U.S. Office of Personnel Management (OPM).
Notice of a new system of records.
OPM proposes to add OPM/Central-15, Health Claims Data Warehouse, to its inventory of records systems subject to the Privacy Act of 1974 (5 U.S.C. 552a), as amended. This action is necessary to meet the requirements of the Privacy Act to publish in the Federal Register notice of the existence and character of records maintained by the agency. 5 U.S.C. 552a(e)(4). OPM first published a system of records notice pertaining to the Health Claims Data Warehouse on October 5, 2010 with the comment period closing November 15, 2010. On November 15, 2010, OPM extended the comment period to December 15, 2010 and indicated its intent to modify certain aspects of the system of records notice. On December 15, 2010, OPM published a notice closing the comment period. Based on the comments received during the comment period, OPM issues this revised notice that, among other things: limits the scope of the system to information pertaining to the Federal Employees Health Benefits Program; significantly narrows the circumstances under which routine use disclosures will be made from the system; clarifies that only de-identified data will be released outside of OPM; provides greater detail regarding OPM authorities for maintaining the system; and further describes systems security measures that will be taken to protect the records.
This action will be effective without further notice on July 15, 2011 unless comments are received that would result in a contrary determination.
Send written comments to the Office of Personnel Management, ATTN: Gary A. Lukowski, PhD, Manager, Data Analysis, U.S. Office of Personnel Management, 1900 E Street, NW., Room 7439, Washington, DC 20415 or to email@example.com.Start Further Info
FOR FURTHER INFORMATION CONTACT:
Gary A. Lukowski, PhD, Manager, Data Analysis, 202-606-1449.End Further Info End Preamble Start Supplemental Information
The purpose of this system of records is to provide a central database from which OPM may analyze costs and utilization of services associated with the Federal Employees Health Benefits Program to ensure the best value for both enrollees and taxpayers. OPM will collect, manage, and analyze health services data that health insurers and administrators will provide through secure data transfer for the program. OPM's analyses of the data will include: The cost of care; utilization of services; and quality of care for specific population groups, geographic areas, health plans, health care providers, disease conditions, and other relevant categories. The information contained in the database will assist in improving the effectiveness and efficiency of care delivered by health care providers to the enrollees by facilitating robust contract negotiations, health plan accountability, performance management, and program evaluation. OPM will use identifiable data to create person-level longitudinal records, which are long-term health records that will allow us to examine individual health information over time. However, OPM analysts using the database for analysis purposes will only have access to de-identified data. Likewise, only de-identified data will be supplied to external analysts.
Information on enrollees in the Pre-Existing Condition Insurance Plan (PCIP) had been proposed to be included in this database. However, OPM and HHS have determined that it is unnecessary to include claims from the Federally-run PCIP in this System of Records. In its role administering the program as a whole, HHS intends to collect de-identified claims level data on the program. Because OPM manages the day-to-day operation of the Federally-run PCIP pursuant to an agreement with HHS under the Economy Act, 31 U.S.C. 1535, HHS intends to make these de-identified data available to OPM for monitoring and oversight activities. Additionally, the original notice proposed including in this database information on enrollees in the OPM-regulated Multi-State Plans (MSP) which will appear on state exchanges beginning January 1, 2014. OPM has determined that it is premature to establish a System of Records for a program that will not become operational until 2014.Start Signature
U.S. Office of Personnel Management.
Health Claims Data Warehouse (HCDW).
Office of Personnel Management, 1900 E Street, NW., Washington, DC 20415.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
This system will contain records on the Federal Employees Health Benefits Program (FEHBP. The FEHBP includes Federal employees, Postal employees, uniformed service members, retirees, and their family members who voluntarily participate in the Program.Start Printed Page 35051
CATEGORIES OF RECORDS IN THE SYSTEM:
The records in the system may contain the following types of information on participating enrollees and covered dependents:
a. Name, social security number, date of birth, gender.
b. Home address.
c. Covered dependent information (spouse, dependents)—name, social security number, date of birth, gender.
d. Enrollee's employing agency.
e. Name of health care provider.
f. Health care provider address.
g. Health care provider taxpayer identification number (TIN) or carrier identifier.
h. Health care coverage information regarding benefit coverage for the plan in which the person is enrolled.
i. Health care procedures performed on the individual in the form of ICD, CPT and other appropriate codes.
j. Health care diagnoses in the form of ICD codes, and treatments, including prescribed drugs, derived from clinical medical records.
k. Provider charges, amounts paid by the plan and amounts paid by the enrollee for the above coverage, procedures, and diagnoses.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Authority for requiring FEHBP carriers to allow OPM access to records and for requiring reports, as well as authority for OPM's maintenance of FEHBP health claims information, is provided by 5 U.S.C. 8901, et seq. Section 8910 of title 5 United States Code states, in relevant part: “(a) The Office of Personnel Management shall make a continuing study of the operation and administration of this chapter, including surveys and reports on health benefit plans available to employees and on the experience of the plans. (b) Each contract entered into under section 8902 of this title shall contain provisions requiring carriers to—(1) furnish such reasonable reports as the Office determines to be necessary to enable it to carry out its functions under this chapter; and (2) permit the Office and representatives of the Government Accountability Office to examine records of the carriers as may be necessary to carry out the purposes of this chapter.” As explained in greater detail in the “Purpose” section below, OPM plans to use the information collected in this system to assist in its administration of, and in carrying out its functions under 5 U.S.C. chapter 89.
The primary purpose of this system of records is to provide a central database from which OPM may analyze the FEHBP to support the management of the program to ensure the best value for the enrollees and taxpayers. OPM will collect, manage, and analyze health services data provided by health insurers and administrators through secure data transfer. OPM will analyze the data in order to evaluate: The cost of care; utilization of services; and quality of care for specific population groups, geographic areas, health plans, health care providers, disease conditions, and other relevant categories. Information contained in the database will assist in improving the effectiveness and efficiency of care delivered by health care providers to the enrollees by facilitating robust contract negotiations, health plan accountability, performance management, and program evaluation. OPM will use identifiable data to create person-level longitudinal records. However, OPM analysts using the database for analysis purposes will only have access to de-identified data. Only de-identified data will be released for all analysis purposes.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:
1. To disclose FEHBP data to analysts inside and outside the Federal Government for the purpose of conducting analysis of health care and health insurance trends and topical health-related issues compatible with the purposes for which the records were collected and formulating health care program changes and enhancements to limit cost growth, improve outcomes, increase accountability, and improve efficiency in program administration. In all cases, analysts external to OPM will access a public use file that will be maintained for such purposes; will only contain de-identified data; and will be structured, where appropriate, to protect enrollee confidentiality where identities may be discerned because there are fewer records under certain demographic or other variables. In all disclosures to analysts under this routine use, only de-identified data will be disclosed.
POLICIES AND PRACTICES OF STORING, RETRIEVING, SAFEGUARDING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:
These records will be maintained in electronic systems.
These records are retrieved by a unique identifier that will be based on identifying information (primarily name and social security number) of the individual.
OPM's Planning and Policy Analysis (PPA) Office will maintain HCDW within secured offices at OPM Headquarters. All employees and contractors are required to have an appropriate background investigation before they are allowed physical access to OPM and access to the HCDW system. The secured space is equipped with an electronic badge reader restricting access to authorized personnel only and has alarms to alert security personnel if unauthorized personnel are in the spaces. OPM employs armed physical security guards 365 days a year, 24 hours a day that patrol OPM Headquarters, to include every entry/exit point. Video cameras are strategically located on every floor and external to the facility. The HCDW will physically reside on the servers managed by OPM's Office of Inspector General (OIG), but PPA personnel will have sole control and responsibility for the operation, maintenance, access, and security of the HCDW. Computer firewalls are maintained in the HCDW to prevent access by unauthorized personnel. The HCDW employs National Institute of Standards and Technology (NIST) Security Controls identified in the most recent version of Special Publication SP 800-53. NIST 800-53 security controls are the management, operational, and technical safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information. The HCDW will perform Authorization and Assessment following the NIST 800-53 standard in order to obtain an Authority to Operate (ATO). The HCDW will employ role based access controls to further restrict access to data contained within HCDW and its virtual servers based on the functions that users are authorized to perform. The data warehouse will be fully compliant with all applicable provisions of the Privacy Act, Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), Records Act, Office of Management and Budget (OMB) guidance, and NIST guidance. As also explained below under “Record Source Categories,” the PPA receives the data from the OIG, which collects it from contract service providers (health plans) carrying out the program. The data is reviewed by the OIG for accuracy and adjusted to ensure a common format. Once data is adjusted into a common format it is then routed to the HCDW Start Printed Page 35052where longitudinal records are produced and the data is stripped of identifiers for analytic purposes. The PPA has determined that first running the data through OPM OIG's data processing environment will result in significant cost and efficiency savings because the OPM OIG has already developed, tested, and established technical protocols which will ensure that the records are put into a common technical format and checked for accuracy. A database administrator employed by PPA will handle the FEHBP data at this processing phase. The OPM OIG systems that will process the data will also be fully compliant with all applicable provisions of the Privacy Act, Federal Information Security Management Act (FISMA), and NIST guidance.
RETENTION AND DISPOSAL:
The records in this system will be retained for 7 years. Computer records will be destroyed by electronic erasure. A records retention schedule is currently being established with NARA.
SYSTEM MANAGERS AND ADDRESSES:
The system manager is Gary A. Lukowski, PhD, Manager, Data Analysis, U. S. Office of Personnel Management, 1900 E Street, NW., Room 7439, Washington, DC 20415, 202-606-1449.
NOTIFICATION AND RECORD ACCESS PROCEDURE:
Individuals wishing to determine whether this system of records contains information about them may do so by writing to the U.S. Office of Personnel Management, FOIA/PA Requester Service Center, 1900 E Street, NW., Room 5415, Washington, DC 20415-7900 or by e-mailing firstname.lastname@example.org.
Individuals must furnish the following information for their records to be located:
1. Full name.
2. Date and place of birth.
3. Social security number.
5. Available information regarding the type of information requested.
6. The reason why the individual believes this system contains information about him/her.
7. The address to which the information should be sent.
Individuals requesting access must also comply with OPM's Privacy Act regulations regarding verification of identity and access to records (5 CFR 297).
CONTESTING RECORD PROCEDURE:
Individuals wishing to request amendment of records about them should write to the Office of Personnel Management, FOIA/PA Requester Service Center, 1900 E Street, NW., Room 5415, Washington, DC 20415-7900. ATTN: Planning and Policy Analysis.
Individuals must furnish the following information in writing for their records to be located:
1. Full name.
2. Date and place of birth.
3. Social Security Number.
4. City, state, and zip code of their Federal Agency.
6. Precise identification of the information to be amended.
Individuals requesting amendment must also follow OPM's Privacy Act regulations regarding verification of identity and amendment to records (5 CFR 297).
RECORD SOURCE CATEGORIES:
OPM, which has the authority to obtain this information from health care insurers and administrators contracted by OPM to manage the FEHBP, will obtain the FEHBP records from health care insurers and administrators. The information will first be received by OPM's OIG, which will then process the data and provide it to PPA under an MOU between PPA and OIG. OPM's OIG will also maintain the FEHBP records in a separate system of records under its own authorities. OPM has determined that first running the records through technical protocols developed and established by the OIG will be more efficient, secure, and cost effective because the records will already have been checked for accuracy and adjusted to ensure a common format using a well tested process.
None.End Supplemental Information
[FR Doc. 2011-14839 Filed 6-14-11; 8:45 am]
BILLING CODE 6325-46-P