

Privacy Act of 1974; Addition of a New Routine Use

This document has been published in the Federal Register.


Department of Health and Human Services (HHS), Centers for Medicare & Medicaid Services (CMS).


Notice to add a new routine use to all CMS systems of records (SOR).


CMS proposes to add a new routine use to its inventory of SOR subject to the Privacy Act of 1974 (Title 5 United States Code (U.S.C.) 552a) authorizing disclosure of individually identifiable information to assist in efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in these systems of records. The new routine use will be prioritized in the next consecutive numbered order of routine uses in each system notice and will be included in the next published notice as part of our normal SOR review process. The new routine use will read as follows:

1. To appropriate Federal agencies, Department officials and Agency contractors that need access to identifiable information to provide assistance to the Department's efforts to respond to a suspected or confirmed breach of the security or confidentiality of information. In order to receive the information, CMS must:

a. Determine that the use or disclosure does not violate legal limitations under which the record was provided, collected, or obtained;

b. Determine that the purpose for which the disclosure is to be made:

(1) Cannot be reasonably accomplished unless the record is provided in individually identifiable form,

(2) is of sufficient importance to warrant the effect and/or risk on the privacy of the individual that additional exposure of the record might bring, and

(3) there is reasonable probability that the objective for the use would be accomplished;

c. Require the recipient of the information to:

(1) Establish reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of the record, and

(2) remove or destroy the information that allows the individual to be identified at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the disclosure, and

(3) Make no further use or disclosure of the record except:

(a) In emergency circumstances affecting the health or safety of any individual, or

(b) When required by law.

d. Secure a written statement attesting to the information recipient's understanding of and willingness to abide by these provisions and complete a Data Use Agreement (CMS Form 0235) in accordance with current CMS policies.

The reason for this routine use is as follows:

Other Federal agencies, Department officials and contractors, as well as CMS contractors may need access to identifiable information that is both relevant and necessary to provide assistance to all efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in these systems of records.


Effective Date: The new routine use will be effective on < DATE >.


The public should address comments to: CMS Privacy Officer, Division of Privacy Compliance, Enterprise Architecture and Strategy Group, Office of Information Services, CMS, Room N2-04-27, 7500 Security Boulevard, Baltimore, Maryland 21244-1850. The telephone number is (410) 786-5357. Comments received will be available for review at this location, by appointment, during regular business hours, Monday through Friday from 9 a.m.-3 p.m., Eastern Time zone.



On May 22, 2007, the Office of Management and Budget (OMB) released Memorandum (M) 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information. HHS convened a leadership committee composed of members from the Office of the Chief Information Officer (OCIO), the Office of Assistant Secretary for Public Affairs (ASPA), and the Office of the Assistant Secretary for Planning and Evaluation (ASPE) in order to formulate a response plan for the newly established requirements. The final response plan was signed by the HHS Chief Information Officer (CIO), Mike Carleton, and submitted to OMB on September 19, 2007. As required by the memorandum, to comply with the “Incident Reporting and Handling Requirements,” all Operations and Staff Divisions are instructed to incorporate the suggested routine use language as part of their normal SOR review process.


Dated: June 16, 2009.

Michelle Snyder,

Deputy Chief Operating Officer, Centers for Medicare & Medicaid Services.


Attachment A

| SOR No. | Title | FR published |
|---|---|---|
| 09-70-0500 | Health Plan Management System (HPMS) | 71 FR 60718, 10/16/2006 |
| 09-70-0501 | Medicare Multi-Carrier Claims Systems (MCS) | 71 FR 64968, 11/06/2006 |
| 09-70-0502 | Enrollment Data Base (EDB) | 73 FR 10249, 02/26/2008 |
| 09-70-0503 | Fiscal Intermediary Shared System (FISS) | 71 FR 64961, 11/06/2006 |
| 09-70-0514 | Medicare Provider Analysis and Review (MEDPAR) | 71 FR 17470, 04/06/2006 |
| 09-70-0519 | Medicare Current Beneficiary Survey (MCBS) | 71 FR 60722, 10/16/2006 |
| 09-70-0520 | ESRD Program Management and Medical Information System (PMMIS) | 72 FR 26126, 5/8/2007 |
| 09-70-0521 | Inpatient Rehabilitation Facilities—Patient Assessment Instrument (IRF-PAI) | 71 FR 67143, 11/20/2006 |
| 09-70-0522 | Home Health Agency Outcome and Assessment Information Set (OASIS) | 72 FR 63906, 11/13/2007 |
| 09-70-0526 | Common Working File (CWF) | 71 FR 64955, 11/06/2006 |
| 09-70-0528 | Long Term Care-Minimum Data Set (LTC MDS) | 72 FR 12801, 3/19/2007 |
| 09-70-0532 | Provider Enrollment Chain and Ownership System (PECOS) | 71 FR 60536, 10/13/2006 |
| 09-70-0536 | Medicare Beneficiary Database (MBD) | 71 FR 11420, 03/07/2006 |
| 09-70-0538 | Individuals Authorized Access to the CMS Computer Services (IACS) | 72 FR 63902, 11/13/2007 |
| 09-70-0541 | Medicaid Statistical Information System (MSIS) | 71 FR 65527, 11/08/2006 |
| 09-70-0550 | Retiree Drug Subsidy Program (RDSP) | 70 FR 41035, 7/15/2005 |
| 09-70-0553 | Medicare Drug Data Processing System (DDPS) | 70 FR 58436, 10/06/2005 |
| 09-70-0558 | National Claims History File (NCH) | 71 FR 67137, 11/20/2006 |
| 09-70-0568 | One Program Integrity Data Repository (ODR) | 71 FR 64530, 11/02/2006 |
| 09-70-0569 | Post Acute Care Payment Reform/Continuity Assessment Report Demonstration and Evaluation (PAC-CARE) | 72 FR 55225, 09/28/2007 |
| 09-70-0571 | Medicare Integrated Data Repository (IDR) | 71 FR 64530, 11/02/2006 |
| 09-70-0573 | Chronic Condition Data Repository (CCDR) | 71 FR 54495, 09/15/2006 |
| 09-70-4001 | Medicare Advantage Prescription Drug (MARx) | 70 FR 60530, 10/18/2005 |
| 09-70-0575 | Organ Procurement Organizations System (OPOS) | 71 FR 29336, 05/22/2006 |
| 09-70-0594 | Minimum Data Set (MDS) for Home and Community Based Alternatives (CBA) to Psychiatric Residential Treatment Facilities (PRTF) (CBA-PRTF) | 72 FR 72733, 12/21/2007 |

[FR Doc. E9-15192 Filed 6-25-09; 8:45 am]