Skip to Content

Notice

Privacy Act of 1974: New System of Records

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

U.S. Office of Personnel Management (OPM).

ACTION:

Notice of amendment to system of records.

SUMMARY:

OPM has amended an existing system of records subject to the Privacy Act of 1974 (5 U.S.C. 552a) to reflect the fact that the Office of Planning and Policy Analysis (PPA) is receiving Federal Employees Health Benefits Program (FEHBP) Health Claims data directly from some FEHBP carriers, and processing and analyzing this data within OPM. PPA is developing the alternative data intake process to acquire data from plans and/or carriers that are outside of the scope of existing OPM systems.

DATES:

This action will be effective without further notice on May 20, 2013 unless comments are received that would result in a contrary determination.

ADDRESSES:

Send written comments by mail to the Office of Personnel Management, ATTN: Dennis Hardy, PMP, HCDW Project Manager, U. S. Office of Personnel Management, 1900 E Street NW., Room 2340A, Washington, DC 20415, or by email to dennis.hardy@opm.gov.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Dennis Hardy, PMP, HCDW Project Manager, 202-606-4281.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

The Office of Planning and Policy Analysis, in cooperation with the OPM/Chief Information Officer (CIO), is implementing an alternate data intake and transformation infrastructure within the OPM environment to allow OPM to develop, process, and analyze this additional data in an expeditious manner. This alternate infrastructure, which is a scaled down version of the Health Claims Data Warehouse (HCDW) system, also provides a “hot site” disaster recovery capability should the primary environment be unavailable for data processing and/or analysis. This alternate infrastructure is easily scalable to support the demands of OPM. In addition to building the alternative data intake process, PPA will continue to receive carrier information from OPM's Office of Inspector General (OIG). The carrier data will be transmitted securely from the physically secured servers managed by OIG to the secure data intake infrastructure managed by OPM's OCIO. In total, PPA will be receiving data from nine plans and/or carriers. This action is necessary to meet the requirements of the Privacy Act to publish in the Federal Register notice of the existence and character of records maintained by the Agency (5 U.S.C. 552a(e)(4)). OPM first published a system of records notice pertaining to the Health Claims Data Warehouse on October 5, 2010, with the comment period closing November 15, 2010. On November 15, 2010, OPM extended the comment period to December 15, 2010, and indicated its intent to modify certain aspects of the system of records notice. On December 15, 2010, OPM published a notice closing the comment period. Based on the comments received during the comment period, OPM issued a revised notice that, among other things, limited the scope of the system to information pertaining to FEHBP, significantly narrowed the circumstances under which routine use disclosures will be made from the system, clarified that only de-identified data will be released outside of OPM, provided greater detail regarding OPM authorities for maintaining the system, and further described systems security measures that will be taken to protect the records.

The purpose of this system of records is to provide a central database from which OPM may analyze costs and utilization of services associated with FEHBP to ensure the best value for both enrollees and taxpayers. OPM collects, manages, and analyzes health services data that health insurers and administrators provide through secure data transfer for the program. OPM's analysis of the data includes the cost of care, utilization of services, and quality of care for specific population groups, geographic areas, health plans, health care providers, disease conditions, and Start Printed Page 23314other relevant categories. The information contained in the database assists in improving the effectiveness and efficiency of care delivered by health care providers to the enrollees by facilitating robust contract negotiations, health plan accountability, performance management, and program evaluation. OPM uses identifiable data to create person-level longitudinal records, which are long-term health records that allow us to examine individual health information over time. Access to personally identifiable information is highly restricted to personnel needed to create person-level longitudinal records and to select OPM analysts using the database for analytical purposes.

Start Signature

Office of Personnel Management.

John Berry,

Director.

End Signature

OPM CENTRAL—15

SYSTEM NAME:

Health Claims Data Warehouse (HCDW).

SYSTEM LOCATION:

Office of Personnel Management, 1900 E Street NW., Washington, DC 20415.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

This system contains records on the Federal Employees Health Benefits Program (FEHBP). The FEHBP includes Federal employees, Postal employees, uniformed service members, retirees, and their family members who voluntarily participate in the Program.

CATEGORIES OF RECORDS IN THE SYSTEM:

The records in the system may contain the following types of information on participating enrollees and covered dependents:

a. Name, social security number, date of birth, gender.

b. Home address.

c. Covered dependent information (spouse, dependents)—name, social security number, date of birth, gender.

d. Enrollee's employing agency.

e. Name of health care provider.

f. Health care provider address.

g. Health care provider taxpayer identification number (TIN) or carrier identifier.

h. Health care coverage information regarding benefit coverage for the plan in which the person is enrolled.

i. Health care procedures performed on the individual in the form of ICD, CPT and other appropriate codes.

j. Health care diagnoses in the form of ICD codes, and treatments, including prescribed drugs, derived from clinical medical records.

k. Provider charges, amounts paid by the plan and amounts paid by the enrollee for the above coverage, procedures, and diagnoses.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Authority for requiring FEHBP carriers to allow OPM access to records and for requiring reports, as well as authority for OPM's maintenance of FEHBP health claims information, is provided by 5 U.S.C. 8901, et seq. In particular, section 8910 states, in relevant part: “(a) The Office of Personnel Management shall make a continuing study of the operation and administration of this chapter, including surveys and reports on health benefit plans available to employees and on the experience of the plans. (b) Each contract entered into under section 8902 of this title shall contain provisions requiring carriers to—(1) furnish such reasonable reports as the Office determines to be necessary to enable it to carry out its functions under this chapter; and (2) permit the Office and representatives of the Government Accountability Office to examine records of the carriers as may be necessary to carry out the purposes of this chapter.” As explained in greater detail in the “Purpose” section below, OPM uses the information collected in this system to assist in its administration of, and in carrying out its functions under 5 U.S.C. chapter 89.

PURPOSE:

The primary purpose of this system of records is to provide a central database from which OPM may analyze the FEHBP to support the management of the program to ensure the best value for the enrollees and taxpayers. OPM collects, manages, and analyzes health services data provided by health insurers and administrators through secure data transfer. OPM analyzes the data in order to evaluate the cost of care, utilization of services, and quality of care for specific population groups, geographic areas, health plans, health care providers, disease conditions, and other relevant categories. Information contained in the database assists in improving the effectiveness and efficiency of care delivered by health care providers to the enrollees by facilitating robust contract negotiations, health plan accountability, performance management, and program evaluation. OPM uses identifiable data to create person-level longitudinal records. Access to PII is restricted to personnel needed to create person-level longitudinal records and to select OPM analysts using the database for the analytical purposes described in this notice. Only de-identified data will be released by OPM externally for all other research and analysis purposes.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

1. To disclose FEHBP data to analysts inside and outside the Federal Government for the purpose of conducting analysis of health care and health insurance trends and topical health-related issues compatible with the purposes for which the records were collected and formulating health care program changes and enhancements to limit cost growth, improve outcomes, increase accountability, and improve efficiency in program administration. In all disclosures to analysts external to OPM under this routine use, only de-identified data will be disclosed. A public use file that will be maintained will only contain de-identified data and will be structured, where appropriate, to protect enrollee confidentiality where identities may be discerned because there are fewer records under certain demographic or other variables.

POLICIES AND PRACTICES OF STORING, RETRIEVING, SAFEGUARDING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:

STORAGE:

These records are maintained in electronic systems.

RETRIEVABILITY:

These records are retrieved by a unique identifier that will be based on identifying information (primarily name and social security number) of the individual.

SAFEGUARDS:

The Health Claims Data Warehouse (HCDW), to include the new alternate data intake and transformation infrastructure, is operated within the OPM environment. All employees who have a need to access the information are required to have an appropriate background investigation consistent with the risk and sensitivity designation of that position. The investigation must be favorably adjudicated before they are allowed physical access to OPM and access to the HCDW system. Employees of contractors are required to have an appropriate background investigation consistent with the credentialing policy of the agency and/or the terms of the underlying contract. Again, the investigation must be favorably adjudicated before they are allowed physical access to OPM and access to the HCDW system. The OPM environment is equipped with electronic badge readers restricting Start Printed Page 23315access to authorized personnel only and has safeguards in place to alert security personnel if unauthorized personnel attempt to gain access to OPM's environment. OPM employs armed physical security guards 365 days a year, 24 hours a day that patrol OPM headquarters, to include entry and exit points. Computer firewalls are maintained to prevent access by unauthorized personnel. The HCDW employs National Institute of Standards and Technology (NIST) Physical and Environmental Security Controls identified in Special Publication SP 800-53 revision 3. The HCDW will perform a Security Assessment and Authorization (SA&A) following the NIST 800-53 rev 3 standard in order to obtain an Authority to Operate (ATO). Users within the Office of Planning and Policy Analysis (PPA) use the system to perform cost and quality analysis for health care plans. Two sub-groups of PPA users have been identified in the system, those who are permitted to view PII and those who are not. HCDW employs role based access controls (RBAC) to further restrict access to data contained within HCDW based on users' roles. The data warehouse is fully compliant with all applicable provisions of the Privacy Act, Health Insurance Portability and Accountability Act (HIPAA) as an oversight agency, Federal Information Security Management Act (FISMA), Records Act and National Institute of Standards and Technology (NIST) guidance.

RETENTION AND DISPOSAL:

The records in this system are retained for 7 years. Computer records will be destroyed by electronic erasure. The system has been approved by NARA to maintain a 7-year record retention.

SYSTEM MANAGERS AND ADDRESSES:

The system manager is Dennis Hardy, PMP, HCDW Project Manager, U. S. Office of Personnel Management, 1900 E Street NW., Room 2340A, Washington, DC 20415, 202-606-4281.

NOTIFICATION AND RECORD ACCESS PROCEDURE:

Individuals wishing to determine whether this system of records contains information about them may do so by writing to the U.S. Office of Personnel Management, FOIA/PA Requester Service Center, 1900 E Street NW., Room 5415, Washington, DC 20415-7900 or by emailing foia@opm.gov. Individuals must furnish the following information for their records to be located:

1. Full name.

2. Date and place of birth.

3. Social security number.

4. Signature.

5. Available information regarding the type of information requested.

6. The reason why the individual believes this system contains information about him/her.

7. The address to which the information should be sent.

Individuals requesting access must also comply with OPM's Privacy Act regulations regarding verification of identity and access to records (5 CFR 297).

CONTESTING RECORD PROCEDURE:

Individuals wishing to request amendment of records about them should write to the Office of Personnel Management, FOIA/PA Requester Service Center, 1900 E Street NW., Room 5415, Washington, DC 20415-7900. ATTN: Planning and Policy Analysis.

Individuals must furnish the following information in writing for their records to be located:

1. Full name.

2. Date and place of birth.

3. Social Security Number.

4. City, state, and zip code of their Federal Agency.

5. Signature.

6. Precise identification of the information to be amended.

Individuals requesting amendment must also follow OPM's Privacy Act regulations regarding verification of identity and amendment to records (5 CFR 297).

RECORD SOURCE CATEGORIES:

OPM, which has the authority to obtain this information from health care insurers and administrators contracted by OPM to manage the FEHBP, will obtain the FEHBP records from health care insurers and administrators. OPM's OIG also maintains the FEHBP records in a separate system of records under its own authorities.

SYSTEM EXEMPTIONS:

None.

End Supplemental Information

[FR Doc. 2013-09133 Filed 4-17-13; 8:45 am]

BILLING CODE 6325-63-P