Privacy Act of 1974; System of Records Notice
Notice To Revise An Existing System Of Records.
In accordance with the requirements of the Privacy Act of 1974, as amended (5 U.S.C. 552a), HHS is altering an existing system of records, “National Disaster Medical System (NDMS) Patient Treatment and Tracking,” system number 09-90-0040. The system of records was originally published June 26, 2007 (see 72 FR 35052) and previously revised March 27, 2008 (see 73 FR 16307). The alterations include: (1) Changing the system name to “National Disaster Medical System (NDMS) Disaster Medical Information Suite (DMIS);” (2) revising the categories of individuals to reflect that patients may include disaster workers and others who are provided medical countermeasures; (3) dividing the records into three categories (patient treatment, patient tracking, and veterinarian treatment) instead of two (patient treatment and veterinarian treatment); (4) adding, as a purpose for which information from this system is used, that the system provides HHS' NDMS claims processing system with records needed to reimburse NDMS providers for their services; (5) revising the first routine use to include these additional disclosure recipients: state and city governmental agencies, Non-Governmental Organizations (NGOs; e.g., American Red Cross), and hospitals that provide care to NDMS patients; and (6) adding one new routine use, pertaining to security breach response.
Table of Contents Back to Top
- FOR FURTHER INFORMATION CONTACT:
- SUPPLEMENTARY INFORMATION:
- I. National Disaster Medical System (NDMS) Disaster Medical Information Suite (DMIS)
- II. The Privacy Act
- System Number:
- System name:
- Security classification:
- System location:
- Categories of individuals covered by the system:
- Categories of records in the system:
- Category A:
- Category B:
- Category C:
- Authority for maintenance of the system:
- Routine uses of records maintained in the system, including categories of users and the purposes of such uses:
- Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system—
- Retention and Disposal:
- System manager and address:
- Notification procedure:
- Record access procedures:
- Contesting record procedures:
- Record source categories:
- System exempted from certain provision of the Privacy Act:
DATES: Back to Top
Effective Dates: Effective 30 days after publication. Written comments should be submitted on or before the effective date. HHS/ASPR/OEM/NDMS may publish an amended System of Records Notice (SORN) in light of any comments received.
ADDRESSES: Back to Top
The public should address written comments to: NDMS Director, National Disaster Medical System, 200 C Street SW., Washington, DC 20024. To review comments in person, please contact the Director NDMS, 200 C Street SW., Washington, DC 20024.
FOR FURTHER INFORMATION CONTACT: Back to Top
CDR Sumner Bossler, NDMS Disaster Medical Information Suite (DMIS), IT Program Manager, ASPR/OEM/NDMS, 200 C Street SW., C1L07, Washington, DC 20024. firstname.lastname@example.org.
SUPPLEMENTARY INFORMATION: Back to Top
I. National Disaster Medical System (NDMS) Disaster Medical Information Suite (DMIS) Back to Top
This system was established pursuant to Section 2812 of the Public Health Service (PHS) Act (42 U.S.C. 300hh-11), as amended, and resides in HHS/ASPR/OEM. Under section 2801 of the PHS Act, the HHS Secretary leads all Federal public health and medical response to public health emergencies and incidents covered by the National Response Framework, or any successor plan. The Secretary delegates to ASPR the leadership role for all health and medical services support functions in a health emergency or public health event, including National Special Security Events. In such events, ASPR may deploy this system, Field Medical Station assets, and other HHS employees under the control of the Secretary and provide operational oversight over officers of the U.S. Public Health Service Commissioned Corps and other Federal public health and medical personnel. Under the National Response Framework, HHS is the lead agency for Emergency Support Function 8, Public Health and Medical. HHS uses this system to collect medical records and share them with the other Federal agencies and departments that share ESF 8 responsibilities with HHS. The ESF 8 agencies have shared statutory authority to collect and use medical information as needed to coordinate the following three key functions with Federal, state, local and private partners, to augment public health and medical activities of State and local governments in disaster or public health emergency situations:
- Medical response—this function involves activation and deployment of Federal response teams comprised of medical and logistical personnel, to assess the health and medical needs of disaster victims and to provide physical and mental health care during a public health emergency, including National Special Security Events.
- Patient evacuation—this function involves establishment of communications, transportation, patient tracking, and a medical regulating system to evacuate and move patients from a staging center near a disaster site to patient reception sites known as Federal Coordinating Centers (FCCs). The Department of Defense (DOD) and Veterans Administration (VA) have the prime responsibility for activating and managing the FCCs. In turn, upon receiving the patients, the FCCs have the authority to arrange for necessary referrals and admissions of evacuated patients.
The information collected by the NDMS-DMIS system and the purposes for which the information is used and disclosed by HHS are described in more detail in the revised SORN that follows below. Because some of the revisions constitute significant changes, HHS provided adequate advance notice of the altered SORN to the Office of Management and Budget (OMB) and Congress as required by the Privacy Act at 5 U.S.C. 552a(r).
II. The Privacy Act Back to Top
The Privacy Act (5 U.S.C. 552a) governs the means by which the U.S. Government collects, maintains, and uses information about individuals in a system of records. A “system of records” is a group of any records under the control of a Federal agency from which information about an individual is retrieved by the individual's name or other personal identifier. The Privacy Act requires each agency to publish in the Federal Register a system of records notice (SORN) identifying and describing each system of records the agency maintains, including the purposes for which the agency uses information about individuals in the system, the routine uses for which the agency discloses such information outside the agency, and how individual record subjects can exercise their rights under the Privacy Act (e.g., to determine if the system contains information about them).
National Disaster Medical System (NDMS) Disaster Medical Information Suite (DMIS).
Paper records are stored at NDMS headquarters, 200 C. Street SW., Washington, DC 20024. The electronic database and server where information is entered and stored is maintained at the MAHC data center in Reston, Virginia.
Categories of individuals covered by the system:
Records in this system pertain to:
- patients who are treated and evacuated by Federal public health and medical personnel, including NDMS and PHS teams, that are activated to respond to an emergency or other situation; and
- owners of animals that are treated and evacuated by NDMS and PHS teams.
Patients may include disaster workers/responders and others who are provided medical countermeasures; however, this SORN excludes patient treatment records for federal employee-workers to the extent such records are covered under the Office of Personnel Management (OPM) SORN titled “Employee Medical File System Records” (OPM/GOVT-10). Patient records may include information about patients' family members and non-medical attendants, but only the patients—not their family members and non-medical attendants—are considered record subjects.
Categories of records in the system:
The system includes the following categories of records containing personally identifiable information about patients or owners of animals:
Completed Patient Treatment Record that includes
1. Team/personnel identification record, for patients who are disaster workers/responders on NDMS teams or other Federal public health and medical teams.
2. Patient treatment record.
a. Chart Number.
b. Time and Date Patient seeks treatment.
c. Triage Category and health status.
d. Location where Patient is seen and transferred.
e. Patient Identification: Name, Address, City, State, Zip, Date of Birth, Phone Number, Employment, Weight, Next of Kin.
g. Patient Acuity, health status, Vital Signs/Treatment Recommended and/or Prescribed, laboratory tests
h. Reported Medications and allergies
i. History of present illness and reported past medical history
j. Digital Images of patient and non-medical attendant for Identification
k. Digital images, audio or video used for medical assessment
l. Discharge—Time, Date, Disposition, Recommendations.
3. Patient Authorization—Requires Patient Signature in Front of Witness and Witness Verification through Signature.
4. Any potential attachments such as X-rays and laboratory reports showing test results.
Completed Patient Tracking Record that includes
1. Patient Tracking Record.
a. Patient Identification: Name, gender, and Address, City, State, Zip, Date of Birth, Phone Number, Employment, Weight, Next of Kin, unique ID.
b. Attendant Identification: Name, gender, Address, City, State, Zip, Date of Birth, Phone Number, Next of Kin, email address, unique ID
c. Triage Category and health status.
d. Location where Patient is seen and transferred.
e. Patient Acuity, health status
f. Digital Images of patient and non-medical attendant for Identification
g. Discharge: Time, Date, Disposition
Veterinarian Treatment Records on animals
1. Privacy Act Data such as the name, address and telephone contact information of owners of animals will be maintained to be associated with the animal patient. However, animal treatment records themselves are not subject to the Privacy Act protections.
Authority for maintenance of the system:
NDMS staff and other relevant HHS personnel use personally identifiable information from this system, on a need to know basis, for the following purposes:
- To document medical treatment rendered to patients, e.g., for use if questions of liability arise about the treatment or the subsequent condition of the patient while under the care of NDMS.
- To conduct medical quality assurance reviews and establish a quality improvement process (QIP), by reviewing medical treatment on a specific deployment, spotting best practices and developing process improvements for future deployments.
- For research projects related to the prevention of disease or disability as a result of a disaster and for situational awareness required for ASPR operations during disasters.
- To provide HHS' NDMS claims processing system with records needed to reimburse NDMS providers for their services.
Routine uses of records maintained in the system, including categories of users and the purposes of such uses:
In addition to those disclosures generally permitted under 5 U.S.C. 552a (b) of the Privacy Act, all or a portion of the records or information contained in this system may be disclosed to parties outside HHS as follows:
1. To Federal agencies that are ESF 8 partners, including but not limited to DHS, DoD, and the VA, or that participate in National Special Security Events; state and city governmental agencies; Non-Governmental Organizations such as the American Red Cross; and hospitals providing care to NDMS patients; which share responsibility with HHS for the medical treatment and movement of patients (including responders), decedents, and animals, for the purpose of discharging those responsibilities, including ensuring that patients treated receive the maximum level of health care possible. The medical and demographic information collected during the treatment of a patient is shared with relevant partners to ensure that patients treated through NDMS-DMIS receive the appropriate level of health care. The health information disclosed among the partners is limited to what is needed for continuity of health care operations.
2. To a member of Congress or a Congressional staff member in response to an inquiry from the Congressional office made at the written request of the constituent about whom the record is maintained.
3. To the Department of Justice (DOJ), a court, or an adjudicatory body when the following situations arise:
a. The agency or any component thereof, or
b. Any employee of the agency whether in his/her official or individual capacity, where DOJ has agreed to represent the employee, or
c. The United States government, is a party to litigation or has an interest in such litigation and, after careful review, the agency deems that the records requested are relevant and necessary to the litigation and that the use of such records by DOJ, the court or the adjudicatory body is compliant with the purposes for which the agency collected the records.
4. To contractors, consultants, grantees, or volunteers that have been engaged by HHS to assist in the performance of a service related to this collection and who have a need to have access to the records in order to perform the activity.
5. To assist another federal or state agency, or its fiscal agent:
a. To establish the benefit entitlement of the patient.
b. To establish the relationship between the existing state benefit and the benefit funded in whole or part with federal funds, such as the one associated with the NDMS definitive care.
c. To collaborate with the state and state agencies on behalf of family members regarding the current location and placement of their evacuated family member or patient population.
6. To family members of a patient, to provide them with information about the location or the status of the patient. Disclosure of a patient's location or status is not permitted when there is a reasonable belief that disclosing such information could endanger the life, safety, health, or well-being of the patient.
7. To appropriate Federal agencies and Department contractors that have a need to know the information for the purpose of assisting HHS's efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, provided the information disclosed is relevant and necessary for that assistance.
Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system—
Records are stored in paper files kept at NDMS headquarters and in an electronic database housed in Reston, Virginia.
Records are organized by event, location, and date of treatment. Data are retrieved by name and other demographic information provided by the patient (or for veterinary records, by animal owner), as well as by location of treatment, diagnosis, and other data fields within the database.
Information in this system is safeguarded in accordance with applicable laws, rules and policies, including the HHS Information Technology Security Program Handbook, all pertinent National Institutes of Standards and Technology publications and OMB Circular A-130, Management of Federal Resources. Records are protected from unauthorized access through appropriate administrative, physical, and technical safeguards. These safeguards include restricting access to authorized personnel who have need-to-know, using physical locks in the office environment, and the process of authentication using user IDs and passwords function as identification protection features. HHS file areas are locked after normal duty hours and the facilities are protected from the outside by security personnel. Personnel with authorized access to the system have been trained in the Privacy Act and information security requirements for both paper copies and electronically stored information.
Retention and Disposal:
Records are retained in accordance with records disposition schedule N1-468-07-1, approved by the National Archives and Records Administration (NARA) for the Office of Public Health and Emergency Preparedness (OPHEP); the Pandemic and All Hazards Preparedness Act (Pub. L. 109-417) established the ASPR to serve in a similar capacity as OPHEP for medical disaster response. Schedule N1-486-08-1 covers Patient Care Forms or other Medical Records regulated under the Health Insurance Portability and Accountability Act (HIPAA), created by the Federal Medical Station(s) or by any component of HHS/ASPR during a response to an event while caring for victims of that event, and provides the following disposition authority:
Cutoff is at the end of the response activity by the Federal Medical Station(s) for a particular event. Retire to the Washington National Records Center 2 years after cutoff. Destroy 75 years after cutoff.
Cutoff refers to breaking, or ending files at regular intervals, usually at the close of a fiscal or calendar year, to permit their disposal or transfer in complete blocks and, in this case, cutoff is at the end of the response activity. The cutoff date marks the beginning of the records retention period. Veterinarian treatment records pertaining to animals and their owners are not included in the above schedule, and cannot be destroyed until NARA approves a disposition schedule for them.
System manager and address:
NDMS Director, 200 C. Street SW., Washington, DC 20024.
Individuals seeking to know if this system contains records about them must submit a written request to the System Manager at the above mailing address, clearly marked as a “Privacy Act Request” on the envelope and letter (see, generally, HHS Privacy Act regulations found at 45 CFR Part 5b). Requests pertaining to patients should include the full name of the patient, appropriate verification of identity, current address of the patient and the name of the requester, appropriate verification of identity, current address of the requester, and the nature of the record sought, as required by HHS Privacy Act regulations at 45 CFR 5b.5. Requests pertaining to owners of animals should include the full name of the owner and the animal, appropriate verification of identity, current address of the requester, and the nature of the record sought, as required by HHS Privacy Act regulations at 45 CFR 5b.5
Record access procedures:
Same as the notification procedure above.
Contesting record procedures:
Same as the notification procedure above; the request should also clearly and concisely describe the information contested, the reasons for contesting it, and the proposed amendment sought, pursuant to HHS Privacy Act regulations at 45 CFR 5b.7.
Record source categories:
Information in patient treatment and tracking records is obtained directly from the patients and from medical or clinical personnel treating or evacuating the patients or accessing their personal health records (PHR). In the case of minors or other patients who are unable to explain symptoms, information may be obtained from a parent or guardian, or other family members or individuals attending. Information in veterinarian treatment records about owners of animals is obtained from NDMS veterinary personnel and/or the owners or caretakers of the animals.
System exempted from certain provision of the Privacy Act:
Dated: December 6, 2013.
Assistant Secretary for Preparedness and Response.
[FR Doc. 2013-31118 Filed 12-26-13; 8:45 am]
BILLING CODE 4150-37-P