Skip to Content

We invite you to try out our new beta eCFR site at https://ecfr.federalregister.gov. We’ve made big changes to make the eCFR easier to use. Be sure to leave feedback using the 'Feedback' button on the bottom right of each page!

Notice

Privacy Act of 1974; System of Records

Document Details

Information about this document as published in the Federal Register.

Document Statistics
Document page views are updated periodically throughout the day and are cumulative counts for this document. Counts are subject to sampling, reprocessing and revision (up or down) throughout the day.
Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

Office of the Assistant Secretary for Health, Department of Health and Human Services (HHS).

ACTION:

Notice of a new system of records.

SUMMARY:

In accordance with the requirements of the Privacy Act of 1974, as amended, the Department of Health and Human Services (HHS) is establishing a new system of records, 09-90-2002, “COVID-19 Insights Collaboration Records.” HHS will use the records in this system of records to create and maintain a new database to be used by HHS to understand, track, and respond to the novel coronavirus known as SARS-CoV-2 and the outbreak of COVID-19 (the disease caused by SARS-CoV-2) which the Secretary of Health and Human Services declared a public health emergency effective January 27, 2020, and the World Health Organization (WHO) declared a pandemic on March 11, 2020. Creating and maintaining the new database may include retrieving identifiable records about patients by the patients' personal identifiers in order to connect, combine, or de-duplicate records that are about the same individual; however, at this time, HHS does not plan to retrieve records by personal identifier when using the resulting database for research, analysis, or other public health activities.

DATES:

The new system of records is applicable July 16, 2020, subject to a 30-day period in which to comment on the routine uses.

ADDRESSES:

The public should address written comments by email to beth.kramer@hhs.gov or by mail to Beth Kramer, HHS Privacy Act Officer, FOIA/Privacy Act Division, Office of the Assistant Secretary for Public Affairs, 200 Independence Ave. SW, Washington, DC 20201.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

General questions about the new system of records may be submitted by email to beth.kramer@hhs.gov or by mail to Beth Kramer, HHS Privacy Act Officer, FOIA/Privacy Act Division, Office of the Assistant Secretary for Public Affairs, 200 Independence Ave. SW, Washington, DC 20201, (202) 690-6941.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

The new system of records will cover any identifiable records about patients that are retrieved by personal identifier for the purpose of creating and maintaining a new database that HHS will use for research, analysis, or other public health activities to understand, track, and respond to the novel coronavirus, SARS-CoV-2, which causes the disease known as COVID-19. The Department of Energy (DOE) will create and maintain the database for HHS at DOE's Oak Ridge National Laboratory (ORNL).

HHS will create the new database using certain existing patient records at federal agencies, and potentially at state agencies and private sector entities, about patients who have and, for control purposes, have not, tested positive for COVID-19 or antibodies to same. The new database will also include geospatial records, population density records, and other types of existing records that are not individually identifiable but that HHS determines are useful to include. However, the Privacy Act system of records only governs individually identifiable records that are retrieved by a personal identifier.

Custodians of the records that HHS, as a public health authority, determines are useful for COVID-19-related public health activities will donate data to ORNL for inclusion in the new database. At the time of publication, HHS anticipates that the COVID Insights Collaboration Database will include records from the Department of Veterans Affairs' (DVA) Veterans Health Administration (VHA) Corporate Data Warehouse and from the Department of Defense's (DoD) Military Health Information System. Other sources of records may be added later.

HHS is relying on its status as a public health authority under 42 U.S.C. 241 and 247d to obtain, compile, and analyze these data. In the course of creating and maintaining the database, ORNL may retrieve identifiable records by patients' personal identifiers in order to connect, combine, or de-duplicate records that are about the same individual. At this time, HHS does not plan to retrieve records by personal identifier when using the resulting database for research, analysis, or other public health activities.

HHS provided advance notice of the new system of records to the Office of Management and Budget and Congress as required by 5 U.S.C. 552a(r) and OMB Circular A-108.

Start Signature

Beth Kramer,

HHS Privacy Act Officer, FOIA/Privacy Act Division, Office of the Assistant Secretary for Public Affairs.

End Signature

SYSTEM NAME AND NUMBER:

COVID-19 Insights Collaboration Records, 09-90-2002.Start Printed Page 43244

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

The address of the HHS component responsible for this system of records is:

  • Office of the Assistant Secretary for Health (OASH), 200 Independence Ave. SW, Washington, DC 20201.

The address of the service provider that will create and maintain the database for HHS is:

  • Oak Ridge National Laboratory, P.O. Box 2008, Oak Ridge, TN 37831.

SYSTEM MANAGER(S):

The System Manager is:

  • Deputy Chief Information Officer, Office of the Assistant Secretary for Health (OASH), 200 Independence Ave. SW, Washington, DC 20201, (202) 821-5116, donald.burgess@hhs.gov.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

42 U.S.C. 241, 247d.

PURPOSE(S) OF THE SYSTEM:

The purpose of the system of records is to create and maintain a single database for HHS to use for analysis, research, and other public health activities related to the study of COVID-19. The system of records will be composed of certain existing records about patients who have tested positive for the novel coronavirus, SARS-CoV-2, which causes the disease known as COVID-19, or for antibodies to same; and, for control purposes, about patients who have not tested positive for same. The Department of Energy (DOE) will create and maintain the database for HHS at DOE's Oak Ridge National Laboratory (ORNL). In the course of creating and maintaining the database, ORNL may retrieve identifiable records by patients' personal identifiers in order to connect, combine, or de-duplicate records from contributed datasets that are about the same individual. At this time, HHS does not plan to retrieve records from the resulting database by personal identifier when using the database for research, analysis, or other public health activities.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The records are about patients identified as having tested positive for COVID-19 or antibodies to same, and, for control purposes, about patients who have not tested positive for same, in existing records at DVA, DoD, and other federal, state, local or tribal agencies or private sector entities which those custodians donate to HHS for inclusion in the COVID Insights Collaboration Database. Examples of such patients include:

  • Veterans and others who received care at VA facilities or through VA community care programs.
  • Uniformed service medical beneficiaries who received care at DoD facilities.

CATEGORIES OF RECORDS IN THE SYSTEM:

The categories of records are existing datasets containing patient medical records and related records, which may include any of the following information about each patient, as applicable:

  • Patient identifying information (e.g., name, address, date of birth, social security number, medical record number) and family information (e.g., next of kin; family medical history information).
  • Service information (e.g., dates, branch and character of service, service number).
  • Occupational and environmental exposure data.
  • Medical and dental resources data.
  • Sociological, diagnostic, counseling, rehabilitation, drug and alcohol, dietetic, medical, surgical, dental, psychological, and/or psychiatric information compiled by health care providers.
  • Information pertaining to the individual's medical, surgical, psychiatric, dental, and/or psychological examination, evaluation, and/or treatment (e.g., diagnostic, therapeutic special examinations; clinical laboratory, pathology and x-ray findings; operations; medications; allergies; consultations), including COVID-19 illness or antibody status.

RECORD SOURCE CATEGORIES:

HHS will obtain the donated datasets from federal, state, and local agencies, and private sector entities. The datasets will contain patient data which the donating agencies and entities may have originally collected from the patient; a representative of the patient; the patient's treating physicians and other health care providers, laboratories, and treatment facilities; and program personnel at the donating agency or entity or at another agency.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

In addition to other disclosures authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(1) and (2) and (b)(4) through (11), HHS may disclose records about an individual from this system of records to parties outside HHS as described in these routine uses, without the subject individual's prior written consent.

1. To HHS contractors, consultants, agents, or others (including DOE or another federal agency) engaged by HHS to assist with creating and maintaining the COVID-19 Insights Collaboration Database and who need to have access to the records to provide that assistance. Records that HHS discloses to another federal agency under this routine use may also be re-disclosed to contractors and others engaged by that agency that are assisting that agency with creating and maintaining the COVID-19 Insights Collaboration Database.

2. To student volunteers, individuals working under a personal services contract, and other individuals performing functions for HHS or its agent, DOE, who do not technically have the status of agency employees, if they are assisting HHS or DOE with creating and maintaining the COVID-19 Insights Collaboration Database and need access to the records to perform those agency functions.

3. To the Department of Justice (DOJ) or to a court or other adjudicative body in litigation or other proceedings when:

a. HHS or any of its component thereof, or

b. any employee of HHS acting in the employee's official capacity, or

c. any employee of HHS acting in the employee's individual capacity where the DOJ or HHS has agreed to represent the employee, or

d. the United States Government, is a party to the proceeding or has an interest in such proceeding and, by careful review, HHS determines that the records are both relevant and necessary to the proceeding.

4. To representatives of the National Archives and Records Administration in records management inspections conducted pursuant to 44 U.S.C. 2904 and 2906.

5. To appropriate agencies, entities, and persons when (1) HHS suspects or has confirmed that there has been a breach of the system of records, (2) HHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the federal government, or national security, and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

6. To another federal agency or federal entity, when HHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) Start Printed Page 43245responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the federal government, or national security, resulting from a suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

The records will be stored on electronic media, but paper printouts may be generated.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

The records will be retrieved by the patient's name, Social Security number, or other assigned identification number, if any, or combination of identifiers, to disaggregate duplicate records and to combine records that are about the same individual.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

The datasets used to create and maintain the COVID-19 Insights Collaboration Database will be retained in accordance with N1-514-92-001, Item 26, which provides for records of OASH program activities having significant historical and/or research value and relating to matters such as studies to be permanently retained.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

Safeguards will conform to the HHS Information Security and Privacy Program, https://www.hhs.gov/​ocio/​securityprivacy/​index.html, the HHS Information Security and Privacy Policy (IS2P), and security and privacy requirements specified in a services agreement between HHS and DOE. Agreements governing the data will ensure that information is safeguarded in accordance with applicable federal laws, rules, and policies, including: The E-Government Act of 2002, which includes the Federal Information Security Management Act of 2002 (FISMA); 44 U.S.C. 3541-3549, as amended by the Federal Information Security Modernization Act of 2014, 44 U.S.C. 3551-3558; all pertinent National Institutes of Standards and Technology (NIST) publications; and OMB Circular A-130, Managing Information as a Strategic Resource.

HHS and DOE will protect the records from unauthorized access through appropriate administrative, physical, and technical safeguards. These safeguards will include protecting the facilities where records are stored or accessed with security guards, badges and cameras; securing any hard-copy records in locked file cabinets, file rooms or offices during off-duty hours; controlling access to physical locations where records are maintained and used by means of combination locks and identification badges issued only to authorized users; requiring contractors to maintain appropriate safeguards and comply with the Privacy Act with respect to the records; limiting authorized users' access to electronic records based on roles and either two-factor authentication or password protection; requiring passwords to be complex and to be changed frequently; using a secured operating system protected by encryption, firewalls, and intrusion detection systems; maintaining an activity log of users' access; requiring encryption for records stored on removable media; training personnel in Privacy Act and information security requirements; and reviewing security controls on an ongoing basis.

RECORD ACCESS PROCEDURES:

The records in this system of records will be used solely to create and maintain a database from which records will not be retrieved by personal identifiers but will be used to study patients' characteristics; therefore, no Privacy Act purpose would be served by allowing subject individuals access rights with respect to the records in this system of records. Nevertheless, an individual may request access to records about that individual in this system of records by submitting a written access request to the System Manager identified in the “System Manager” section of this SORN. The request must contain the requester's full name, address, and signature, and should also include helpful identifying particulars that may be in the records, such as: The requester's date of birth and any assigned identification number (if known). To verify the requester's identity, the signature must be notarized or the request must include the requester's written certification that the requester is the individual who the requester claims to be and that the requester understands that the knowing and willful request for or acquisition of a record pertaining to an individual under false pretenses is a criminal offense subject to a fine of up to $5,000. HHS will direct any access request that HHS receives to the agency or entity that provided the extract to HHS, for consultation purposes; and HHS will respond to the request as the providing agency directs.

CONTESTING RECORD PROCEDURES:

The records in this system of records will be used solely to create and maintain a database from which records will not be retrieved by personal identifiers but will be used to study patients' characteristics; therefore, no Privacy Act purpose would be served by allowing subject individuals amendment rights with respect to the records in this system of records. Nevertheless, an individual may seek to amend a record about that individual in this system of records by submitting an amendment request to the System Manager identified in the “System Manager” section of this SORN, containing the same information required for an access request. The request must include verification of the requester's identity in the same manner required for an access request; must reasonably identify the record and specify the information contested, the corrective action sought, and the reasons for requesting the correction; and should include supporting information to show how the record is inaccurate, incomplete, untimely, or irrelevant. HHS will direct any amendment request that HHS receives to the agency or entity that provided the extract to HHS, for consultation purposes; and HHS will respond to the request as the providing agency directs.

NOTIFICATION PROCEDURES:

The records in this system of records will be used solely to create and maintain a database from which records will not be retrieved by personal identifiers but will be used to study patients' characteristics; therefore, no Privacy Act purpose would be served by allowing subject notification rights with respect to the records in this system of records. Nevertheless, an individual who wishes to know if this system of records contains records about that individual should submit a notification request to the System Manager identified in the “System Manager” section of this SORN. The request must contain the same information required for an access request, and must include verification of the requester's identity in the same manner required for an access request. HHS will direct any notification request that HHS receives to the agency or entity that provided the extract to HHS, for consultation purposes; and HHS will respond to the request as the providing agency directs.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.Start Printed Page 43246

HISTORY:

None.

End Supplemental Information

[FR Doc. 2020-15380 Filed 7-15-20; 8:45 am]

BILLING CODE 4150-28-P