[Federal Register Volume 84, Number 119 (Thursday, June 20, 2019)] [Notices] [Pages 28823-28829] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 2019-13112] ----------------------------------------------------------------------- DEPARTMENT OF HEALTH AND HUMAN SERVICES Privacy Act of 1974; System of Records AGENCY: Department of Health and Human Services. ACTION: Notice of a new system of records, and rescindment of related systems. ----------------------------------------------------------------------- SUMMARY: In accordance with the Privacy Act of 1974, as amended, the Department of Health and Human Services (HHS) is establishing a new department-wide system of records, titled HHS Correspondence, Customer Service, and Contact List Records, system no. 09-90-1901. The new system of records replaces 13 existing systems of records which are rescinded in this notice, and it includes additional records not currently covered by any SORN. Two other related systems of records are also rescinded in this notice, but not replaced by the new SORN, because those records no longer exist. DATES: In accordance with 5 U.S.C. 552a(e)(4) and (11), this notice is applicable June 20, 2019, subject to a 30-day period in which to comment on the routine uses, described below. Please submit any comments by July 22, 2019. ADDRESSES: The public should submit written comments on this notice, by mail or email, to Beth Kramer, HHS Privacy Act Officer, 200 Independence Ave. SW, Suite 729H, Washington, DC 20201, or [email protected]. Comments will be available for public viewing at the same location. To review comments in person, please contact Beth Kramer at [email protected] or 202-690-6941. FOR FURTHER INFORMATION CONTACT: General questions may be submitted to Beth Kramer, HHS Privacy Act Officer, at 200 Independence Ave. SW, Suite 729H, Washington, DC 20201, or [email protected], or 202-690- 6941. SUPPLEMENTARY INFORMATION: I. Background on New SORN 09-90-1901 HHS is establishing this new department-wide system of records to cover records about individuals within or outside HHS which are retrieved by personal identifier and used in managing HHS correspondence and customer service functions, including help desk and call center activities, dissemination of publications, studies, opinions, unrestricted datasets, and other information, and mailing and contact lists, unless covered by a more specific system of records notice (SORN). It will include the records currently covered in 13 related SORNs, in order to replace and rescind those SORNs, but with revisions where needed to provide updated descriptions of those records. It will also include other functionally similar records not currently covered by any SORN. The up-to-date records descriptions used in the new SORN differ from the descriptions used in the replaced SORNs in these respects:The System Manager contact information has been updated and is grouped by record type. The System Location section refers to the contact information shown in the System Manager section. The Authorities section now cites 5 U.S.C. 301, 305; 21 U.S.C. 301 et seq.; 31 U.S.C. 1115(b)(6); 40 U.S.C. 11313; 42 U.S.C. 201 et seq.; 44 U.S.C. 3101; E.O. 11583; and E.O. 13571. This differs from the authorities cited in each replaced SORN as follows: a. OS SORNs 09-37-0001, 09-90-0027, 09-90-0037, 09-90-0038, and 09- 90-0072 and HRSA SORN 09-15-0059 cited only one of the authorities cited in the new SORN, 5 U.S.C. 301. b. NIH SORN 09-25-0106 cited two authorities cited in the new SORN, 5 U.S.C. 301 and 44 U.S.C. 3101. c. OS SORN 09-90-0001 cited 5 U.S.C. 301 and one authority not cited in the new SORN: 40 U.S.C. 486(c). d. FDA SORN 09-10-0004 cited 42 U.S.C. 201 et seq., which is cited in the new SORN, and two authorities not cited in the new SORN: 21 U.S.C. 321 et seq. and 21 CFR part 5. e. SAMHSA SORN 09-30-0033 cited portions of title 42 of the United States Code, which is cited in the new SORN, and these authorities not cited in the new SORN: 8 U.S.C. 1522 note, as amended by sec. 501(c) of Public Law 96-422; E.O. 12341; and sec. 413 of Public Law 93-288 as amended and redesignated as sec. 416 by Public Law 100-107 [sic; probably should be Public Law 101-707, amending 42 U.S.C. 5183]. f. These SORNs cited none of the authorities cited in the new SORN: i. OS SORN 09-90-0161 cited 42 U.S.C. 300u-6; ii. CDC SORN 09-20-0059 cited 29 U.S.C. 670; iii. CMS SORN 09-70-3005 cited 42 U.S.C. 1306(a) and 42 CFR 401.101-401.148; and iv. SAMHSA SORN 09-30-0051 cited sec. 501 of the Public Health Service Act (42 U.S.C. 290a) as amended by Public Law 102-321 and Public Law 106-310. The new SORN provides broader and more detailed descriptions of the categories of records and the purposes for which the records are used than were in each replaced SORN, in recognition that some of the records interrelate with each other and may be maintained and used together, and by more than one office, to achieve certain purposes. Each replaced SORN [[Page 28824]] described how a particular office or component used a particular set of records. The categories of individuals are effectively the same as in the replaced SORNs, except that the description in the new SORN is not limited to individuals who are the subject of a particular set of records, yet is worded to avoid including individuals who don't qualify as record subjects for Privacy Act purposes. For example, it does not include individuals whose personal identifiers are used to retrieve records that are not, in fact, about them, which was an error in OS SORNs 09-90-0027 and 09-90-0072. Unnecessary routine uses (e.g., for disclosures that would be made with consent or that are not in fact made) are not included. Routine uses 3 and 4 are worded to apply to only certain records; the other routine uses apply to all records in the new SORN, but were not in some of the replaced SORNs; i.e.: a. Routine use 10 was not in any of the replaced SORNs. b. Routine use 2 was not in FDA SORN 09-10-0004. c. Routine uses 6 and 8 were not in OS SORN 09-90-0027. d. Routine uses 2, 6, and 8 were not in OS SORNs 09-90-0037, 09-90- 0038, and 09-90-0072; HRSA SORN 09-15-005; CDC SORN 09-20-0059; SAMHSA SORN 09-30-0051; and CMS SORN 09-70-3005. e. Routine uses 2, 5, 6, and 8 were not in OS SORNs 09-90-0001 and 09-90-0161. f. Routine uses 1, 2, 6, and 8 were not in OS SORN 09-37-0001, NIH SORN 09-25-0106, and SAMHSA SORN 09-30-0036. The disposal section identifies applicable disposition schedules (some of the replaced SORNs did not). The storage and safeguards sections are up-to-date, and were not up-to-date in some of the replaced SORNs. II. Background on the Rescinded SORNs A. HHS is rescinding the following two systems of records because the records no longer exist: 1. 09-90-1201 ONC Health IT Dashboard. This SORN covered records containing identifying information, retrieved by National Provider Identifier (NPI), about health care providers who registered to receive health IT implementation assistance from grantees of the Office of the National Coordinator for Health IT (ONC), which were used by the grantees to provide that assistance and by HHS/ONC to evaluate the status of electronic health record implementation and validate grantees' claims for grant payments. The SORN reflected that the records would be retained for approximately two years after the completion of the grant program. The grant program ended in 2014, and the records that were retrieved by NPI were destroyed when business use ceased. 2. 09-90-0041 Consumer Mailing List. This SORN was established by an office which was transferred from the Office of the Secretary (OS) to the Centers for Medicare & Medicaid Services (CMS) in 2011 and renamed the Center for Consumer Information and Insurance Oversight (CCIIO). It covered a list which was used to distribute information on current consumer topics to consumers, academicians, librarians, business and government officials, and the media. The list is no longer maintained, and the records no longer exist. B. HHS is rescinding these 13 systems of records and replacing them with the new department-wide SORN 09-90-1901: 3. 09-37-0001 OASH Correspondence Control System. These records pertain to individuals who have contacted, or have been contacted in writing by, the Assistant Secretary for Health (OASH) or a subordinate official. The records consist of copies of correspondence and tracking records which are used to control, track, and ensure timely and appropriate attention to correspondence addressed to or initiated by such officials. The routine uses authorize disclosures to contractors and other non-employees engaged to perform functions for HHS and disclosures for purposes of responding to or handling litigation and security incidents. 4. 09-90-0001 Telephone Directory/Locator System. This SORN covers HHS office contact records for HHS employees, other federal agency employees, and HHS contractor personnel located at HHS, which are retrieved by the personnel members' names and used to locate the individuals, route mail, and produce departmental telephone (and now also email) directories. The routine uses authorize disclosures to contractors and other non-employees engaged to perform functions for HHS and disclosures for purposes of responding to or handling litigation and security incidents. 5. 09-90-0027 Congressional Correspondence Unit. This SORN covers records of constituent requests received from members of Congress and HHS' responses to same, and any associated work papers, which are about individual constituents and retrieved by constituent name (the SORN misdescribes them as being about members of Congress and as retrieved by only member of Congress name). The records are maintained by the Assistant Secretary for Legislation (ASL). The routine uses authorize disclosures to contractors and other non-employees engaged to perform functions for HHS, to another federal agency in order to route a misdirected request to that agency for response, to the member of Congress in responding to the request, to the Department of Justice for litigation purposes, and to other federal agencies and parties in responding to security incidents. 6. 09-90-0037 Secretariat's Correspondence Control System. These department-wide records, which were formerly maintained by the Immediate Office of the Secretary (OS/IOS), are now maintained by HHS' Administration for Children and Families (ACF), and are now retrieved by the subject individual's first or last name, city or state, or correspondence tracking number. The records are about individuals who have contacted, or have been contacted in writing by, an HHS official, and consist of control information from official correspondence, including a narrative subject description, organization drafting the response, and type of action required from the Department. The routine uses authorize disclosures to contractors and other non-employees engaged to perform functions for HHS and disclosures for purposes of responding to or handling congressional inquiries, litigation, and security incidents. 7. 09-90-0038 Secretary's Official Files. These records are about individuals who have contacted, or have been contacted in writing by, the Secretary or Under Secretary (currently referred to as the Deputy Secretary), and include copies of documents signed or initialed by one of those officials. The routine uses authorize disclosures to contractors and other non-employees engaged to perform functions for HHS and disclosures for purposes of responding to or handling congressional inquiries, litigation, and security incidents. 8. 09-90-0072 Congressional Grants Notification Unit. This SORN covers correspondence maintained by the Assistant Secretary for Legislation (ASL) notifying members of Congress of grants and other contracts that HHS has awarded to recipients in their districts. (The SORN erroneously states that the records are about members of Congress; however, the records are about awardees, not members of Congress.) The routine uses authorize disclosures [[Page 28825]] to contractors and other non-employees engaged to perform functions for HHS, to members of Congress in responding to constituent inquiries, to the Department of Justice for litigation purposes, and to other federal agencies and parties for purposes of responding to security incidents. 9. 09-90-0161 Minority Health Information Services. These records are used by the Office of Minority Health (OMH) within the Office of the Assistant Secretary for Health (OASH) to track and respond to requests from members of the public who ask to receive health information in the form of OMH's electronic newsletter and intermittent email updates. At times, OMH may also maintain records about individuals who volunteer to serve as resource persons to provide pro bono technical assistance to community organizations or government agencies working on aspects of minority health or in an OMH campaign. The routine uses in this SORN authorize disclosures to (and web postings meant to reach) parties seeking assistance from a resource person; disclosures to contractors; and disclosures for the purposes of responding to or handling litigation and security incidents. 10. 09-10-0004 [FDA] Communications (Oral and Written) with the Public. This SORN covers records of information requests, consumer complaints, and other correspondence from or about individuals (other than employees of Food & Drug Administration (FDA)-regulated enterprises) who communicate with or are the subject of communications with FDA. The records include FDA-related Secretarial correspondence and congressional correspondence which is also covered in other SORNs listed above. The records are retrieved by the correspondent's (or other individual record subject's) name, and are used to track and respond to the correspondence. The routine uses authorize disclosures to refer potential law violations to the Department of Justice, a state food and drug enforcement health agency or licensing authority or the government of a foreign country for investigation; to a member of Congress for purposes of responding to a constituent request; to the Department of Justice for litigation purposes; and to other federal agencies and parties for purposes of responding to a security incident. 11. 09-15-0059 [HRSA] Strategic Work Information and Folder Transfer System (SWIFT). The records covered by this SORN are about individuals who have contacted, or have been contacted, in writing by the Administrator of the Health Resources and Services Administration (HRSA) or a subordinate official (excluding FOIA and Privacy Act access request-related correspondence, which is maintained in the SWIFT information technology system but is covered under a more specific SORN, 09-90-0058 Tracking Records and Case Files for FOIA and Privacy Act Requests and Appeals). The records are retrieved by the correspondent's (or other record subject's) name, and are used to control and track the correspondence to ensure the correspondence receives timely and appropriate attention. The routine uses authorize disclosures for purposes of responding to or handling congressional inquiries, litigation, and security incidents. 12. 09-20-0059 [CDC] Division of Training Mailing List. This SORN covers a mailing list maintained by the Centers for Disease Control and Prevention's National Institute for Occupational Safety and Health (CDC/NIOSH), which contains the name, mailing address, and student number of each individual who has taken a NIOSH training course or who has asked to be placed on the list. The records are retrieved by student name and number. The list is used to advise the individuals of upcoming NIOSH training courses. The routine uses authorize disclosures to contractors providing computer support for the system of records and disclosures for purposes of responding to or handling congressional inquiries, litigation, and security incidents. 13. 09-25-0106 Administration: Office of the NIH Director and Institute/Center Correspondence Records. These records consist of correspondence, other supporting documents, and mailing lists pertaining to individuals who have contacted, or who have been contacted in writing by, the Director of the National Institutes of Health (NIH) or a subordinate. The records include NIH-related Secretarial correspondence and congressional correspondence which is also covered in other SORNs listed above. The records are retrieved by the correspondent's name and are used to control, address and track the correspondence to assure timely and appropriate attention. The routine uses authorize disclosures for purposes of responding to or handling congressional inquiries, litigation, and security incidents. 14. 09-30-0033 [SAMHSA] Correspondence Files. This SORN covers records of correspondence from individuals who request information about Substance Abuse and Mental Health Services Administration (SAMHSA) programs, and includes SAMHSA-related Secretarial correspondence and congressional correspondence which is also covered in other SORNs listed above. The records are retrieved by the correspondent's name and are used for reference purposes and to assure timely and appropriate attention. The routine uses authorize disclosures for purposes of responding to or handling congressional inquiries, litigation, and security incidents. 15. 09-30-0051 SAMHSA Information Mailing System (SIMS). This SORN covers records of correspondence from individuals who request publications and other information from the SAMHSA internet site, which is used to maintain a mailing list for purposes of providing the individuals with SAMHSA publications and other print materials they have identified as of interest to them and to inform them of new and upcoming publications. The records contain the individual's name (which is used for retrieval), contact information, title, occupation, organization type, ethnic group, level of education, and SAMHSA topics or areas of interest. The routine uses authorize disclosures to SAMHSA contractors, experts, and consultants and disclosures for purposes of responding to or handling congressional inquiries, litigation, and security incidents. 16. 09-70-3005 [CMS] Correspondence Tracking Management System (CTMS). This SORN covers records of correspondence from or about individuals who request information about Centers for Medicare & Medicaid Services (CMS) programs or who are the subject of such correspondence from others. These records include CMS-related Secretarial correspondence and congressional correspondence which is also covered in other SORNs listed above. The records are retrieved by the correspondent's (or other record subject's) name and are used to track the correspondence and to support regulatory, reimbursement, and policy functions. The routine uses authorize disclosures to agency contractors and consultants and disclosures for purposes of responding to or handling congressional inquiries, litigation, and security incidents. Dated: May 30, 2019. Michael S. Marquis, Director, FOIA/Privacy Act Division, Office of Assistant Secretary for Public Affairs. SYSTEM NAME AND NUMBER: HHS Correspondence, Customer Service, and Contact List Records, 09- 90-1901. [[Page 28826]] SECURITY CLASSIFICATION: Unclassified. SYSTEM LOCATION: The address of each agency component responsible for this system of records is as shown in the System Manager(s) section below. SYSTEM MANAGER(S): The System Managers are as follows: Congressional correspondence: HHS Assistant Secretary for Legislation, Congressional Liaison Office, Rm. 406G, 200 Independence Ave. SW, Washington, DC 20201, (202) 690-7627. HHS Secretarial and Deputy Secretary correspondence: HHS Executive Secretariat, Rm. 603H, 200 Independence Ave. SW, Washington, DC 20201, (202) 690-7000. Other official correspondence (managed by ACF for HHS): Administration for Children and Families Executive Secretariat Office, Deputy Director, 330 C St. SW, Washington, DC 20201, [email protected]. Information product ordering and distribution records: a. AHRQ: Director, Office of Communications and Knowledge Transfer, Agency for Healthcare Research and Quality, 5600 Fishers Ln., 7th Floor, Rockville, MD 20857, (301) 427-1364. b. CMS: Director, Office of Communications, Centers for Medicare & Medicaid Services, 7500 Security Blvd., Baltimore, MD 21244, (410) 786- 1338. c. FDA Privacy Act Coordinator, Food and Drug Administration, 5630 Fishers Ln., Rm. 1035, Rockville, MD 20857, (301) 796-3900. d. SAMHSA: Director, Office of Communications, Substance Abuse and Mental Health Services Administration, 5600 Fishers Ln., Rockville, MD 20857, (240) 276-2201. Call center, ombudsman, and help desk records: a. ONE-DHHS: FedResponse Service Director, Program Support Center, 7700 Wisconsin Ave., Bethesda, MD 20814, (877) 696-6775. b. FDA Call Centers: FDA Privacy Act Coordinator, Food and Drug Administration, 5630 Fishers Ln., Rm. 1035, Rockville, MD 20857, (301) 796-3900. Mailing list and contact list records: a. OASH/OMH mailing and contact list records: Office of Minority Health, The Tower Building, 1101 Wootton Pkwy, Suite 600, Rockville, MD 20852, (240) 453-2882. b. FDA mailing and contact list records: FDA Privacy Act Coordinator, Food and Drug Administration, 5630 Fishers Ln., Rm. 1035, Rockville, MD 20857, (301) 796-3900. Any other records not accounted for above: see ONE-DHHS contact information, under Call center, above. AUTHORITY FOR MAINTENANCE OF THE SYSTEM: 5 U.S.C. 301, 305; 21 U.S.C. 301 et seq.; 31 U.S.C. 1115(b)(6); 40 U.S.C. 11313; 42 U.S.C. 201 et seq.; 44 U.S.C. 3101; E.O. 11583; E.O. 13571. PURPOSE(S) OF THE SYSTEM: The records in this system of records are used for the purpose of managing HHS correspondence, information dissemination, and customer service functions; i.e., to maintain, track, control, route, and locate information and documents created, received, requested, and used in managing those functions, in order to provide timely and appropriate actions, responses, notices, services, coordination, referrals, or other follow-up, avoid duplicate entries, and ensure consistency. Correspondence, information dissemination, and customer service functions include non-law enforcement-related help desk and call center activities; handling of consumer complaints; dissemination of publications, unrestricted datasets, and other information; and maintenance of mailing and contact lists. The records may also be used to compile aggregate statistics for the purpose of evaluating and improving these functions. CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: The records are about individuals within and outside HHS who contact HHS to request or offer information, information products, or services or to communicate a complaint or other information, or who receive correspondence from HHS, or who are the author or subject of such publications, communications, or correspondence by or with HHS, or who are included in mailing and contact lists maintained by HHS, when the records are used to support HHS correspondence, customer service, and/or contact and mailing list functions and are retrieved by the individuals' names or other personal identifiers (unless the records are covered by a more specific system of records notice (SORN)). CATEGORIES OF RECORDS IN THE SYSTEM: The categories of records include: Secretarial and other official correspondence, congressional correspondence, and other correspondence. These records include copies of requests or other communications addressed or routed to an HHS official for response or other follow-up; copies of correspondence initialed or signed by an HHS official; tracking and control records (indicating, e.g., the date and subject of the correspondence; the name of the correspondent and/or other individual record subject--for example, a constituent identified in congressional correspondence; the action required; the organization drafting the response); and associated work papers. Records used in disseminating or filling orders for publications, stock photographs, audio visual productions, unrestricted datasets, and other information products. These include indexes to repositories of informational materials, request records, and order fulfilment records. Indexes may contain names of individuals (such as authors or subjects) used to retrieve materials when needed for distribution or to fulfill a request. Request records identify the date of the request, the product requested, the requester, and the address to use for delivery. Order fulfillment records contain proof of delivery, including the delivery date and address used for delivery, which may be a mailing address or email address if delivery was through a public access web portal or link. Any associated payment records (if a fee is charged for the information product) are covered by system of records 09-90-0024 HHS Financial Management System Records. Call center and help desk records. These include contact records (containing the name of the individual who contacted the call center or help desk, his or her contact information, and location information if relevant, unless the individual wishes to be anonymous) and request records (containing the date and nature of the request, complaint, or report, the name of the call center staff member who handled the request, complaint, or report, and actions taken, such as providing an answer from a call center script, documenting the report, or assigning and routing the request to the appropriate program office to handle). Note that recordings of ONE-DHHS telephone calls are destroyed after 90 days and are not retrieved by personal identifier so are not covered by this SORN. Mailing list records. These include the lists and any records used to compile and maintain the lists (e.g., existing contact lists; invitations to join and requests to be added to or removed from a list; address changes) containing an individual's contact information (e.g., mailing address or email address) and indicating the particular information or notices the individual [[Page 28827]] would receive or would like to receive from HHS (e.g., publications on particular health topics; an electronic newsletter; notice of upcoming training courses; notice when new material is added to a website). The records may also include information that the particular program requires or requests individuals to provide about themselves (e.g., characteristics such as profession, employing organization, educational level, practice setting, geographic location, age, ethnicity) to enable the agency to aggregate or organize the information or compile statistics on the types of individuals receiving the information distributed through the list. Contact list records. These include the lists and any records used to compile and maintain the lists, containing names, contact information, and any other relevant information (e.g., expertise type, primary language, geographic region) for individuals who HHS regularly contacts (such as, authors and sole proprietor media stakeholders) and/or individuals who have agreed to be included on or have asked to be removed from a particular list of contacts HHS maintains and distributes or posts for HHS and/or non-HHS parties to use to obtain assistance from or share information with the individuals on the list (for example, outside medical and research experts who wish to exchange knowledge and best practices and share studies, opinions, and training materials with each other); and any written consents from subject individuals permitting HHS to disclose their contact or other information to specific types of non-HHS parties, or to the public, for specific purposes. RECORD SOURCE CATEGORIES: Most information is obtained directly from the individual who contacts or is contacted by HHS. Information may also be obtained from a third party who contacts HHS about or on behalf of a subject individual, or from records HHS compiles or persons HHS consults in order to provide a response, provide assistance, or otherwise follow up on the request or communication. ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES: In addition to other disclosures authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(4) through (11), information about an individual may be disclosed from this system of records to parties outside HHS without the individual's prior, written consent, for these routine uses: 1. Records may be disclosed to agency contractors and to student volunteers, interns, and other individuals who do not have the status of agency employees but have been engaged by HHS to assist in accomplishment of an HHS function relating to the purposes of this system of records and who need to have access to the records in order to assist HHS. Such individuals and contractors will be required to comply with the requirements of the Privacy Act. 2. Records may be disclosed to other federal agencies and HHS partner agencies and organizations for the purpose of referring a request or issue to them for handling or obtaining their assistance with a response or issue. 3. Notice of an award that HHS has made to an individual awardee in a particular congressional district may be disclosed to the member of Congress serving that district. 4. Names of and biographical information about the individuals who authored, created, appear in, or are the subjects of information products may be disclosed with the products or in descriptions of the products used to publicize them, but would be disclosed without consent only if and to the extent that the names and biographical information would be required to be released to a requester under the Freedom of Information Act (FOIA). 5. Records may be disclosed to a member of Congress or a congressional staff member in response to a written inquiry of the congressional office made at the written request of the constituent about whom the record is maintained. The congressional office does not have any greater authority to obtain records than the individual would have if requesting the records directly. 6. Records may be disclosed to representatives of the National Archives and Records Administration during records management inspections conducted pursuant to 44 U.S.C. 2904 and 2906. 7. Information may be disclosed to the Department of Justice (DOJ) or to a court or other adjudicative body in litigation or other proceedings, when: a. HHS or any of its component thereof, or b. any employee of HHS acting in the employee's official capacity, or c. any employee of HHS acting in the employee's individual capacity where the DOJ or HHS has agreed to represent the employee, or d. the United States Government, is a party to the proceeding or has an interest in such proceeding and, by careful review, HHS determines that the records are both relevant and necessary to the proceeding. 8. Where a record, either alone or in conjunction with other information, indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or by regulation, rule, or order issued pursuant thereto, the relevant records in the system of records may be referred, as a routine use, to the agency concerned, whether federal, state, local, tribal, territorial, or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, or the rule, regulation, or order issued pursuant thereto. 9. Records may be disclosed to appropriate agencies, entities, and persons when (1) HHS suspects or has confirmed that there has been a breach of the system of records, (2) HHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the Federal Government, or national security, and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm. 10. Records may be disclosed to another federal agency or federal entity, when HHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach. 11. Records may be disclosed to the Department of Homeland Security (DHS) if captured in an intrusion detection system used by HHS and DHS pursuant to a DHS cybersecurity program that monitors internet traffic to and from federal government computer networks to prevent a variety of types of cybersecurity incidents. POLICIES AND PRACTICES FOR STORAGE OF RECORDS: The records are stored in hard-copy files and/or electronic media. POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS: Records are retrieved by the individual requester's, correspondent's, [[Page 28828]] author's, or other record subject's name or other personal identifier, such as email address, request tracking number, user ID number, or other unique identifying number. Call center records may be retrieved by the name of the individual who contacted the call center. POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS: I. Official Correspondence (Including Significant White House and Congressional Correspondence) Official correspondence and tracking records are transferred to the custody of the National Archives in four-year blocks and permanently retained. See, for example, these schedules: A. Office of the Secretary (OS): DAA-0468-2011-0006-0003 (IOS); N1- 468-10-0001 (DAB); DAA-0468-2012-0003 (OMHA); DAA-0468-2011-0007 (ONC); N1-514-92-1 (OASH); DAA-0468-2013-009 (other OS Staff Divisions). B. Other Operating Divisions: DAA-0292-2016-0008 (ACF); DAA-510- 2017-003 and N1-510-94-1, Item 9 (AHRQ); DAA-0440-2015-0001, Item 1.2.2 (CMS); N1-088-06-03, Items 4.1 and 4.2 (FDA); DAA-0512-2014-004, Item 6.3 (HRSA); N1-513-92-005, Items 6-1 and 6-12 (IHS); DAA-0443-2017- 0003, Item 0001 (NIH). II. Nonsignificant or Routine Correspondence: A. OS: a. OASH: N1-514-92-1, Item 9. Routine congressional correspondence: Destroy when 7 years old, unless needed longer due to incumbent's continuance in office. Other routine correspondence: Cut off annually, and destroy when 5 years old. b. ONC: DAA-0468-2011-0007-003. Administrative correspondence files: Destroy 5 years after cutoff. c. OMHA: DAA-0468-2012-0003-0003. Working correspondence files: Destroy 3 years after cutoff. d. All other OS staff divisions: DAA-0468-2013-0009-0002. Routine files: destroy 5 years after cutoff. B. Other Operating Divisions: a. ACF and AHRQ: Treated as official correspondence; see I.B. for schedules. b. CMS: DAA-0440-2015-0002-0002. Cut off at end of calendar year, and destroy no sooner than 3 years after cutoff; longer retention is authorized. c. FDA: N1-088-06-03. Cut off at end of calendar year, and destroy 10 years after cutoff (Item 1.1.2) or 5 years after cutoff (Item 1.2.2). d. HRSA: DAA-0512-2014-004, Items 6.3.1.2 and 6.3.1.3: Correspondence: Cut off at end of calendar year, and destroy 7 years after cutoff. Tracking records: Retain permanently. e. IHS: N1-513-92-005, Item s 6-1 b., 6-1 c., 6-12 b., and 11-12. Destroy when 6 years old if at the division level or higher. Destroy when 2 years old if below the division level. f. NIH: DAA-0443-2012-0007, Item 0003. Cut off annually at termination of project/program, and destroy 7 years after cutoff. g. CDC and SAMHSA: See OASH schedule N1-514-92-1, Item 9 (3) (CDC and SAMHSA were once part of OASH). III. Call Center, Help Desk, and Similar Customer Service Records FDA Ombudsman records: N1-088-05-001, Item 2. Case files maintained by the Center Ombudsman Office (Item 2.3): Cut off 3 months after the end of the calendar year in which the case is closed or the appeal is completed, and destroy 3 years after cutoff. All other case files (Item 2.1) and finding aids (Item 2.2): Cut off at the end of the calendar year in which the final action is taken or the appeal is completed, and destroy 10 years after cutoff. Other customer service operations records: GRS 6.5 Item 010 and GRS 5.8 Item 0101. Destroy 1 year after resolved or when no longer needed for business use, whichever is appropriate. IV. Mailing and Contact List Records GRS 6.5 Item 020. Delete when superseded or obsolete or when the customer requests that the agency remove the records. ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS: Safeguards conform to the HHS Information Security and Privacy Program, https://www.hhs.gov/ocio/securityprivacy/index.html. Information is safeguarded in accordance with applicable laws, rules and policies, including the HHS Information Technology Security Program Handbook; all pertinent National Institutes of Standards and Technology (NIST) publications, and OMB Circular A-130, Managing Information As a Strategic Resource. Records are protected from unauthorized access through appropriate administrative, physical, and technical safeguards. These safeguards include protecting the facilities where records are stored or accessed with security guards, badges and cameras, securing hard-copy records in locked file cabinets, file rooms or offices during off-duty hours, limiting access to electronic databases to authorized users based on roles and two-factor authentication (user ID and password), using a secured operating system protected by encryption, firewalls, and intrusion detection systems, requiring encryption for records stored on removable media, and training personnel in Privacy Act and information security requirements. Records that are eligible for destruction are disposed of using destruction methods prescribed by NIST SP 800-88. RECORD ACCESS PROCEDURES: An individual seeking access to records about him or her in this system of records must submit a written request to the relevant System Manager indicated above. An access request must contain the name and address of the requester, email address or other identifying information, and his/her signature. To verify the requester's identity, the signature must be notarized or the request must include the requester's written certification that he/she is the person he/she claims to be and that he/she understands that the knowing and willful request for or acquisition of a record pertaining to an individual under false pretenses is a criminal offense subject to a fine of up to $5,000. An individual may also request an accounting of disclosures that have been made of the records about him or her, if any. CONTESTING RECORD PROCEDURES: An individual seeking to amend a record about him or her in this system of records must submit a written request to the relevant System Manager indicated above. An amendment request must include verification of the requester's identity in the same manner required for an access request, and must reasonably identify the record and specify the information being contested, the corrective action sought, and the reasons for requesting the correction, along with supporting information to show how the record is inaccurate, incomplete, untimely, or irrelevant. NOTIFICATION PROCEDURES: An individual who wishes to know if this system of records contains records about him or her must submit a written request to the relevant System Manager indicated above and verify his or her identity in the same manner required for an access request. EXEMPTIONS PROMULGATED FOR THE SYSTEM: None. HISTORY: None. Notice of Rescindment For the reasons explained in the SUPPLEMENTARY INFORMATION section at [[Page 28829]] II., the following 15 systems of records are rescinded: These two SORNs are rescinded because the records no longer exist: SYSTEM NAME AND NUMBER: ONC Health IT Dashboard, 09-90-1201 HISTORY: 76 FR 79685 (Dec. 22, 2011); updated 83 FR 6591 (Feb. 14, 2018) SYSTEM NAME AND NUMBER: Consumer Mailing List, 09-90-0041 HISTORY: 47 FR 45514 (Oct. 13, 1982); updated 59 FR 55845 (Nov. 9, 1994), 83 FR 6591 (Feb. 14, 2018) These 13 SORNs are rescinded because they have been replaced by new SORN 09-90-1901: SYSTEM NAME AND NUMBER: OASH Correspondence Control System, 09-37-0001 HISTORY: 51 FR 42352 (Nov. 24, 1986); updated 53 FR 47302 (Nov. 22, 1988), 83 FR 6591 (Feb. 14, 2018) SYSTEM NAME AND NUMBER: Telephone Directory/Locator System, 09-90-0001 HISTORY: 47 FR 45514 (Oct. 13, 1982); updated 59 FR 55845 (Nov. 9, 1994), 83 FR 6591 (Feb. 14, 2018) SYSTEM NAME AND NUMBER: Congressional Correspondence Unit, 09-90-0027 HISTORY: 47 FR 45514 (Oct. 13, 1982); updated 59 FR 55845 (Nov. 9, 1994), 83 FR 6591 (Feb. 14, 2018) SYSTEM NAME AND NUMBER: Secretariat's Correspondence Control System, 09-90-0037 HISTORY: 47 FR 45514 (Oct. 13, 1982); updated 59 FR 55845 (Nov. 9, 1994), 83 FR 6591 (Feb. 14, 2018) SYSTEM NAME AND NUMBER: Secretary's Official Files, 09-90-0038 HISTORY: 47 FR 45514 (Oct. 13, 1982); updated 59 FR 55845 (Nov. 9, 1994), 83 FR 6591 (Feb. 14, 2018) SYSTEM NAME AND NUMBER: Congressional Grants Notification Unit, 09-90-0072 HISTORY: 47 FR 45514 (Oct. 13, 1982); updated 59 FR 55845 (Nov. 9, 1994), 83 FR 6591 (Feb. 14, 2018) SYSTEM NAME AND NUMBER: Minority Health Information Services, 09-90-0161 HISTORY: 75 FR 18837 (Apr. 13, 2010); updated 83 FR 6591 (Feb. 14, 2018) SYSTEM NAME AND NUMBER: [FDA] Communications (Oral and Written) with the Public, 09-10-0004 HISTORY: 51 FR 42524 (Nov. 24, 1986); updated 54 FR 47912 (Nov. 17, 1989), 79 FR 36536 (June 17, 2014), 83 FR 6591 (Feb. 14, 2018) SYSTEM NAME AND NUMBER: [HRSA] Strategic Work Information and Folder Transfer System (SWIFT), 09-15-0059 HISTORY: 75 FR 57806 (Sept. 22, 2010); updated 83 FR 6591 (Feb. 14, 2018) SYSTEM NAME AND NUMBER: [CDC] Division of Training Mailing List, 09-20-0059 HISTORY: 51 FR 42449 (Nov. 24, 1986); updated 58 FR 69048 (Dec. 29, 1993); 83 FR 6591 (Feb. 14, 2018) SYSTEM NAME AND NUMBER: [NIH] Administration: Office of the NIH Director and Institute/ Center Correspondence Records, 09-25-0106 HISTORY: 67 FR 60742 at 60758 (Sept. 26, 2002); updated 83 FR 6591 (Feb. 14, 2018) SYSTEM NAME AND NUMBER: [SAMHSA] Correspondence Files, 09-30-0033 HISTORY: 75 FR 28268 (May 20, 2010); 83 FR 6591 (Feb. 14, 2018) SYSTEM NAME AND NUMBER: SAMHSA Information Mailing System (SIMS), 09-30-0051 HISTORY: 75 FR 28272 (May 20, 2010); updated 83 FR 6591 (Feb. 14, 2018) SYSTEM NAME AND NUMBER: CMS Correspondence Tracking Management System (CTMS), 09-70-3005 HISTORY: 67 FR 57020 (Sept. 6, 2002); updated 83 FR 6591 (Feb. 14, 2018) [FR Doc. 2019-13112 Filed 6-19-19; 8:45 am] BILLING CODE 4150-25-P