Office of the Assistant Secretary for Preparedness and Response, HHS.
Notice of a Revised Privacy Act System of Records (SOR).
In accordance with the Privacy Act of 1974, we are proposing to revise the new Privacy Act System of Records (SOR) entitled, “The National Disaster Medical System (NDMS) Patient Treatment and Tracking Records System,” System Number 09-90-0040, in response to public comments received. The primary purpose of the NDMS Patient Treatment and Tracking Records System is to collect and store data about individuals who are served by the medical care response capabilities provided by the Department of Health and Human Services (HHS) through the NDMS, and through other HHS medical personnel. The proposed system will cover the collection, storage and sharing of personally identifiable data in accordance with the Privacy Act.
In a Federal Register Notice [72 FR 35052-35055] published on June 26, 2007, the HHS, ASPR, OPEO, NDMS proposed to establish the NDMS Patient Treatment and Tracking Record System. This system will collect demographic and health care data from individuals treated by the medical response personnel of HHS and in particular, ASPR. The HHS notice included reasons why this system is necessary as well as routine uses for disclosures. HHS received comments from private, non-profit organizations regarding the privacy protections that apply to information about individuals treated by HHS medical personnel. The comments suggested that the notice lacked clarity. The following paragraphs summarize the comments, recommendations and the agency's responses. We are also making other editorial changes to the System of Records Notice at this time.
B. Comments and Responses
Comment: There was an overall comment that the notice lacked adequate discussion of whether this system would be maintained in compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. It was recommended that compliance with the HIPAA Privacy Rule be “spelled out in the notice.”
Response: While ASPR, in operating NDMS, provides medical care to individuals who are victims of disasters, emergencies, public health emergencies, and events of national significance, ASPR is not a covered entity or a health care component of a covered entity, and therefore is not subject to the HIPAA Privacy Rule. Congress provided that these HIPAA standards only apply to health care providers that transmit health information electronically in connection with a transaction for which the Secretary of HHS has adopted standards (i.e., the standards provided for in the HIPAA Transactions Rule at 45 CFR Part 162). NDMS health care providers, operating under ASPR auspices, do not engage in these electronic transactions. However, the records within the NDMS Patient Treatment and Tracking Records System are protected by the Privacy Act.
Comment: The organizations which commented on the notice wanted to make it clear that there will be “no routine uses that are in violation of HIPAA.”
Response: As explained above, while ASPR provides medical care to individuals who are victims of disasters, emergencies, public health emergencies, and events of national significance, ASPR is not subject to the HIPAA Privacy Rule. The routine uses will comply with the provisions of the Privacy Act.
Comment: There was a comment regarding clarifying the use of data by NDMS's federal partners.
Response: The language has been clarified. Disclosure of personally identifiable information between federal partners will be limited to what is needed to support patient care and medical transport.
Comment: There is a concern that routine disclosure of patient location, especially when the patient is a victim of domestic violence, should be changed.
Response: Agree. The routine disclosure to family members regarding patient location and status has been revised to state that disclosure is not permitted when there is a reasonable belief that such information could endanger the life, safety, health, or well-being of the patient.
1. The Categories of Individuals Covered by the System section in the System of Records Notice (SORN) is revised to include other HHS personnel who may treat individuals. The section is revised as follows:
The individuals covered by the system are all persons and owners of animals treated by NDMS and other HHS medical personnel when the NDMS Disaster Medical Assistance Teams (DMATs), National Veterinary Response Teams (NVRTs), or other HHS medical personnel are activated to respond to emergency situations, or as a response to any other situation for which they are activated.
2. The Purpose(s) section in the SORN is revised to include other HHS personnel who may treat individuals. The first sentence of that section is revised to read:
Medical and demographic information is collected on all patients seen and/or treated by NDMS or other HHS personnel.
3. Routine Use No. 1 in the SORN is revised to clarify that it refers to sharing information between NDMS partner agencies, and to include a discussion, at the end of the routine use, of the relationship between all of the NDMS partners regarding the use of medical records as follows:
NDMS is a coordinated effort between HHS, the Department of Homeland Security (DHS), the Department of Defense (DoD), and the Department of Veterans Affairs (VA). As such, the medical treatment and movement of patients is a shared responsibility between these partnership agencies. The medical and demographic information collected during the treatment of a patient is shared with the partners to ensure that patients treated through NDMS receive the appropriate level of health care. The health information disclosed among the partners is limited to what is needed for continuity of health care operations.
4. Routine Use No. 4 in the SORN is revised to include volunteers as follows:
Disclosure to agency contractors, consultants, grantees, or volunteers who have been engaged by the agency to assist in the performance of a service related to this collection and who have a need to have access to the records in order to perform the activity.
5. Routine Use No. 6 in the SORN is revised to include a discussion, at the end of the routine use, of the circumstances when the agency will not disclose the patient's location or status to family members as follows:
Disclosure of a patient's location or status is not permitted when there is a reasonable belief that disclosing such information could endanger the life, safety, health, or well-being of the patient.
6. In the SORN, in the Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System, in the Disposition authority subsection, the first two sentences are revised as follows:
Patient Care Forms or other Medical Records created by the Federal Medical Station(s) (FMS) or by any component of HHS/ASPR inclusive of NDMS during a response to an event while caring for victims of that event are cutoff at the end of the response activity by the Federal Medical Station(s) or HHS/ASPR component for a particular event. Cutoff refers to breaking, or ending files at regular intervals, usually at the close of a fiscal or calendar year, to permit their disposal or transfer in complete blocks and, in this case, cutoff is at the end of the response activity. The cutoff date marks the beginning of the records retention period.
Dated: March 3, 2008.
Deputy Assistant Secretary, Director, Office of Preparedness and Emergency Operations.
[FR Doc. E8-6238 Filed 3-26-08; 8:45 am]
BILLING CODE 4150-37-P