Federal Register, Volume 84 Issue 119 (Thursday, June 20, 2019)

[Federal Register Volume 84, Number 119 (Thursday, June 20, 2019)]
[Notices]
[Pages 28823-28829]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-13112]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES


Privacy Act of 1974; System of Records

AGENCY: Department of Health and Human Services.

ACTION: Notice of a new system of records, and rescindment of related 
systems.

-----------------------------------------------------------------------

SUMMARY: In accordance with the Privacy Act of 1974, as amended, the 
Department of Health and Human Services (HHS) is establishing a new 
department-wide system of records, titled HHS Correspondence, Customer 
Service, and Contact List Records, system no. 09-90-1901. The new 
system of records replaces 13 existing systems of records which are 
rescinded in this notice, and it includes additional records not 
currently covered by any SORN. Two other related systems of records are 
also rescinded in this notice, but not replaced by the new SORN, 
because those records no longer exist.

DATES:  In accordance with 5 U.S.C. 552a(e)(4) and (11), this notice is 
applicable June 20, 2019, subject to a 30-day period in which to 
comment on the routine uses, described below. Please submit any 
comments by July 22, 2019.

ADDRESSES:  The public should submit written comments on this notice, 
by mail or email, to Beth Kramer, HHS Privacy Act Officer, 200 
Independence Ave. SW, Suite 729H, Washington, DC 20201, or 
[email protected]. Comments will be available for public viewing at 
the same location. To review comments in person, please contact Beth 
Kramer at [email protected] or 202-690-6941.

FOR FURTHER INFORMATION CONTACT:  General questions may be submitted to 
Beth Kramer, HHS Privacy Act Officer, at 200 Independence Ave. SW, 
Suite 729H, Washington, DC 20201, or [email protected], or 202-690-
6941.

SUPPLEMENTARY INFORMATION:

I. Background on New SORN 09-90-1901

    HHS is establishing this new department-wide system of records to 
cover records about individuals within or outside HHS which are 
retrieved by personal identifier and used in managing HHS 
correspondence and customer service functions, including help desk and 
call center activities, dissemination of publications, studies, 
opinions, unrestricted datasets, and other information, and mailing and 
contact lists, unless covered by a more specific system of records 
notice (SORN). It will include the records currently covered in 13 
related SORNs, in order to replace and rescind those SORNs, but with 
revisions where needed to provide updated descriptions of those 
records. It will also include other functionally similar records not 
currently covered by any SORN. The up-to-date records descriptions used 
in the new SORN differ from the descriptions used in the replaced SORNs 
in these respects:
     The System Manager contact information has been updated 
and is grouped by record type.
     The System Location section refers to the contact 
information shown in the System Manager section.
     The Authorities section now cites 5 U.S.C. 301, 305; 21 
U.S.C. 301 et seq.; 31 U.S.C. 1115(b)(6); 40 U.S.C. 11313; 42 U.S.C. 
201 et seq.; 44 U.S.C. 3101; E.O. 11583; and E.O. 13571. This differs 
from the authorities cited in each replaced SORN as follows:
    a. OS SORNs 09-37-0001, 09-90-0027, 09-90-0037, 09-90-0038, and 09-
90-0072 and HRSA SORN 09-15-0059 cited only one of the authorities 
cited in the new SORN, 5 U.S.C. 301.
    b. NIH SORN 09-25-0106 cited two authorities cited in the new SORN, 
5 U.S.C. 301 and 44 U.S.C. 3101.
    c. OS SORN 09-90-0001 cited 5 U.S.C. 301 and one authority not 
cited in the new SORN: 40 U.S.C. 486(c).
    d. FDA SORN 09-10-0004 cited 42 U.S.C. 201 et seq., which is cited 
in the new SORN, and two authorities not cited in the new SORN: 21 
U.S.C. 321 et seq. and 21 CFR part 5.
    e. SAMHSA SORN 09-30-0033 cited portions of title 42 of the United 
States Code, which is cited in the new SORN, and these authorities not 
cited in the new SORN: 8 U.S.C. 1522 note, as amended by sec. 501(c) of 
Public Law 96-422; E.O. 12341; and sec. 413 of Public Law 93-288 as 
amended and redesignated as sec. 416 by Public Law 100-107 [sic; 
probably should be Public Law 101-707, amending 42 U.S.C. 5183].
    f. These SORNs cited none of the authorities cited in the new SORN:
    i. OS SORN 09-90-0161 cited 42 U.S.C. 300u-6;
    ii. CDC SORN 09-20-0059 cited 29 U.S.C. 670;
    iii. CMS SORN 09-70-3005 cited 42 U.S.C. 1306(a) and 42 CFR 
401.101-401.148; and
    iv. SAMHSA SORN 09-30-0051 cited sec. 501 of the Public Health 
Service Act (42 U.S.C. 290a) as amended by Public Law 102-321 and 
Public Law 106-310.
     The new SORN provides broader and more detailed 
descriptions of the categories of records and the purposes for which 
the records are used than were in each replaced SORN, in recognition 
that some of the records interrelate with each other and may be 
maintained and used together, and by more than one office, to achieve 
certain purposes. Each replaced SORN

[[Page 28824]]

described how a particular office or component used a particular set of 
records.
     The categories of individuals are effectively the same as 
in the replaced SORNs, except that the description in the new SORN is 
not limited to individuals who are the subject of a particular set of 
records, yet is worded to avoid including individuals who don't qualify 
as record subjects for Privacy Act purposes. For example, it does not 
include individuals whose personal identifiers are used to retrieve 
records that are not, in fact, about them, which was an error in OS 
SORNs 09-90-0027 and 09-90-0072.
     Unnecessary routine uses (e.g., for disclosures that would 
be made with consent or that are not in fact made) are not included. 
Routine uses 3 and 4 are worded to apply to only certain records; the 
other routine uses apply to all records in the new SORN, but were not 
in some of the replaced SORNs; i.e.:
    a. Routine use 10 was not in any of the replaced SORNs.
    b. Routine use 2 was not in FDA SORN 09-10-0004.
    c. Routine uses 6 and 8 were not in OS SORN 09-90-0027.
    d. Routine uses 2, 6, and 8 were not in OS SORNs 09-90-0037, 09-90-
0038, and 09-90-0072; HRSA SORN 09-15-005; CDC SORN 09-20-0059; SAMHSA 
SORN 09-30-0051; and CMS SORN 09-70-3005.
    e. Routine uses 2, 5, 6, and 8 were not in OS SORNs 09-90-0001 and 
09-90-0161.
    f. Routine uses 1, 2, 6, and 8 were not in OS SORN 09-37-0001, NIH 
SORN 09-25-0106, and SAMHSA SORN 09-30-0036.
     The disposal section identifies applicable disposition 
schedules (some of the replaced SORNs did not).
     The storage and safeguards sections are up-to-date, and 
were not up-to-date in some of the replaced SORNs.

II. Background on the Rescinded SORNs

    A. HHS is rescinding the following two systems of records because 
the records no longer exist:
    1. 09-90-1201 ONC Health IT Dashboard. This SORN covered records 
containing identifying information, retrieved by National Provider 
Identifier (NPI), about health care providers who registered to receive 
health IT implementation assistance from grantees of the Office of the 
National Coordinator for Health IT (ONC), which were used by the 
grantees to provide that assistance and by HHS/ONC to evaluate the 
status of electronic health record implementation and validate 
grantees' claims for grant payments. The SORN reflected that the 
records would be retained for approximately two years after the 
completion of the grant program. The grant program ended in 2014, and 
the records that were retrieved by NPI were destroyed when business use 
ceased.
    2. 09-90-0041 Consumer Mailing List. This SORN was established by 
an office which was transferred from the Office of the Secretary (OS) 
to the Centers for Medicare & Medicaid Services (CMS) in 2011 and 
renamed the Center for Consumer Information and Insurance Oversight 
(CCIIO). It covered a list which was used to distribute information on 
current consumer topics to consumers, academicians, librarians, 
business and government officials, and the media. The list is no longer 
maintained, and the records no longer exist.
    B. HHS is rescinding these 13 systems of records and replacing them 
with the new department-wide SORN 09-90-1901:
    3. 09-37-0001 OASH Correspondence Control System. These records 
pertain to individuals who have contacted, or have been contacted in 
writing by, the Assistant Secretary for Health (OASH) or a subordinate 
official. The records consist of copies of correspondence and tracking 
records which are used to control, track, and ensure timely and 
appropriate attention to correspondence addressed to or initiated by 
such officials. The routine uses authorize disclosures to contractors 
and other non-employees engaged to perform functions for HHS and 
disclosures for purposes of responding to or handling litigation and 
security incidents.
    4. 09-90-0001 Telephone Directory/Locator System. This SORN covers 
HHS office contact records for HHS employees, other federal agency 
employees, and HHS contractor personnel located at HHS, which are 
retrieved by the personnel members' names and used to locate the 
individuals, route mail, and produce departmental telephone (and now 
also email) directories. The routine uses authorize disclosures to 
contractors and other non-employees engaged to perform functions for 
HHS and disclosures for purposes of responding to or handling 
litigation and security incidents.
    5. 09-90-0027 Congressional Correspondence Unit. This SORN covers 
records of constituent requests received from members of Congress and 
HHS' responses to same, and any associated work papers, which are about 
individual constituents and retrieved by constituent name (the SORN 
misdescribes them as being about members of Congress and as retrieved 
by only member of Congress name). The records are maintained by the 
Assistant Secretary for Legislation (ASL). The routine uses authorize 
disclosures to contractors and other non-employees engaged to perform 
functions for HHS, to another federal agency in order to route a 
misdirected request to that agency for response, to the member of 
Congress in responding to the request, to the Department of Justice for 
litigation purposes, and to other federal agencies and parties in 
responding to security incidents.
    6. 09-90-0037 Secretariat's Correspondence Control System. These 
department-wide records, which were formerly maintained by the 
Immediate Office of the Secretary (OS/IOS), are now maintained by HHS' 
Administration for Children and Families (ACF), and are now retrieved 
by the subject individual's first or last name, city or state, or 
correspondence tracking number. The records are about individuals who 
have contacted, or have been contacted in writing by, an HHS official, 
and consist of control information from official correspondence, 
including a narrative subject description, organization drafting the 
response, and type of action required from the Department. The routine 
uses authorize disclosures to contractors and other non-employees 
engaged to perform functions for HHS and disclosures for purposes of 
responding to or handling congressional inquiries, litigation, and 
security incidents.
    7. 09-90-0038 Secretary's Official Files. These records are about 
individuals who have contacted, or have been contacted in writing by, 
the Secretary or Under Secretary (currently referred to as the Deputy 
Secretary), and include copies of documents signed or initialed by one 
of those officials. The routine uses authorize disclosures to 
contractors and other non-employees engaged to perform functions for 
HHS and disclosures for purposes of responding to or handling 
congressional inquiries, litigation, and security incidents.
    8. 09-90-0072 Congressional Grants Notification Unit. This SORN 
covers correspondence maintained by the Assistant Secretary for 
Legislation (ASL) notifying members of Congress of grants and other 
contracts that HHS has awarded to recipients in their districts. (The 
SORN erroneously states that the records are about members of Congress; 
however, the records are about awardees, not members of Congress.) The 
routine uses authorize disclosures

[[Page 28825]]

to contractors and other non-employees engaged to perform functions for 
HHS, to members of Congress in responding to constituent inquiries, to 
the Department of Justice for litigation purposes, and to other federal 
agencies and parties for purposes of responding to security incidents.
    9. 09-90-0161 Minority Health Information Services. These records 
are used by the Office of Minority Health (OMH) within the Office of 
the Assistant Secretary for Health (OASH) to track and respond to 
requests from members of the public who ask to receive health 
information in the form of OMH's electronic newsletter and intermittent 
email updates. At times, OMH may also maintain records about 
individuals who volunteer to serve as resource persons to provide pro 
bono technical assistance to community organizations or government 
agencies working on aspects of minority health or in an OMH campaign. 
The routine uses in this SORN authorize disclosures to (and web 
postings meant to reach) parties seeking assistance from a resource 
person; disclosures to contractors; and disclosures for the purposes of 
responding to or handling litigation and security incidents.
    10. 09-10-0004 [FDA] Communications (Oral and Written) with the 
Public. This SORN covers records of information requests, consumer 
complaints, and other correspondence from or about individuals (other 
than employees of Food & Drug Administration (FDA)-regulated 
enterprises) who communicate with or are the subject of communications 
with FDA. The records include FDA-related Secretarial correspondence 
and congressional correspondence which is also covered in other SORNs 
listed above. The records are retrieved by the correspondent's (or 
other individual record subject's) name, and are used to track and 
respond to the correspondence. The routine uses authorize disclosures 
to refer potential law violations to the Department of Justice, a state 
food and drug enforcement health agency or licensing authority or the 
government of a foreign country for investigation; to a member of 
Congress for purposes of responding to a constituent request; to the 
Department of Justice for litigation purposes; and to other federal 
agencies and parties for purposes of responding to a security incident.
    11. 09-15-0059 [HRSA] Strategic Work Information and Folder 
Transfer System (SWIFT). The records covered by this SORN are about 
individuals who have contacted, or have been contacted, in writing by 
the Administrator of the Health Resources and Services Administration 
(HRSA) or a subordinate official (excluding FOIA and Privacy Act access 
request-related correspondence, which is maintained in the SWIFT 
information technology system but is covered under a more specific 
SORN, 09-90-0058 Tracking Records and Case Files for FOIA and Privacy 
Act Requests and Appeals). The records are retrieved by the 
correspondent's (or other record subject's) name, and are used to 
control and track the correspondence to ensure the correspondence 
receives timely and appropriate attention. The routine uses authorize 
disclosures for purposes of responding to or handling congressional 
inquiries, litigation, and security incidents.
    12. 09-20-0059 [CDC] Division of Training Mailing List. This SORN 
covers a mailing list maintained by the Centers for Disease Control and 
Prevention's National Institute for Occupational Safety and Health 
(CDC/NIOSH), which contains the name, mailing address, and student 
number of each individual who has taken a NIOSH training course or who 
has asked to be placed on the list. The records are retrieved by 
student name and number. The list is used to advise the individuals of 
upcoming NIOSH training courses. The routine uses authorize disclosures 
to contractors providing computer support for the system of records and 
disclosures for purposes of responding to or handling congressional 
inquiries, litigation, and security incidents.
    13. 09-25-0106 Administration: Office of the NIH Director and 
Institute/Center Correspondence Records. These records consist of 
correspondence, other supporting documents, and mailing lists 
pertaining to individuals who have contacted, or who have been 
contacted in writing by, the Director of the National Institutes of 
Health (NIH) or a subordinate. The records include NIH-related 
Secretarial correspondence and congressional correspondence which is 
also covered in other SORNs listed above. The records are retrieved by 
the correspondent's name and are used to control, address and track the 
correspondence to assure timely and appropriate attention. The routine 
uses authorize disclosures for purposes of responding to or handling 
congressional inquiries, litigation, and security incidents.
    14. 09-30-0033 [SAMHSA] Correspondence Files. This SORN covers 
records of correspondence from individuals who request information 
about Substance Abuse and Mental Health Services Administration 
(SAMHSA) programs, and includes SAMHSA-related Secretarial 
correspondence and congressional correspondence which is also covered 
in other SORNs listed above. The records are retrieved by the 
correspondent's name and are used for reference purposes and to assure 
timely and appropriate attention. The routine uses authorize 
disclosures for purposes of responding to or handling congressional 
inquiries, litigation, and security incidents.
    15. 09-30-0051 SAMHSA Information Mailing System (SIMS). This SORN 
covers records of correspondence from individuals who request 
publications and other information from the SAMHSA internet site, which 
is used to maintain a mailing list for purposes of providing the 
individuals with SAMHSA publications and other print materials they 
have identified as of interest to them and to inform them of new and 
upcoming publications. The records contain the individual's name (which 
is used for retrieval), contact information, title, occupation, 
organization type, ethnic group, level of education, and SAMHSA topics 
or areas of interest. The routine uses authorize disclosures to SAMHSA 
contractors, experts, and consultants and disclosures for purposes of 
responding to or handling congressional inquiries, litigation, and 
security incidents.
    16. 09-70-3005 [CMS] Correspondence Tracking Management System 
(CTMS). This SORN covers records of correspondence from or about 
individuals who request information about Centers for Medicare & 
Medicaid Services (CMS) programs or who are the subject of such 
correspondence from others. These records include CMS-related 
Secretarial correspondence and congressional correspondence which is 
also covered in other SORNs listed above. The records are retrieved by 
the correspondent's (or other record subject's) name and are used to 
track the correspondence and to support regulatory, reimbursement, and 
policy functions. The routine uses authorize disclosures to agency 
contractors and consultants and disclosures for purposes of responding 
to or handling congressional inquiries, litigation, and security 
incidents.

     Dated: May 30, 2019.
Michael S. Marquis,
Director, FOIA/Privacy Act Division, Office of Assistant Secretary for 
Public Affairs.

SYSTEM NAME AND NUMBER:
    HHS Correspondence, Customer Service, and Contact List Records, 09-
90-1901.

[[Page 28826]]

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    The address of each agency component responsible for this system of 
records is as shown in the System Manager(s) section below.

SYSTEM MANAGER(S):
    The System Managers are as follows:
     Congressional correspondence: HHS Assistant Secretary for 
Legislation, Congressional Liaison Office, Rm. 406G, 200 Independence 
Ave. SW, Washington, DC 20201, (202) 690-7627.
     HHS Secretarial and Deputy Secretary correspondence: HHS 
Executive Secretariat, Rm. 603H, 200 Independence Ave. SW, Washington, 
DC 20201, (202) 690-7000.
     Other official correspondence (managed by ACF for HHS): 
Administration for Children and Families Executive Secretariat Office, 
Deputy Director, 330 C St. SW, Washington, DC 20201, 
[email protected].
     Information product ordering and distribution records:
    a. AHRQ: Director, Office of Communications and Knowledge Transfer, 
Agency for Healthcare Research and Quality, 5600 Fishers Ln., 7th 
Floor, Rockville, MD 20857, (301) 427-1364.
    b. CMS: Director, Office of Communications, Centers for Medicare & 
Medicaid Services, 7500 Security Blvd., Baltimore, MD 21244, (410) 786-
1338.
    c. FDA Privacy Act Coordinator, Food and Drug Administration, 5630 
Fishers Ln., Rm. 1035, Rockville, MD 20857, (301) 796-3900.
    d. SAMHSA: Director, Office of Communications, Substance Abuse and 
Mental Health Services Administration, 5600 Fishers Ln., Rockville, MD 
20857, (240) 276-2201.
     Call center, ombudsman, and help desk records:
    a. ONE-DHHS: FedResponse Service Director, Program Support Center, 
7700 Wisconsin Ave., Bethesda, MD 20814, (877) 696-6775.
    b. FDA Call Centers: FDA Privacy Act Coordinator, Food and Drug 
Administration, 5630 Fishers Ln., Rm. 1035, Rockville, MD 20857, (301) 
796-3900.
     Mailing list and contact list records:
    a. OASH/OMH mailing and contact list records: Office of Minority 
Health, The Tower Building, 1101 Wootton Pkwy, Suite 600, Rockville, MD 
20852, (240) 453-2882.
    b. FDA mailing and contact list records: FDA Privacy Act 
Coordinator, Food and Drug Administration, 5630 Fishers Ln., Rm. 1035, 
Rockville, MD 20857, (301) 796-3900.
     Any other records not accounted for above: see ONE-DHHS 
contact information, under Call center, above.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    5 U.S.C. 301, 305; 21 U.S.C. 301 et seq.; 31 U.S.C. 1115(b)(6); 40 
U.S.C. 11313; 42 U.S.C. 201 et seq.; 44 U.S.C. 3101; E.O. 11583; E.O. 
13571.

PURPOSE(S) OF THE SYSTEM:
    The records in this system of records are used for the purpose of 
managing HHS correspondence, information dissemination, and customer 
service functions; i.e., to maintain, track, control, route, and locate 
information and documents created, received, requested, and used in 
managing those functions, in order to provide timely and appropriate 
actions, responses, notices, services, coordination, referrals, or 
other follow-up, avoid duplicate entries, and ensure consistency. 
Correspondence, information dissemination, and customer service 
functions include non-law enforcement-related help desk and call center 
activities; handling of consumer complaints; dissemination of 
publications, unrestricted datasets, and other information; and 
maintenance of mailing and contact lists. The records may also be used 
to compile aggregate statistics for the purpose of evaluating and 
improving these functions.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The records are about individuals within and outside HHS who 
contact HHS to request or offer information, information products, or 
services or to communicate a complaint or other information, or who 
receive correspondence from HHS, or who are the author or subject of 
such publications, communications, or correspondence by or with HHS, or 
who are included in mailing and contact lists maintained by HHS, when 
the records are used to support HHS correspondence, customer service, 
and/or contact and mailing list functions and are retrieved by the 
individuals' names or other personal identifiers (unless the records 
are covered by a more specific system of records notice (SORN)).

CATEGORIES OF RECORDS IN THE SYSTEM:
    The categories of records include:
     Secretarial and other official correspondence, 
congressional correspondence, and other correspondence. These records 
include copies of requests or other communications addressed or routed 
to an HHS official for response or other follow-up; copies of 
correspondence initialed or signed by an HHS official; tracking and 
control records (indicating, e.g., the date and subject of the 
correspondence; the name of the correspondent and/or other individual 
record subject--for example, a constituent identified in congressional 
correspondence; the action required; the organization drafting the 
response); and associated work papers.
     Records used in disseminating or filling orders for 
publications, stock photographs, audio visual productions, unrestricted 
datasets, and other information products. These include indexes to 
repositories of informational materials, request records, and order 
fulfilment records. Indexes may contain names of individuals (such as 
authors or subjects) used to retrieve materials when needed for 
distribution or to fulfill a request. Request records identify the date 
of the request, the product requested, the requester, and the address 
to use for delivery. Order fulfillment records contain proof of 
delivery, including the delivery date and address used for delivery, 
which may be a mailing address or email address if delivery was through 
a public access web portal or link. Any associated payment records (if 
a fee is charged for the information product) are covered by system of 
records 09-90-0024 HHS Financial Management System Records.
     Call center and help desk records. These include contact 
records (containing the name of the individual who contacted the call 
center or help desk, his or her contact information, and location 
information if relevant, unless the individual wishes to be anonymous) 
and request records (containing the date and nature of the request, 
complaint, or report, the name of the call center staff member who 
handled the request, complaint, or report, and actions taken, such as 
providing an answer from a call center script, documenting the report, 
or assigning and routing the request to the appropriate program office 
to handle). Note that recordings of ONE-DHHS telephone calls are 
destroyed after 90 days and are not retrieved by personal identifier so 
are not covered by this SORN.
     Mailing list records. These include the lists and any 
records used to compile and maintain the lists (e.g., existing contact 
lists; invitations to join and requests to be added to or removed from 
a list; address changes) containing an individual's contact information 
(e.g., mailing address or email address) and indicating the particular 
information or notices the individual

[[Page 28827]]

would receive or would like to receive from HHS (e.g., publications on 
particular health topics; an electronic newsletter; notice of upcoming 
training courses; notice when new material is added to a website). The 
records may also include information that the particular program 
requires or requests individuals to provide about themselves (e.g., 
characteristics such as profession, employing organization, educational 
level, practice setting, geographic location, age, ethnicity) to enable 
the agency to aggregate or organize the information or compile 
statistics on the types of individuals receiving the information 
distributed through the list.
     Contact list records. These include the lists and any 
records used to compile and maintain the lists, containing names, 
contact information, and any other relevant information (e.g., 
expertise type, primary language, geographic region) for individuals 
who HHS regularly contacts (such as, authors and sole proprietor media 
stakeholders) and/or individuals who have agreed to be included on or 
have asked to be removed from a particular list of contacts HHS 
maintains and distributes or posts for HHS and/or non-HHS parties to 
use to obtain assistance from or share information with the individuals 
on the list (for example, outside medical and research experts who wish 
to exchange knowledge and best practices and share studies, opinions, 
and training materials with each other); and any written consents from 
subject individuals permitting HHS to disclose their contact or other 
information to specific types of non-HHS parties, or to the public, for 
specific purposes.

RECORD SOURCE CATEGORIES:
    Most information is obtained directly from the individual who 
contacts or is contacted by HHS. Information may also be obtained from 
a third party who contacts HHS about or on behalf of a subject 
individual, or from records HHS compiles or persons HHS consults in 
order to provide a response, provide assistance, or otherwise follow up 
on the request or communication.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    In addition to other disclosures authorized directly in the Privacy 
Act at 5 U.S.C. 552a(b)(4) through (11), information about an 
individual may be disclosed from this system of records to parties 
outside HHS without the individual's prior, written consent, for these 
routine uses:
    1. Records may be disclosed to agency contractors and to student 
volunteers, interns, and other individuals who do not have the status 
of agency employees but have been engaged by HHS to assist in 
accomplishment of an HHS function relating to the purposes of this 
system of records and who need to have access to the records in order 
to assist HHS. Such individuals and contractors will be required to 
comply with the requirements of the Privacy Act.
    2. Records may be disclosed to other federal agencies and HHS 
partner agencies and organizations for the purpose of referring a 
request or issue to them for handling or obtaining their assistance 
with a response or issue.
    3. Notice of an award that HHS has made to an individual awardee in 
a particular congressional district may be disclosed to the member of 
Congress serving that district.
    4. Names of and biographical information about the individuals who 
authored, created, appear in, or are the subjects of information 
products may be disclosed with the products or in descriptions of the 
products used to publicize them, but would be disclosed without consent 
only if and to the extent that the names and biographical information 
would be required to be released to a requester under the Freedom of 
Information Act (FOIA).
    5. Records may be disclosed to a member of Congress or a 
congressional staff member in response to a written inquiry of the 
congressional office made at the written request of the constituent 
about whom the record is maintained. The congressional office does not 
have any greater authority to obtain records than the individual would 
have if requesting the records directly.
    6. Records may be disclosed to representatives of the National 
Archives and Records Administration during records management 
inspections conducted pursuant to 44 U.S.C. 2904 and 2906.
    7. Information may be disclosed to the Department of Justice (DOJ) 
or to a court or other adjudicative body in litigation or other 
proceedings, when:
    a. HHS or any of its component thereof, or
    b. any employee of HHS acting in the employee's official capacity, 
or
    c. any employee of HHS acting in the employee's individual capacity 
where the DOJ or HHS has agreed to represent the employee, or
    d. the United States Government, is a party to the proceeding or 
has an interest in such proceeding and, by careful review, HHS 
determines that the records are both relevant and necessary to the 
proceeding.
    8. Where a record, either alone or in conjunction with other 
information, indicates a violation or potential violation of law, 
whether civil, criminal, or regulatory in nature, and whether arising 
by general statute or by regulation, rule, or order issued pursuant 
thereto, the relevant records in the system of records may be referred, 
as a routine use, to the agency concerned, whether federal, state, 
local, tribal, territorial, or foreign, charged with the responsibility 
of investigating or prosecuting such violation or charged with 
enforcing or implementing the statute, or the rule, regulation, or 
order issued pursuant thereto.
    9. Records may be disclosed to appropriate agencies, entities, and 
persons when (1) HHS suspects or has confirmed that there has been a 
breach of the system of records, (2) HHS has determined that as a 
result of the suspected or confirmed breach there is a risk of harm to 
individuals, HHS (including its information systems, programs, and 
operations), the Federal Government, or national security, and (3) the 
disclosure made to such agencies, entities, and persons is reasonably 
necessary to assist in connection with HHS efforts to respond to the 
suspected or confirmed breach or to prevent, minimize, or remedy such 
harm.
    10. Records may be disclosed to another federal agency or federal 
entity, when HHS determines that information from this system of 
records is reasonably necessary to assist the recipient agency or 
entity in (1) responding to a suspected or confirmed breach or (2) 
preventing, minimizing, or remedying the risk of harm to individuals, 
the recipient agency or entity (including its information systems, 
programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.
    11. Records may be disclosed to the Department of Homeland Security 
(DHS) if captured in an intrusion detection system used by HHS and DHS 
pursuant to a DHS cybersecurity program that monitors internet traffic 
to and from federal government computer networks to prevent a variety 
of types of cybersecurity incidents.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    The records are stored in hard-copy files and/or electronic media.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records are retrieved by the individual requester's, 
correspondent's,

[[Page 28828]]

author's, or other record subject's name or other personal identifier, 
such as email address, request tracking number, user ID number, or 
other unique identifying number. Call center records may be retrieved 
by the name of the individual who contacted the call center.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
I. Official Correspondence (Including Significant White House and 
Congressional Correspondence)
    Official correspondence and tracking records are transferred to the 
custody of the National Archives in four-year blocks and permanently 
retained. See, for example, these schedules:
    A. Office of the Secretary (OS): DAA-0468-2011-0006-0003 (IOS); N1-
468-10-0001 (DAB); DAA-0468-2012-0003 (OMHA); DAA-0468-2011-0007 (ONC); 
N1-514-92-1 (OASH); DAA-0468-2013-009 (other OS Staff Divisions).
    B. Other Operating Divisions: DAA-0292-2016-0008 (ACF); DAA-510-
2017-003 and N1-510-94-1, Item 9 (AHRQ); DAA-0440-2015-0001, Item 1.2.2 
(CMS); N1-088-06-03, Items 4.1 and 4.2 (FDA); DAA-0512-2014-004, Item 
6.3 (HRSA); N1-513-92-005, Items 6-1 and 6-12 (IHS); DAA-0443-2017-
0003, Item 0001 (NIH).
II. Nonsignificant or Routine Correspondence:

A. OS:
    a. OASH: N1-514-92-1, Item 9. Routine congressional correspondence: 
Destroy when 7 years old, unless needed longer due to incumbent's 
continuance in office. Other routine correspondence: Cut off annually, 
and destroy when 5 years old.
    b. ONC: DAA-0468-2011-0007-003. Administrative correspondence 
files: Destroy 5 years after cutoff.
    c. OMHA: DAA-0468-2012-0003-0003. Working correspondence files: 
Destroy 3 years after cutoff.
    d. All other OS staff divisions: DAA-0468-2013-0009-0002. Routine 
files: destroy 5 years after cutoff.

B. Other Operating Divisions:
    a. ACF and AHRQ: Treated as official correspondence; see I.B. for 
schedules.
    b. CMS: DAA-0440-2015-0002-0002. Cut off at end of calendar year, 
and destroy no sooner than 3 years after cutoff; longer retention is 
authorized.
    c. FDA: N1-088-06-03. Cut off at end of calendar year, and destroy 
10 years after cutoff (Item 1.1.2) or 5 years after cutoff (Item 
1.2.2).
    d. HRSA: DAA-0512-2014-004, Items 6.3.1.2 and 6.3.1.3: 
Correspondence: Cut off at end of calendar year, and destroy 7 years 
after cutoff. Tracking records: Retain permanently.
    e. IHS: N1-513-92-005, Item s 6-1 b., 6-1 c., 6-12 b., and 11-12. 
Destroy when 6 years old if at the division level or higher. Destroy 
when 2 years old if below the division level.
    f. NIH: DAA-0443-2012-0007, Item 0003. Cut off annually at 
termination of project/program, and destroy 7 years after cutoff.
    g. CDC and SAMHSA: See OASH schedule N1-514-92-1, Item 9 (3) (CDC 
and SAMHSA were once part of OASH).
III. Call Center, Help Desk, and Similar Customer Service Records
     FDA Ombudsman records: N1-088-05-001, Item 2. Case files 
maintained by the Center Ombudsman Office (Item 2.3): Cut off 3 months 
after the end of the calendar year in which the case is closed or the 
appeal is completed, and destroy 3 years after cutoff. All other case 
files (Item 2.1) and finding aids (Item 2.2): Cut off at the end of the 
calendar year in which the final action is taken or the appeal is 
completed, and destroy 10 years after cutoff.
     Other customer service operations records: GRS 6.5 Item 
010 and GRS 5.8 Item 0101. Destroy 1 year after resolved or when no 
longer needed for business use, whichever is appropriate.
IV. Mailing and Contact List Records
     GRS 6.5 Item 020. Delete when superseded or obsolete or 
when the customer requests that the agency remove the records.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Safeguards conform to the HHS Information Security and Privacy 
Program, https://www.hhs.gov/ocio/securityprivacy/index.html. 
Information is safeguarded in accordance with applicable laws, rules 
and policies, including the HHS Information Technology Security Program 
Handbook; all pertinent National Institutes of Standards and Technology 
(NIST) publications, and OMB Circular A-130, Managing Information As a 
Strategic Resource. Records are protected from unauthorized access 
through appropriate administrative, physical, and technical safeguards. 
These safeguards include protecting the facilities where records are 
stored or accessed with security guards, badges and cameras, securing 
hard-copy records in locked file cabinets, file rooms or offices during 
off-duty hours, limiting access to electronic databases to authorized 
users based on roles and two-factor authentication (user ID and 
password), using a secured operating system protected by encryption, 
firewalls, and intrusion detection systems, requiring encryption for 
records stored on removable media, and training personnel in Privacy 
Act and information security requirements. Records that are eligible 
for destruction are disposed of using destruction methods prescribed by 
NIST SP 800-88.

RECORD ACCESS PROCEDURES:
    An individual seeking access to records about him or her in this 
system of records must submit a written request to the relevant System 
Manager indicated above. An access request must contain the name and 
address of the requester, email address or other identifying 
information, and his/her signature. To verify the requester's identity, 
the signature must be notarized or the request must include the 
requester's written certification that he/she is the person he/she 
claims to be and that he/she understands that the knowing and willful 
request for or acquisition of a record pertaining to an individual 
under false pretenses is a criminal offense subject to a fine of up to 
$5,000. An individual may also request an accounting of disclosures 
that have been made of the records about him or her, if any.

CONTESTING RECORD PROCEDURES:
    An individual seeking to amend a record about him or her in this 
system of records must submit a written request to the relevant System 
Manager indicated above. An amendment request must include verification 
of the requester's identity in the same manner required for an access 
request, and must reasonably identify the record and specify the 
information being contested, the corrective action sought, and the 
reasons for requesting the correction, along with supporting 
information to show how the record is inaccurate, incomplete, untimely, 
or irrelevant.

NOTIFICATION PROCEDURES:
    An individual who wishes to know if this system of records contains 
records about him or her must submit a written request to the relevant 
System Manager indicated above and verify his or her identity in the 
same manner required for an access request.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    None.

Notice of Rescindment

    For the reasons explained in the SUPPLEMENTARY INFORMATION section 
at

[[Page 28829]]

II., the following 15 systems of records are rescinded:
    These two SORNs are rescinded because the records no longer exist:

SYSTEM NAME AND NUMBER:
    ONC Health IT Dashboard, 09-90-1201

HISTORY:
    76 FR 79685 (Dec. 22, 2011); updated 83 FR 6591 (Feb. 14, 2018)

SYSTEM NAME AND NUMBER:
    Consumer Mailing List, 09-90-0041

HISTORY:
    47 FR 45514 (Oct. 13, 1982); updated 59 FR 55845 (Nov. 9, 1994), 83 
FR 6591 (Feb. 14, 2018)
    These 13 SORNs are rescinded because they have been replaced by new 
SORN 09-90-1901:

SYSTEM NAME AND NUMBER:
    OASH Correspondence Control System, 09-37-0001

HISTORY:
    51 FR 42352 (Nov. 24, 1986); updated 53 FR 47302 (Nov. 22, 1988), 
83 FR 6591 (Feb. 14, 2018)

SYSTEM NAME AND NUMBER:
    Telephone Directory/Locator System, 09-90-0001

HISTORY:
    47 FR 45514 (Oct. 13, 1982); updated 59 FR 55845 (Nov. 9, 1994), 83 
FR 6591 (Feb. 14, 2018)

SYSTEM NAME AND NUMBER:
    Congressional Correspondence Unit, 09-90-0027

HISTORY:
    47 FR 45514 (Oct. 13, 1982); updated 59 FR 55845 (Nov. 9, 1994), 83 
FR 6591 (Feb. 14, 2018)

SYSTEM NAME AND NUMBER:
    Secretariat's Correspondence Control System, 09-90-0037

HISTORY:
    47 FR 45514 (Oct. 13, 1982); updated 59 FR 55845 (Nov. 9, 1994), 83 
FR 6591 (Feb. 14, 2018)

SYSTEM NAME AND NUMBER:
    Secretary's Official Files, 09-90-0038

HISTORY:
    47 FR 45514 (Oct. 13, 1982); updated 59 FR 55845 (Nov. 9, 1994), 83 
FR 6591 (Feb. 14, 2018)

SYSTEM NAME AND NUMBER:
    Congressional Grants Notification Unit, 09-90-0072

HISTORY:
    47 FR 45514 (Oct. 13, 1982); updated 59 FR 55845 (Nov. 9, 1994), 83 
FR 6591 (Feb. 14, 2018)

SYSTEM NAME AND NUMBER:
    Minority Health Information Services, 09-90-0161

HISTORY:
    75 FR 18837 (Apr. 13, 2010); updated 83 FR 6591 (Feb. 14, 2018)

SYSTEM NAME AND NUMBER:
    [FDA] Communications (Oral and Written) with the Public, 09-10-0004

HISTORY:
    51 FR 42524 (Nov. 24, 1986); updated 54 FR 47912 (Nov. 17, 1989), 
79 FR 36536 (June 17, 2014), 83 FR 6591 (Feb. 14, 2018)

SYSTEM NAME AND NUMBER:
    [HRSA] Strategic Work Information and Folder Transfer System 
(SWIFT), 09-15-0059

HISTORY:
    75 FR 57806 (Sept. 22, 2010); updated 83 FR 6591 (Feb. 14, 2018)

SYSTEM NAME AND NUMBER:
    [CDC] Division of Training Mailing List, 09-20-0059

HISTORY:
    51 FR 42449 (Nov. 24, 1986); updated 58 FR 69048 (Dec. 29, 1993); 
83 FR 6591 (Feb. 14, 2018)

SYSTEM NAME AND NUMBER:
    [NIH] Administration: Office of the NIH Director and Institute/
Center Correspondence Records, 09-25-0106

HISTORY:
    67 FR 60742 at 60758 (Sept. 26, 2002); updated 83 FR 6591 (Feb. 14, 
2018)

SYSTEM NAME AND NUMBER:
    [SAMHSA] Correspondence Files, 09-30-0033

HISTORY:
    75 FR 28268 (May 20, 2010); 83 FR 6591 (Feb. 14, 2018)

SYSTEM NAME AND NUMBER:
    SAMHSA Information Mailing System (SIMS), 09-30-0051

HISTORY:
    75 FR 28272 (May 20, 2010); updated 83 FR 6591 (Feb. 14, 2018)

SYSTEM NAME AND NUMBER:
    CMS Correspondence Tracking Management System (CTMS), 09-70-3005

HISTORY:
    67 FR 57020 (Sept. 6, 2002); updated 83 FR 6591 (Feb. 14, 2018)

[FR Doc. 2019-13112 Filed 6-19-19; 8:45 am]
 BILLING CODE 4150-25-P