[Federal Register Volume 86, Number 41 (Thursday, March 4, 2021)]
[Notices]
[Pages 12699-12704]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-04463]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES


Privacy Act of 1974; System of Records

AGENCY: Department of Health and Human Services.

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the Privacy Act of 1974, as amended, the 
Department of Health and Human Services (HHS) is modifying a 
department-wide system of records titled HHS Correspondence, Customer 
Service, and Contact List Records, system no. 09-90-1901, to make 
certain updates and to more clearly include records about individuals 
who provide comments and supporting documents to HHS in response to HHS 
rulemakings and other docketed proceedings. The modifications include 
changing the name of the system of records to HHS Correspondence, 
Comment, Customer Service, and Contact List Records.

DATES: In accordance with 5 U.S.C. 552a(e)(4) and (11), this notice is 
applicable March 4, 2021, subject to a 30-day period in which to 
comment on the new and revised routine uses, described below. Please 
submit any comments by April 5, 2021.

ADDRESSES: The public should submit written comments on this notice, by 
mail or email, to Beth Kramer, HHS Privacy Act Officer, 200 
Independence Ave. SW, Suite 729H, Washington, DC 20201, or 
[email protected]. Comments will be available for public viewing at 
the same location. To review comments in person, please contact Beth 
Kramer at [email protected] or 202-690-6941.

FOR FURTHER INFORMATION CONTACT: General questions may be submitted to 
Beth Kramer, HHS Privacy Act Officer, at 200 Independence Ave. SW, 
Suite 729H, Washington, DC 20201, or [email protected], or 202-690-
6941.

SUPPLEMENTARY INFORMATION:

I. Background on System of Records Notice (SORN) 09-90-1901

    This department-wide system of records covers records about 
individuals within or outside HHS which are used in managing HHS 
correspondence, public comments in docketed proceedings, and customer 
service functions, including help desk and call center activities, 
dissemination of publications, studies, opinions, unrestricted 
datasets, and other information, and mailing and contact lists. SORN 
09-90-1901 applies to such records if they are retrieved by personal 
identifier and are not covered by a more specific SORN.
    Examples of the records covered in SORN 09-90-1901 include:
     Telephone and email directories containing office contact 
records about HHS employees, contractor personnel, and other personnel 
working at HHS, which are retrieved by the individuals' names and used 
to locate them, route mail to them, and communicate with them regarding 
work matters.
     Official correspondence records about individuals who 
contact, or are contacted by, the Secretary or Deputy Secretary of HHS 
or another HHS official, or are the subject of the correspondence, 
which are retrieved by the correspondent's or subject's name and used 
to control, track, and ensure timely and appropriate attention to and 
documentation of the correspondence. Particular subsets of these 
records include, for example:
    [cir] Records about individuals who submit comments and supporting 
documents in response to HHS rulemakings and other docketed proceedings 
and public notices, which are retrieved by commenter name;
    [cir] Correspondence notifying members of Congress of grants and 
other contracts that HHS has awarded to individual recipients in their 
districts, which are retrieved by awardee name; and
    [cir] Records of requests about individual constituents received 
from members of Congress, which are retrieved by constituent name and 
used to track and respond to the requests.
     Mailing and contact list records used to track and respond 
to requests from, or otherwise interact with, individual members of the 
public, when the records are retrieved by personal identifier. Examples 
include:
    [cir] Email lists and other contact lists about individuals who ask 
to receive health information from HHS in print form, or to be notified 
of new and upcoming publications or web postings, or to subscribe to an 
online newsletter issued by HHS.
    [cir] Customer engagement workflow platform records containing 
account records (i.e., contact information) and case records (e.g., 
request processing records) about frequent customers of particular HHS 
offices, such as sole proprietor members of the media who are frequent 
customers of HHS public affairs offices.
     Contact records about individuals who volunteer to serve 
as resource persons to provide pro bono technical assistance to 
community organizations and government agencies working on particular 
health-related matters or campaigns
    Examples of more specific SORNs, which will continue to apply to 
particular types of correspondence records, contact list records, and 
customer service records, include:
     Debt collection correspondence: SORN 09-40-0012, Debt 
Management and Collection System.
     Correspondence about complaints filed with the HHS Office 
of Civil Rights: SORN 09-90-0052, Program Information Management System 
(PIMS).
     Freedom of Information Act and Privacy Act Correspondence: 
SORN 09-90-0058, Tracking Records and Case Files for FOIA and Privacy 
Act Requests and Appeals.
     Medicare Customer Service records: SORN 09-70-0535, 1-800 
Medicare (HELPLINE).
     List(s) of individuals ordering provider educational 
materials or registering for computer/Web-based training courses, 
satellite broadcasts and train-the-trainer sessions: SORN 09-70-0542, 
Medicare Learning Network (MLN).
     List of consultants available for use in evaluation of 
National Heart, Lung, and Blood Institute special grants and contracts: 
SORN 09-25-0078, Administration: Consultant File.

II. Modifications to SORN 09-90-1901

    HHS is modifying the SORN to update it and to ensure that it 
clearly and adequately covers records about individuals who submit 
comments and supporting documents to HHS in response to HHS rulemakings 
and other docketed proceedings. HHS is also expressly including 
customer engagement platform records. The modifications include:
     Including the word ``Comment'' in the name of the system 
of records.
     Referring to ``comments'' or ``commenters'' in the 
Categories of Individuals, Categories of Records, Purpose(s), and 
Retrieval sections, and referring to ``customer engagement'' records in 
the System Manager(s) and Categories of Records sections.
     Including the General Services Administration (GSA) in the 
System Location section as the shared services provider that operates 
systems HHS uses to manage certain docket records.

[[Page 12700]]

     Indicating which System Managers apply to comment records 
and customer engagement records.
     Citing additional statutes (5 U.S.C. 553 and 44 U.S.C. 
1505) in the Authority section which, in addition to 5 U.S.C. 301, 
apply to docket records.
     Revising routine use 1, which authorizes disclosures to 
agency contractors, to indicate that such contractors include ``another 
federal agency functioning as a shared service provider or other 
contractor to HHS.''
     Adding a new routine use, numbered as routine use 4, 
authorizing comment records to be made public, to the extent of 
information that would be required to be released to a requester under 
the Freedom of Information Act (FOIA), e.g., that would not result in a 
clearly unwarranted invasion of privacy.
     Adding a new routine use, numbered as routine use 5, 
authorizing work contact information for HHS personnel to be made 
public, e.g., in a public directory or on relevant HHS websites, 
limited to information that would be required to be released to a 
requester under the FOIA.
     Adding the explanatory phrase ``e.g., would not result in 
a clearly unwarranted invasion of privacy'' to routine use 6 (formerly 
numbered as routine use 4), which authorizes the names of and 
biographical information about individuals who author, create, appear 
in, or are the subjects of information products HHS disseminates to be 
disclosed with the products and in publicizing the products to the 
extent that the information would be required to be released to a 
requester under the FOIA.
     Citing additional or different disposition schedules for 
certain correspondence records, comment records, and staff locator 
records, in the Retention section.
     Adding one security control (i.e., ``reviewing security 
controls on a periodic basis'') to the Safeguards section.
    Because some of these changes are significant, HHS provided advance 
notice of the modified system of records to the Office of Management 
and Budget (OMB) and Congress as required by 5 U.S.C. 552a(r) and OMB 
Circular A-108.

Brandon Gaylord,
Director, FOIA/Privacy Act Division, Office of the Assistant Secretary 
for Public Affairs.

SYSTEM NAME AND NUMBER:
    HHS Correspondence, Comment, Customer Service, and Contact List 
Records, 09-90-1901.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    The address of each HHS component responsible for this system of 
records is as shown in the System Manager(s) section below. The General 
Services Administration (GSA), 1800 F St. NW, Washington, DC 20006, 
serves as system administrator for shared services systems (the Federal 
Docket Management System (FDMS) and www.regulations.gov) which contain 
comment records for HHS rulemakings and certain other docketed 
proceedings.

SYSTEM MANAGER(S):
    The System Managers are as follows:
     Congressional correspondence: HHS Assistant Secretary for 
Legislation, Congressional Liaison Office, Rm. 406G, 200 Independence 
Ave. SW, Washington, DC 20201, (202) 690-7627.
     HHS Secretarial and Deputy Secretary correspondence, and 
docket records for the Office of the Secretary (OS): HHS Executive 
Secretariat, Rm. 603H, 200 Independence Ave. SW, Washington, DC 20201, 
(202) 690-7000.
     Other correspondence and docket records:
    a. Administration for Children and Families (ACF) Executive 
Secretariat Office, Director, 330 C St. SW, Washington, DC 20201, 
[email protected].
    b. Administration for Community Living (ACL) Executive Secretariat 
Office, Chief of Staff/Executive Secretariat, 330 C St. SW, Rm. 1004B, 
Washington, DC 20201, (202) 795-7415.
    c. Agency for Healthcare Research and Quality (AHRQ) Executive 
Secretariat Office, Director, 5600 Fishers Ln., Rm. 07N90C, Rockville, 
MD 20857, (301) 427-1216.
    d. Centers for Disease Control and Prevention/Agency for Toxic 
Substances and Disease Registry (CDC/ATSDR) Executive Secretariat 
Office, Executive Secretariat, 1600 Clifton Rd., MS H21-10, Atlanta, GA 
30329, (404) 639-7483, [email protected].
    e. Centers for Medicare & Medicaid Services (CMS) Office of 
Strategic Operations and Regulatory Affairs, Director, 7500 Security 
Blvd., Baltimore, MD 21244-1850, (410) 786-3200.
    f. FDA Privacy Act Coordinator, Food and Drug Administration, 5630 
Fishers Ln., Rm. 1035, Rockville, MD 20857, (301) 796-3900.
    g. Health Resources and Services Administration (HRSA) Executive 
Secretariat Office, Director, 5600 Fishers Ln., Rm. 13N82, Rockville, 
MD 20857 (301) 443-1785.
    h. Indian Health Service (IHS), Executive Secretariat Office, 
Director, 5600 Fishers Ln., Rm. 08E86, Rockville, MD, (301) 443-1011.
    i. National Institutes of Health (NIH), Executive Secretariat 
Office, Director, Shannon Bldg (Bldg. 1), Room B1-56, 1 Center Drive, 
Bethesda, MD 20892-0122, (301) 496-1461.
    j. Substance Abuse and Mental Health Services Administration 
(SAMHSA) Executive Secretariat Office, Branch Chief, 5600 Fishers Ln., 
Rockville, MD 20857, (877) 726-4727.
     Information product ordering and distribution records:
    a. AHRQ: Director, Office of Communications and Knowledge Transfer, 
Agency for Healthcare Research and Quality, 5600 Fishers Ln., 7th 
Floor, Rockville, MD 20857, (301) 427-1364.
    b. CMS: Director, Office of Communications, Centers for Medicare & 
Medicaid Services, 7500 Security Blvd., Baltimore, MD 21244, (410) 786-
1338.
    c. FDA Privacy Act Coordinator, Food and Drug Administration, 5630 
Fishers Ln., Rm. 1035, Rockville, MD 20857, (301) 796-3900.
    d. SAMHSA: Director, Office of Communications, Substance Abuse and 
Mental Health Services Administration, 5600 Fishers Ln., Rockville, MD 
20857, (240) 276-2201.
     Call center, ombudsman, and help desk records:
    a. ONE-DHHS: FedResponse Service Director, Program Support Center, 
7700 Wisconsin Ave., Bethesda, MD 20814, (877) 696-6775.
    b. FDA Call Centers: FDA Privacy Act Coordinator, Food and Drug 
Administration, 5630 Fishers Ln., Rm. 1035, Rockville, MD 20857, (301) 
796-3900.
     Mailing list and contact list records:
    a. HHS Employee Directory: Same as ONE-DHHS contact information, 
under Call center, above.
    b. OASH/OMH mailing and contact list records: Office of Minority 
Health, The Tower Building, 1101 Wootton Pkwy., Suite 600, Rockville, 
MD 20852, (240) 453-2882.
    c. FDA mailing and contact list records: FDA Privacy Act 
Coordinator, Food and Drug Administration, 5630 Fishers Ln., Rm. 1035, 
Rockville, MD 20857, (301) 796-3900.
     Customer engagement workflow platform records:
    a. The Office of the Chief Product Officer (OCPO), 2501 Ardennes 
Ave., Rockville, MD 20852, (202) 945-2152.
     Any other records not accounted for above: See ONE-DHHS 
contact information, under Call center, above.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    5 U.S.C. 301, 305, 553; 21 U.S.C. 301 et seq.; 31 U.S.C. 
1115(b)(6); 40 U.S.C.

[[Page 12701]]

11313; 42 U.S.C. 201 et seq.; 44 U.S.C. 3101, 1505; E.O. 11583; E.O. 
13571.

PURPOSE(S) OF THE SYSTEM:
    The records in this system of records are used for the purpose of 
managing HHS correspondence, information dissemination, and customer 
service functions; i.e., to maintain, track, control, route, and locate 
information and documents created, received, requested, and used in 
managing those functions, in order to provide timely and appropriate 
actions, responses, notices, services, coordination, referrals, or 
other follow-up, avoid duplicate entries, and ensure consistency. 
Correspondence, information dissemination, and customer service 
functions include, for example, managing comments received on 
rulemakings and other public notices; non-law enforcement-related help 
desk and call center activities; handling of consumer complaints; 
dissemination of publications, unrestricted datasets, and other 
information; and maintenance of mailing and contact lists. The records 
may also be used to compile aggregate statistics for the purpose of 
evaluating and improving these functions.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The records are about individuals within and outside HHS who 
contact HHS to request or offer information, information products, 
comments, suggestions, or services or to communicate a complaint or 
other information, or who receive correspondence from HHS, or who are 
the author or subject of such publications, communications, or 
correspondence by or with HHS, or who are included in mailing and 
contact lists maintained by HHS, when the records are used to support 
HHS correspondence, information dissemination, and/or customer service 
functions and are retrieved by the individuals' names or other personal 
identifiers (unless the records are covered by a more specific system 
of records notice (SORN)).

CATEGORIES OF RECORDS IN THE SYSTEM:
    The categories of records include:
     Secretarial and other official correspondence, docket 
records, congressional correspondence, and other correspondence. These 
records include copies of requests, comments, or other communications 
addressed or routed to an HHS official for response or other follow-up; 
copies of correspondence initialed or signed by an HHS official; 
tracking and control records (indicating, e.g., the date and subject of 
the correspondence; the name of the correspondent and/or other 
individual record subject--for example, a constituent identified in 
congressional correspondence; the action required; the organization 
drafting the response); and associated work papers.
     Records used in disseminating or filling orders for 
publications, stock photographs, audio visual productions, unrestricted 
datasets, and other information products. These include indexes to 
repositories of informational materials, request records, and order 
fulfilment records. Indexes may contain names of individuals (such as 
authors or subjects) used to retrieve materials when needed for 
distribution or to fulfill a request. Request records identify the date 
of the request, the product requested, the requester, and the address 
to use for delivery. Order fulfillment records contain proof of 
delivery, including the delivery date and address used for delivery, 
which may be a mailing address or email address if delivery was through 
a public access web portal or link. Any associated payment records (if 
a fee is charged for the information product) are covered by system of 
records 09-90-0024 HHS Financial Management System Records.
     Call center and help desk records. These include contact 
records (containing the name of the individual who contacted the call 
center or help desk, his or her contact information, and location 
information if relevant, unless the individual wishes to be anonymous) 
and request records (containing the date and nature of the request, 
complaint, or report, the name of the call center staff member who 
handled the request, complaint, or report, and actions taken, such as 
providing an answer from a call center script, documenting the report, 
or assigning and routing the request to the appropriate program office 
to handle). Note that recordings of ONE-DHHS telephone calls are 
destroyed after 90 days and are not retrieved by personal identifier so 
are not covered by this SORN.
     Mailing list records. These include the lists and any 
records used to compile and maintain the lists (e.g., existing contact 
lists; invitations to join and requests to be added to or removed from 
a list; address changes) containing an individual's contact information 
(e.g., mailing address or email address) and indicating the particular 
information or notices the individual would receive or would like to 
receive from HHS (e.g., publications on particular health topics; an 
electronic newsletter; notice of upcoming training courses; notice when 
new material is added to a website). The records may also include 
information that the particular program requires or requests 
individuals to provide about themselves (e.g., characteristics such as 
profession, employing organization, educational level, practice 
setting, geographic location, age, ethnicity) to enable the agency to 
aggregate or organize the information or compile statistics on the 
types of individuals receiving the information distributed through the 
list.
     Contact list records. These include the lists and any 
records used to compile and maintain the lists, containing names, 
contact information, and any other relevant information (e.g., 
expertise type, primary language, geographic region) for individuals 
who HHS regularly contacts or otherwise interacts with (such as, 
authors; sole proprietor media stakeholders; HHS personnel) and/or 
individuals who have agreed to be included on or have asked to be 
removed from a particular list of contacts HHS maintains and may in 
some cases distribute or post for HHS and/or non-HHS parties to use to 
obtain assistance from or share information with the individuals on the 
list (for example, outside medical and research experts who wish to 
exchange knowledge and best practices and share studies, opinions, and 
training materials with each other); and any written consents from 
subject individuals permitting HHS to disclose their contact or other 
information to specific types of non-HHS parties, or to the public, for 
specific purposes.
     Customer engagement workflow platform records. These 
include account records containing the same types of information as 
contact lists, described above, and case records containing request 
processing records, which are used to track and respond to requests 
from or otherwise interact with frequent customers or business partners 
of particular HHS offices. The case files are linked to the applicable 
account record and contain information describing the customer's 
requests or interactions and any supporting information the customer 
provided.

RECORD SOURCE CATEGORIES:
    Most information is obtained directly from the subject individual. 
Information may also be obtained from a third party who contacts HHS 
about or on behalf of a subject individual, or from records HHS 
compiles or persons HHS consults in order to provide a response, 
provide assistance, or otherwise follow up on the request or 
communication.

[[Page 12702]]

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    In addition to other disclosures authorized directly in the Privacy 
Act at 5 U.S.C. 552a(b)(1) and (2) and (b)(4) through (11), information 
about an individual may be disclosed from this system of records to 
parties outside HHS without the individual's prior, written consent, 
for these routine uses:
    1. Records may be disclosed to agency contractors (including 
another federal agency functioning as a shared service provider or 
other contractor to HHS) and to student volunteers, interns, and other 
individuals who do not have the status of agency employees but have 
been engaged by HHS to assist in accomplishment of an HHS function 
relating to the purposes of this system of records and who need to have 
access to the records in order to assist HHS. Such individuals and 
contractors will be required to comply with the requirements of the 
Privacy Act.
    2. Records may be disclosed to other federal agencies and HHS 
partner agencies and organizations for the purpose of referring a 
request or issue to them for handling or obtaining their assistance 
with a response or issue.
    3. Notice of an award that HHS has made to an individual awardee in 
a particular congressional district may be disclosed to the member of 
Congress serving that district.
    4. HHS makes publicly available the name(s), contact information, 
comments, and any supporting documents provided by individuals who 
comment on docketed proceedings (provided that the information would be 
required to be released to a requester under the Freedom of Information 
Act (FOIA); e.g., would not result in a clearly unwarranted invasion of 
privacy). For rulemaking proceedings, HHS makes the information 
publicly available in www.regulations.gov. For other docketed 
proceedings, HHS makes the information publicly available in 
www.regulations.gov or available for public inspection at an HHS 
location specified in the applicable notice, by appointment or as 
otherwise specified in the notice.
    5. HHS makes certain work contact information for HHS personnel 
publicly available (for example, in a searchable public directory, and 
on relevant HHS websites), but only to the extent that the information 
would be required to be released to a requester under the FOIA.
    6. Names of and biographical information about the individuals who 
authored, created, appear in, or are the subjects of information 
products may be disclosed with the products or in descriptions of the 
products used to publicize them, but would be disclosed without consent 
only if and to the extent that the names and biographical information 
would be required to be released to a requester under the FOIA (e.g., 
would not result in a clearly unwarranted invasion of privacy).
    7. Records may be disclosed to a member of Congress or a 
congressional staff member in response to a written inquiry of the 
congressional office made at the written request of the constituent 
about whom the record is maintained. The congressional office does not 
have any greater authority to obtain records than the individual would 
have if requesting the records directly.
    8. Records may be disclosed to representatives of the National 
Archives and Records Administration during records management 
inspections conducted pursuant to 44 U.S.C. 2904 and 2906.
    9. Information may be disclosed to the Department of Justice (DOJ) 
or to a court or other adjudicative body in litigation or other 
proceedings, when:
    a. HHS or any of its component thereof, or
    b. any employee of HHS acting in the employee's official capacity, 
or
    c. any employee of HHS acting in the employee's individual capacity 
where the DOJ or HHS has agreed to represent the employee, or
    d. the United States Government, is a party to the proceeding or 
has an interest in such proceeding and, by careful review, HHS 
determines that the records are both relevant and necessary to the 
proceeding.
    10. Where a record, either alone or in conjunction with other 
information, indicates a violation or potential violation of law, 
whether civil, criminal, or regulatory in nature, and whether arising 
by general statute or by regulation, rule, or order issued pursuant 
thereto, the relevant records in the system of records may be referred, 
as a routine use, to the agency concerned, whether federal, state, 
local, tribal, territorial, or foreign, charged with the responsibility 
of investigating or prosecuting such violation or charged with 
enforcing or implementing the statute, or the rule, regulation, or 
order issued pursuant thereto.
    11. Records may be disclosed to appropriate agencies, entities, and 
persons when (1) HHS suspects or has confirmed that there has been a 
breach of the system of records, (2) HHS has determined that as a 
result of the suspected or confirmed breach there is a risk of harm to 
individuals, HHS (including its information systems, programs, and 
operations), the Federal Government, or national security, and (3) the 
disclosure made to such agencies, entities, and persons is reasonably 
necessary to assist in connection with HHS efforts to respond to the 
suspected or confirmed breach or to prevent, minimize, or remedy such 
harm.
    12. Records may be disclosed to another federal agency or federal 
entity, when HHS determines that information from this system of 
records is reasonably necessary to assist the recipient agency or 
entity in (1) responding to a suspected or confirmed breach or (2) 
preventing, minimizing, or remedying the risk of harm to individuals, 
the recipient agency or entity (including its information systems, 
programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.
    13. Records may be disclosed to the Department of Homeland Security 
(DHS) if captured in an intrusion detection system used by HHS and DHS 
pursuant to a DHS cybersecurity program that monitors internet traffic 
to and from federal government computer networks to prevent a variety 
of types of cybersecurity incidents.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    The records are stored in hard-copy files and/or electronic systems 
or media.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records are retrieved by the individual requester's, 
correspondent's, commenter's, author's, or other record subject's name 
or by another personal identifier contained in the records (such as-
email address, request tracking number, user ID number). Call center 
records may be retrieved by the name of the individual who contacted 
the call center.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    I. Permanently retained official correspondence (including 
significant White House and congressional correspondence):
    Official correspondence and tracking records are retained by HHS 
while needed for agency business and are then transferred to the 
custody of the National Archives and permanently retained. See these 
schedules:
    A. Office of the Secretary (OS): DAA-0468-2011-0006-0003 (IOS); N1-
468-10-0001 (DAB); DAA-0468-2012-0003 (OMHA); DAA-0468-2011-0007 (ONC); 
N1-514-92-1 (OASH); DAA-0468-2013-009 (other OS Staff Divisions).

[[Page 12703]]

    B. Other Operating Divisions: DAA-0292-2016-0008 and DAA-0292-2016-
0014-0008 (ACF); N1-439-06-001, Item 1.a; a new schedule is pending 
(ACL); DAA-0510-2017-0003 (AHRQ); N1-442-93-001, Item 27.A (CDC/ATSDR); 
DAA-0440-2015-0001, Item 1.2.2 (CMS); N1-088-06-03, Items 4.1 and 4.2 
(FDA); DAA-0512-2014-004, Item 6.3 (HRSA); N1-513-92-005, Items 6-1 and 
6-12 (IHS); DAA-0443-2017-0003, Item 0001 (NIH); NC1-090-76-5, Item 11 
(SAMHSA).
    II. Other correspondence:
    A. OS:
    a. OASH: N1-514-92-1, Item 9.b.2. ASH General Correspondence: Cut 
off annually, and destroy when 5 years old. N1-514-92-1, Item 9.b.3 
Routine Correspondence: Destroy when 5 years old.
    b. ONC: DAA-0468-2011-0007-003. Administrative correspondence 
files: Destroy 5 years after cutoff.
    c. OMHA: DAA-0468-2012-0003-0003. Working correspondence files: 
Destroy 3 years after cutoff.
    d. All Other OS Staff Divisions: DAA-0468-2013-0009-0002. Routine 
files: Cut off at the close of calendar year in which created or 
received, and destroy 5 years after cutoff.
    B. Other Operating Divisions:
    a. ACF: DAA-0292-2016-0014, Item 1, Routine Correspondence: Cut off 
at the end of the fiscal year, and destroy 5 years after cutoff. NC1-
292-84-7, Item B.33, OCSE Public Inquiry Correspondence: Destroy after 
2 years.
    b. ACL: N1-439-06-001, Item 2; a new schedule is pending.
    c. AHRQ: Not scheduled separately from official correspondence.
    d. CDC/ATSDR: NC1-090-82-4, Item 1.a, Routine Administrative Files: 
Destroy when 5 years old. NC1-090-78-1, Item 7, Congressional 
Correspondence: Destroy when 10 years old. NC1-090-78-1, Item 8, 
General Correspondence: Destroy after 1 year.
    e. CMS: DAA-0440-2015-0002-0002. Cut off at end of calendar year, 
and destroy no sooner than 3 years after cutoff; longer retention is 
authorized.
    f. FDA: N1-088-06-03. Cut off at end of calendar year, and destroy 
10 years after cutoff (Item 1.1.2) or 5 years after cutoff (Item 
1.2.2).
    g. HRSA: DAA-0512-2014-004, Items 6.3.1.2 and 6.3.1.3, 
Correspondence: Cut off at end of calendar year, and destroy 7 years 
after cutoff. Tracking records: Retain permanently.
    h. IHS: N1-513-92-005, Items 6-1 b., 6-1 c., 6-12 b., and 11-12: 
Destroy when 6 years old if at the division level or higher; destroy 
when 2 years old if below the division level.
    i. NIH: DAA-0443-2012-0007, Item 0003. Cut off annually at 
termination of project/program, and destroy 7 years after cutoff.
    j. SAMHSA: NC1-90-76-5, Item 21, Controlled Correspondence Files: 
Cut off at the end of each calendar year, retain for 5 years, and then 
destroy. NC1-90-76-5, Item 47, Executive Secretariat Files: Withdraw 
pertinent material and destroy when 10 years old; destroy other 
material when 2 years old; and destroy control forms when 1 year old.
    III. Comment records:
     Individual comments on proposed and final rules: See GRS 
6.6 Item 030 and these agency-specific schedules:
    [cir] ACF: DAA-0292-2016-0005, Items 0001 and 0002, Adopted Rules 
and Rules Not Adopted: Cut off adopted regulations at end of FY after 
publication of the final rule, and destroy 10 years after cutoff. Cut 
off regulations not adopted at end of FY after decision not to adopt 
proposed rule, and destroy 3 years after cutoff. NC1-292-84-7, Item 
B.7, OCSE Regulation Files: Review annually and destroy when no longer 
needed for reference.
    [cir] IHS: DAA-0513-2013-0001, Items 0001 and 0002, Adopted Rules 
and Rules Not Adopted: Cut off adopted rules at end of FY after 
publication of final rule, and destroy 10 years after cutoff. Cut off 
rules not adopted at end of FY after decision not to adopt proposed 
rule, and destroy 3 years after cutoff.
    [cir] SAMHSA: NC1-90-76-5, Item 27, Regulation Files: Destroy when 
10 years old; destroy duplicate and reference material when no longer 
needed.
     Individual comments on other Federal Register notices: See 
GRS 6.6 Item 040 and other General Records Schedules listed therein.
    IV. Call center, help desk, and similar customer service records:
     FDA Ombudsman records: N1-088-05-001, Item 2. Case files 
maintained by the Center Ombudsman Office (Item 2.3): Cut off 3 months 
after the end of the calendar year in which the case is closed or the 
appeal is completed, and destroy 3 years after cutoff. All other case 
files (Item 2.1) and finding aids (Item 2.2): Cut off at the end of the 
calendar year in which the final action is taken or the appeal is 
completed, and destroy 10 years after cutoff.
     Other customer service operations records: GRS 6.5 Item 
010 and GRS 5.8 Item 010. Destroy 1 year after resolved or when no 
longer needed for business use, whichever is appropriate.
    V. Mailing and contact list records:
     GRS 5.1 Item 010, Staff locator records: Destroy when 
business use ceases.
     GRS 6.5 Item 020, Customer/client records: Delete when 
superseded or obsolete or when the customer requests that the agency 
remove the records.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Safeguards conform to the HHS Information Security and Privacy 
Program, https://www.hhs.gov/ocio/securityprivacy/index.html. 
Information is safeguarded in accordance with applicable laws, rules 
and policies, including the HHS Information Technology Security Program 
Handbook; all pertinent National Institutes of Standards and Technology 
(NIST) publications, and OMB Circular A-130, Managing Information As a 
Strategic Resource. Records are protected from unauthorized access 
through appropriate administrative, physical, and technical safeguards. 
These safeguards include protecting the facilities where records are 
stored or accessed with security guards, badges and cameras, securing 
hard-copy records in locked file cabinets, file rooms or offices during 
off-duty hours, limiting access to electronic databases to authorized 
users based on roles and either two-factor authentication or user ID 
and password (as appropriate), using a secured operating system 
protected by encryption, firewalls, and intrusion detection systems, 
requiring encryption for records stored on removable media, training 
personnel in Privacy Act and information security requirements, and 
reviewing security controls on a periodic basis. Records that are 
eligible for destruction are disposed of using destruction methods 
prescribed by NIST SP 800-88.

RECORD ACCESS PROCEDURES:
    An individual seeking access to records about the individual in 
this system of records must submit a written request to the relevant 
System Manager indicated above. An access request must contain the 
requesting individual's name and address, email address or other 
identifying information, and signature. To verify the requester's 
identity, the signature must be notarized or the request must include 
the requester's written certification that the requester is the person 
the requester claims to be and understands that the knowing and willful 
request for or acquisition of a record pertaining to an individual 
under false pretenses is a criminal offense subject to a fine of up to 
$5,000. To access the records in person, the requester should request 
an appointment, and may be accompanied by a person of the requester's 
choosing if the requester provides written

[[Page 12704]]

authorization for agency personnel to discuss the records in that 
person's presensce. An individual may also request an accounting of 
disclosures that have been made of the records about the individual, if 
any.

CONTESTING RECORD PROCEDURES:
    An individual seeking to amend a record about the individual in 
this system of records must submit a written request to the relevant 
System Manager indicated above. An amendment request must include 
verification of the requester's identity in the same manner required 
for an access request, and must reasonably identify the record and 
specify the information being contested, the corrective action sought, 
and the reasons for requesting the correction, along with supporting 
information to show how the record is inaccurate, incomplete, untimely, 
or irrelevant.

NOTIFICATION PROCEDURES:
    An individual who wishes to know if this system of records contains 
records about the individual must submit a written request to the 
relevant System Manager indicated above and verify identity in the same 
manner required for an access request.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    84 FR 28823 (June 20, 2019).

[FR Doc. 2021-04463 Filed 3-3-21; 8:45 am]
BILLING CODE 4150-25-P