[Federal Register Volume 85, Number 139 (Monday, July 20, 2020)]
[Notices]
[Pages 43859-43862]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-15564]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES


Privacy Act of 1974; System of Records

AGENCY: Department of Health and Human Services.

ACTION: Notice of a New System of Records, and Rescindment of a System 
of Records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, as amended, the Department of Health and Human Services (HHS) is 
establishing a new department-wide system of records, 09-90-2001, 
Records Used for Surveillance and Study of Epidemics, Preventable 
Diseases and Problems. The new system of records replaces, and is 
broader than, a similar system of records maintained by HHS' Centers 
for Disease Control and Prevention (CDC), which HHS is rescinding in 
this notice, 09-20-0113 Epidemic Investigation Case Records.

DATES: The new department-wide system of records is applicable July 20, 
2020, subject to a 30-day period in which to comment on the routine 
uses. The rescindment of the CDC system of records is applicable August 
19, 2020. Submit any comments by August 19, 2020.

ADDRESSES: The public should address written comments by email to 
[email protected] or by mail to Beth Kramer, HHS Privacy Act Officer, 
FOIA/Privacy Act Division, Office of the Assistant Secretary for Public 
Affairs, 200 Independence Ave. SW, Washington, DC 20201.

FOR FURTHER INFORMATION CONTACT: General questions about the new system 
of records and the related rescindments may be submitted by email to 
[email protected] or by mail to Beth Kramer, HHS Privacy Act Officer, 
FOIA/Privacy Act Division, Office of the Assistant Secretary for Public 
Affairs, 200 Independence Ave. SW, Washington, DC 20201.

SUPPLEMENTARY INFORMATION: In the winter and spring of 2020, spread of 
the novel coronavirus, SARS-CoV-2, which causes the disease known as 
COVID-19, required HHS to expand its recordkeeping in order to respond 
to the pandemic. Prior to 2020, CDC maintained records about 
epidemiological studies and surveillance of disease problems. However, 
HHS' experience during the COVID-19 pandemic made clear that other 
components, not just CDC, must collect epidemiologic and public health 
surveillance records about individuals to support the Department's 
response. For example, the Office of the Assistant Secretary for Health 
(OASH) is managing records about tests for COVID-19 or its antibodies, 
some of which are subject to the Privacy Act.
    Therefore, the Department has decided to expand the existing system
of records of the CDC, 09-20-0113 Epidemic Investigation Case Records,
and re-establish it under a new system number and name as a
department-wide system of records covering all parts of the Department
that may maintain epidemiological and surveillance records necessary to
support the Department's response to the pandemic.
    The new department-wide system of records includes the records 
covered in CDC system of records 09-20-0113, which HHS rescinds in this 
notice, but is broader in that it covers records used for surveillance 
and investigation of epidemics, preventable diseases and health 
problems maintained by any component of HHS, not just CDC. This 
department-wide system of records notice (SORN) differs from the CDC 
SORN it is replacing in these additional respects:
    • It is formatted to comply with OMB Circular A-108.
    • The System Manager section includes updated contacts for
CDC records, and adds contacts for OASH records and ``records
maintained by other HHS components.''
    • The Authorities section includes one additional authority
not included in the CDC SORN: 42 U.S.C. 247d-6d.
    • The Purpose description is department-wide.
    • The Categories of Individuals section uses different
wording from, but identifies the same categories of individuals as, the
CDC SORN.
    • The Categories of Records section identifies the
categories as ``medical records and related documents,'' including
``case reports, lab requisition forms, patient consent forms, assurance
statements, analytical testing data, questionnaires, and contact tracing
reports.'' The CDC SORN lists only medical histories and case reports.
    • The Record Source Categories section includes these
additional categories not listed in the CDC SORN: Subject individuals'
family members or other caregivers; Tribal health departments; health
care providers and laboratories; and contractors (for example, call
centers) engaged by HHS.
    • The Routine Uses section establishes these routine uses,
similar versions of which are in the CDC SORN:
    ◦ Routine use 3 (authorizing disclosures to state, local, and
Tribal health departments and authorities and to patients' private
health care providers); routine use 5 (authorizing disclosures to a
congressional office in responding to constituent inquiries); routine
use 6 (authorizing disclosures to the Department of Justice in
litigation); and routine uses 8 and 9 (authorizing disclosures to
relevant agencies in order to respond to a privacy or security incident
experienced by HHS or another federal agency).
    • The Routine Uses section also establishes these routine
uses which are not in the CDC SORN:
    ◦ Routine use 1 (authorizing disclosures to HHS contractors and
agents);
    ◦ Routine use 2 (authorizing disclosures to student volunteers
and other non-employees functioning akin to HHS employees);
    ◦ Routine use 4 (authorizing disclosures to researchers for
research purposes); and
    ◦ Routine use 7 (authorizing disclosures to the National
Archives and Records Administration (NARA) in records management
inspections).
    • The Storage section describes the storage media as ``hard
copy files and electronic media.'' The CDC SORN includes some now
outdated forms of electronic storage media.
    • The Retrieval section identifies not only name but ``any
assigned identification number'' as the personal identifiers used for
retrieval.
    • The Retention section identifies several CDC records
disposition schedules approved by NARA and one General Records Schedule
applicable to other records, and makes clear that the Department will
retain unscheduled records indefinitely until NARA approves schedules
for the records. The CDC SORN describes one retention period
(``maintained in agency for four years [and] destroyed. . .when 20
years old, unless needed for further study'').
    • The Safeguards section describes department-wide
procedures.
    • The procedures for making an access request, amendment
request, or notification request state that the request must be made in
writing to the applicable System Manager, and list these additional
identifying particulars to include in a request: Address; date of
birth; and any assigned identification number (if known).
    Because HHS is replacing CDC system of records 09-20-0113 with new
HHS system of records 09-90-2001, HHS is rescinding CDC system of
records 09-20-0113 as duplicative of 09-90-2001. The CDC records
described in CDC SORN 09-20-0113 that are still maintained will, upon
rescindment of that SORN, be maintained under new system of records
09-90-2001.
    HHS provided advance notice of the new system of records and the 
related rescindment to the Office of Management and Budget and Congress 
as required by 5 U.S.C. 552a(r) and OMB Circular A-108.

Beth Kramer,
HHS Privacy Act Officer, FOIA/Privacy Act Division, Office of the 
Assistant Secretary for Public Affairs.

SYSTEM NAME AND NUMBER:
    Records Used for Surveillance and Study of Epidemics, Preventable 
Diseases and Problems, 09-90-2001.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    The addresses of the HHS components responsible for this system of 
records are as shown in the System Manager(s) section, below.

SYSTEM MANAGER(S):
    The System Managers are:
    • For records maintained by the Centers for Disease Control
and Prevention (CDC):
    ◦ Information Systems Security Officer (ISSO), National Center
for Emerging and Zoonotic Infectious Diseases (NCEZID), Mailstop H16-5,
1600 Clifton Rd. NE, Atlanta, GA 30333, (800) 232-4636 (800-CDC-INFO).
    ◦ Information Systems Security Officer (ISSO), Center for
Surveillance, Epidemiology, and Laboratory Services (CSELS), Mailstop
V24-6, 2400 Century Pkwy., Atlanta, GA 30345, (800) 232-4636
(800-CDC-INFO).
    • For records maintained by the Office of the Assistant
Secretary for Health (OASH):
    ◦ Deputy Chief Information Officer, Office of the Assistant
Secretary for Health (OASH), 200 Independence Ave. SW, Washington, DC
20201, (202) 821-5116, [email protected].
    • For records maintained by other HHS components:
    ◦ HHS Privacy Act Officer, FOIA/Privacy Act Division, Office of
the Assistant Secretary for Public Affairs (ASPA), 200 Independence
Ave. SW, Washington, DC 20201, (202) 690-7453, [email protected].

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Public Health Service Act, sec. 301, Research and Investigation (42 
U.S.C. 241); secs. 304, 306, and 308(d), which discuss authority to 
grant assurances of confidentiality for health research and related 
activities (42 U.S.C. 242b, 242k, and 242m(d)); sec. 361, Quarantine 
and Inspection, Control of Communicable Diseases (42 U.S.C. 264); and 
sec. 361F-3, Public Readiness and Emergency Preparedness Act (42 U.S.C. 
247d-6d).

PURPOSE(S) OF THE SYSTEM:
    The system of records enables HHS to understand disease patterns in 
the United States, develop programs for prevention and control of 
health problems, and communicate new knowledge to the health community.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The records are about these categories of individuals:
    • Individuals who have been diagnosed with, are suspected of
having, or are at risk of having a disease or preventable condition of
public health significance, their contacts, and others with possible
exposure.
    • Individuals who are control group participants.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The categories of records are medical records and related 
documents, including: Case reports, lab requisition forms, patient 
consent forms, assurance statements, analytical testing data, 
questionnaires, and contact tracing reports.

RECORD SOURCE CATEGORIES:
    The records or information in the records is obtained directly from 
the subject individuals or their family members or other caregivers, or 
is obtained from state, local, and Tribal health departments; 
physicians, laboratories, and other health care providers; or 
contractors (for example, call centers) engaged by HHS.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    In addition to other disclosures authorized directly in the Privacy 
Act at 5 U.S.C. 552a(b)(1) and (2) and (b)(4) through (11), HHS may disclose
records about an individual from this system of records to parties 
outside HHS as described in these routine uses, without the subject 
individual's prior written consent.
    Routine uses 3 through 9 do not apply to records maintained under 
an assurance of confidentiality provided under section 308(d) of the 
Public Health Service Act (42 U.S.C. 242m(d)); such disclosures would 
be made of such records only if expressly authorized in the 
individual's consent form or stipulated in the Assurance Statement.
    1. Records may be disclosed to HHS contractors, consultants, 
agents, or others (including other federal agencies) engaged by HHS to 
assist with accomplishment of an HHS function relating to the purposes 
of this system of records and who need to have access to the records in 
order to assist HHS.
    2. Records may be disclosed to student volunteers, individuals 
working under a personal services contract, and other individuals 
performing functions for HHS who do not technically have the status of 
agency employees, if they need the records in the performance of their 
agency functions.
    3. Records may be disclosed to federal, state, local, and Tribal 
health departments, other cooperating medical authorities, or other 
appropriate entities or organizations assisting or coordinating with 
HHS, including patients' private health care providers, in order for 
them to take measures to control, prevent, or treat disease; to conduct 
follow-up activities with patients and others contacted, or tested 
during investigations; and to carry out program activities or 
collaborative efforts to deal more effectively with diseases and 
conditions of public health significance.
    4. A record may be disclosed for a research purpose to a federal, 
state or Tribal agency or grantee organization, or a research entity 
(e.g., university, hospital, clinic, research foundation, national 
association or coordinating center), when HHS:
    (A) Has determined that the use or disclosure does not violate 
legal or policy limitations under which the record was provided, 
collected, or obtained.
    (B) Has determined that the research purpose:
    (1) Cannot be reasonably accomplished unless the record is provided 
in individually identifiable form, and
    (2) warrants the risk to the privacy of the individual that 
additional exposure of the record might bring.
    (C) Has required the recipient to:
    (1) Establish reasonable administrative, technical, and physical 
safeguards to prevent unauthorized use or disclosure of the record,
    (2) remove or destroy the information that identifies the 
individual at the earliest time at which removal or destruction can be 
accomplished consistent with the purpose of the research project, 
unless the recipient has presented adequate justification of a research 
or health nature for retaining such information, and
    (3) make no further use or disclosure of the record except:
    (a) In emergency circumstances affecting the health or safety of 
any individual,
    (b) for use in another research project, under these same 
conditions, and with written authorization of HHS,
    (c) for disclosure to a properly identified person for the purpose 
of an audit related to the research project, if information that would 
enable research subjects to be identified is removed or destroyed at 
the earliest opportunity consistent with the purpose of the audit, or
    (d) when required by law; and
    (D) Has secured a written statement attesting to the recipient's 
understanding of, and willingness to abide by these provisions.
    5. Disclosure may be made to a congressional office from the record 
of an individual in response to a verified inquiry from the 
congressional office made at the written request of that individual.
    6. Information may be disclosed to the Department of Justice (DOJ) 
or to a court or other adjudicative body in litigation or other 
proceedings when:
    a. HHS or any of its components, or
    b. any employee of HHS acting in the employee's official capacity, 
or
    c. any employee of HHS acting in the employee's individual capacity 
where the DOJ or HHS has agreed to represent the employee, or
    d. the United States Government, is a party to the proceeding or 
has an interest in the proceeding and, by careful review, HHS 
determines that the records are both relevant and necessary to the 
proceeding.
    7. Records may be disclosed to representatives of the National 
Archives and Records Administration during records management 
inspections conducted pursuant to 44 U.S.C. 2904 and 2906.
    8. Records may be disclosed to appropriate agencies, entities, and 
persons when (1) HHS suspects or has confirmed that there has been a 
breach of the system of records, (2) HHS has determined that as a 
result of the suspected or confirmed breach there is a risk of harm to 
individuals, HHS (including its information systems, programs, and 
operations), the federal government, or national security, and (3) the 
disclosure made to such agencies, entities, and persons is reasonably 
necessary to assist in connection with HHS's efforts to respond to the 
suspected or confirmed breach or to prevent, minimize, or remedy such 
harm.
    9. Records may be disclosed to another federal agency or federal 
entity, when HHS determines that information from this system of 
records is reasonably necessary to assist the recipient agency or 
entity in (1) responding to a suspected or confirmed breach or (2) 
preventing, minimizing, or remedying the risk of harm to individuals, 
the recipient agency or entity (including its information systems, 
programs, and operations), the federal government, or national 
security, resulting from a suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records are stored in hard copy files and electronic media.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records are retrieved by the individual record subject's name or 
assigned identification number, if any.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records are retained and disposed of in accordance with applicable 
disposition schedules. Any unscheduled records will be retained 
indefinitely, until they have been scheduled with the National Archives 
and Records Administration and have become eligible for disposition 
under those schedules.
    Disposition schedule applicable to certain short-term OASH records:
    • Transitory Records, General Records Schedule 5.2, item
010: Destroyed when no longer needed for business use, or according to
agency predetermined time period or business rule.
    Disposition schedules applicable to CDC records:
    • Passenger Manifest Records, N1-442-08-001: Maintained for
one year after the records are retired or the investigation is no
longer active, and destroyed in quarterly cycles.
    • Scientific and Research Project Records, N1-442-09-001:
Precedent-setting projects: Permanently retained. Significant and/or
secondary projects: Retained for at least 11 years and not longer than
30 years after retired or no longer needed on-site.
    • Survey Records, N1-442-88-001: Destroyed after nine years,
or earlier. Pre-test questionnaires are destroyed two years after
pre-test or after any analysis is complete, whichever is earlier. Research
supporting documents are destroyed when no longer needed, or after five
years.
    • National Health and Nutrition Examination Survey (NHANES
I) Epidemiological Follow Up Study Records (NHFES), N1-442-90-001:
Source documents are retained for 30 years.
    • Human Immunodeficiency Virus/Acquired Immunodeficiency
Syndrome (HIV/AIDS) Surveillance Database Records, N1-442-91-001:
Permanently retained.
    • Epidemiologic Databases, N1-442-91-002: Permanently
retained.
    • Specimen Handling for Testing Databases and Related
Records, N1-442-91-005: Records used in answering inquiries about test
results are destroyed when no longer needed for administrative
purposes.
    • Swine Flu Program Records, N1-442-91-006: Retained
permanently or for 20 years.
    • Poliomyelitis and Vaccine Files, N1-442-91-008: Destroyed
when no longer needed for research or administrative purposes.
    • Center for Infectious Diseases Electronic Systems and
Related Records, N1-442-91-012: Depending on the nature of the record,
records are permanently retained, or are destroyed when 10 years old,
when 20 years old, or when no longer needed for administrative
purposes.
    • Acquired Immune Deficiency Syndrome (AIDS) Epidemic
Charts, N1-442-94-001: Permanently retained.
    • National Immunization Program Records, N1-442-97-001:
Depending on the nature of the record, records are permanently retained
or are destroyed when no longer needed for administrative, scientific,
and legal purposes or when 30 years old.
    • Smallpox Eradication Program Records, N1-442-99-001:
Permanently retained.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Safeguards conform to the HHS Information Security and Privacy 
Program, http://www.hhs.gov/ocio/securityprivacy/index.html. HHS 
safeguards these records in accordance with applicable laws, rules and 
policies, including the HHS Information Technology Security Program 
Handbook; the E-Government Act of 2002, which includes the Federal 
Information Security Management Act of 2002 (FISMA), 44 U.S.C. 3541-3549,
as amended by the Federal Information Security Modernization Act
of 2014, 44 U.S.C. 3551-3558; pertinent National Institute of
Standards and Technology (NIST) publications; and OMB Circular A-130, 
Managing Information as a Strategic Resource. HHS protects the records 
from unauthorized access through appropriate administrative, physical, 
and technical safeguards. These safeguards include protecting the 
facilities where records are stored or accessed with security guards, 
badges and cameras; securing hard-copy records in locked file cabinets, 
file rooms or offices during off-duty hours; controlling access to 
physical locations where records are maintained and used by means of 
combination locks and identification badges issued only to authorized 
users; limiting access to electronic databases to authorized users 
based on roles and either two-factor authentication or password 
protection; using a secured operating system protected by encryption, 
firewalls, and intrusion detection systems; requiring encryption for 
records stored on removable media; and training personnel in Privacy 
Act and information security requirements. Records that are eligible 
for destruction are disposed of using secure destruction methods 
prescribed by NIST SP 800-88.

RECORD ACCESS PROCEDURES:
    An individual seeking access to records about that individual in 
this system of records must submit a written access request to the 
applicable System Manager identified in the ``System Manager'' section 
of this SORN. The request must contain the requester's full name, 
address, and signature, and should also include helpful identifying 
particulars, such as: The requester's date of birth, any assigned 
identification number (if known), and the approximate date, place, and 
nature of the questionnaire, test, study, or other activity in which 
the requester participated. So that HHS may verify the requester's 
identity, the requester's signature must be notarized or the request 
must include the requester's written certification that the requester 
is the individual who the requester claims to be and that the requester 
understands that the knowing and willful request for or acquisition of 
a record pertaining to an individual under false pretenses is a 
criminal offense subject to a fine of up to $5,000.

CONTESTING RECORD PROCEDURES:
    An individual seeking to amend a record about that individual in 
this system of records must submit an amendment request to the 
applicable System Manager identified in the ``System Manager'' section 
of this SORN, containing the same information required for an access 
request. The request must include verification of the requester's 
identity in the same manner required for an access request; must 
reasonably identify the record and specify the information contested, 
the corrective action sought, and the reasons for requesting the 
correction; and should include supporting information to show how the 
record is inaccurate, incomplete, untimely, or irrelevant.

NOTIFICATION PROCEDURES:
    An individual who wishes to know if this system of records contains 
records about that individual should submit a notification request to 
the applicable System Manager identified in the ``System Manager'' 
section of this SORN. The request must contain the same information 
required for an access request, and must include verification of the 
requester's identity in the same manner required for an access request.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    None.

NOTICE OF RESCINDMENT:
    For the reasons explained at the end of the Supplementary 
Information section, HHS rescinds the following system of records as 
duplicative of new system of records 09-90-2001:

SYSTEM NAME AND NUMBER:
    Epidemic Investigation Case Records, 09-20-0113.

HISTORY:
    51 FR 42449 (Nov. 24, 1986); updated in part at 54 FR 47904 (Nov. 
17, 1989), 56 FR 66733 (Dec. 24, 1991), 57 FR 62811 (Dec. 31, 1992), 58 
FR 69048 (Dec. 29, 1993), 76 FR 4452 (Jan. 25, 2011), 83 FR 6591 (Feb. 
14, 2018).

[FR Doc. 2020-15564 Filed 7-17-20; 8:45 am]