Office of Consumer Information and Insurance Oversight: Privacy Act of 1974; Report of a New System of Records

Download PDF
Federal RegisterJul 2, 2010
75 Fed. Reg. 38526 (Jul. 2, 2010)

AGENCY:

Department of Health and Human Services (HHS).

ACTION:

Notice of a New System of Records.

SUMMARY:

In accordance with the requirements of the Privacy Act of 1974, the U.S. Department of Health and Human Services' (HHS) Office of Consumer Information and Insurance Oversight (OCIIO) is proposing to establish a new system of records (SOR) titled “Pre-Existing Condition Insurance Plan (PCIP),” System No. 09-90-0275. Section 1101 of Title I of the Patient Protection and Affordable Care Act of 2010 (Affordable Care Act) requires that the Secretary of Health and Human Services establish, either directly or through contracts with States and nonprofit private entities, a temporary high risk health insurance pool program to make health insurance coverage available at standard rates to uninsured individuals with pre-existing conditions. This program will continue until January 1, 2014, when American Health Benefit Exchanges established under sections 1311 and 1321 of the Affordable Care Act will be available for individuals to obtain health insurance coverage. HHS provided each State or its designated nonprofit entity the opportunity to contract with HHS to establish this program. However, to the extent that HHS does contract with a State to administer the program, HHS will make available a Pre-Existing Insurance Plan in such State under arrangements with the U.S. Office of Personnel Management, the U.S. Department of Agriculture's National Finance Center (NFC), and one or more nonprofit entities to serve as a third-party administrator (TPA) responsible for maintaining a network of health care providers and adjudicating claims for covered services.

The purpose of this system of records is to collect and maintain information on individuals who apply for enrollment in the program. This information will enable HHS acting through NFC, OPM, and any third-party administrator(s) to determine applicants' eligibility, enroll eligible individuals into the program, adjudicate appeals of eligibility and coverage determinations, bill and collect premium payments, and process and pay claims for covered health care items and services furnished to eligible individuals. Information maintained in this system will also be disclosed to: (1) Support regulatory, reimbursement, and policy functions performed by an HHS contractor, consultant or grantee; (2) assist another Federal or State agency, agency of a State government, an agency established by State law, or its fiscal agent; (3) support litigation involving the Department; (4) combat fraud and abuse in certain health benefits programs; and (5) assist efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records. We have provided background information about the modified system in the “Supplementary Information” section below. Although the Privacy Act requires only that HHS provide an opportunity for interested persons to comment on the proposed routine uses, HHS invites comments on all portions of this notice. See EFFECTIVE DATES section for comment period.

DATES:

Effective: HHS filed a new system report with the Chair of the House Committee on Government Reform and Oversight, the Chair of the Senate Committee on Homeland Security and Governmental Affairs, and the Administrator, Office of Information and Regulatory Affairs, Office of Management and Budget (OMB) on June 28, 2010. The system of records, except the routine uses, will become effective upon publication in the Federal Register. To ensure that all parties have adequate time in which to comment on the routine uses, the routine uses will become effective 30 days from the publication of the notice, or 40 days from the date it was submitted to OMB and Congress, whichever is later, unless HHS receives comments that require alterations to the routine uses.

ADDRESSES:

The public should address comments to: HHS Privacy Officer, Office of the Secretary, Office of the Assistant Secretary for Public Affairs (ASPA), Freedom of Information/Privacy Acts Division, 330 “C” Street, SW., Washington, DC 20201. Telephone number: (202) 690-7453. Comments received will be available for review at this location, by appointment, during regular business hours, Monday through Friday from 9 a.m.-3 p.m. e.t.

FOR FURTHER INFORMATION CONTACT:

Jill Gotts, Office of Consumer Information and Insurance Oversight (OCIIO), Office of the Secretary, Department of Health and Human Services. She can be reached at (202) 690-5894, or contact via e-mail at jill.gotts@cms.hhs.gov.

SUPPLEMENTARY INFORMATION:

Individuals who have a pre-existing condition are often unable to obtain insurance coverage in the individual market and in many cases are denied coverage entirely, are offered coverage with a rider that excludes coverage for the pre-existing condition, or are offered coverage at an unaffordable premium. The Pre-Existing Condition Insurance Plan will enable eligible individuals with pre-existing conditions to purchase coverage without any pre-existing condition coverage exclusions at standard individual insurance market rates. Section 1101 of the Act requires that the Secretary of the Department of Health and Human Services (HHS) establish, either directly or through contracts with States or nonprofit private entities, a temporary high risk pool program to provide access to affordable insurance for uninsured Americans with pre-existing conditions. This transitional program is intended to remain in place from the time of its establishment until the American Health Benefit Exchanges established under sections 1311 or 1321 of the Act go into effect on January 1, 2014.

Eligible individuals may access coverage through a Pre-Existing Condition Insurance Plan that will be established in each State by HHS, either directly or through a contract with the State or a non-profit entity. Individuals are eligible to enroll in a qualified high risk pool if they are citizens or nationals of the 50 States or District of Columbia, or are otherwise lawfully present; have not been covered under creditable coverage during the 6-month period prior to applying for coverage through this program; and have a pre-existing condition.

Individuals who enroll in qualified high risk pools are entitled under section 1101 of the Act to coverage that has an actuarial value of at least 65 percent of total allowed costs, and has a limit on enrollee out-of-pocket expenses that does not exceed the amount available to individuals with a high deductible health plan linked to a tax-preferred health savings account. The Pre-Existing Condition Insurance Plan will be available to eligible individuals for a premium that is no more than 100 percent of the standard individual market rate for that coverage. Premiums charged in the pool may vary only on the basis of the type of coverage (individual or family), age (by a factor no greater than 4 to 1).

The statute appropriates $5 billion in funding for the program, and specifies that these funds are available for the payment of claims and administrative costs that are in excess of the premiums collected from enrollees in the program. The Secretary is given broad authority to make adjustments needed to comply with this funding limitation, including limiting applications for participation in the program. The Secretary may carry out this program either directly or through contracts with eligible entities, including States and nonprofit private entities. To the extent that States meet the requirements described in the Act, HHS will contract with them to administer the new program. If a State declined to contract with HHS, or does not submit an application demonstrating the capability to meet the requirements of this program, HHS will administer that program in that State through a contract with a nonprofit private entity.

The Affordable Care Act also requires that the Secretary establish criteria to protect against “dumping risk” by insurers; the Act spells out criteria associated with these anti-dumping rules, and sets forth remedies when such situations occur. We are also required to establish oversight procedures, including appeals procedures and protections against fraud, waste, and abuse.

Finally, the statute specifies that coverage of eligible individuals under the high risk pool program will terminate on January 1, 2014. The Secretary is charged with developing procedures to transition qualified high risk pool enrollees to the American Health Benefit Exchanges, established under sections 1311 or 1321 of the Act, to ensure that there are no lapses in health coverage.

I. Description of the Proposed System of Records

A. Statutory and Regulatory Basis for System

Authority for the collection, maintenance, and disclosures from this system is given under provisions of Section 1101 of the Affordable Care Act.

B. Collection and Maintenance of Data in the System

Information in this system is maintained on individuals who apply to enroll in the Pre-Existing Condition Insurance Plan. Information maintained in this system includes, but is not limited to, the applicant's first name, last name, middle initial, address, date of birth, Social Security Number (SSN), gender, state of residence, information about prior coverage, information about the citizenship or lawful presence, and information about prior denials of insurance coverage or exclusions.

II. Agency Policies, Procedures, and Restrictions on Routine Uses

A. The Privacy Act permits us to disclose information without an individual's consent if the information is to be used for a purpose that is compatible with the purpose(s) for which the information was collected. Any such disclosure of data is known as a “routine use.” The government will only release PCIP information that can be associated with an individual as provided for under “Section III. Proposed Routine Use Disclosures of Data in the System.” Both identifiable and non-identifiable data may be disclosed under a routine use.

We will only disclose the minimum personal data necessary to achieve the purpose of PCIP. HHS has the following policies and procedures concerning disclosures of information that will be maintained in the system. In general, disclosure of information from the system will be approved only for the minimum information necessary to accomplish the purpose of the disclosure and only after HHS:

1. Determines that the use or disclosure is consistent with the reason that the data is being collected, e.g., to collect, maintain, and process information necessary to effectively and efficiently administer the PCIP;

2. Determines that:

a. The purpose for which the disclosure is to be made can only be accomplished if the record is provided in individually identifiable form;

b. The purpose for which the disclosure is to be made is of sufficient importance to warrant the effect and/or risk on the privacy of the individual that additional exposure of the record might bring; and

c. There is a strong probability that the proposed use of the data would in fact accomplish the stated purpose(s).

3. Requires the information recipient to:

a. Establish administrative, technical, and physical safeguards to prevent unauthorized use of disclosure of the record;

b. Remove or destroy at the earliest time all individually-identifiable information; and

c. Agree to not use or disclose the information for any purpose other than the stated purpose under which the information was disclosed.

4. Determines that the data are valid and reliable.

III. Proposed Routine Use Disclosures of Data in the System

A. Entities Who May Receive Disclosures Under Routine Use

These routine uses specify circumstances, in addition to those provided by statute in the Privacy Act of 1974, under which HHS may release information from the PCIP without the consent of the individual to whom such information pertains. Each proposed disclosure of information under these routine uses will be evaluated to ensure that the disclosure is legally permissible, including but not limited to ensuring that the purpose of the disclosure is compatible with the purpose for which the information was collected. We propose to establish the following routine use disclosures of information maintained in the system:

1. To support HHS contractors, consultants, or HHS grantees who have been engaged by HHS to assist in accomplishment of an HHS function relating to the purposes for this SOR and who need to have access to the records in order to assist HHS.

We contemplate disclosing information under this routine use only in situations in which HHS may enter into a contractual or similar agreement with a third party to assist in accomplishing an HHS function relating to purposes for this SOR. HHS occasionally contracts out certain of its functions when doing so would contribute to effective and efficient operations. HHS will give a contractor, consultant, or HHS grantee the information necessary for the contractor or consultant to fulfill its duties. In these situations, safeguards are provided in the contract prohibiting the contractor, consultant, or grantee from using or disclosing the information for any purpose other than that described in the contract and requires the contractor, consultant, or grantee to return or destroy all information at the completion of the contract. Contractors are also required to provide the appropriate management, operational, and technical controls to secure the data.

2. To assist another Federal or state agency, agency of a state government, an agency established by state law, or its fiscal agent pursuant to agreements with HHS to determine applicants' eligibility for the Pre-existing Condition Insurance Plan, enroll eligible individuals into the plan, adjudicate appeals of eligibility and coverage determinations, bill and collect premium payments, and process and pay claims for covered health care items and services furnished to eligible individuals.

Other Federal or state agencies in their administration of the Pre-existing Condition Insurance Plan may require PCIP information in order to carry out their functions pursuant to their agreements with HHS.

3. To support the Department of Justice (DOJ), court, or adjudicatory body when:

a. The Department or any component thereof, or

b. Any employee of HHS in his or her official capacity, or

c. Any employee of HHS in his or her individual capacity where the DOJ has agreed to represent the employee, or

d. The United States Government, is a party to litigation or has an interest in such litigation, and by careful review, HHS determines that the records are both relevant and necessary to the litigation and that the use of such records by the DOJ, court or adjudicatory body is compatible with the purpose for which the agency collected the records.

Whenever HHS is involved in litigation, or occasionally when another party is involved in litigation and HHS's policies or operations could be affected by the outcome of the litigation, HHS would be able to disclose information to the DOJ, court, or adjudicatory body involved.

4. To assist an HHS contractor that assists in the administration of an HHS-administered health benefits program, or to a grantee of an HHS-administered grant program, when disclosure is deemed reasonably necessary by HHS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste or abuse in such program.

We contemplate disclosing information under this routine use only in situations in which HHS may enter into a contract or grant with a third party to assist in accomplishing HHS functions relating to the purpose of combating fraud, waste or abuse. HHS occasionally contracts out certain of its functions when doing so would contribute to effective and efficient operations. HHS must be able to give a contractor or grantee whatever information is necessary for the contractor or grantee to fulfill its duties. In these situations, safeguards are provided in the contract prohibiting the contractor or grantee from using or disclosing the information for any purpose other than that described in the contract and requiring the contractor or grantee to return or destroy all information.

5. To assist another Federal agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States (including any state or local governmental agency), that administers, or that has the authority to investigate potential fraud, waste or abuse in a health benefits program funded in whole or in part by Federal funds, when disclosure is deemed reasonably necessary by HHS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste or abuse in such programs.

Other agencies may require PCIP information for the purpose of combating fraud, waste or abuse in such Federally-funded programs.

6. To assist appropriate Federal agencies and Department contractors that have a need to know the information for the purpose of assisting the Department's efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, and the information disclosed is relevant and unnecessary for the assistance. Other agencies may require PCIP information for the purpose of assisting the Department's efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records.

B. Additional Circumstances Affecting Routine Use Disclosures

Our policy will be to prohibit release even of data not directly identifiable, except pursuant to one of the routine uses or if required by law, if we determine there is a possibility that an individual can be identified through implicit deduction based on small cell sizes (instances where the patient population is so small that individuals could, because of the small size, use this information to deduce the identity of the individual).

IV. Safeguards

HHS has safeguards in place for authorized users and monitors such users to ensure against unauthorized use. Personnel having access to the system have been trained in the Privacy Act and information security requirements. Employees who maintain records in this system are instructed not to release data until the intended recipient agrees to implement appropriate management, operational and technical safeguards sufficient to protect the confidentiality, integrity and availability of the information and information systems and to prevent unauthorized access.

This system will conform to all applicable Federal laws and regulations and Federal and HHS policies and standards as they relate to information security and data privacy. These laws and regulations include but are not limited to: The Privacy Act of 1974; the Federal Information Security Management Act of 2002; the Computer Fraud and Abuse Act of 1986; the E-Government Act of 2002, and the Clinger-Cohen Act of 1996; OMB Circular A-130, Management of Federal Resources, Appendix III, Security of Federal Automated Information Resources also applies. Federal and HHS policies and standards include but are not limited to: all pertinent National Institute of Standards and Technology publications; and the HHS Information Systems Program Handbook.

V. Effects of the New System on the Rights of Individuals

HHS proposes to establish this system in accordance with the principles and requirements of the Privacy Act and will collect, use, and disseminate information only as prescribed therein. We will only disclose the minimum personal data necessary to achieve the purpose of PCIP. Disclosure of information from the system will be approved only to the extent necessary to accomplish the purpose of the disclosure.

HHS will take precautionary measures to minimize the risks of unauthorized access to the records and the potential harm to individual privacy or other personal or property rights. HHS will collect only that information necessary to perform the system's functions. In addition, HHS will make disclosure from the proposed system only with consent of the subject individual, or his/her legal representative, or in accordance with an applicable exception provision of the Privacy Act.

HHS, therefore, does not anticipate an unfavorable effect on individual privacy as a result of the disclosure of information relating to individuals.

Dated: June 25, 2010.

Richard Popper,

Deputy Director.

SYSTEM NUMBER:

09-90-0275.

System Name:

“Pre-Existing Condition Insurance Plan (PCIP),” OCIIO, OS/HHS.

Security Classification:

None.

System Location:

Office of Consumer Information and Insurance Oversight, U.S. Department of Health & Human Services, 200 Independence Avenue, SW., Suite 738F, Washington, DC 20201.

Categories of Individuals Covered by the System:

Information in this system is maintained on individuals who apply to enroll in the Pre-Existing Condition Insurance Plan.

Categories of Records in the System:

Information in this system is maintained on individuals who enroll in the Pre-Existing Condition Insurance Plan. Information maintained in this system includes, but is not limited to, the applicant's first name, last name, middle initial, mailing address or permanent residential address (if different than the mailing address), date of birth, Social Security Number (if the applicant has one), gender, email address, telephone number. The system will also maintain information to make a decision about an applicant's eligibility. We collect and maintain information that the applicant submits pertaining to (1) his or her citizenship or immigration status, since only individuals who are citizens or nationals of the U.S. or lawfully present are eligible to enroll; (2) coverage an individual had during the prior twelve months from the date of application in order to establish that such individual has been without creditable coverage for at least six months are eligible to enroll and to assess whether insurers are discouraging an individual from remaining enrolled in prior coverage due to health status; and (3) an insurance company's denial of coverage, offer of coverage with a medical condition exclusion rider, or, for an applicant is guaranteed an offer of coverage, coverage that is medically underwritten. Information will also be maintained with respect to the applicant's premium amount and payment history.

Authority for Maintenance of the System:

Authority for the collection, maintenance, and disclosures from this system is given under provisions of Section 1101 of the Patient Protection and Affordable Care Act (Pub. L. 111-148).

Purpose(s) of the System:

The purpose of this system of records is to collect and maintain information on individuals who apply for enrollment in the program. This information will enable HHS acting through NFC, OPM, and any third-party administrator(s) to determine applicants' eligibility, enroll eligible individuals into the program, adjudicate appeals of eligibility and coverage determinations, bill and collect premium payments, and process and pay claims for covered health care items and services furnished to eligible individuals. Information maintained in this system will also be disclosed to: (1) Support regulatory, reimbursement, and policy functions performed by an HHS contractor, consultant or grantee; (2) assist another Federal or State agency, agency of a State government, an agency established by State law, or its fiscal agent; (3) support litigation involving the Department; (4) combat fraud and abuse in certain health benefits programs; and (5) assist efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records.

Routine Uses of Records Maintained in the System, Including Categories or Users and the Purposes of Such Uses:

B. Entities Who May Receive Disclosures Under Routine Use

These routine uses specify circumstances, in addition to those provided by statute in the Privacy Act of 1974, under which HHS may release information from the PCIP without the consent of the individual to whom such information pertains. Each proposed disclosure of information under these routine uses will be evaluated to ensure that the disclosure is legally permissible, including but not limited to ensuring that the purpose of the disclosure is compatible with the purpose for which the information was collected. We propose to establish the following routine use disclosures of information maintained in the system:

1. To support HHS contractors, consultants, or HHS grantees who have been engaged by HHS to assist in accomplishment of an HHS function relating to the purposes for this SOR and who need to have access to the records in order to assist HHS.

2. To assist another Federal or state agency, agency of a state government, an agency established by state law, or its fiscal agent pursuant to agreements with HHS to determine applicants' eligibility for the Pre-existing Condition Insurance Plan, enroll eligible individuals into the plan, adjudicate appeals of eligibility and coverage determinations, bill and collect premium payments, and process and pay claims for covered health care items and services furnished to eligible individuals.

3. To support the Department of Justice (DOJ), court, or adjudicatory body when:

e. The Department or any component thereof, or

f. Any employee of HHS in his or her official capacity, or

g. Any employee of HHS in his or her individual capacity where the DOJ has agreed to represent the employee, or

h. The United States Government, is a party to litigation or has an interest in such litigation, and by careful review, HHS determines that the records are both relevant and necessary to the litigation and that the use of such records by the DOJ, court or adjudicatory body is compatible with the purpose for which the agency collected the records.

4. To assist an HHS contractor that assists in the administration of an HHS-administered health benefits program, or to a grantee of an HHS-administered grant program, when disclosure is deemed reasonably necessary by HHS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste or abuse in such program.

5. To assist another Federal agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States (including any state or local governmental agency), that administers, or that has the authority to investigate potential fraud, waste or abuse in a health benefits program funded in whole or in part by Federal funds, when disclosure is deemed reasonably necessary by HHS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste or abuse in such programs.

6. To assist appropriate Federal agencies and Department contractors that have a need to know the information for the purpose of assisting the Department's efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, and the information disclosed is relevant and unnecessary for the assistance.

C. Additional Circumstances Affecting Routine Use Disclosures

Our policy will be to prohibit release even of data not directly identifiable, except pursuant to one of the routine uses or if required by law, if we determine there is a possibility that an individual can be identified through implicit deduction based on small cell sizes (instances where the patient population is so small that individuals could, because of the small size, use this information to deduce the identity of the beneficiary).

Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System:

Storage:

We will be storing records in hardcopy files and various electronic storage media (including DB2, Oracle, and other relational data structures).

Retrievability:

Information is most frequently retrieved by first name, last name, middle initial, date of birth, or Social Security Number (SSN).

Safeguards:

HHS has safeguards in place for authorized users and monitors such users to ensure against unauthorized use. Personnel having access to the system have been trained in the Privacy Act and information security requirements. Employees who maintain records in this system are instructed not to release data until the intended recipient agrees to implement appropriate management, operational and technical safeguards sufficient to protect the confidentiality, integrity and availability of the information and information systems and to prevent unauthorized access.

This system will conform to all applicable Federal laws and regulations and Federal and HHS policies and standards as they relate to information security and data privacy. These laws and regulations include but are not limited to: the Privacy Act of 1974; the Federal Information Security Management Act of 2002; the Computer Fraud and Abuse Act of 1986; the E-Government Act of 2002, and the Clinger-Cohen Act of 1996; OMB Circular A-130, Management of Federal Resources, Appendix III, Security of Federal Automated Information Resources also applies. Federal and HHS policies and standards include but are not limited to: all pertinent National Institute of Standards and Technology publications; and the HHS Information Systems Program Handbook.

Retention and Disposal:

Records are maintained with identifiers for all transactions after they are entered into the system for a period of 10 years. Records are housed in both active and archival files in accordance with HHS data and document management policies and standards.

System Manager and Address:

Anthony Culotta, High Risk Pool Program Division, Office of Insurance Programs, Office of Consumer Information and Insurance Oversight, U.S. Department of Health & Human Services, 200 Independence Avenue, SW., Suite 738F, Washington, DC 20201.

Notification Procedure:

For purpose of notification, the subject individual should write to the system manager who will require the system name, and the retrieval selection criteria (e.g., name, SSN, etc.).

Record Access Procedure:

For purpose of access, use the same procedures outlined in Notification Procedures above. Requestors should also reasonably specify the record contents being sought. (These procedures are in accordance with Department regulation 45 CFR 5b.5(a)(2)).

Contesting Record Procedures:

The subject individual should contact the system manager named above, and reasonably identify the record and specify the information to be contested. State the corrective action sought and the reasons for the correction with supporting justification. (These procedures are in accordance with Department regulation 45 CFR 5b.7).

Record Source Categories:

Record source categories include applicants who voluntarily submit data and personal information for the PCIP program.

Systems Exempted From Certain Provisions of the Act:

None.

[FR Doc. 2010-16167 Filed 7-1-10; 8:45 am]

BILLING CODE 4150-65-P