Correctional Facility?
    Employed by a State/County Mental Hospital?
    Annual Medicaid Claims
    Patient Percent--Medicaid
    Patient Percent--Homeless
    Patient Percent--Migrant Farmworker
    Patient Percent--Native American
    Patient Percent--Sliding Fee Scale
    Patient Percent--Migrant Seasonal Farmworker
    Resident/Intern
    J1 Visa Waiver Holder Status
    Federal Provider Status
    National Health Service Core Participant

    * Sourced from The Centers for Medicare & Medicaid Services (CMS) 
National Plan and Provider Enumeration System (NPPES).

RECORD SOURCE CATEGORIES:
    Data about providers is obtained from two sources and combined in 
HRSA's Shortage Designation Management System (SDMS):
     State Partners: State Primary Care Office (PCO) grantees 
of state

[[Page 23059]]

departments of health and other public or private entities a PCO has 
entered into a contractual agreement with, such as State Primary Care 
Associations.
     The Centers for Medicare & Medicaid Services (CMS) 
National Plan and Provider Enumeration System (NPPES).

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    HHS may disclose a record about a health care provider from this 
system of records to parties outside HHS, without the provider's prior 
written consent, pursuant to these routine uses:
    1. Records may be disclosed to state partners that have been 
granted access to the information technology system in which HRSA 
maintains provider records (currently known as the Shortage Designation 
Management System). Each state partner's access to provider records 
maintained in the system will be limited to providers practicing in the 
partner's respective state. State partners are granted access to these 
records for the sole purpose of entering provider service delivery data 
for HPSA and MUA/P administrative and designation purposes. State 
partners include Primary Care Office (PCO) grantees of state 
departments of health and other public or private entities a PCO has 
entered into a contractual agreement with, such as State Primary Care 
Associations. Each state partner retains rights to the data it enters 
about providers in its state and is explicitly prohibited from 
extracting data contributed by other states for its own use or 
dissemination to a third party without obtaining prior permission from 
the appropriate PCO.
    2. Records may be disclosed to HHS grantees, contractors, and 
subcontractors that have been engaged to assist HHS in the 
accomplishment of a HHS function relating to the purposes of this 
system of records and that need to have access to the records in order 
to assist HHS in performing the activity. All grantees, contractors and 
subcontractors shall be required to comply with the Privacy Act with 
respect to such records.
    3. Records may be disclosed to a member of Congress or 
congressional staff member in response to a written inquiry of the 
congressional office made at the written request of the constituent 
about whom the record is maintained. The congressional office does not 
have any greater authority to obtain records than the individual would 
have if requesting the records directly.
    4. Records may be disclosed to the U.S. Department of Justice 
(DOJ), or to a court or other tribunal, when:
    a. HHS or any of its components; or
    b. any employee of HHS acting in the employee's official capacity; 
or
    c. any employee of HHS acting in the employee's individual capacity 
where DOJ has agreed to represent the employee; or
    d. the United States Government, is a party to litigation or has an 
interest in litigation and, by careful review, HHS determines that the 
records are both relevant and necessary to the litigation.
    5. Where a record, either alone or in conjunction with other 
information, indicates a violation or potential violation of law, 
whether civil, criminal, or regulatory in nature, and whether arising 
by general statute or particular program statute, or by regulation, 
rule, or order issued pursuant thereto, the relevant records in the 
system of records may be referred, as a routine use, to the appropriate 
public authority, whether federal, state, local, tribal, territorial, 
foreign, or otherwise, charged with the responsibility of enforcing, 
investigating, or prosecuting the violation or charged with enforcing 
or implementing the statute, rule, regulation, or order issued pursuant 
thereto, if the information disclosed is relevant to the enforcement, 
regulatory, investigative, or prosecutorial responsibility of the 
receiving entity.
    6. Records may be disclosed to student volunteers, individuals 
working under a personal services contract, and other individuals 
performing functions relating to the purposes of this system of records 
for the Department but technically not having the status of agency 
employees, if they need access to the records in order to perform their 
assigned agency functions.
    7. Records may be disclosed to representatives of the National 
Archives and Records Administration during records management 
inspections conducted pursuant to 44 U.S.C. 2904 and 2906.
    8. Records may be disclosed to appropriate agencies, entities, and 
persons when (1) HHS suspects or has confirmed that there has been a 
breach of the system of records, (2) HHS has determined that as a 
result of the suspected or confirmed breach there is a risk of harm to 
individuals, HHS (including its information systems, programs, and 
operations), the federal government, or national security, and (3) the 
disclosure made to such agencies, entities, and persons is reasonably 
necessary to assist in connection with HHS's efforts to respond to the 
suspected or confirmed breach or to prevent, minimize, or remedy such 
harm.
    9. Records may be disclosed to another federal agency or federal 
entity, when HHS determines that information from this system of 
records is reasonably necessary to assist the recipient agency or 
entity in (1) responding to a suspected or confirmed breach or (2) 
preventing, minimizing, or remedying the risk of harm to individuals, 
the recipient agency or entity (including its information systems, 
programs, and operations), the federal government, or national 
security, resulting from a suspected or confirmed breach.
    10. Records may be disclosed to the U.S. Department of Homeland 
Security (DHS) if captured in an intrusion detection system used by HHS 
and DHS pursuant to a DHS cybersecurity program that monitors internet 
traffic to and from federal government computer networks to prevent a 
variety of types of cybersecurity incidents.
    11. Records may be disclosed to Organizational Points of Contact 
(OPOCs) of health facilities that are automatically designated as 
serving a health professional shortage area. OPOCs use the data to 
validate clinician service hours to corroborate health professional 
shortage. Automatically designated facility HPSAs include:
     health centers (funded under sec. 330);
     health center look-alikes;
     Tribally-run clinics;
     urban Indian organizations;
     dual-funded Tribal health centers;
     federally-run Indian health service clinics; and,
     rural health clinics as deemed by the Secretary of HHS.

    The disclosures authorized by publication of the above routine uses 
pursuant to 5 U.S.C. 552a(b)(3) are in addition to other disclosures 
authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(2) and 
(b)(4)-(11).

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Electronic records are maintained in database servers. Servers for 
the database are currently located at the Center for Information 
Technology, National Institutes of Health, Bethesda, MD. Historical 
paper files for program records, which may include data for providers, 
are archived at the Washington National Records Center in Suitland, MD.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    System records are retrieved by using a provider's National 
Provider

[[Page 23060]]

Identifier. Other system search filters such as last name or first name 
can also be used to retrieve provider records.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records are destroyed 18 years after the date of the applicable 
letter of determination, per disposition authority number DAA-0512-
2014-0004, item 2.9 (formerly N1-512-92-01, item 2). This retention 
schedule is media neutral (applies to all media, including paper).

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Safeguards conform to HHS Information Security and Privacy Program, 
https://www.hhs.gov/ocio/securityprivacy/index.html. Information is 
safeguarded in accordance with applicable laws, rules and policies, 
including the HHS Information Technology Security Program Handbook, all 
pertinent National Institutes of Standards and Technology (NIST) 
publications, and OMB Circular A-130, Managing Information as a 
Strategic Resource.
    Administrative Safeguards: Access to paper and electronic records 
is limited to persons authorized to update, view, or maintain provider 
records. Authorized users include internal users such as government and 
contractor personnel and external users such as state partners. 
Internal users must attend security training and sign a Rules of 
Behavior, which is renewed annually. All external users must also sign 
a Rules of Behavior and register to receive approval to access system 
records. All users are given role-based access to the system on a 
limited need-to-know basis. Approved users' access to system records is 
controlled by two factor authentication. Physical and logical access to 
the system is removed upon termination of employment or other change in 
the user's role.
    Technical Safeguards: Electronic records are protected from 
unauthorized access by encryption, intrusion detection, and firewalls. 
Routine system security scans are run to detect web and architecture 
vulnerabilities.
    Physical Safeguards: Servers and other computer equipment used to 
process identifiable data are located in secured areas and use physical 
access devices (e.g., keys, locks, combinations, card readers) and/or 
security guards to control entries into the facility. All facilities 
housing HRSA information systems maintain fire suppression and 
detection devices/systems (e.g., sprinkler systems, handheld fire 
extinguishers, fixed fire hoses, and/or smoke detectors) that are 
activated in the event of a fire. The same physical safeguards are 
utilized at the federal records center where older paper records are 
stored.

RECORD ACCESS PROCEDURES:
    Individuals seeking access to records about themselves in this 
system of records must submit a written request to the System Manager/
Policy Coordinating Official at the address specified in the ``System 
Manager'' section above. The requester must verify his or her identity 
by providing either a notarization of the request or a written 
certification that the requester is who he or she claims to be and 
understands that the knowing and willful request for access to a record 
pertaining to an individual from an agency under false pretenses is a 
criminal offense under the Privacy Act, subject to a five thousand 
dollar fine. Requesters may also ask for an accounting of disclosures 
that have been made of their records, if any.

CONTESTING RECORD PROCEDURES:
    An individual seeking to amend a record about him or her in this 
system of records must submit a written request to the System Manager 
indicated above, verify his or her identity in the same manner as is 
required for an access request, and reasonably identify the record and 
specify the information being contested, the corrective action sought, 
and the reasons for requesting the correction, along with any 
supporting documentation. The right to contest records is limited to 
information that is incomplete, incorrect, untimely, or irrelevant.

NOTIFICATION PROCEDURES:
    An individual who wishes to know if this system of records contains 
records about him or her must submit a written request to the System 
Manager indicated above, and must verify his or her identity in the 
same manner as is required for an access request.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    75 FR 19652 (Apr. 15, 2010), 83 FR 6591 (Feb. 14, 2018).

    Dated: May 14, 2019.
George Sigounas,
Administrator.
[FR Doc. 2019-10478 Filed 5-20-19; 8:45 am]
BILLING CODE 4160-15-P