[Federal Register Volume 86, Number 225 (Friday, November 26, 2021)]
[Notices]
[Pages 67475-67478]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-25760]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Health Resources and Services Administration


Privacy Act of 1974; System of Records

AGENCY: Health Resources and Services Administration (HRSA), Department 
of Health and Human Services (HHS).

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, as amended, the HHS is establishing a new system of records to be 
maintained by HHS's HRSA, 09-15-0093, ``Provider Support Records.'' The 
new system of records will include payment-related records containing 
information about any sole proprietor health care providers (including 
health care-practitioners and suppliers) who applied for payments or 
reimbursements, received a payment, attested to a payment, reported on 
the use of a payment, or otherwise participated in one of HRSA's 
provider support programs, and about patients identified in certain 
claims records submitted to HRSA for payment by entity providers and 
sole proprietor providers. The records are used to support the health 
care population and administer the programs.

DATES: The new system of records is applicable November 26, 2021, 
subject to a 30-day period in which to comment on the routine uses. 
Submit any comments by December 27, 2021.

ADDRESSES: The public should address written comments by email to 
[email protected] or by mail to Executive Officer, Provider 
Support, HRSA, 5600 Fishers Lane, Room 9N21, Rockville, MD, 20857.

FOR FURTHER INFORMATION CONTACT: General questions about the new system 
of records may be submitted to Executive Officer, Provider Support, 
HRSA, 5600 Fishers Lane, Room 9N21, Rockville, MD, 20857, or to 
[email protected].

SUPPLEMENTARY INFORMATION: New system of records 09-15-0093 will cover 
records HRSA uses to reimburse claims and make payments to healthcare 
providers and to receive reports on the use of funds for activities 
under the following programs:
     COVID-19 Claims Reimbursement to Health Care Providers and 
Facilities for Testing, Treatment and Vaccine Administration for the 
Uninsured (Uninsured Program).
     COVID-19 Coverage Assistance Fund (CAF).
     Provider Relief Fund (PRF), including American Rescue Plan 
Act (ARPA) Rural Payments.
    The records used by HRSA in these programs include patient and 
provider information needed to administer the programs. HHS provided 
advance notice of the new system of records to the Office of Management 
and Budget and

[[Page 67476]]

Congress as required by 5 U.S.C. 552a(r) and OMB Circular A-108.

Diana Espinosa,
Acting Administrator.

SYSTEM NAME AND NUMBER:
    Provider Support Records, 09-15-0093.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    The address of the HHS component responsible for this system of 
records (i.e., HRSA) is shown in the System Manager(s) section, below.

SYSTEM MANAGER(S):
    The System Manager is Executive Officer, Provider Support, HRSA, 
5600 Fishers Lane, Rockville, MD, 20857, [email protected].

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Authorities include the following appropriations laws. Collection 
of participating providers' Taxpayer Identification Numbers is required 
by 31 U.S.C. 7701(c).
     Uninsured Program: ``The Families First Coronavirus 
Response Act or FFCRA (P.L. 116-127) and the Paycheck Protection 
Program and Health Care Enhancement Act or PPPHCEA (P.L. 116-139), 
which each appropriated $1 billion to reimburse providers for 
conducting COVID-19 testing for uninsured individuals''
     Provider Relief Fund: ``The Coronavirus Aid, Relief, and 
Economic Security (CARES) Act (P.L. 116-136), which provided $100 
billion in relief funds, including to hospitals and other health care 
providers on the front lines of the COVID-19 response; the Paycheck 
Protection Program and Health Care Enhancement Act or PPPHCEA (P.L. 
116-139), which appropriated an additional $75 billion in relief funds; 
and the Coronavirus Response and Relief Supplemental Appropriations Act 
(CRRSA) (P.L. 116-260), which appropriated an additional $3 billion 
(collectively, the Provider Relief Fund).
     Uninsured program, continued: Within the Provider Relief 
Fund, a portion of the funding supports health care-related expenses 
attributable to COVID-19 testing for the uninsured and treatment of 
uninsured individuals with COVID-19. A portion of the funding is also 
used to reimburse providers for administering Food and Drug 
Administration (FDA)-authorized or licensed COVID-19 vaccines to 
uninsured individuals.
     Uninsured program, continued: The American Rescue Plan Act 
of 2021 (ARPA, P.L. 117-2), which allocated funding to reimburse 
providers for COVID-19 testing of the uninsured.
     ARPA Rural Payments: The American Rescue Plan Act of 2021 
(ARPA, P.L. 117-2). ARPA amends the SSA. The citation to Section 1150C 
of ARPA can be found at 42 U.S.C. 1320b-26.
     Coverage Assistance Fund: The HRSA COVID-19 CAF is a 
program established by and administered by HRSA, using funds 
appropriated by Congress under the PRF.

PURPOSE(S) OF THE SYSTEM:
    Relevant agency personnel and contractors use records about 
individuals from this system of records on a need to know basis to 
administer the provider support programs, which support the resilience 
of the healthcare population. Such programs include:
     COVID-19 Claims Reimbursement to Health Care Providers and 
Facilities for Testing, Treatment and Vaccine Administration for the 
Uninsured (Uninsured Program).
     COVID-19 CAF Program.
     Provider Relief Fund, including the ARPA Rural payments.
    Specific purposes include:
    1. To obtain marketing and communication information for providers 
who submitted applications to make them aware of policy and funding 
opportunities.
    2. To make payments and reimburse claims to eligible healthcare 
providers under the above-identified programs.
    3. To assist the HHS Program Support Center (PSC), the Department 
of Justice (DOJ), and other government entities in the collection of 
program debts.
    4. To respond to inquiries from providers, their attorneys or other 
authorized representatives, and Congressional representatives.
    5. To compile and generate managerial and statistical reports.
    6. To perform program administrative activities, including, but not 
limited to, payment tracking, monitoring a provider's compliance with 
the Terms and Conditions of payment, receipt of provider reports on the 
use of funds, and other program requirements, and recoupment 
determinations.
    7. To transfer information to the HHS central accounting system(s) 
covered by system of records 09-90-0024, HHS Financial Management 
System Records, maintained by the Office of the Assistant Secretary for 
Financial Resources, for purposes of effecting program payments and 
preparing and maintaining financial management and accounting 
documentation related to obligations and disbursements of funds 
(including providing required notifications to the Department of the 
Treasury) related to payments to, or on behalf of, healthcare 
providers. Information transferred to the Office of the Assistant 
Secretary for Financial Resources for these purposes is limited to the 
individual's name, address, SSN, and other information necessary for 
identification and processing of the payment.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The records are about these categories of individuals:
     Sole proprietor providers who submit claims under the 
programs mentioned above.
     Patients identified in claims and claims-related records 
submitted to HRSA by entity providers and sole proprietor providers.
     Sole proprietor providers who applied for or who have 
received payments under the programs mentioned above.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The categories of records are provider claims, claims-related 
records, payment applications, reports on the use of funds, and other 
records used by HRSA to process the claims, applications, and payments. 
Contents include the provider's name, address(es), telephone number(s), 
and email address(es); National Provider Identifier; Taxpayer 
Identification Number (TIN) (which could be a Social Security Number 
(SSN)); CMS Credentialing Number; tax, audit, and revenue data; banking 
information; payment data and supporting documentation; repayment/
recoupment information; claims forms (including patient-related 
information, such as principal diagnosis code, admitting diagnosis 
code, procedure codes, date(s) of service and charges); and each 
applicable patient's name, control number, patient identification 
number; health insurance policy member identification number; gender, 
date of birth, zip code, state, and county.

RECORD SOURCE CATEGORIES:
    The information in the system of records is obtained from payment 
applications, claims, reports on the use of funds, and other 
information submitted to HRSA by providers; from other HHS components; 
from commercial and other payers; and from any relevant federal, state, 
territorial, local, or tribal agencies. Other agencies and HHS 
components may provide information to HRSA needed to verify provider 
eligibility; validate provider-

[[Page 67477]]

submitted information; determine payment distribution or claims 
reimbursement amounts; and approve payments and claims.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    In addition to other disclosures authorized directly in the Privacy 
Act at 5 U.S.C. 552a(b)(1) and (2) and (b)(4) through (11), HHS may 
disclose records about a subject individual (provider or patient) from 
this system of records to parties outside HHS as described in these 
routine uses, without the individual's prior written consent:
    1. To any agent or contractor (including another federal agency) 
engaged by HHS to assist in accomplishment of an HHS function relating 
to the purposes of this system of records, if the agent or contractor 
needs to have access to the records in order to provide the assistance. 
For example, HHS may disclose records consisting of a provider's or 
patient's name, SSN, TIN, mailing address, email address, or telephone 
number, to Department contractors and subcontractors who assist with 
the implementation of the above-identified programs, for the purposes 
of distributing funds; collecting, compiling, aggregating, analyzing, 
or refining records in the system of records; or improving program 
operations. Any agent or contractor will be required to comply with the 
requirements of the Privacy Act, as amended, with respect to the 
records, and to ensure that any subcontractors also maintain Privacy 
Act safeguards with respect to the records.
    2. To another federal, state, or local agency about a provider who 
fails to return payments identified for recoupment at the direction of 
HHS, to ensure that the provider does not receive federal funds for 
which the provider is ineligible. Disclosure will be limited to the 
provider's name, address, SSN, TIN, inclusion on the Do Not Pay List, 
and any other information necessary to identify them.
    3. To another federal, state, local, territorial, or Tribal agency 
to contribute to the accuracy of HHS' proper payment of health care 
providers' payment requests and claims (such as to determine a 
provider's eligibility for a distribution, validate a provider's tax 
identification number, or confirm a patient's uninsured status).
    4. To another federal agency or an instrumentality of any 
governmental jurisdiction within or under the control of the United 
States (including any state, local, or Tribal governmental agency) that 
administers, or that has the authority to investigate potential fraud 
or abuse in, a health care payment program funded in whole or in part 
by federal funds, when the disclosure is deemed reasonably necessary by 
HHS to prevent, deter, discover, detect, investigate, examine, 
prosecute, sue with respect to, defend against, correct, remedy, or 
otherwise combat fraud or abuse in such programs.
    5. To a congressional office from the record of an individual in 
response to a written inquiry from the congressional office made at the 
written request of that individual. If a congressional inquiry on 
behalf of a patient seeks disclosure of any information about the 
patient's provider which is or could be proprietary information of that 
provider, the congressional request must be accompanied by an 
authorization form signed by the provider.
    6. To DOJ or to a court or other adjudicative body in litigation or 
other proceedings when HHS or any of its components, or any employee of 
HHS acting in the employee's official capacity, or any employee of HHS 
acting in the employee's individual capacity where the DOJ or HHS has 
agreed to represent the employee, or the United States Government, is a 
party to the proceedings or has an interest in the proceedings and, by 
careful review, HHS determines that the records are both relevant and 
necessary to the proceedings.
    7. To representatives of the National Archives and Records 
Administration (NARA) during records management inspections conducted 
pursuant to 44 U.S.C. 2904 and 2906.
    8. To appropriate agencies, entities, and persons when (1) HHS 
suspects or has confirmed that there has been a breach of the system of 
records, (2) HHS has determined that as a result of the suspected or 
confirmed breach there is a risk of harm to individuals, HHS (including 
its information systems, programs, and operations), the federal 
government, or national security, and (3) the disclosure made to such 
agencies, entities, and persons is reasonably necessary to assist in 
connection with HHS's efforts to respond to the suspected or confirmed 
breach or to prevent, minimize, or remedy such harm.
    9. To another federal agency or federal entity, when HHS determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in (1) responding to a suspected 
or confirmed breach or (2) preventing, minimizing, or remedying the 
risk of harm to individuals, the recipient agency or entity (including 
its information systems, programs, and operations), the federal 
government, or national security, resulting from a suspected or 
confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records are maintained in electronic database servers and backup 
servers.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records are retrieved by a provider's or patient's name, TIN, or 
other identifying number.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    The records are not currently scheduled, so are retained 
indefinitely pending scheduling with the NARA. HRSA anticipates 
proposing a retention period of at least 6 years to NARA for the 
records, for consistency with General Records Schedule 1.1, Financial 
Management and Reporting Records, which provides for such records to be 
retained for 6 years after final payment or cancellation, or longer if 
required for business use.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Safeguards conform to the HHS Information Security and Privacy 
Program, https://www.hhs.gov/ocio/securityprivacy/index.html. HHS 
safeguards these records in accordance with applicable laws, rules and 
policies, including the HHS Information Technology Security Program 
Handbook; the E-Government Act of 2002, which includes the Federal 
Information Security Management Act of 2002, 44 U.S.C. 3541-3549, as 
amended by the Federal Information Security Modernization act of 2014, 
44 U.S.C. 3551-3558; pertinent National Institutes of Standards and 
Technology (NIST) publications; and OMB Circular A-130, Managing 
Information as a Strategic Resource. HHS protects the records from 
unauthorized access through appropriate administrative, physical, and 
technical safeguards. These safeguards include protecting the 
facilities where records are stored or accessed with security guards, 
badges and cameras; controlling access to physical locations where 
records are maintained and used by means of combination locks and 
identification badges issued only to authorized users; limiting access 
to electronic databases to authorized users based on roles and either 
two-factor authentication or password protection; using a secured 
operating system protected by encryption, firewalls, and intrusion

[[Page 67478]]

detection systems; and training personnel in Privacy Act and 
information security requirements. After the records have been 
scheduled with NARA, records that are eligible for destruction will be 
disposed of in accordance with the applicable schedule, using secure 
destruction methods prescribed by NIST SP 800-88.

RECORD ACCESS PROCEDURES:
    An individual seeking access to records about that individual in 
this system of records must submit a written access request to the 
applicable System Manager identified in the ``System Manager'' section 
of this System of Records Notice (SORN). The request must contain the 
requester's full name, address, and signature. The request should also 
contain sufficient identifying particulars (such as, the provider's 
National Provider Identifier, TIN, or patient medical record number, or 
the patient's patient identifier or SSN to enable HHS to locate the 
requested records. So that HHS may verify the requester's identity, the 
requester's signature must be notarized or the request must include the 
requester's written certification that the requester is the individual 
who the requester claims to be and that the requester understands that 
the knowing and willful request for or acquisition of a record 
pertaining to an individual under false pretenses is a criminal offense 
subject to a fine of up to $5,000.
    If an access request by a patient seeks disclosure of any 
information about the patient's provider which is or could be 
proprietary information of that provider, the request must be 
accompanied by a disclosure authorization form signed by the provider.

CONTESTING RECORD PROCEDURES:
    An individual seeking to amend a record about that individual in 
this system of records must submit an amendment request to the 
applicable System Manager identified in the ``System Manager'' section 
of this SORN, containing the same information required for an access 
request. The request must include verification of the requester's 
identity in the same manner required for an access request; must 
reasonably identify the record and specify the information contested, 
the corrective action sought, and the reasons for requesting the 
correction; and should include supporting information to show how the 
record is inaccurate, incomplete, untimely, or irrelevant.

NOTIFICATION PROCEDURES:
    An individual who wishes to know if this system of records contains 
records about that individual should submit a notification request to 
the applicable System Manager identified in in the ``System Manager'' 
section of this SORN. The request must contain the same information 
required for an access request and must include verification of the 
requester's identity in the same manner required for an access request.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    None.

[FR Doc. 2021-25760 Filed 11-24-21; 8:45 am]
BILLING CODE 4160-15-P