[Federal Register Volume 84, Number 195 (Tuesday, October 8, 2019)]
[Notices]
[Pages 53734-53737]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-21768]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare and Medicaid Services


Privacy Act of 1974; System of Records

AGENCY: Centers for Medicare & Medicaid Services (CMS), Department of 
Health and Human Services (HHS).

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with requirements of the Privacy Act of 1974, as 
amended, the Department of Health and Human Services (HHS) is updating 
an existing system of records maintained by the Centers for Medicare & 
Medicaid Services (CMS), system No. 09-70-0550, titled ``Medicare 
Retiree Drug Subsidy Program'' (RDSP), and renaming it ``Retiree Drug 
Subsidy (RDS), HHS/CMS/CM.'' This system collects and maintains 
information about individuals who are qualifying covered retirees so 
that accurate and timely subsidy payments may be made to plan sponsors 
who continue to offer actuarially equivalent prescription drug coverage 
to the qualifying covered retirees.

DATES: In accordance with 5 United States Code (U.S.C.) 552a(e)(4) and 
(11), this notice is applicable October 8, 2019, subject to a 30-day 
period in which to comment on the new and revised routine uses, 
described below. Please submit any comments by November 7, 2019.

ADDRESSES: Written comments should be submitted by mail or email to: 
CMS Privacy Act Officer, Division of Security, Privacy Policy & 
Governance, Information Security & Privacy Group, Office of Information 
Technology, CMS, Location N1-14-56, 7500 Security Blvd., Baltimore, MD 
21244-1870, or [email protected].

FOR FURTHER INFORMATION CONTACT: General questions may be submitted to: 
Ivan Iveljic, Health Insurance Specialist, Medicare Plan Payment Group, 
Center for Medicare, CMS, Mail Stop C1-13-07, 7500 Security Boulevard, 
Baltimore, Maryland 21244. He can be reached at 410-786-3312 or via 
email at [email protected].

SUPPLEMENTARY INFORMATION: 

I. Background on Records Covered by System of Records 09-70-0550

    This system of records covers records about individual retirees 
which are used in administering the Retiree Drug Subsidy, which is a 
program that offers sponsors of qualified retiree prescription drug 
plans financial assistance with a portion of their prescription drug 
costs and thereby helps employers retain and enhance their prescription 
drug coverage so that the current erosion in coverage will plateau or 
even improve. The program makes a subsidy for 28 percent of allowable 
prescription drug costs available to qualified retiree prescription 
drug plans, which significantly reduces financial liabilities 
associated with employers' retiree drug coverage and encourages 
employers to continue assisting their retirees with prescription drug 
coverage.

II. Explanation of Modifications to the System of Records Notice (SORN)

    The modifications made to the system of records include the 
following substantive changes, in addition to reformatting the SORN to 
comply with OMB Circular A-108, issued December 23, 2016:
    * The name of the system of records has changed from 
``Medicare Retiree Drug Subsidy Program (RDSP), HHS/CMS/CBC'' to 
``Retiree Drug Subsidy (RDS), HHS/CMS/CM.''
    * Address information in the System Location and System 
Manager(s) sections has been updated.
    * The Security Classification section has been changed from 
``Level Three Privacy Act Sensitive Data'' to ``Unclassified.''
    * The Authorities section has been revised to include 31 
U.S.C. 7701(c) as authority to collect Social Security Numbers from 
individuals with whom CMS is ``doing business,'' as defined by the 
statute.
    * The Purpose section has been revised to omit a summary of 
the routine uses.
    * The Categories of Records section has been revised to 
identify the record categories as enrollment, beneficiary, and 
financial or payment-related records.
    * The list of data elements in the Categories of Records 
section has been modified to include the Medicare Beneficiary 
Identifier (MBI), which is a new individual identifier in addition to 
the Health Insurance Claim Number (HICN).
    * The Routine Uses section has been updated to revise three 
routine uses and add one new routine use:
      - Routine use 2, which authorizes disclosures to members of 
Congress and their staff for purposes of responding to their requests 
on behalf of constituents, has been revised to require that their 
requests be ``written.''
      - Routine use 3, which authorizes disclosures to the Department 
of Justice (DOJ), court, or adjudicatory body, has been revised to omit 
unnecessary wording limiting the disclosures to uses ``compatible with 
the purpose for which the agency collected the records.'' (The wording 
is unnecessary because it restates the definition of a routine use.)
      - The fraud, waste, and abuse-related routine use added May 29, 
2013 is now numbered as routine use 6. It has been revised to add 
``which are'' before the words ``defined for this purpose,'' and to 
omit an unnecessary statement that ``[d]isclosures may include provider 
and beneficiary-identifiable data.''
      - The two breach response-related routine uses added February 
14, 2018 are now numbered as routine uses 7 and 8.
      - Routine use number 9 is new; it authorizes disclosures to the 
U.S. Department of Homeland Security (DHS) for cybersecurity monitoring 
purposes in the event that records from this system of records are 
captured in an intrusion detection system used by HHS and DHS.
    * A note at the end of the Routine Uses section has been 
shortened to remove a portion referring to ``complaints'' and 
``complainants'' (which are not involved in this system of records) and 
to releases of ``not directly identifiable [information], except 
pursuant to one of the routine uses or if required by law'' (which 
could create the misimpression that a disclosure required by law need 
not be authorized by a routine use or another exception to the consent 
requirement in 5 U.S.C. 552a(b)).
    * The Retrieval section has been updated to include the 
Medicare Beneficiary Identifier (MBI) as an additional personal 
identifier used for retrieval, and to omit plan sponsor identifier and 
benefit option identifier, which are not personal identifiers.
    * The Records Retention section now cites the applicable 
disposition authorities, which were revised in 2015, and corrects the 
retention period, which was previously 15 years and is now seven years 
(or longer) for enrollment records, ten years (or longer) for 
beneficiary records, and seven years (or longer) for financial or 
payment related records.
    * In the Access Procedures section, the text has been 
modified to state that any identifying particulars included in a 
request would be used to distinguish between subject individuals with 
the same name, and to include the MBI as an example of an identifying 
particular.

Barbara Demopulos,
Privacy Advisor, Division of Security, Privacy Policy and Governance, 
Information Security and Privacy Group, Office of Information 
Technology, Centers for Medicare & Medicaid Services.

SYSTEM NAME AND NUMBER:
    Retiree Drug Subsidy (RDS), HHS/CMS/CM, System No. 09-70-0550.

SECURITY CLASSIFICATION:
    This system of records does not include classified information.

SYSTEM LOCATION:
    The address of the agency component responsible for the system of 
records is: Medicare Plan Payment Group, Center for Medicare, Centers 
for Medicare & Medicaid Services, 7500 Security Boulevard, Baltimore, 
Maryland 21244-1850.

SYSTEM MANAGER:
    The System Manager for the system of records is: Director, Medicare 
Plan Payment Group, Center for Medicare, Centers for Medicare & 
Medicaid Services, 7500 Security Blvd., Baltimore, MD 21244, 
(410) 786-7407.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Authority for maintenance of this system is given under section 
1860D-22 of the Social Security Act (Title 42 United States Code 
(U.S.C.) sections 1302, 1395w-101 through 1395w-152, and 1395hh), as 
amended by section 101 of the Medicare Modernization Act (MMA). The 
collection of Social Security Numbers is authorized by 31 U.S.C. 
7701(c).

PURPOSE(S) OF THE SYSTEM:
    The purpose of this system is to collect and maintain information 
about individuals who are qualifying covered retirees so that accurate 
and timely subsidy payments may be made to plan sponsors who continue 
to offer actuarially equivalent prescription drug coverage to the 
retirees.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Information in this system is maintained on qualifying covered 
retirees who are Medicare Part D eligible individuals covered under a 
qualified retiree prescription drug plan.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records are enrollment, beneficiary, and financial or payment 
related records used to support and calculate the amount of subsidy 
payments to plan sponsors. They contain information such as the 
following about each retiree: Standard data for identification such as 
Plan Sponsor Identification Number, Application Identification Number, 
Benefit Option Identifier, Coverage Effective Date, Coverage 
Termination Date, Health Insurance Claim Number (HICN) or Medicare 
Beneficiary Identifier (MBI), Social Security Number (SSN), gender, 
first name, last name, middle initial, date of birth, relationship to 
member, and Medicare eligibility and enrollment status.

RECORD SOURCE CATEGORIES:
    Records maintained in this system are derived from the Medicare 
Beneficiary Database (MBD) system of records, system No. 09-70-0536, 
and from plan sponsors.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    Records about an individual retiree may be disclosed from this 
system of records to parties outside the Department of Health and Human 
Services (HHS), without the individual's prior written consent, for the 
purposes indicated in these routine uses:
    1. To agency contractors or consultants who have been engaged by 
the agency to assist in the performance of a service related to this 
system and who need to have access to the records in order to perform 
the activity.
    2. To a member of Congress or to a congressional staff member in 
response to a written inquiry of the congressional office made at the 
written request of the constituent about whom the record is maintained.
    3. To the Department of Justice (DOJ), court, or adjudicatory body 
when:
    a. the agency or any component thereof, or
    b. any employee of the agency in his or her official capacity, or
    c. any employee of the agency in his or her individual capacity 
where the DOJ has agreed to represent the employee, or
    d. the United States Government, is a party to litigation or has an 
interest in such litigation and, by careful review, CMS determines that 
the records are both relevant and necessary to the litigation.
    4. To a CMS contractor (including, but not necessarily limited to 
fiscal intermediaries and carriers) that assists in the administration 
of a CMS administered health benefits program, or to a grantee of a 
CMS-administered grant program, when disclosure is deemed reasonably 
necessary by CMS to prevent, deter, discover, detect, investigate, 
examine, prosecute, sue with respect to, defend against, correct, 
remedy, or otherwise combat fraud or abuse in such program.
    5. To another federal agency or to an instrumentality of any 
governmental jurisdiction within or under the control of the United 
States (including any state or local governmental agency), that 
administers, or that has the authority to investigate potential fraud 
or abuse in, a health benefits program funded in whole or in part by 
federal funds, when disclosure is deemed reasonably necessary by CMS to 
prevent, deter, discover, detect, investigate, examine, prosecute, sue 
with respect to, defend against, correct, remedy, or otherwise combat 
fraud or abuse in such programs.
    6. To disclose to health plans, which are defined for this purpose 
as plans or programs that provide health benefits, whether directly, 
through insurance, or otherwise, and include--(1) a policy of health 
insurance; (2) a contract of a service benefit organization; and (3) a 
membership agreement with a health maintenance organization or other 
prepaid health plan when disclosure is deemed reasonably necessary by 
CMS to prevent, deter, discover, detect, investigate, examine, 
prosecute, sue with respect to, defend against, correct, remedy, or 
otherwise combat fraud, waste, or abuse in such programs.
    7. To appropriate agencies, entities, and persons when (1) HHS 
suspects or has confirmed that there has been a breach of the system of 
records; (2) HHS has determined that as a result of the suspected or 
confirmed breach there is a risk of harm to individuals, HHS (including 
its information systems, programs, and operations), the federal 
government, or national security; and (3) the disclosure made to such 
agencies, entities, and persons is reasonably necessary to assist in 
connection with HHS's efforts to respond to the suspected or confirmed 
breach or to prevent, minimize, or remedy such harm.
    8. To another federal agency or federal entity, when HHS determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in (1) responding to a suspected 
or confirmed breach or (2) preventing, minimizing, or remedying the 
risk of harm to individuals, the recipient agency or entity (including 
its information systems, programs, and operations), the federal 
government, or national security, resulting from a suspected or 
confirmed breach.
    9. To the U.S. Department of Homeland Security (DHS) if captured in 
an intrusion detection system used by HHS and DHS pursuant to a DHS 
cybersecurity program that monitors internet traffic to and from 
federal government computer networks to prevent a variety of types of 
cybersecurity incidents.
    The disclosures authorized by publication of the above routine uses 
pursuant to 5 U.S.C. 552a(b)(3) are in addition to other disclosures 
authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(2) and 
(b)(4)-(11).

ADDITIONAL PROVISIONS AFFECTING ROUTINE USE DISCLOSURES:
    This system contains protected health information as defined by 
Department of Health and Human Services (HHS) regulation ``Standards 
for Privacy of Individually Identifiable Health Information'' (45 Code 
of Federal Regulations (CFR) Parts 160 and 164, 65 Federal Register 
(FR) 82462 (12-28-00), Subparts A and E). Disclosures of Protected 
Health Information authorized by these routine uses may only be made 
if, and as, permitted or required by the ``Standards for Privacy of 
Individually Identifiable Health Information.''

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    The records are stored in hard-copy files and/or electronic media.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Information is retrieved by the retiree's Health Insurance Claim 
Number (HICN), Medicare Beneficiary Identifier (MBI), or Social 
Security Number.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    The records are retained and disposed of in accordance with the 
following disposition schedules, which were approved by the National 
Archives and Records Administration (NARA):
    * Financial or payment related records are governed by 
DAA-0440-2015-0004-0001 (Bucket 3). The records retention schedule states: 
Destroy no sooner than 7 year(s) after cutoff but longer retention is 
authorized.
    * Enrollment Records are governed by DAA-0440-2015-0006 
(Bucket 4). The records retention schedule states: Destroy no sooner 
than 7 year(s) after cutoff but longer retention is authorized.
    * Beneficiary Records are governed by DAA-0440-2015-0007-0001 
(Bucket 5). The records retention schedule states: Cutoff at the 
end of the calendar year. Destroy no sooner than 10 year(s) after 
cutoff but longer retention is authorized.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Safeguards conform to the CMS Information Security and Privacy 
Program, https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/index.html. Information is 
safeguarded in accordance with applicable laws, rules and policies, 
including the HHS Information Technology Security Program Handbook, all 
pertinent National Institute of Standards and Technology (NIST) 
publications, and OMB Circular A-130, Managing Information as a 
Strategic Resource. Records are protected from unauthorized access 
through appropriate administrative, physical, and technical safeguards. 
These safeguards include protecting the facilities where records are 
stored or accessed with security guards, badges and cameras, securing 
hard-copy records in locked file cabinets, file rooms or offices during 
off-duty hours, limiting access to electronic databases to authorized 
users based on roles and two-factor authentication (user ID and 
password), using a secured operating system protected by encryption, 
firewalls, and intrusion detection systems, requiring encryption for 
records stored on removable media, and training personnel in Privacy 
Act and information security requirements. Records that are eligible 
for destruction are disposed of using secure destruction methods 
prescribed by NIST SP 800-88.

RECORD ACCESS PROCEDURES:
    An individual seeking access to a record about him/her in this 
system of records must submit a written request to the System Manager 
indicated above. The request must contain the individual's name and 
particulars necessary to distinguish between records on subject 
individuals with the same name, such as HICN, MBI or SSN, and should 
also reasonably specify the record(s) to which access is sought. To 
verify the requester's identity, the signature must be notarized or the 
request must include the requester's written certification that he/she 
is the person he/she claims to be and that he/she understands that the 
knowing and willful request for or acquisition of records pertaining to 
an individual from an agency under false pretenses is a criminal 
offense subject to a $5,000 fine.

CONTESTING RECORD PROCEDURES:
    Any subject individual may request that his/her record be corrected 
or amended if he/she believes that the record is not accurate, timely, 
complete, or relevant or necessary to accomplish a Department function. 
A subject individual making a request to amend or correct his record 
shall address his request to the System Manager indicated, in writing, 
and must verify his/her identity in the same manner required for an 
access request. The subject individual shall specify in each request: 
(1) The system of records from which the record is retrieved; (2) The 
particular record and specific portion which he/she is seeking to 
correct or amend; (3) The corrective action sought (e.g., whether 
he/she is seeking an addition to or a deletion or substitution of the 
record); and, (4) His/her reasons for requesting correction or 
amendment of the record. The request should include any supporting 
documentation to show how the record is inaccurate, incomplete, 
untimely, or irrelevant.

NOTIFICATION PROCEDURES:
    Individuals wishing to know if this system contains records about 
them should write to the System Manager indicated above and follow the 
same instructions under Record Access Procedures.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    70 FR 41035 (July 15, 2005), 78 FR 32257 (May 29, 2013), 83 FR 6591 
(Feb. 14, 2018)
[FR Doc. 2019-21768 Filed 10-7-19; 8:45 am]