UPD Attachment 10 - HPMS SORN Mod 01-14-2008

2257

Federal Register / Vol. 73, No. 9 / Monday, January 14, 2008 / Notices

No. of respondents

Type of respondents

Form name

Supervisor/Manager of EMS Personnel ..................................

Screening Script to Identify
Supervisor for Interview.
Local EMS Provider Survey ...
Topic Guide for Semi-Structured Telephone Interview.

Administrator/Director of Sub-state EMS Region ...................

Dated: January 7, 2008.
Maryam I. Daneshvar,
Acting Reports Clearance Officer, Centers for
Disease Control and Prevention.
[FR Doc. E8–425 Filed 1–11–08; 8:45 am]
BILLING CODE 4163–18–P

Dated: January 8, 2008.
Elaine L. Baker,
Director, Management Analysis and Services
Office, Centers for Disease Control and
Prevention.
[FR Doc. E8–480 Filed 1–11–08; 8:45 am]
BILLING CODE 4163–18–P

rmajette on PROD1PC64 with NOTICES

DEPARTMENT OF HEALTH AND
HUMAN SERVICES

DEPARTMENT OF HEALTH AND
HUMAN SERVICES

Centers for Disease Control and
Prevention

Centers for Medicare & Medicaid
Services

Disease, Disability, and Injury
Prevention and Control Special
Emphasis Panel (SEP): Field Trials to
Efficacy of Natural Products for the
Control of the Tick Vectors of Lyme
Disease Spirochetes, Program
Announcement (PA) CK08–001;
Evaluation of Reservoir-Targeted
Vaccine Formulations To Prevent
Enzootic Transmission of Borrelia
Burgdorferi (Lyme Borreliosis), PA
CK08–002

Privacy Act of 1974; Report of a
Modified or Altered System of Records

Correction: This notice was published
in the Federal Register on December 19,
2007, Volume 72, Number 243, page
71913–71914. The title and place
should read as follows:
Disease, Disability, and Injury
Prevention and Control Special
Emphasis Panel (SEP): Field Trials to
Efficacy of Natural Products for the
Control of the Tick Vectors of Lyme
Disease Spirochetes, Program
Announcement (PA) CK08–001;
Evaluation of Reservoir-Targeted
Vaccine Formulations To Prevent
Enzootic Transmission of Borrelia
Burgdorferi (Lyme Borreliosis), PA
CK08–002.
Place: Teleconference.
The Director, Management Analysis
and Services Office, has been delegated
the authority to sign Federal Register
notices pertaining to announcements of
meetings and other committee
management activities, for both CDC
and the Agency for Toxic Substances
and Disease Registry.

VerDate Aug<31>2005

15:22 Jan 11, 2008

Jkt 214001

Department of Health and
Human Services (HHS), Centers for
Medicare & Medicaid Services (CMS).
ACTION: Notice of a Modified or Altered
System of Records (SOR).
AGENCY:

SUMMARY: In accordance with the
Privacy Act of 1974, we are proposing
to modify or alter an existing SOR,
‘‘Health Plan Management System
(HPMS) ,’’ System No. 09–70–4004,
established at 63 Federal Register 43187
(August 12, 1998). We will broaden the
scope of this system by including a new
activity related to health plan and Part
D plan management referred to as the
Complaint Tracking Module (CTM).
CTM will collect and maintain
identifiable information on individuals
who are, but not limited to,
complainants, including beneficiaries,
relatives and caregivers,
Congresspersons and their staff, State
Health Insurance Program
representatives, and providers of service
and their staff. The CTM stores
complaint data, including, but not
limited to, the following: Date
complaint received; date of incident;
issue level; complainant and/or
beneficiary information; complaint
summary; complaint category;
complaint resolution summary; and
plan resolution summary. Plans use the
CTM to track the beneficiary complaints
assigned to their organization, enter
complaint case resolutions, and close
out complaints.
In addition, HPMS will collect
information from health plans and Part

PO 00000

Frm 00046

Fmt 4703

Sfmt 4703

Average burden per response
(in hours)

No. of responses per
respondent

2,250

1

2/60

1,800
10

1
1

15/60
45/60

D plan organizations pertaining to
individuals who market and/or sell
health insurance and prescription drug
plan products on behalf of these plan
organizations and who are licensed or
authorized by a State Insurance
Commissioner or other certifying
agencies. We are sharing data pertaining
to all agents/brokers to assist CMS and
State Insurance Commissioners in
improving oversight of the sales
marketplace and in avoiding fraudulent
sales practices that mislead and harm
Medicare beneficiaries. We propose to
assign a new CMS identification number
to this system to simplify the obsolete
and confusing numbering system
originally designed to identify the
Bureau, Office, or Center that
maintained information in the Health
Care Financing Administration systems
of records. The new assigned identifying
number for this system should read:
System No. 09–70–0500.
We will delete routine use number 1
authorizing disclosure to support
constituent requests made to a
congressional representative. If an
authorization for the disclosure has
been obtained from the data subject,
then no routine use is needed. The
Privacy Act allows for disclosures with
the ‘‘prior written consent’’ of the data
subject. We propose to delete published
routine use number 5 authorizing
disclosure to a contractor for the
purpose of collating, analyzing,
aggregating or otherwise refining or
processing records in this system or for
developing, modifying and/or
manipulating automated information
systems software. We also propose to
add a routine use for the release of
information that permits disclosure to
agency contractors, consultants, and
CMS grantees that perform a task for the
agency. CMS occasionally contracts out
certain of its functions when doing so
would contribute to effective and
efficient operations. CMS must be able
to give a contractor, consultant or
grantee whatever information is
necessary for the contractor, consultant,
or grantee to fulfill its duties.
We propose to delete published
routine use number 2 authorizing
disclosure to the Bureau of Census;

E:\FR\FM\14JAN1.SGM

14JAN1

rmajette on PROD1PC64 with NOTICES

2258

Federal Register / Vol. 73, No. 9 / Monday, January 14, 2008 / Notices

published routine use number 7
authorizing disclosure to state Medicaid
agencies; number 8 authorizing
disclosure to an agency of a state
Government, or established by state law,
for purposes of determining the quality
of health care services provided in the
state; published routine use number 9
authorizing disclosure to another
Federal or state agency; published
routine use number 10 authorizing
disclosure to other Federal agencies or
states to support the administration of
other Federal or state health care
programs; and published routine use
number 11 authorizing disclosure to the
Social Security Administration. These
routine uses duplicate the intended
releases and as such will be combined
into a single routine use to ‘‘assist
another Federal or state agency, agency
of a state government, an agency
established by state law, or its fiscal
agent to: (a) Contribute to the accuracy
of CMS’s proper payment of Medicare
benefits, (b) enable such agency to
administer a Federal health benefits
program, or as necessary to enable such
agency to fulfill a requirement of a
Federal statute or regulation that
implements a health benefits program
funded in whole or in part with federal
funds; and (c) evaluate and monitor the
quality of health care in the program
and contribute to the accuracy of health
plan operations.’’
We will modify existing routine use
number 6 that permits disclosure to Peer
Review Organizations (PRO).
Organizations previously referred to as
PROs will be renamed to read: Quality
Improvement Organizations (QIO).
Information will be disclosed to QIOs
for health care quality improvement
projects. The modified routine use will
be renumbered as routine use number 4.
We propose to delete published routine
use number 14 authorizing disclosures
to any entity that makes payment for or
oversees administration of health care
services to combat fraud and abuse
against such entity or the program or
services administered by such entity.
This disclosure provision falls outside
the scope of the stated purpose for the
collection of data maintained in this
system.
We will broaden the scope of this
system by including the section titled
‘‘Additional Circumstances Affecting
Routine Use Disclosures,’’ that
addresses ‘‘Protected Health Information
(PHI)’’ and ‘‘small cell size.’’ The
requirement for compliance with HHS
regulation ‘‘Standards for Privacy of
Individually Identifiable Health
Information’’ apply when ever the
system collects or maintain PHI. This
system may contain PHI. In addition,

VerDate Aug<31>2005

15:22 Jan 11, 2008

Jkt 214001

our policy to prohibit release if there is
a possibility that an individual can be
identified through ‘‘small cell size’’ will
apply to the data disclosed from this
system.
The security classification previously
reported as ‘‘None’’ will be modified to
reflect that the data in this system is
considered to be ‘‘Level Three Privacy
Act Sensitive.’’ We are modifying the
language in the remaining routine uses
to provide a proper explanation as to the
need for the routine use and to provide
clarity to CMS’s intention to disclose
individual-specific information
contained in this system. The routine
uses will then be prioritized and
reordered according to their usage. We
will also take the opportunity to update
any sections of the system that were
affected by the impact of the Medicare
Prescription Drug, Improvement, and
Modernization Act of 2003 (MMA) (Pub.
L. 108–173) provisions and to update
language in the administrative sections
to correspond with language used in
other CMS SORs.
The primary purpose of this modified
system is to collect and maintain
information on Medicare beneficiaries
enrolled in Medicare Health Plans in
order to develop and disseminate
information required by the Balanced
Budget Act of 1997 that will inform
beneficiaries and the public of
indicators of health plan performance to
help beneficiaries choose among health
plans, support quality improvement
activities within the plans, monitor and
evaluate quality improvement activities
within the plans, monitor and evaluate
care provided by health plans; provide
guidance to program management and
policies, and provide a research data
base for CMS and other researchers. The
information retrieved from this system
of records will also be disclosed to: (1)
Support regulatory, reimbursement, and
policy functions performed within the
Agency or by a contractor or consultant;
(2) assist another Federal and/or state
agency, agency of a state government, an
agency established by state law, or its
fiscal agent, for evaluating and
monitoring the quality of home health
care and contribute to the accuracy of
health insurance operations; (3) support
research, evaluation, or epidemiological
projects related to the prevention of
disease or disability, or the restoration
or maintenance of health, and for
payment related projects; (4) support the
functions of Quality Improvement
Organizations (QIO); (5) support
litigation involving the Agency; (6)
combat fraud and abuse in certain
health care programs. We have provided
background information about the
modified system in the SUPPLEMENTARY

PO 00000

Frm 00047

Fmt 4703

Sfmt 4703

INFORMATION section below. Although
the Privacy Act requires only that CMS
provide an opportunity for interested
persons to comment on the modified or
altered routine uses, CMS invites
comments on all portions of this notice.
See EFFECTIVE DATES section for
comment period.
EFFECTIVE DATES: CMS filed a modified
or altered system report with the Chair
of the House Committee on Government
Reform and Oversight, the Chair of the
Senate Committee on Homeland
Security & Governmental Affairs, and
the Administrator, Office of Information
and Regulatory Affairs, Office of
Management and Budget (OMB) on
January 4, 2008. To ensure that all
parties have adequate time in which to
comment, the modified system,
including routine uses, will become
effective 30 days from the publication of
the notice, or 40 days from the date it
was submitted to OMB and Congress,
whichever is later, unless CMS receives
comments that require alterations to this
notice.
ADDRESSES: The public should address
comments to: CMS Privacy Officer,
Division of Privacy Compliance,
Enterprise Architecture and Strategy
Group, Office of Information Services,
CMS, Room N2–04–27, 7500 Security
Boulevard, Baltimore, Maryland 21244–
1850. Comments received will be
available for review at this location, by
appointment, during regular business
hours, Monday through Friday from 9
a.m.–3 p.m., eastern time zone.
FOR FURTHER INFORMATION CONTACT: Ms.
Lori Robinson, Director, Division of
Plan Data, Plan Oversight and
Accountability Group, Center for
Beneficiary Choices, Center for
Medicare & Medicaid Services, 7500
Security Boulevard, C4–14–21,
Baltimore, Maryland 21244–1850. Her
telephone number is (410) 786–1826 or
via e-mail at [email protected].
SUPPLEMENTARY INFORMATION: The
Health Plan Management System is a
database containing rates for selected
performance measures for each
Medicare health plan. The data are
compiled by HIC number, member
month contribution, and a flag to
indicate if the member was counted in
the rate’s numerator. The system will
collect rate information on categories
such as the following:
• ‘‘Use of Services’’ measures such as
the frequency of selected procedures
(e.g., percutaneous transluminal
coronary artery angioplasty,
prostatectomy, coronary artery bypass
with graft, hysterectomy,
cholecystectomy, cardiac
catheterization, reduction of fracture of

E:\FR\FM\14JAN1.SGM

14JAN1

rmajette on PROD1PC64 with NOTICES

Federal Register / Vol. 73, No. 9 / Monday, January 14, 2008 / Notices
the femur, total hip and knee
replacement, partial excision of the
large intestine, carotid endarterectomy);
percentage of members receiving
inpatient, day/night and ambulatory
mental health and chemical dependency
services; readmission for chemical
dependency, and specified mental
health disorders.
• ‘‘Effectiveness of Care’’ measures
such as breast cancer screening, beta
blocker treatment after a heart attack,
eye exams for people with diabetes, and
follow-up after hospitalization for
mental illness.
• ‘‘Member Satisfaction’’ measures
related to quality, access, and general
satisfaction.
• ‘‘Functional Status’’ measures
which are patient centered and track
actual outcomes or results of care,
addressing both physical and mental
well-being over time.
The information from HPMS will be
augmented by being linked to other
CMS data and other administrative data
to provide validation and greater
analytic capacity. The HPMS will be
used to:
• Develop and disseminate summary
information required by the Balanced
Budget Act of 1997 that will inform
beneficiaries and the public of
indicators of health plan performance to
help beneficiaries choose among health
plans. The information will include
plan-to-plan comparisons of benefits
and co-payments supplemented with
consumer satisfaction information and
plan performance data.
• Support quality improvement
activities. Summary data will be useful
for health plans’ internal quality
improvement, as well as to CMS and
Quality Improvement Organizations in
monitoring and evaluating the care
provided by health plans.
• Conduct research and
demonstrations addressing managed
care quality, access, and satisfaction
issues.
• Provide guidance for program
management and policy development.
HPMS houses the results of the Health
Plan Employer Data and Information Set
(HEDIS) and the Consumer Assessment
of Health Plans Survey (CAHPS). The
system will contain information on
recipients of Medicare Part A and Part
B services who are enrolled in health
plans and Part D plans. The total
number of current enrollees in Medicare
Part C health plans is approximately 9
million.
HEDIS reflects a joint effort of public
and private purchasers, consumers,
labor unions, health plans, and
measurement experts to develop a
comprehensive set of performance

VerDate Aug<31>2005

15:22 Jan 11, 2008

Jkt 214001

measures for Medicare, Medicaid, and
commercial populations enrolled in
managed care plans. HEDIS measures
eight aspects of health care:
Effectiveness of care; access/availability
of care, satisfaction with the experience
of care, health plan stability, use of
services, cost of care, informed health
care choices, and health plan
descriptive information. In 1997, CMS is
requiring reporting of a number of
performance measures from HEDIS
relevant to the Medicare managed care
population. The HEDIS data is subject to
audit, to ensure that plans submit
accurate and complete data. Another
aspect of the audit is to assess the
reasonableness of the HEDIS measures.
For example, if all or most health plans
have problems with a particular
measure, the problem could be with the
measure, not the plans.
Included in HEDIS is a functional
status measure which tracks both
physical health and mental health status
over a 2-year period through a selfadministered instrument in which the
beneficiary indicates whether his/her
health status has improved, stayed the
same, or deteriorated. The measure is
risk adjusted for co-morbid conditions,
income, race, education, social support,
age, and gender. It will be used to
compare how well plans care for
seniors. It reflects the belief that high
quality health care can either improve
or at least slow the rate of decline in
senior members’ ability to lead active
and independent lives.
In concert with the Agency for Health
Care Policy and Research, CMS
sponsored the development of a
Medicare specific version of the CAHPS
consumer satisfaction survey. The
survey will collect information about
Medicare enrollees’ satisfaction, access,
and quality of care within managed care
plans. Beginning in 1997, CMS is
requiring all Medicare contracting plans
to participate in an independent third
party administration of an annual
member satisfaction survey.
All performance measures are subject
to modification as new performance
measurement sets are developed with a
stronger focus on outcomes and chronic
disease issues, including patient
satisfaction and quality of life measures
relevant to specific diseases.
The Privacy Act permits us to disclose
information without the consent of
individuals for ‘‘routine uses’’—that is,
disclosures that are compatible with the
purpose for which we collected the
information. The proposed routine uses
in the new system meet the
compatibility criteria since the
information is collected to produce
estimates of health care use and quality,

PO 00000

Frm 00048

Fmt 4703

Sfmt 4703

2259

and determinants thereof, by the aged
and disabled enrolled in group health
plans. We anticipate the disclosures
under the routine uses will not result in
any unwarranted adverse effects on
personal privacy.
The HPMS Complaints Tracking
Module (CTM) stores beneficiary
complaints related to the Medicare
Advantage (MA) and Part D programs.
This module contains beneficiary
complaints that have been collected by
1–800–Medicare as well as beneficiary
complaints entered directly into the
CTM by CMS staff. The CTM stores
complaint data, including, but not
limited to, the following: Date
complaint received; date of incident;
issue level; complainant and/or
beneficiary information; complaint
summary; complaint category;
complaint resolution summary; and
plan resolution summary. Plans use the
CTM to track the beneficiary complaints
assigned to their organization, enter
complaint case resolutions, and close
out complaints. CMS uses the CTM to
enter beneficiary complaints received
directly by the regional office, perform
casework for those complaints not
assigned to an organization, and to
monitor plan progress on resolving
complaints timely.
We are sharing data pertaining to all
marketing agents/brokers to assist CMS
and State Department of Insurance (DOI)
in improving oversight of the sales
marketplace and in avoiding fraudulent
sales practices that mislead and harm
Medicare beneficiaries. Beneficiaries
that are enrolled in a health plan or
prescription drug plan under false,
fraudulent pretense result in plan
organizations receiving payments to
which they are not entitled. As a result,
there is a payment policy component
involved. We will require contracted
health plans and prescription drug
plans, though contract or program
memorandum (or both) to notify all
agents/brokers that sell their Medicare
products that their information is being
shared with CMS, its contractors, and
State DOIs.
I. Description of the Modified or
Altered System of Records
A. Statutory and Regulatory Basis for
SOR
Authority for maintenance of the
system is given under section 1875 of
the Social Security Act (the Act) (42
U.S.C. 1395ll), entitled Studies and
Recommendations; section 1121 of the
Act (42 U.S.C. 1121), entitled Uniform
Reporting System for Health Services
Facilities and Organizations; and § 1876
of the Act (42 U.S.C. 1395mm), entitled

E:\FR\FM\14JAN1.SGM

14JAN1

2260

Federal Register / Vol. 73, No. 9 / Monday, January 14, 2008 / Notices

Payments to Health Maintenance
Organizations and Competitive Medical
Plans. Authority for maintenance and
dissemination of Health Plan
information is also given under the
Balanced Budget Act of 1997 (Pub. L.
105–33).
B. Collection and Maintenance of Data
in the System.
Information is collected and
maintained on recipients of Medicare
Part A (Hospital Insurance) and Part B
(supplementary medical insurance)
services who are enrolled in Medicare
health plans and prescription drug
plans. CTM will collect and maintain
identifiable information on individuals
who are, but not limited to,
complainants, including beneficiaries,
relatives and caregivers,
Congresspersons and their staff, State
Health Insurance Program
representatives, and providers of service
and their staff. The system contains
demographic and identifying data, as
well as survey and deficiency data.
Identifying data includes, but is not
limited to: Name, title, address, city,
state, ZIP code, e-mail address,
telephone numbers, fax number,
licensure number, SSN, Federal tax
identification number, alias names, date
of birth, gender, date admitted and/or
date discharged. In addition, the CTM
stores complaint data, including, but not
limited to, the following: Date
complaint received; date of incident;
issue level; complainant and/or
beneficiary information; complaint
summary; complaint category;
complaint resolution summary; and
plan resolution summary.
II. Agency Policies, Procedures, and
Restrictions on the Routine Use

rmajette on PROD1PC64 with NOTICES

A. Agency Policies, Procedures, and
Restrictions on the Routine Use
The Privacy Act permits us to disclose
information without an individual’s
consent if the information is to be used
for a purpose that is compatible with the
purpose(s) for which the information
was collected. Any such disclosure of
data is known as a ‘‘routine use.’’ The
government will only release HPMS
information that can be associated with
an individual as provided for under
‘‘Section III. Proposed Routine Use
Disclosures of Data in the System.’’ Both
identifiable and non-identifiable data
may be disclosed under a routine use.
We will only collect the minimum
personal data necessary to achieve the
purpose of HPMS. CMS has the
following policies and procedures
concerning disclosures of information
that will be maintained in the system.

VerDate Aug<31>2005

15:22 Jan 11, 2008

Jkt 214001

Disclosure of information from this
system will be approved only to the
extent necessary to accomplish the
purpose of the disclosure and only after
CMS:
1. Determines that the use or
disclosure is consistent with the reason
that the data is being collected, e.g., to
collect and maintain information on
Medicare beneficiaries enrolled in
Medicare Health Plans.
2. Determines that:
a. The purpose for which the
disclosure is to collect and maintain
information on Medicare beneficiaries
enrolled in Medicare Health Plans in
order to develop and disseminate
information required by the Balanced
Budget Act of 1997 that will inform
beneficiaries and the public of
indicators of health plan performance to
help beneficiaries choose among health
plans, support quality improvement
activities within the plans, monitor and
evaluate quality improvement activities
within the plans, monitor and evaluate
care provided by health plans; provide
guidance to program management and
policies, and provide a research data
base for CMS and other researchers;
b. the purpose for which the
disclosure is to be made is of sufficient
importance to warrant the effect and/or
risk on the privacy of the individual that
additional exposure of the record might
bring; and
c. there is a strong probability that the
proposed use of the data would in fact
accomplish the stated purpose(s).
3. Requires the information recipient
to:
a. Establish administrative, technical,
and physical safeguards to prevent
unauthorized use of disclosure of the
record;
b. remove or destroy at the earliest
time all patient-identifiable information;
and
c. agree to not use or disclose the
information for any purpose other than
the stated purpose under which the
information was disclosed.
4. Determines that the data are valid
and reliable.
III. Proposed Routine Use Disclosures
of Data in the System
A. The Privacy Act allows us to
disclose information without an
individual’s consent if the information
is to be used for a purpose that is
compatible with the purpose(s) for
which the information was collected.
Any such compatible use of data is
known as a ‘‘routine use.’’ The proposed
routine uses in this system meet the
compatibility requirement of the Privacy
Act. We are proposing to establish the

PO 00000

Frm 00049

Fmt 4703

Sfmt 4703

following routine use disclosures of
information maintained in the system:
1. To agency contractors, or
consultants, or to a grantee of a CMSadministered grant program who have
been engaged by the agency to assist in
the accomplishment of a CMS function
relating to the purposes for this system
and who need to have access to the
records in order to assist CMS.
We contemplate disclosing this
information under this routine use only
in situations in which CMS may enter
into a contractual or similar agreement
with a third party to assist in
accomplishing a CMS function relating
to purposes for this system. CMS
occasionally contracts out certain of its
functions when doing so would
contribute to effective and efficient
operations. CMS must be able to give a
contractor, consultant or grantee
whatever information is necessary for
the contractor or consultant to fulfill its
duties. In these situations, safeguards
are provided in the contract prohibiting
the contractor, consultant or grantee
from using or disclosing the information
for any purpose other than that
described in the contract and requires
the contractor, consultant or grantee to
return or destroy all information at the
completion of the contract.
2. To another Federal and/or state
agency, agency of a state government, an
agency established by state law, or its
fiscal agent to:
a. Contribute to the accuracy of CMS’s
proper payment of Medicare benefits,
b. enable such agency to administer a
Federal health benefits program, or as
necessary to enable such agency to
fulfill a requirement of a Federal statute
or regulation that implements a health
benefits program funded in whole or in
part with Federal funds, and/or
c. assist Federal/state Medicaid
programs within the state.
Other Federal or state agencies in
their administration of a Federal health
program may require HPMS information
in order to support evaluations and
monitoring of Medicare claims
information of beneficiaries, including
proper reimbursement for services
provided;
To another agency or to an
instrumentality of any governmental
jurisdiction within or under the control
of the United States (including any State
or local law enforcement agencies) for a
civil or criminal law enforcement
activity (e.g. police, FBI, State Attorney
General’s office);
In addition, other state agencies in
their administration of a Federal health
program may require HPMS information
for the purpose of developing and
operating Medicaid reimbursement

E:\FR\FM\14JAN1.SGM

14JAN1

rmajette on PROD1PC64 with NOTICES

Federal Register / Vol. 73, No. 9 / Monday, January 14, 2008 / Notices
systems; or for the purpose of
administration of Federal/State program
within the State. Data will be released
to the State only on those individuals
who are either patients within the State,
of are legal residents of the State,
regardless of the location of the facility
in which the patient is receiving
services;
To the agency of a State government,
or established by State law, for purposes
of determining, evaluating and/or
assessing overall or aggregate cost,
effectiveness, and/or the quality of
services provided in the State; and
State agencies may use HPMS data to
perform Federal certification and State
licensure functions, including the
investigation of complaints and entityreported incidents.
3. To assist an individual or
organization for research, evaluation or
epidemiological projects related to the
prevention of disease or disability, or
the restoration or maintenance of health,
and for payment related projects.
The collected data will provide the
research, evaluation and
epidemiological projects a broader,
longitudinal, national perspective of the
data. CMS anticipates that many
researchers will have legitimate requests
to use these data in projects that could
ultimately improve the care provided to
Medicare patients and the policy that
governs the care. CMS understands the
concerns about the privacy and
confidentiality of the release of data for
a research use. Disclosure of data for
research and evaluation purposes may
involve aggregate data rather than
individual-specific data.
4. To Quality Improvement
Organizations (QIO) in order to assist
the QIO to perform Title XI and Title
XVIII functions relating to assessing and
improving quality of care.
The QIO will work to implement
quality improvement programs, provide
consultation to CMS, its contractors,
and to state agencies. The QIO will
assist state agencies in related
monitoring and enforcement efforts,
assist CMS and intermediaries in
program integrity assessment, and
prepare summary information for
release to CMS.
5. To the Department of Justice (DOJ),
court or adjudicatory body when:
a. The agency or any component
thereof, or
b. any employee of the agency in his
or her official capacity, or
c. any employee of the agency in his
or her individual capacity where the
DOJ has agreed to represent the
employee, or
d. the United States Government is a
party to litigation or has an interest in

VerDate Aug<31>2005

15:22 Jan 11, 2008

Jkt 214001

such litigation, and by careful review,
CMS determines that the records are
both relevant and necessary to the
litigation and that the use of such
records by the DOJ, court or
adjudicatory body is compatible with
the purpose for which the agency
collected the records.
Whenever CMS is involved in
litigation, and occasionally when
another party is involved in litigation
and CMS’ policies or operations could
be affected by the outcome of the
litigation, CMS would be able to
disclose information to the DOJ, court or
adjudicatory body involved.
6. To assist a CMS contractor
(including, but not necessarily limited
to fiscal intermediaries and carriers) that
assists in the administration of a CMSadministered health benefits program,
or to a grantee of a CMS-administered
grant program, when disclosure is
deemed reasonably necessary by CMS to
prevent, deter, discover, detect,
investigate, examine, prosecute, sue
with respect to, defend against, correct,
remedy, or otherwise combat fraud or
abuse in such program.
We contemplate disclosing
information under this routine use only
in situations in which CMS may enter
into a contractual relationship or grant
with a third party to assist in
accomplishing CMS functions relating
to the purpose of combating fraud and
abuse.
CMS occasionally contracts out
certain of its functions and makes grants
when doing so would contribute to
effective and efficient operations. CMS
must be able to give a contractor or
grantee whatever information is
necessary for the contractor or grantee to
fulfill its duties. In these situations,
safeguards are provided in the contract
prohibiting the contractor or grantee
from using or disclosing the information
for any purpose other than that
described in the contract and requiring
the contractor or grantee to return or
destroy all information.
7. To assist another Federal agency or
to an instrumentality of any
governmental jurisdiction within or
under the control of the United States
(including any State or local
governmental agency), that administers,
or that has the authority to investigate
potential fraud or abuse in, a health
benefits program funded in whole or in
part by Federal funds, when disclosure
is deemed reasonably necessary by CMS
to prevent, deter, discover, detect,
investigate, examine, prosecute, sue
with respect to, defend against, correct,
remedy, or otherwise combat fraud or
abuse in such programs.

PO 00000

Frm 00050

Fmt 4703

Sfmt 4703

2261

Other agencies may require HPMS
information for the purpose of
combating fraud and abuse in such
Federally-funded programs.
B. Additional Provisions Affecting
Routine Use Disclosures
To the extent this system contains
Protected Health Information (PHI) as
defined by HHS regulation ‘‘Standards
for Privacy of Individually Identifiable
Health Information’’ (45 CFR Parts 160
and 164, 65 FR 82462 (12–28–00),
Subparts A and E. Disclosures of such
PHI that are otherwise authorized by
these routine uses may only be made if,
and as, permitted or required by the
‘‘Standards for Privacy of Individually
Identifiable Health Information.’’
In addition, our policy will be to
prohibit release even of data not directly
identifiable, except pursuant to one of
the routine uses or if required by law,
if we determine there is a possibility
that an individual can be identified
through implicit deduction based on
small cell sizes (instances where the
patient population is so small that
individuals could, because of the small
size, use this information to deduce the
identity of the beneficiary).
IV. Safeguards
CMS has safeguards in place for
authorized users and monitors such
users to ensure against excessive or
unauthorized use. Personnel having
access to the system have been trained
in the Privacy Act and information
security requirements. Employees who
maintain records in this system are
instructed not to release data until the
intended recipient agrees to implement
appropriate management, operational
and technical safeguards sufficient to
protect the confidentiality, integrity and
availability of the information and
information systems and to prevent
unauthorized access.
This system will conform to all
applicable Federal laws and regulations
and Federal, HHS, and CMS policies
and standards as they relate to
information security and data privacy.
These laws and regulations may apply
but are not limited to: the Privacy Act
of 1974; the Federal Information
Security Management Act of 2002; the
Computer Fraud and Abuse Act of 1986;
the Health Insurance Portability and
Accountability Act of 1996; the EGovernment Act of 2002; the ClingerCohen Act of 1996; the Medicare
Modernization Act of 2003; and the
corresponding implementing
regulations. OMB Circular A–130,
Management of Federal Resources,
Appendix III, Security of Federal
Automated Information Resources, also

E:\FR\FM\14JAN1.SGM

14JAN1

2262

Federal Register / Vol. 73, No. 9 / Monday, January 14, 2008 / Notices

applies. Federal, HHS, and CMS
policies and standards include but are
not limited to: all pertinent National
Institute of Standards and Technology
publications, the HHS Information
Systems Program Handbook, and the
CMS Information Security Handbook.
V. Effects of the Modified or Altered
System of Records on Individual Rights
CMS proposes to modify this system
in accordance with the principles and
requirements of the Privacy Act and will
collect, use, and disseminate
information only as prescribed therein.
Data in this system will be subject to the
authorized releases in accordance with
the routine uses identified in this
system of records.
CMS will take precautionary
measures to minimize the risks of
unauthorized access to the records and
the potential harm to individual privacy
or other personal or property rights of
patients whose data are maintained in
the system. CMS will collect only that
information necessary to perform the
system’s functions. In addition, CMS
will make disclosure from the proposed
system only with consent of the subject
individual, or his/her legal
representative, or in accordance with an
applicable exception provision of the
Privacy Act. CMS, therefore, does not
anticipate an unfavorable effect on
individual privacy as a result of
information relating to individuals.
Dated: January 3, 2008.
Charlene Frizzera,
Chief Operating Officer, Centers for Medicare
& Medicaid Services.
SYSTEM NO. 09–70–0500
SYSTEM NAME:

SECURITY CLASSIFICATION:

Level Three Privacy Act Sensitive
Data.
SYSTEM LOCATION:

The Centers for Medicare & Medicaid
Services (CMS) Data Center, 7500
Security Boulevard, North Building,
First Floor, Baltimore, Maryland 21244–
1850 and at various co-locations of CMS
agents.

rmajette on PROD1PC64 with NOTICES

CATEGORIES OF INDIVIDUALS COVERED BY THE
SYSTEM:

Information is collected and
maintained on recipients of Medicare
Part A (Hospital Insurance) and Part B
(supplementary medical insurance)
services who are enrolled in Medicare
health plans and prescription drug
plans. Identifiable information will also
be collected on individuals who are, but

15:22 Jan 11, 2008

Jkt 214001

CATEGORIES OF RECORDS IN THE SYSTEM:

The system contains demographic and
identifying data, as well as survey and
deficiency data. Identifying data
includes, but is not limited to: name,
title, address, city, state, ZIP code, email address, telephone numbers, fax
number, licensure number, SSN,
Federal tax identification number, alias
names, date of birth, gender, date
admitted and/or date discharged. In
addition, the CTM stores complaint
data, including, but not limited to, the
following: date complaint received; date
of incident; issue level; complainant
and/or beneficiary information;
complaint summary; complaint
category; complaint resolution
summary; and plan resolution summary.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Authority for maintenance of the
system is given under section 1875 of
the Social Security Act (the Act) (42
U.S.C. 1395ll), entitled Studies and
Recommendations; section 1121 of the
Act (42 U.S.C. 1121), entitled Uniform
Reporting System for Health Services
Facilities and Organizations; and § 1876
of the Act (42 U.S.C. 1395mm), entitled
Payments to Health Maintenance
Organizations and Competitive Medical
Plans. Authority for maintenance and
dissemination of Health Plan
information is also given under the
Balanced Budget Act of 1997 (Pub. L.
105–33).
PURPOSE(S) OF THE SYSTEM:

‘‘Health Plan Management System
(HPMS),’’ HHS/CMS/CBC.

VerDate Aug<31>2005

not limited to, complainants, including
beneficiaries, relatives and caregivers,
Congresspersons and their staff, State
Health Insurance Program
representatives, and providers of service
and their staff.

The primary purpose of this modified
system is to collect and maintain
information on Medicare beneficiaries
enrolled in Medicare Health Plans in
order to develop and disseminate
information required by the Balanced
Budget Act of 1997 that will inform
beneficiaries and the public of
indicators of health plan performance to
help beneficiaries choose among health
plans, support quality improvement
activities within the plans, monitor and
evaluate quality improvement activities
within the plans, monitor and evaluate
care provided by health plans; provide
guidance to program management and
policies, and provide a research data
base for CMS and other researchers. The
information retrieved from this system
of records will also be disclosed to: (1)
Support regulatory, reimbursement, and
policy functions performed within the
Agency or by a contractor or consultant;

PO 00000

Frm 00051

Fmt 4703

Sfmt 4703

(2) assist another Federal and/or state
agency, agency of a state government, an
agency established by state law, or its
fiscal agent, for evaluating and
monitoring the quality of home health
care and contribute to the accuracy of
health insurance operations; (3) support
research, evaluation, or epidemiological
projects related to the prevention of
disease or disability, or the restoration
or maintenance of health, and for
payment related projects; (4) support the
functions of Quality Improvement
Organizations (QIO); (5) support
litigation involving the Agency; (6)
combat fraud and abuse in certain
health care programs.
ROUTINE USES OF RECORDS MAINTAINED IN THE
SYSTEM, INCLUDING CATEGORIES OR USERS AND
THE PURPOSES OF SUCH USES:

A. The Privacy Act allows us to
disclose information without an
individual’s consent if the information
is to be used for a purpose that is
compatible with the purpose(s) for
which the information was collected.
Any such compatible use of data is
known as a ‘‘routine use.’’ The proposed
routine uses in this system meet the
compatibility requirement of the Privacy
Act. We are proposing to establish the
following routine use disclosures of
information maintained in the system:
1. To agency contractors, or
consultants, or to a grantee of a CMSadministered grant program who have
been engaged by the agency to assist in
the accomplishment of a CMS function
relating to the purposes for this system
and who need to have access to the
records in order to assist CMS.
2. To another Federal and/or state
agency, agency of a state government, an
agency established by state law, or its
fiscal agent to:
a. Contribute to the accuracy of CMS’
proper payment of Medicare benefits,
b. Enable such agency to administer a
Federal health benefits program, or as
necessary to enable such agency to
fulfill a requirement of a Federal statute
or regulation that implements a health
benefits program funded in whole or in
part with Federal funds, and/or
c. Assist Federal/state Medicaid
programs within the state.
3. To assist an individual or
organization for research, evaluation or
epidemiological projects related to the
prevention of disease or disability, or
the restoration or maintenance of health,
and for payment related projects.
4. To Quality Improvement
Organizations (QIO) in order to assist
the QIO to perform Title XI and Title
XVIII functions relating to assessing and
improving quality of care.
5. To the Department of Justice (DOJ),
court or adjudicatory body when:

E:\FR\FM\14JAN1.SGM

14JAN1

rmajette on PROD1PC64 with NOTICES

Federal Register / Vol. 73, No. 9 / Monday, January 14, 2008 / Notices
a. The agency or any component
thereof, or
b. Any employee of the agency in his
or her official capacity, or
c. Any employee of the agency in his
or her individual capacity where the
DOJ has agreed to represent the
employee, or
d. The United States Government is a
party to litigation or has an interest in
such litigation, and by careful review,
CMS determines that the records are
both relevant and necessary to the
litigation and that the use of such
records by the DOJ, court or
adjudicatory body is compatible with
the purpose for which the agency
collected the records.
6. To assist a CMS contractor
(including, but not necessarily limited
to fiscal intermediaries and carriers) that
assists in the administration of a CMSadministered health benefits program,
or to a grantee of a CMS-administered
grant program, when disclosure is
deemed reasonably necessary by CMS to
prevent, deter, discover, detect,
investigate, examine, prosecute, sue
with respect to, defend against, correct,
remedy, or otherwise combat fraud or
abuse in such program.
7. To assist another Federal agency or
to an instrumentality of any
governmental jurisdiction within or
under the control of the United States
(including any State or local
governmental agency), that administers,
or that has the authority to investigate
potential fraud or abuse in, a health
benefits program funded in whole or in
part by Federal funds, when disclosure
is deemed reasonably necessary by CMS
to prevent, deter, discover, detect,
investigate, examine, prosecute, sue
with respect to, defend against, correct,
remedy, or otherwise combat fraud or
abuse in such programs.
B. Additional Provisions Affecting
Routine Use Disclosures
To the extent this system contains
Protected Health Information (PHI) as
defined by HHS regulation ‘‘Standards
for Privacy of Individually Identifiable
Health Information’’ (45 CFR Parts 160
and 164, 65 Fed. Reg. 82462 (12–28–00),
Subparts A and E. Disclosures of such
PHI that are otherwise authorized by
these routine uses may only be made if,
and as, permitted or required by the
‘‘Standards for Privacy of Individually
Identifiable Health Information.’’
In addition, our policy will be to
prohibit release even of data not directly
identifiable, except pursuant to one of
the routine uses or if required by law,
if we determine there is a possibility
that an individual can be identified
through implicit deduction based on
small cell sizes (instances where the

VerDate Aug<31>2005

15:22 Jan 11, 2008

Jkt 214001

patient population is so small that
individuals could, because of the small
size, use this information to deduce the
identity of the beneficiary).
POLICIES AND PRACTICES FOR STORING,
RETRIEVING, ACCESSING, RETAINING, AND
DISPOSING OF RECORDS IN THE SYSTEM:

2263

SYSTEM MANAGER(S) AND ADDRESS:

Director, Division of Plan Data, Plan
Oversight and Accountability Group,
Center for Beneficiary Choices, Center
for Medicare & Medicaid Services, 7500
Security Boulevard, C4–14–21,
Baltimore, Maryland 21244–1850.

STORAGE:

NOTIFICATION PROCEDURE:

All records are stored on the magnetic
disk sub-system of the Sun Solaris 10
Server. Furthermore, these records are
saved to magnetic tape backup on a
nightly basis.
The records are retrieved by health
insurance claims number or other
individually identifying numbers.

For purpose of access, the subject
individual should write to the system
manager who will require the system
name, HICN, address, date of birth, and
gender, and for verification purposes,
the subject individual’s name (woman’s
maiden name, if applicable), and SSN.
Furnishing the SSN is voluntary, but it
may make searching for a record easier
and prevent delay.

SAFEGUARDS:

RECORD ACCESS PROCEDURE:

CMS has safeguards in place for
authorized users and monitors such
users to ensure against excessive or
unauthorized use. Personnel having
access to the system have been trained
in the Privacy Act and information
security requirements. Employees who
maintain records in this system are
instructed not to release data until the
intended recipient agrees to implement
appropriate management, operational
and technical safeguards sufficient to
protect the confidentiality, integrity and
availability of the information and
information systems and to prevent
unauthorized access.
This system will conform to all
applicable Federal laws and regulations
and Federal, HHS, and CMS policies
and standards as they relate to
information security and data privacy.
These laws and regulations may apply
but are not limited to: the Privacy Act
of 1974; the Federal Information
Security Management Act of 2002; the
Computer Fraud and Abuse Act of 1986;
the Health Insurance Portability and
Accountability Act of 1996; the EGovernment Act of 2002, the ClingerCohen Act of 1996; the Medicare
Modernization Act of 2003, and the
corresponding implementing
regulations. OMB Circular A–130,
Management of Federal Resources,
Appendix III, Security of Federal
Automated Information Resources also
applies. Federal, HHS, and CMS
policies and standards include but are
not limited to: all pertinent National
Institute of Standards and Technology
publications; the HHS Information
Systems Program Handbook and the
CMS Information Security Handbook.

For purpose of access, use the same
procedures outlined in Notification
Procedures above. Requestors should
also specify the record contents being
sought. (These procedures are in
accordance with department regulation
45 CFR 5b.5(a)(2)).

RETRIEVABILITY:

RETENTION AND DISPOSAL:

CMS will retain identifiable HPMS
data for at least 10 years or as long as
needed for program research.

PO 00000

Frm 00052

Fmt 4703

Sfmt 4703

CONTESTING RECORDS PROCEDURES:

The subject individual should contact
the system manager named above, and
reasonably identify the records and
specify the information to be contested.
State the corrective action sought and
the reasons for the correction with
supporting justification. (These
Procedures are in accordance with
Department regulation 45 CFR 5b.7).
RECORDS SOURCE CATEGORIES:

The identifying information contained
in these records is obtained from the
health plan and Part D organizations
(which obtained the data from the
individual concerned) or the
individuals themselves. Also, these data
will be linked with CMS administrative
data, such as claims and enrollment.
SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS
OF THE ACT:

None.
[FR Doc. 08–72 Filed 1–11–08; 8:45 am]
BILLING CODE 4120–03–M

DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Administration for Children and
Families
Office of Head Start; Request for
Nominations for the Secretary’s
Advisory Committee on ReDesignation of Head Start Grantees
Administration for Children
and Families, Department of Health and
Human Services (HHS).

AGENCY:

E:\FR\FM\14JAN1.SGM

14JAN1