[Federal Register Volume 88, Number 133 (Thursday, July 13, 2023)]
[Notices]
[Pages 44823-44827]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-14877]


-----------------------------------------------------------------------

DEPARTMENT OF THE INTERIOR

Bureau of Indian Affairs

[DOI-2023-0009; 2341A2100DD/AAKC0010130/A0A501010.999900]


Privacy Act of 1974; System of Records

AGENCY: Bureau of Indian Affairs, Interior.

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: Pursuant to the Privacy Act of 1974, as amended, the 
Department of the Interior (DOI) is issuing a public notice of its 
intent to create the Bureau of Indian Affairs (BIA) Privacy Act system 
of records, INTERIOR/BIA-35, Behavioral Health and Wellness Program. 
This system helps the Behavioral Health and Wellness Program (BHWP) 
provide immediate behavioral health crisis support, clinical counseling 
services, crisis care coordination, and communication with the client 
and appropriate points of contact for referrals and continued service 
delivery or emergency care. This newly established system will be 
included in DOI's inventory of systems of records.

DATES: This new system will be effective upon publication on July 13, 
2023. New routine uses will be effective August 14, 2023. Submit 
comments on or before August 14, 2023.

ADDRESSES: You may send comments identified by docket number [DOI-2023-
0009] by any of the following methods:
     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for sending comments.
     Email: [email protected]. Include docket number 
[DOI-2023-0009] in the subject line of the message.
     U.S. mail or hand-delivery: Teri Barnett, Departmental 
Privacy Officer, U.S. Department of the Interior, 1849 C Street NW, 
Room 7112, Washington, DC 20240.
    Instructions: All submissions received must include the agency name 
and docket number [DOI-2023-0009]. All comments received will be posted 
without change to https://www.regulations.gov, including any personal 
information provided.
    Docket: For access to the docket to read background documents or 
comments received, go to https://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: Richard Gibbs, Associate Privacy 
Officer, Assistant Secretary--Indian Affairs, 1011 Indian School Road 
NW,

[[Page 44824]]

Room 164, Albuquerque, New Mexico 87104, [email protected] or 
(505) 563-5023.

SUPPLEMENTARY INFORMATION: 

I. Background

    The DOI is establishing a new system of records for the INTERIOR/
BIA-35, Behavioral Health and Wellness Program. The Assistant 
Secretary--Indian Affairs consists of two bureaus, which are the BIA 
and Bureau of Indian Education (BIE). The BIA supports the functions of 
the BIE and is publishing this notice to describe the purpose of the 
BHWP that provides immediate behavioral health crisis support, clinical 
counseling services, crisis care coordination, and facilitates 
communication between clients and appropriate points of contact for 
referrals and continued service delivery or emergency care.
    The BIE is responsible for providing quality educational 
opportunities from early childhood through adulthood in accordance with 
Federal trust responsibilities for approximately 43,000 students. The 
BIE funds 183 elementary, secondary, and residential schools across 64 
Indian reservations and 23 states. Of these, 53 are BIE-operated and 
130 are tribally-controlled. Additionally, BIE directly operates two 
post-secondary institutions and funds and/or operates off-reservation 
boarding schools and peripheral dormitories near reservations for 
students attending public schools. The BIE also serves many American 
Indian and Alaska Native post-secondary students through higher 
education scholarships and support funding for tribal colleges and 
universities.
    The BIE identified the need for comprehensive behavioral health and 
wellness services at a multitude of Bureau-funded schools, dormitories, 
colleges, and universities. The BIE is committed to creating positive, 
safe, and culturally relevant learning environments where students can 
gain knowledge, skills, and behaviors necessary for physical, mental, 
and emotional wellbeing. The BIE established the BHWP to address the 
significant mental health needs of students and staff at all BIE-funded 
institutions including BIE-operated schools, tribally-controlled 
schools, post-secondary institutions, and tribal colleges and 
universities.

II. Privacy Act

    The Privacy Act of 1974, as amended, embodies fair information 
practice principles in a statutory framework governing the means by 
which Federal agencies collect, maintain, use, and disseminate 
individuals' records. The Privacy Act applies to records about 
individuals that are maintained in a ``system of records.'' A ``system 
of records'' is a group of any records under the control of an agency 
from which information is retrieved by the name of an individual or by 
some identifying number, symbol, or other identifying particular 
assigned to the individual. The Privacy Act defines an individual as a 
United States citizen or lawful permanent resident. Individuals may 
request access to their own records that are maintained in a system of 
records in the possession or under the control of DOI by complying with 
DOI Privacy Act regulations at 43 CFR part 2, subpart K, and following 
the procedures outlined in the Records Access, Contesting Record, and 
Notification Procedures sections of this notice.
    The Privacy Act requires each agency to publish in the Federal 
Register a description denoting the existence and character of each 
system of records that the agency maintains, and the routine uses of 
each system. The INTERIOR/BIA-35, Behavioral Health and Wellness 
Program, system of records notice is published in its entirety below. 
In accordance with 5 U.S.C. 552a(r), DOI has provided a report of this 
system of records to the Office of Management and Budget and to 
Congress.

III. Public Participation

    You should be aware your entire comment including your personally 
identifiable information, such as your address, phone number, email 
address, or any other personal information in your comment, may be made 
publicly available at any time. While you may request to withhold your 
personally identifiable information from public review, we cannot 
guarantee we will be able to do so.

SYSTEM NAME AND NUMBER:
    INTERIOR/BIA-35, Behavioral Health and Wellness Program.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Records are maintained by the Office of the Director, Bureau of 
Indian Education, 1849 C Street NW, MIB-3621, Washington, DC 20240, and 
at BIE contractor facilities. A current listing of contractor 
facilities may be obtained by writing to the System Manager identified 
below.

SYSTEM MANAGER(S):
    Student Health Program Specialist, Office of the Director, Bureau 
of Indian Education, 1849 C Street NW, MIB-3621, Washington, DC 20240.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Every Student Succeeds Act, Public Law 114-95; Indian Education 
Policies, 25 CFR part 32; Expenditure of appropriations by Bureau, 25 
U.S.C. 2006; Congressional statement of findings, 25 U.S.C. 5301; 
Indian Child Welfare Act of 1978, Public Law 95-60825 U.S.C. 1901; 
Confidentiality of Substance Use Disorder Patient Records, 42 CFR part 
2; Enforcement of Nondiscrimination on the Basis of Handicap in 
Programs or Activities Conducted by the Department of the Interior, 43 
CFR Subpart E; Rehabilitation Act of 1973, as amended, Public Law 93-
112, Section 504, 29 U.S.C. 794; Tribally Controlled Schools Act of 
1988, 25 U.S.C. 2501 et seq.; Indian Self-Determination and Education 
Assistance Act, 25 U.S.C. 5301 et seq.; Health Insurance Portability 
and Accountability Act of 1996 (HIPAA), Public Law 104-191; Individuals 
with Disabilities Act (IDEA), 20 U.S.C. 1400 et seq.; and Maintenance 
and Control of Student Records in Bureau Schools, 25 CFR part 43.

PURPOSE(S) OF THE SYSTEM:
    The primary purposes of the system are to provide immediate 
behavioral health crisis support, clinical counseling services and 
crisis care coordination, and to facilitate communication between the 
client and appropriate points of contact for referrals and continued 
service delivery or emergency care.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Individuals covered by the system include current and former BIE 
employees, contractors, students, parents, guardians or caretakers of 
students, and staff at BIE-operated K-12 schools, BIE-operated post-
secondary institutions, tribally-controlled schools operated pursuant 
to a grant under the Tribally Controlled Schools Act of 1988 or a 
contract under the Indian Self-Determination and Education Assistance 
Act, and tribal colleges and universities. These individuals are 
collectively referred to as clients for purposes of this program.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The categories of records in the system include information 
collected on forms from BHWP clients as follows:
    (1) Student Information. Name, date of birth, mailing address, 
physical address, home and cell phone number, email address, parent, 
guardian, or caretaker information, emergency

[[Page 44825]]

contact information, school of enrollment, grade level, tribe of 
enrollment and disability information such as a client's Individualized 
Education Plan (IEP) or 504 Plan. Information about clinical services 
provided by the service provider may be maintained in the student's 
records and may be viewed by the Student Health Program Specialist, as 
authorized and necessary to facilitate behavioral health, counseling or 
crisis care coordination or referrals for this program.
    (2) Parent, Guardian, or Caretaker Information. Name, relationship 
to student, mailing address, email address, physical address, home and/
or cell phone number, and tribe of enrollment.
    (3) BIE Staff/Employee Information. Name, date of birth, mailing 
address, physical address, home and/or cell phone number, email 
address, school affiliation, tribe of enrollment, and emergency contact 
information.
    (4) School Level Staff and Employee Information. Name, date of 
birth, mailing address, physical address, home and/or cell phone 
number, email address, school affiliation, tribe of enrollment, and 
emergency contact information.
    (5) Tribal Staff and Employee Information. Name, date of birth, 
mailing address, physical address, home and/phone number, email 
address, school affiliation, tribe of enrollment, and emergency contact 
information.
    (6) Emergency Contact Person. Contact name, relationship to client, 
and emergency contact phone, cell phone number, and email address.
    (7) In the case of a critical incident, sentinel event, death, or 
crisis incident, the PII may also include client name, age, date of 
birth, address, parent, guardian, or caretaker information if 
applicable, emergency contact information, manner of death or incident 
type, location of death or incident, date and time of death or 
incident, any known witness or collateral contact, and their contact 
information at time of client death or client related incident. This 
information may be shared with appropriate local, tribal, city, county, 
state, or Federal law enforcement officials and first responders for 
immediate emergency response engagement, medical centers for emergency 
medical care, and social services or other agencies in the event of 
abuse or neglect. This information may be shared with appropriate BIE 
and BHWP officials and administrators as needed, as well as tribal 
officials for appropriate critical incident or sentinel event 
reporting.

RECORD SOURCE CATEGORIES:
    Information comes primarily from BHWP Care Coordinators and BHWP 
licensed providers from the school point of contact at time of client 
referral, directly from the client, and the client's parent, guardian, 
emergency contact or caretaker when necessary.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act, all or a portion of the records or 
information contained in this system may be disclosed outside DOI as a 
routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
    A. To the Department of Justice (DOJ), including Offices of the 
U.S. Attorneys, or other Federal agency conducting litigation or in 
proceedings before any court, adjudicative, or administrative body, 
when it is relevant or necessary to the litigation and one of the 
following is a party to the litigation or has an interest in such 
litigation:
    (1) DOI or any component of DOI;
    (2) Any other Federal agency appearing before the Office of 
Hearings and Appeals;
    (3) Any DOI employee or former employee acting in his or her 
official capacity;
    (4) Any DOI employee or former employee acting in his or her 
individual capacity when DOI or DOJ has agreed to represent that 
employee or pay for private representation of the employee; or
    (5) The United States Government or any agency thereof, when DOJ 
determines that DOI is likely to be affected by the proceeding.
    B. To a congressional office when requesting information on behalf 
of, and at the request of, the individual who is the subject of the 
record.
    C. To the Executive Office of the President in response to an 
inquiry from that office made at the request of the subject of a record 
or a third party on that person's behalf, or for a purpose compatible 
with the reason for which the records are collected or maintained.
    D. To any criminal, civil, or regulatory law enforcement authority 
(whether Federal, state, territorial, local, Tribal, or foreign) when a 
record, either alone or in conjunction with other information, 
indicates a violation or potential violation of law--criminal, civil, 
or regulatory in nature, and the disclosure is compatible with the 
purpose for which the records were compiled.
    E. To an official of another Federal agency to provide information 
needed in the performance of official duties related to reconciling or 
reconstructing data files or to enable that agency to respond to an 
inquiry by the individual to whom the record pertains.
    F. To Federal, state, territorial, local, tribal, or foreign 
agencies that have requested information relevant or necessary to the 
hiring, firing or retention of an employee or contractor, or the 
issuance of a security clearance, license, contract, grant, or other 
benefit, when the disclosure is compatible with the purpose for which 
the records were compiled.
    G. To representatives of the National Archives and Records 
Administration (NARA) to conduct records management inspections under 
the authority of 44 U.S.C. 2904 and 2906.
    H. To state, territorial, and local governments and tribal 
organizations to provide information needed in response to court order 
and/or discovery purposes related to litigation, when the disclosure is 
compatible with the purpose for which the records were compiled.
    I. To an expert, consultant, grantee, shared service provider, or 
contractor (including employees of the contractor) of DOI that performs 
services requiring access to these records on DOI's behalf to carry out 
the purposes of the system.
    J. To appropriate agencies, entities, and persons when:
    (1) DOI suspects or has confirmed that there has been a breach of 
the system of records;
    (2) DOI has determined that as a result of the suspected or 
confirmed breach there is a risk of harm to individuals, DOI (including 
its information systems, programs, and operations), the Federal 
Government, or national security; and
    (3) the disclosure made to such agencies, entities, and persons is 
reasonably necessary to assist in connection with DOI's efforts to 
respond to the suspected or confirmed breach or to prevent, minimize, 
or remedy such harm.
    K. To another Federal agency or Federal entity, when DOI determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in:
    (1) responding to a suspected or confirmed breach; or
    (2) preventing, minimizing, or remedying the risk of harm to 
individuals, the recipient agency or entity (including its information 
systems, programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.
    L. To the Office of Management and Budget (OMB) during the 
coordination

[[Page 44826]]

and clearance process in connection with legislative affairs as 
mandated by OMB Circular A-19.
    M. To the Department of the Treasury to recover debts owed to the 
United States.
    N. To the news media and the public, with the approval of the 
Public Affairs Officer in consultation with counsel and the Senior 
Agency Official for Privacy, where there exists a legitimate public 
interest in the disclosure of the information, except to the extent it 
is determined that release of the specific information in the context 
of a particular case would constitute an unwarranted invasion of 
personal privacy.
    O. To a parent or guardian, medical facility, service provider, 
BIE-funded school official, or appropriate parties to provide immediate 
behavioral health crisis support, clinical counseling services and 
crisis care coordination, and to facilitate communication between the 
client and appropriate points of contact for referrals and continued 
service delivery or emergency care pursuant to the Individuals with 
Disabilities Education Act (IDEA), 20 U.S.C. 1400 et seq.; Maintenance 
and Control of Student Records in Bureau Schools, 25 CFR part 43; 
Confidentiality of Substance Use Disorder Patient Records, 42 CFR part 
2; and other applicable laws and regulations.
    P. To Federal, tribal, state, local, or private agencies for 
referral to continue providing services, to report, investigate, and 
treat any incidents of suspected abuse or neglect pursuant to the 
Indian Child Protection and Family Violence Prevention Act, Public Law 
101-630, or in the event of any critical incident as required by 25 CFR 
part 43, other applicable laws, and BHWP policy and procedures.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Paper records are contained in file folders stored within filing 
cabinets in secured rooms. Electronic records are stored on electronic 
media at a Federal Risk and Authorization Management Program (FedRAMP) 
approved cloud service provider.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Information from the BHWP is retrievable by client name, age, 
gender, school affiliation, address, call type, and client identified 
record number by authorized users of the system. Additionally, de-
identified aggregate data, such as diagnosis codes, numbers of 
encounters, and types of encounters, and general demographics may be 
retrieved.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records retention schedules for the BHWP are being developed and 
will be submitted to NARA for scheduling and approval. These records 
will be treated as permanent until the records are scheduled and have 
been approved by NARA. Upon termination of the BHWP service contract 
with the Contracting Agency, the contractor will transfer all 
electronic health record information to the BIE for appropriate record 
keeping and storage in alignment with all Federal requirements.
    BHWP system usage records are covered by the Departmental Records 
Schedule 1.4A, Short Term Information Technology Records, System 
Maintenance and Use Records (DAA-0048-2013-0001-0013), which was 
approved by NARA. These records include system operations reports, 
login and password files, audit trail records and backup files. The 
disposition is temporary. Records are cut-off when superseded or 
obsolete and destroyed no later than three years after cut-off. Records 
associated with a 42 CFR part 2 program that is discontinued or is 
taken over or acquired by another program will be processed in 
accordance with 42 CFR 2.16, Security for records, and 2.19, 
Disposition of records by discontinued programs.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Access to records in the system is limited to authorized personnel 
who have a need to access the records in the performance of their 
official duties, and each user's access is restricted to only the 
functions and data necessary to perform that person's job 
responsibilities. System administrators and authorized users are 
trained and required to follow established internal security protocols 
and must complete all security, privacy, and records management 
training and sign the DOI Rules of Behavior.
    The records contained in this system are safeguarded in accordance 
with 43 CFR 2.226 and other applicable security and privacy rules and 
policies. Paper records are maintained in locked file cabinets and/or 
safes under the control of authorized personnel during normal hours of 
operation. Computer servers on which electronic records are stored are 
located at a FedRAMP-approved cloud service provider with physical, 
technical, and administrative levels of security to prevent 
unauthorized access to the system and information assets. The cloud 
service provider implements protections, controls and access 
restrictions as required to maintain the necessary FedRAMP 
certification and to mitigate the privacy risks. Authorized DOI and 
contractor personnel must complete mandatory security, privacy, records 
management, and HIPAA training specific to their roles to ensure they 
are knowledgeable about how to protect personally identifiable 
information before they are granted access to the system of records.
    Computerized records systems follow the National Institute of 
Standards and Technology privacy and security standards as developed to 
comply with the Privacy Act of 1974, as amended, 5 U.S.C. 552a; 
Paperwork Reduction Act of 1995, 44 U.S.C. 3501 et seq.; the Federal 
Information Security Modernization Act of 2014, 44 U.S.C. 3551 et seq.; 
and the Federal Information Processing Standards 199: Standards for 
Security Categorization of Federal Information and Information Systems. 
Security controls include user identification, multi-factor 
authentication, database permissions, encryption, firewalls, audit 
logs, and network system security monitoring, and software controls 
which establish access levels according to the type of user. Access to 
records in the system is limited to authorized personnel who have a 
need to access the records in the performance of their official duties, 
and each user's access is restricted to only the functions and data 
necessary to perform that person's job responsibilities. Audit trails 
are maintained and reviewed periodically to identify unauthorized 
access or use. A Privacy Impact Assessment was conducted on the 
Behavioral Health and Wellness Program System to ensure that Privacy 
Act requirements are met, and appropriate privacy controls were 
implemented to safeguard the personally identifiable information 
contained in the system.

RECORD ACCESS PROCEDURES:
    An individual requesting access to their records should send a 
written inquiry to the applicable System Manager identified above. DOI 
forms and instructions for submitting a Privacy Act request may be 
obtained from the DOI Privacy Act Requests website at https://www.doi.gov/privacy/privacy-act-requests. The request must include a 
general description of the records sought and the requester's full 
name, current address, and sufficient identifying information such as 
date of birth or other information required for verification of the 
requester's identity. The request must be signed and dated and be 
either notarized or submitted under penalty of perjury in accordance 
with 28 U.S.C. 1746. Requests submitted

[[Page 44827]]

by mail must be clearly marked ``PRIVACY ACT REQUEST FOR ACCESS'' on 
both the envelope and letter. A request for access must meet the 
requirements of 43 CFR 2.238.

CONTESTING RECORD PROCEDURES:
    An individual requesting amendment of their records should send a 
written request to the applicable System Manager as identified above. 
DOI instructions for submitting a request for amendment of records are 
available on the DOI Privacy Act Requests website at https://www.doi.gov/privacy/privacy-act-requests. The request must clearly 
identify the records for which amendment is being sought, the reasons 
for requesting the amendment, and the proposed amendment to the record. 
The request must include the requester's full name, current address, 
and sufficient identifying information such as date of birth or other 
information required for verification of the requester's identity. The 
request must be signed and dated and be either notarized or submitted 
under penalty of perjury in accordance with 28 U.S.C. 1746. Requests 
submitted by mail must be clearly marked ``PRIVACY ACT REQUEST FOR 
AMENDMENT'' on both the envelope and letter. A request for amendment 
must meet the requirements of 43 CFR 2.246.

NOTIFICATION PROCEDURES:
    An individual requesting notification of the existence of records 
about them should send a written inquiry to the applicable System 
Manager as identified above. DOI instructions for submitting a request 
for notification are available on the DOI Privacy Act Requests website 
at https://www.doi.gov/privacy/privacy-act-requests. The request must 
include a general description of the records and the requester's full 
name, current address, and sufficient identifying information such as 
date of birth or other information required for verification of the 
requester's identity. The request must be signed and dated and be 
either notarized or submitted under penalty of perjury in accordance 
with 28 U.S.C. 1746. Requests submitted by mail must be clearly marked 
``PRIVACY ACT INQUIRY'' on both the envelope and letter. A request for 
notification must meet the requirements of 43 CFR 2.235.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    None.

    Signed:
Teri Barnett,
Departmental Privacy Officer, Department of the Interior.
[FR Doc. 2023-14877 Filed 7-12-23; 8:45 am]
BILLING CODE 4337-15-P