Privacy Act of 1974; System of Records

AGENCY:

Health Resources and Services Administration (HRSA), Department of Health and Human Services (HHS).

ACTION:

Notice of a new system of records.

SUMMARY:

In accordance with the requirements of the Privacy Act of 1974, as amended, the HHS is establishing a new system of records to be maintained by HHS's HRSA, 09-15-0093, “Provider Support Records.” The new system of records will include payment-related records containing information about any sole proprietor health care providers (including health care-practitioners and suppliers) who applied for payments or reimbursements, received a payment, attested to a payment, reported on the use of a payment, or otherwise participated in one of HRSA's provider support programs, and about patients identified in certain claims records submitted to HRSA for payment by entity providers and sole proprietor providers. The records are used to support the health care population and administer the programs.

DATES:

The new system of records is applicable November 26, 2021, subject to a 30-day period in which to comment on the routine uses. Submit any comments by December 27, 2021.

ADDRESSES:

The public should address written comments by email to OPSInformation.hrsa@hrsa.gov or by mail to Executive Officer, Provider Support, HRSA, 5600 Fishers Lane, Room 9N21, Rockville, MD, 20857.

FOR FURTHER INFORMATION CONTACT:

General questions about the new system of records may be submitted to Executive Officer, Provider Support, HRSA, 5600 Fishers Lane, Room 9N21, Rockville, MD, 20857, or to OPSInformation.hrsa@hrsa.gov.

SUPPLEMENTARY INFORMATION:

New system of records 09-15-0093 will cover records HRSA uses to reimburse claims and make payments to healthcare providers and to receive reports on the use of funds for activities under the following programs:

• COVID-19 Claims Reimbursement to Health Care Providers and Facilities for Testing, Treatment and Vaccine Administration for the Uninsured (Uninsured Program).
• COVID-19 Coverage Assistance Fund (CAF).
• Provider Relief Fund (PRF), including American Rescue Plan Act (ARPA) Rural Payments.

The records used by HRSA in these programs include patient and provider information needed to administer the programs. HHS provided advance notice of the new system of records to the Office of Management and Budget and Congress as required by 5 U.S.C. 552a(r) and OMB Circular A-108.

SYSTEM NAME AND NUMBER:

Provider Support Records, 09-15-0093.

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

The address of the HHS component responsible for this system of records ( i.e., HRSA) is shown in the System Manager(s) section, below.

SYSTEM MANAGER(S):

The System Manager is Executive Officer, Provider Support, HRSA, 5600 Fishers Lane, Rockville, MD, 20857, OPSInformation.hrsa@hrsa.gov.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Authorities include the following appropriations laws. Collection of participating providers' Taxpayer Identification Numbers is required by 31 U.S.C. 7701(c).

• Uninsured Program: “The Families First Coronavirus Response Act or FFCRA (P.L. 116-127) and the Paycheck Protection Program and Health Care Enhancement Act or PPPHCEA (P.L. 116-139), which each appropriated $1 billion to reimburse providers for conducting COVID-19 testing for uninsured individuals”

• Provider Relief Fund: “The Coronavirus Aid, Relief, and Economic Security (CARES) Act (P.L. 116-136), which provided $100 billion in relief funds, including to hospitals and other health care providers on the front lines of the COVID-19 response; the Paycheck Protection Program and Health Care Enhancement Act or PPPHCEA (P.L. 116-139), which appropriated an additional $75 billion in relief funds; and the Coronavirus Response and Relief Supplemental Appropriations Act (CRRSA) (P.L. 116-260), which appropriated an additional $3 billion (collectively, the Provider Relief Fund).

• Uninsured program, continued: Within the Provider Relief Fund, a portion of the funding supports health care-related expenses attributable to COVID-19 testing for the uninsured and treatment of uninsured individuals with COVID-19. A portion of the funding is also used to reimburse providers for administering Food and Drug Administration (FDA)-authorized or licensed COVID-19 vaccines to uninsured individuals.

• Uninsured program, continued: The American Rescue Plan Act of 2021 (ARPA, P.L. 117-2), which allocated funding to reimburse providers for COVID-19 testing of the uninsured.

• ARPA Rural Payments: The American Rescue Plan Act of 2021 (ARPA, P.L. 117-2). ARPA amends the SSA. The citation to Section 1150C of ARPA can be found at 42 U.S.C. 1320b-26.

• Coverage Assistance Fund: The HRSA COVID-19 CAF is a program established by and administered by HRSA, using funds appropriated by Congress under the PRF.

PURPOSE(S) OF THE SYSTEM:

Relevant agency personnel and contractors use records about individuals from this system of records on a need to know basis to administer the provider support programs, which support the resilience of the healthcare population. Such programs include:

• COVID-19 Claims Reimbursement to Health Care Providers and Facilities for Testing, Treatment and Vaccine Administration for the Uninsured (Uninsured Program).
• COVID-19 CAF Program.
• Provider Relief Fund, including the ARPA Rural payments.

Specific purposes include:

1. To obtain marketing and communication information for providers who submitted applications to make them aware of policy and funding opportunities.

2. To make payments and reimburse claims to eligible healthcare providers under the above-identified programs.

3. To assist the HHS Program Support Center (PSC), the Department of Justice (DOJ), and other government entities in the collection of program debts.

4. To respond to inquiries from providers, their attorneys or other authorized representatives, and Congressional representatives.

5. To compile and generate managerial and statistical reports.

6. To perform program administrative activities, including, but not limited to, payment tracking, monitoring a provider's compliance with the Terms and Conditions of payment, receipt of provider reports on the use of funds, and other program requirements, and recoupment determinations.

7. To transfer information to the HHS central accounting system(s) covered by system of records 09-90-0024, HHS Financial Management System Records, maintained by the Office of the Assistant Secretary for Financial Resources, for purposes of effecting program payments and preparing and maintaining financial management and accounting documentation related to obligations and disbursements of funds (including providing required notifications to the Department of the Treasury) related to payments to, or on behalf of, healthcare providers. Information transferred to the Office of the Assistant Secretary for Financial Resources for these purposes is limited to the individual's name, address, SSN, and other information necessary for identification and processing of the payment.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The records are about these categories of individuals:

• Sole proprietor providers who submit claims under the programs mentioned above.
• Patients identified in claims and claims-related records submitted to HRSA by entity providers and sole proprietor providers.
• Sole proprietor providers who applied for or who have received payments under the programs mentioned above.

CATEGORIES OF RECORDS IN THE SYSTEM:

The categories of records are provider claims, claims-related records, payment applications, reports on the use of funds, and other records used by HRSA to process the claims, applications, and payments. Contents include the provider's name, address(es), telephone number(s), and email address(es); National Provider Identifier; Taxpayer Identification Number (TIN) (which could be a Social Security Number (SSN)); CMS Credentialing Number; tax, audit, and revenue data; banking information; payment data and supporting documentation; repayment/recoupment information; claims forms (including patient-related information, such as principal diagnosis code, admitting diagnosis code, procedure codes, date(s) of service and charges); and each applicable patient's name, control number, patient identification number; health insurance policy member identification number; gender, date of birth, zip code, state, and county.

RECORD SOURCE CATEGORIES:

The information in the system of records is obtained from payment applications, claims, reports on the use of funds, and other information submitted to HRSA by providers; from other HHS components; from commercial and other payers; and from any relevant federal, state, territorial, local, or tribal agencies. Other agencies and HHS components may provide information to HRSA needed to verify provider eligibility; validate provider- submitted information; determine payment distribution or claims reimbursement amounts; and approve payments and claims.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

In addition to other disclosures authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(1) and (2) and (b)(4) through (11), HHS may disclose records about a subject individual (provider or patient) from this system of records to parties outside HHS as described in these routine uses, without the individual's prior written consent:

1. To any agent or contractor (including another federal agency) engaged by HHS to assist in accomplishment of an HHS function relating to the purposes of this system of records, if the agent or contractor needs to have access to the records in order to provide the assistance. For example, HHS may disclose records consisting of a provider's or patient's name, SSN, TIN, mailing address, email address, or telephone number, to Department contractors and subcontractors who assist with the implementation of the above-identified programs, for the purposes of distributing funds; collecting, compiling, aggregating, analyzing, or refining records in the system of records; or improving program operations. Any agent or contractor will be required to comply with the requirements of the Privacy Act, as amended, with respect to the records, and to ensure that any subcontractors also maintain Privacy Act safeguards with respect to the records.

2. To another federal, state, or local agency about a provider who fails to return payments identified for recoupment at the direction of HHS, to ensure that the provider does not receive federal funds for which the provider is ineligible. Disclosure will be limited to the provider's name, address, SSN, TIN, inclusion on the Do Not Pay List, and any other information necessary to identify them.

3. To another federal, state, local, territorial, or Tribal agency to contribute to the accuracy of HHS' proper payment of health care providers' payment requests and claims (such as to determine a provider's eligibility for a distribution, validate a provider's tax identification number, or confirm a patient's uninsured status).

4. To another federal agency or an instrumentality of any governmental jurisdiction within or under the control of the United States (including any state, local, or Tribal governmental agency) that administers, or that has the authority to investigate potential fraud or abuse in, a health care payment program funded in whole or in part by federal funds, when the disclosure is deemed reasonably necessary by HHS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud or abuse in such programs.

5. To a congressional office from the record of an individual in response to a written inquiry from the congressional office made at the written request of that individual. If a congressional inquiry on behalf of a patient seeks disclosure of any information about the patient's provider which is or could be proprietary information of that provider, the congressional request must be accompanied by an authorization form signed by the provider.

6. To DOJ or to a court or other adjudicative body in litigation or other proceedings when HHS or any of its components, or any employee of HHS acting in the employee's official capacity, or any employee of HHS acting in the employee's individual capacity where the DOJ or HHS has agreed to represent the employee, or the United States Government, is a party to the proceedings or has an interest in the proceedings and, by careful review, HHS determines that the records are both relevant and necessary to the proceedings.

7. To representatives of the National Archives and Records Administration (NARA) during records management inspections conducted pursuant to 44 U.S.C. 2904 and 2906.

8. To appropriate agencies, entities, and persons when (1) HHS suspects or has confirmed that there has been a breach of the system of records, (2) HHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the federal government, or national security, and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

9. To another federal agency or federal entity, when HHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the federal government, or national security, resulting from a suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

Records are maintained in electronic database servers and backup servers.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Records are retrieved by a provider's or patient's name, TIN, or other identifying number.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

The records are not currently scheduled, so are retained indefinitely pending scheduling with the NARA. HRSA anticipates proposing a retention period of at least 6 years to NARA for the records, for consistency with General Records Schedule 1.1, Financial Management and Reporting Records, which provides for such records to be retained for 6 years after final payment or cancellation, or longer if required for business use.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

Safeguards conform to the HHS Information Security and Privacy Program, https://www.hhs.gov/ocio/securityprivacy/index.html. HHS safeguards these records in accordance with applicable laws, rules and policies, including the HHS Information Technology Security Program Handbook; the E-Government Act of 2002, which includes the Federal Information Security Management Act of 2002, 44 U.S.C. 3541-3549, as amended by the Federal Information Security Modernization act of 2014, 44 U.S.C. 3551-3558; pertinent National Institutes of Standards and Technology (NIST) publications; and OMB Circular A-130, Managing Information as a Strategic Resource. HHS protects the records from unauthorized access through appropriate administrative, physical, and technical safeguards. These safeguards include protecting the facilities where records are stored or accessed with security guards, badges and cameras; controlling access to physical locations where records are maintained and used by means of combination locks and identification badges issued only to authorized users; limiting access to electronic databases to authorized users based on roles and either two-factor authentication or password protection; using a secured operating system protected by encryption, firewalls, and intrusion detection systems; and training personnel in Privacy Act and information security requirements. After the records have been scheduled with NARA, records that are eligible for destruction will be disposed of in accordance with the applicable schedule, using secure destruction methods prescribed by NIST SP 800-88.

RECORD ACCESS PROCEDURES:

An individual seeking access to records about that individual in this system of records must submit a written access request to the applicable System Manager identified in the “System Manager” section of this System of Records Notice (SORN). The request must contain the requester's full name, address, and signature. The request should also contain sufficient identifying particulars (such as, the provider's National Provider Identifier, TIN, or patient medical record number, or the patient's patient identifier or SSN to enable HHS to locate the requested records. So that HHS may verify the requester's identity, the requester's signature must be notarized or the request must include the requester's written certification that the requester is the individual who the requester claims to be and that the requester understands that the knowing and willful request for or acquisition of a record pertaining to an individual under false pretenses is a criminal offense subject to a fine of up to $5,000.

If an access request by a patient seeks disclosure of any information about the patient's provider which is or could be proprietary information of that provider, the request must be accompanied by a disclosure authorization form signed by the provider.

CONTESTING RECORD PROCEDURES:

An individual seeking to amend a record about that individual in this system of records must submit an amendment request to the applicable System Manager identified in the “System Manager” section of this SORN, containing the same information required for an access request. The request must include verification of the requester's identity in the same manner required for an access request; must reasonably identify the record and specify the information contested, the corrective action sought, and the reasons for requesting the correction; and should include supporting information to show how the record is inaccurate, incomplete, untimely, or irrelevant.

NOTIFICATION PROCEDURES:

An individual who wishes to know if this system of records contains records about that individual should submit a notification request to the applicable System Manager identified in in the “System Manager” section of this SORN. The request must contain the same information required for an access request and must include verification of the requester's identity in the same manner required for an access request.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

None.