Office of Emergency Preparedness; Privacy Act of 1974; Report of New System: National Disaster Claims Processing System

AGENCY:

Office of the Secretary, Office of Public Health and Science, Office of Emergency Preparedness, DHHS.

ACTION:

Notification of a new system of records subject to the Privacy Act of 1974.

SUMMARY:

The Office of Emergency Preparedness (OEP), Department of Health and Human Services is responsible for the National Disaster Medical System (NDMS). The system includes hospitals that have agreed to provide medical services, when authorized, to victims of disasters in return for predetermined levels of reimbursement. OEP plans to provide this reimbursement by procuring stand-by claims processing and associated services should the NDMS hospital system be activated.

In accordance with the requirements of the Privacy Act, OEP is publishing a notice of the establishment of a National Disaster Claims Processing System that will provide stand-by claims processing and associated services should the NDMS hospital system be activated. The new system will collect limited data from individuals utilizing the NDMS as a result of illness or injury resulting from a disaster. Data on individuals will be submitted by NDMS hospitals and will include personal information, such as name, phone number (home phone number may be provided), address (home address may be provided), ethnic group, and medical information including laboratory tests performed, diagnosis, treatment provided, and other medical information required for appropriate reimbursement to the healthcare provider.

DATES:

OEP invites interested persons to submit comments on the proposed new system on or before October 2, 2001.

ADDRESSES:

Please address comments to the OEP Privacy Act Officer. Office of Emergency Preparedness, 12300 Twinbrook Parkway, Suite 360, Rockville, Maryland 20852. Comments will be made available for public inspection at the above address during normal business hours, 8:30 a.m.-5:00 p.m. by prior appointment only.

FOR FURTHER INFORMATION CONTACT:

Chief, National Disaster Medical System Branch, Office of Emergency Preparedness, 12300 Twinbrook Parkway, Suite 360, Rockville, MD 20857.

Report of Proposed New Privacy Act System of Records

System Number: 09-90-0039.

System Name: National Disaster Claims Processing System.

A. System Purpose and Background

Background

The Department of Health and Human Services (HHS) is the primary federal agency for health, medical and health-related social services under the Federal Response Plan. HHS provides for medical, mental health and other human services to victims of catastrophic disasters. The HHS Office of Emergency preparedness (OEP) is the office responsible for responding to requests for federal medical assistance for all national catastrophic disasters both natural and man-made.

OEP leads the National Disaster Medical System (NDMS) a partnership of four federal agencies—HHS, the Departments of Defense, Veterans Affairs and the Federal Emergency Management Agency. The NDMS was established in 1984 and has three components: direct medical care, patient movement, and definitive medical care. The definitive medical care is provided by hospitals that are part of the NDMS and agree to provide this service on an as needed basis. In order to provide expeditious processing and adjudication of medical claims from licensed providers and facilities arising from the treatment of disaster victims, a contractor for OEP will collect and process claims data, with OEP subsequently paying the claim.

System Purpose

The National Disaster Claims Processing System will justify and document reimbursement payments for services provided in connection to the NDMS. In order to provide this service and process claims, the contractor must collect data on individuals that includes Name, Social Security Number, Address, Dates of Care, Diagnostic Related Group/Current Procedure Terminology (DRG/CPT), Provider Name, Provider Address, Health Insurance Portability and Accountability Act (HIPAA) Provider Number, Amount Billed, Amount Allowed, Other Insurance Payment, and amount to be paid. In addition information from the providing hospital including the Employer Identification Number (EIN) and information for submitting electronic payment will be collected. The information collected is the minimal amount required to process and adjudicate claims from the providing hospitals.

B. Specific Authority

Authority for reimbursement of NDMS hospitals is found in 42 U.S.C. 243(c)(1). This provision authorizes the Secretary to develop and take such measures as necessary to implement a plan under which resources of the Public Health Service may effectively be used to meet health emergencies or problems resulting from disasters.

C. Probable Effects of Disclosure of Information

The records in this system are of a sensitive nature and are necessary for the processing and adjudication of medical care claims submitted by licensed providers and facilities as part of an NDMS response to a disaster. The information collected would include Name, Age, Sex, Address, and Medical Diagnostic information related only to injuries or conditions resulting from, or exacerbated by a disaster. Except as permitted by the Privacy Act or in accordance with the routine uses established for this system, the information on file will be utilized only for the purpose for which the file was created. Access to the system is restricted so as to protect the rights of individuals involved.

D. Safeguards

1. Authorized Users: Only HHS personnel or HHS contract personnel whose duties require the use of the system may access the data. In addition, such HHS personnel or contractors are advised that the information is confidential and the criminal sanctions for unauthorized disclosure of private information may be applied.

2. Physical Safeguards: Physical paper records are stored in locked file cabinets or secured areas.

3. Procedural Safeguards: Employees who maintain records in the system are instructed to grant regular access only to authorized users. Data stored in computers are accessed through the use of passwords known only to authorized personnel. Contractors who use records in this system are instructed to make no further disclosure of the records except as authorized by the system manager and permitted by the Privacy Act. Privacy Act language is in contracts related to this system.

4. These safeguards will be implemented in compliance with the standards of Guidelines: Chapter 45-10 and 45-13 of the HHS General Administration Manual; and the HHS Automated Information Systems Security Program Handbook (part 6 of the HHS Information Resources Management Manual).

E. Routine Use Compatibility

The Privacy Act allows us to disclose information without an individual's consent if the information is to be used for a purpose, which is compatible with the purpose(s) for which the information was collected. Any such compatible use of data is known as a “routine use”. We are proposing to establish the following routine use disclosures of information, which will be maintained in the system:

1. Disclosure may be made to a Member of Congress or to a congressional staff member in response to inquiry of the congressional office made at the written request of the constituent about whom the record is maintained.

Beneficiaries as well as providers sometimes request the help of a Member of Congress in resolving some issue relating to a matter before the Public Health Service (PHS). The Member of Congress then writes to PHS, and PHS must be able to provide sufficient information to be responsive to the inquiry.

2. To the Department of Justice (DOJ), court or adjudicatory body when:

a. The agency or any component thereof; or

b. Any employee of the agency in his or her official capacity; or

c. Any employee of the agency in his or her official capacity where the DOJ has agreed to represent employee; or

d. The United States Government;

Is a party to litigation or has an interest in such litigation, and by careful review; PHS determines that the records are both relevant and necessary to the litigation and the use of such records by the DOJ, court, or adjudicatory body is therefore deemed by the agency to be a purpose that is compatible with the purpose for which the agency collected the records.

Whenever PHS is involved in litigation, or occasionally when another party is involved in litigation and PHS' policies or operations could be affected by the outcome of the litigation, PHS would be able to disclose information to the DOJ, court, or adjudicatory body involved. A determination would be made in each instance that, under the circumstances involved, the purposes served by the use of the information in the particular litigation is compatible with a purpose for which PHS collects the information.

3. To agency contractors who have been engaged by the agency to assist in the performance of a service related to this system of records and who need to have access to the records in order to perform the activity. Recipients shall be required to comply with the requirements of the Privacy Act of 1974, as amended, pursuant to 5 U.S.C. 552a(m).

The PHS occasionally contracts out certain of its functions when this could contribute to effective and efficient operations. PHS must be able to give a contractor whatever information is necessary for the contractor to fulfill its duties. In these situations, safeguards are provided in the contract prohibiting the contractor from using or disclosing the information for any purpose other than that described in the contract and to return or destroy all information at the completion of the contract.

F. Supporting Documentation

1. Proposed System Notice: Advance copies of the proposed system notice are attached.

2. HHS Rules: No change in agency rules is required as a result of the establishment of this system of records.

3. Exemptions Requested: No exemptions from the provisions of the Privacy Act are requested.

4. Computer Matching Notice: This new system will not involve any computer matching program, therefore, no public notice of computer matching has been prepared

Proposed System Notice

National Disaster Claims Processing System

SYSTEM NUMBER:

09-90-0039

SYSTEM NAME:

NATIONAL DISASTER CLAIMS PROCESSING SYSTEM

SYSTEM CLASSIFICATION:

None

SYSTEM LOCATION:

Office of Emergency Preparedness (OEP), 12300 Twinbrook Parkway, Rockville, MD 20852.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Individuals requiring definitive medical care at an NDMS hospital as the result of a medical condition caused by, or exacerbated by, a natural or technical disaster, or a terrorist act.

CATEGORIES OF RECORDS IN THE SYSTEM:

Medical claims data will be in uniform claim forms accepted by the Health Care Financing Administration (HCFA) for institutional and non-institutional claims. Records will include: Beneficiaries Name, Social Security Number, Address, Dates of Care, DRG/CPT, Provider Name, Provider Address, HIPAA Provider Number, Amount Billed, Amount Allowed, Other Insurance Payment, and Amount to be paid. In addition information from the providing hospital including the Employer Identification Number (EIN) and information for submitting electronic payment will be collected.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

The authority for maintaining this system of records is from 42 U.S.C. 243(c)(1).

PURPOSE:

To justify and document reimbursement payments for services provided in connection with the National Disaster Medical System (NDMS).

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USE:

1.To a Congressional Office from the records of an individual in response to an inquiry made from the Congressional Office made at the request of that individual.

2. To the Department of Justice (DOJ), court or other tribunal, or to another party before such tribunal, when:

a. HHS or any component thereof; or

b. Any HHS employee in his or her official capacity; or

c. Any HHS employee in his or her individual capacity where the Department of Justice (or HHS where it is authorized to do so) has agreed to represent employee; or

d. The United States or any Agency thereof, where HHS determines that the litigation is likely to affect HHS or any of it's components; is a party to litigation or has an interest in such litigation, and HHS determines that the use of such records by the Department of Justice, the tribunal, or other party is relevant and necessary to the litigation and would help in the effective representation of the governmental party, however, that in each case, HHS determines that each disclosure is compatible with the purpose for which the records were collected.

3. To a contractor for the purpose of collating, analyzing, aggregating, or otherwise refining or processing records in this system, or for developing, modifying, and/or manipulating it with automatic data processing (ADP) software. Data would also be available to users incidental to consultation, programming, operation, user assistance, or maintenance for an ADP or telecommunications system containing or supporting records in the system.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING AND DISPOSING OF RECORDS IN THE SYSTEM:

STORAGE:

Paper and computer form.

RETRIEVABILITY:

Information will be retrieved by beneficiary's name; and may be sorted by medical diagnosis, geographical area, or medical provider.

SAFEGUARDS:

1. Authorized Users: Only HHS personnel or HHS contract personnel whose duties require the use of the system may access the data. In addition, such HHS personnel or contractors are advised that the information is confidential and the criminal sanctions for unauthorized disclosure of private information may be applied.

2. Physical Safeguards: Physical paper records are stored in locked files cabinets or secured areas.

3. Procedural Safeguards: Employees who maintain records in the system are instructed to grant access only to authorized users. Data stored in computers are accessed through the use of passwords known only to authorized personnel. Contractors who use records in this system are instructed to make no further disclosure of the records except as authorized by the system manager and permitted by the Privacy Act. Privacy Act language is in contracts related to this system.

4. Implementation Guidelines: HHS Chapter 45-13 of the General Administration Manual, “Safeguarding Records Contained in Systems of Records and the HHS Automated Information Systems Security Program Handbook, Information Resources Management Manual.”

RETENTION AND DISPOSAL:

Disposition of records is according to the National Archives and Records Administration (NARA) guidelines, as set forth in the Office of Emergency Preparedness Records Management Manual.

SYSTEM MANAGER(S) AND ADDRESS(ES):

Chief, National Disaster Medical System Branch, Office of Emergency Preparedness, 12300 Twinbrook Parkway, Suite 360, Rockville, Maryland 20852.

NOTIFICATION PROCEDURE:

Inquiries and requests for system records should be addressed to the system manager at the address indicated above. The requestor must specify the name, address, and health insurance number.

RECORD ACCESS PROCEDURES:

Same as notification procedures. Requesters should also reasonably specify the record contents being sought. These procedures are in accordance with HHS Regulations at 45 CFR 5b.5(a)(2) and 45 CFR 5b.6

CONTESTING RECORD PROCEDURES:

Contact the system manager named above and reasonably identify the record and specify the information to be contested. State the reason for contesting the record (e.g., why it is inaccurate, irrelevant, incomplete, or not current), the corrective action being sought, and give any supporting justification. (These procedures are in accordance with HHS Regulations 45 CFR 5b.7.)

RECORD SOURCE CATEGORIES:

Information contained in these records will be obtained from NDMS hospitals seeking reimbursement for treatment provided to disaster victims.

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:

None.