Department of Health and Human Services (HHS), Centers for Medicare & Medicaid Services (CMS).
Notice to add a new routine use to all CMS systems of records (SOR).
CMS proposes to add a new routine use to its inventory of SOR subject to the Privacy Act of 1974 (Title 5 United States Code (U.S.C.) 552a) authorizing disclosure of individually identifiable information to assist in efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in these systems of records. The new routine use will be prioritized in the next consecutive numbered order of routine uses in each system notice and will be included in the next published notice as part of our normal SOR review process. The new routine use will read as follows:
1. To appropriate Federal agencies, Department officials and Agency contractors that need access to identifiable information to provide assistance to the Department's efforts to respond to a suspected or confirmed breach of the security or confidentiality of information. In order to receive the information, CMS must:
a. Determines that the use or disclosure does not violate legal Start Printed Page 30607limitations under which the record was provided, collected, or obtained;
b. Determines that the purpose for which the disclosure is to be made:
(1) Cannot be reasonably accomplished unless the record is provided in individually identifiable form,
(2) is of sufficient importance to warrant the effect and/or risk on the privacy of the individual that additional exposure of the record might bring, and
(3) there is reasonable probability that the objective for the use would be accomplished;
c. Requires the recipient of the information to:
(1) Establish reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of the record, and
(2) remove or destroy the information that allows the individual to be identified at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the disclosure, and
(3) Make no further use or disclosure of the record except:
(a) In emergency circumstances affecting the health or safety of any individual, or
(b) When required by law.
d. Secures a written statement attesting to the information recipient's understanding of and willingness to abide by these provisions and complete a Data Use Agreement (CMS Form 0235) in accordance with current CMS policies.
The reason for this routine use is as follows:
Other Federal agencies, Department officials and contractors, as well as CMS contractors may need access to identifiable information that is both relevant and necessary to provide assistance to all efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in these systems of records.
Effective Date: The new routine use will be effective on < DATE >.
The public should address comments to: CMS Privacy Officer, Division of Privacy Compliance, Enterprise Architecture and Strategy Group, Office of Information Services, CMS, Room N2-04-27, 7500 Security Boulevard, Baltimore, Maryland 21244-1850. The telephone number is (410) 786-5357. Comments received will be available for review at this location, by appointment, during regular business hours, Monday through Friday from 9 a.m.-3 p.m., Eastern Time zone.End Preamble Start Supplemental Information
On May 22, 2007, the Office of Management and Budget (OMB) released Memoranda (M) 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information. HHS convened a leadership committee composed of members from the Office of the Chief Information Officer (OICO), the Office of Assistant Secretary for Public Affairs (ASPA), and the Office of the Assistant Secretary for Planning and Evaluation (ASPE) in order to formulate a response plan for the newly established requirements. The final response plan was signed by the HHS Chief Information Officer (CIO), Mike Carleton and submitted to OMB on September 19, 2007. As required by the memoranda, to comply with the “Incident Reporting and Handling Requirements,” all Operations and Staff Divisions are instructed to incorporate the suggested routine use language as part of their normal SOR review process.Start Signature
Dated: June 16, 2009.
Deputy Chief Operating Officer, Centers for Medicare & Medicaid Services.
|SOR No.||Title||FR published|
|09-70-0500||Health Plan Management System (HPMS)||71 FR 60718, 10/16/2006|
|09-70-0501||Medicare Multi-Carrier Claims Systems (MCS)||71 FR 64968, 11/06/2006|
|09-70-0502||Enrollment Data Base (EDB)||73 FR 10249, 02/26/2008|
|09-70-0503||Fiscal Intermediary Shared System (FISS)||71 FR 64961, 11/06/2006|
|09-70-0514||Medicare Provider Analysis and Review (MEDPAR)||71 FR 17470, 04/06/2006|
|09-70-0519||Medicare Current Beneficiary Survey (MCBS)||71 FR 60722, 10/16/2006|
|09-70-0520||ESRD Program Management and Medical Information System (PMMIS)||72 FR 26126, 5/8/2007|
|09-70-0521||Inpatient Rehabilitation Facilities—Patient Assessment Instrument (IRF-PAI)||71 FR 67143, 11/20/2006|
|09-70-0522||Home Health Agency Outcome and Assessment Information Set (OASIS)||72 FR 63906, 11/13/2007|
|09-70-0526||Common Working File (CWF)||71 FR 64955, 11/06/2006|
|09-70-0528||Long Term Care-Minimum Data Set (LTC MDS)||72 FR 12801, 3/19/2007|
|09-70-0532||Provider Enrollment Chain and Ownership System (PECOS)||71 FR 60536, 10/13/2006|
|09-70-0536||Medicare Beneficiary Database (MBD)||71 FR 11420, 03/07/2006|
|09-70-0538||Individuals Authorized Access to the CMS Computer Services (IACS)||72 FR 63902, 11/13/2007|
|09-70-0541||Medicaid Statistical Information System (MSIS)||71 FR 65527, 11/08/2006|
|09-70-0550||Retiree Drug Subsidy Program (RDSP)||70 FR 41035, 7/15/2005|
|09-70-0553||Medicare Drug Data Processing System (DDPS)||70 FR 58436, 10/06/2005|
|09-70-0558||National Claims History File (NCH)||71 FR 67137, 11/20/2006|
|09-70-0568||One Program Integrity Data Repository (ODR)||71 FR64530, 11/02/2006|
|09-70-0569||Post Acute Care Payment Reform/Continuity Assessment Report Demonstration and Evaluation (PAC-CARE)||72 FR 55225, 09/28/2007|
|09-70-0571||Medicare Integrated Data Repository (IDR)||71 FR 64530, 11/02/2006|
|09-70-0573||Chronic Condition Data Repository (CCDR)||71 FR 54495, 09/15/2006|
|09-70-4001||Medicare Advantage Prescription Drug (MARx)||70 FR 60530, 10/18/2005|
|09-70-0575||Organ Procurement Organizations System (OPOS)||71 FR 29336, 05/22/2006|
|09-70-0594||Minimum Data Set (MDS) for Home and Community Based Alternatives (CBA) to Psychiatric Residential Treatment) Facilities (PRTF) (CBA-PRTF)||72 FR 72733, 12/21/2007|
[FR Doc. E9-15192 Filed 6-25-09; 8:45 am]
BILLING CODE 4120-03-P