Privacy Act of 1974; Report of a New Routine Use for Selected CMS Systems of Records

AGENCY:

Centers for Medicare & Medicaid Services (CMS), Department of Health and Human Services (HHS).

ACTION:

Altered Systems Notice, Adding a New Routine Use to Selected CMS Systems of Records.

SUMMARY:

In accordance with the requirements of the Privacy Act of 1974 (5 U.S.C. 552a), CMS is adding a new routine use for emergency preparedness and response to eight CMS systems of records. The new routine use will authorize CMS to disclose beneficiary-identifiable records to public health authorities and entities acting under a delegation of authority of a public health authority requesting such information for the purpose of identifying vulnerable individuals who may need health assistance in the event of an incident, emergency or disaster, and for purposes of planning and providing such assistance. Disclosures made pursuant to the new routine use will be limited to the minimum data necessary to carry out statutorily-authorized public health-related emergency preparedness and response activities, as provided in Section 1106 of the Social Security Act (42 U.S.C. 1306) and the HIPAA Privacy Rule at 45 CFR §§ 154.502, 164.512(b), 164.502(b) and 164.514(d)(3)(iii)(A). Requests and disclosures made pursuant to the routine use will be coordinated through HHS' Office of the Assistant Secretary for Preparedness and Response (ASPR). The eight systems of records that will include the new routine use are: the National Claims History (NCH), System No. 09-70-0558; Medicare Integrated Data Repository (IDR), System No. 09-70-0571; Common Working Files (CWF), System No. 09-70-0526; Enrollment Database (EDB), System No. 09-70-0502; Medicare Beneficiary Database (MBD), System No. 09-70-0536; Medicare Drug Data Processing System (DDPS), System No. 09-70-0553; Long Term Care-Minimum Data Set (MDS), System No. 09-70-0528; and Home Health Agency (HHA) Outcome and Assessment Information Set (OASIS), System No. 09-70-0522.

DATES:

Effective Date: The new routine use described in this notice will become effective without further notice 30 days after publication of this notice in the Federal Register, unless comments received on or before that date result in revisions to this notice.

ADDRESSES:

The public should send comments to: CMS Privacy Officer, Division of Privacy Policy, Privacy Policy and Compliance Group, Office of E-Health Standards & Services, Office of Enterprise Management, CMS, Room S2-24-25, 7500 Security Boulevard, Baltimore, Maryland 21244-1850. Comments received will be available for review at this location, by appointment, during regular business hours, Monday through Friday from 9:00 a.m.-3:00 p.m., Eastern Time zone.

FOR FURTHER INFORMATION CONTACT:

Kristen P. Finne, Senior Program Analyst U.S. Department of Health and Human Services, Office of the Assistant Secretary for Preparedness and Response (ASPR), Office of Policy and Planning, Division of Health System Policy (HSP), Patriots Plaza, 375 E Street SW., Office 11-1701, Washington DC 20024, Office telephone: 202-691-2013, Blackberry: 202-439-1140, Email: kristen.finne@hhs.gov.

SUPPLEMENTARY INFORMATION:

The new routine use will improve the ability of HHS' Assistant Secretary for Preparedness and Response (ASPR), in partnership with HHS' Centers for Medicare & Medicaid Services, to assist public health authorities and entities acting under a delegation of authority of a public health authority in identifying vulnerable individuals who may need health assistance prior to, during, and in the aftermath of an incident, emergency or disaster that poses an adverse health and/or public health impact, and in planning and providing such assistance. Disclosing beneficiary-identifiable records for public health-related emergency preparedness and response purposes is a necessary and proper use of the information in the systems of records being modified; the new routine use is compatible with the health care purposes for which the information was collected in the CMS systems of records. Disclosure purposes could include emergency planning for outreach to at-risk populations and individuals during a public health emergency. For example, a public health agency could match the records with publicly available power outage data from another department or agency. In the event of a public health emergency that involves power outages, the public health agency would then be able to use the results of the matched data to identify individuals in the affected community who are dependent on energy for meeting their medical needs, for example individuals living in the community who are dependent on dialysis. The term “public health authority” and the concepts of “public health activity” and “minimum necessary” disclosures are defined in the HIPAA Privacy Rule at 45 CFR §§ 154.502, 164.512(b), 164.502(b) and 164.514(d)(3)(iii)(A).

For the reasons described above, the following routine use is added to the eight systems of records listed below:

To disclose beneficiary-identifiable information to public health authorities, and those entities acting under a delegation of authority from a public health authority, when requesting such information to carry out statutorily-authorized public health activities pertaining to emergency preparedness and response. Disclosures under this routine use will be limited to “public health authorities,” “public health activities,” and “minimum necessary data” as defined in the HIPAA Privacy Rule (45 CFR §§ 154.502, 164.512(b), 164.502(b) and 164.514(d)(3)(iii)(A)).

1. National Claims History (NCH), System No. 09-70-0588, published at 71 Federal Register (Fed. Reg.), 67137 (November 20, 2006).

2. Medicare Integrated Data Repository (IDR), System No. 09-70-0571, published at 71 Fed. Reg., 74915 (December 13, 2006).

3. Common Working Files (CWF), System No. 09-70-0526, published at 71 Fed. Reg., 64955 (November 6, 2006).

4. Enrollment Database (EDB), System No. 09-70-0502, published at 73 Fed. Reg., 10249 (February 26, 2008).

5. Medicare Beneficiary Database (MBD), System No. 09-70-0536, published at 71 Fed. Reg., 70396 (December 4, 2006).

6. Medicare Drug Data Processing System (DDPS), System No. 09-70-0553, published at 73 Fed. Reg., 30943 (May 29, 2008).

7. Long Term Care (LTC)-Minimum Data Set (MDS), System No. 09-70-0528, published at 72 Fed. Reg., 12801 (March 19, 2007).

8. Home Health Agency (HHA) Outcome and Assessment Information Set (OASIS), System No. 09-70-0522, published at 72 Fed. Reg. 63906 (November 13, 2007).