2019-21768. Privacy Act of 1974; System of Records  


    AGENCY:

    Centers for Medicare & Medicaid Services (CMS), Department of Health and Human Services (HHS).

    ACTION:

    Notice of a modified system of records.

    SUMMARY:

    In accordance with requirements of the Privacy Act of 1974, as amended, the Department of Health and Human Services (HHS) is updating an existing system of records maintained by the Centers for Medicare & Medicaid Services (CMS), system No. 09-70-0550, titled “Medicare Retiree Drug Subsidy Program” (RDSP), and renaming it “Retiree Drug Subsidy (RDS), HHS/CMS/CM.” This system collects and maintains information about individuals who are qualifying covered retirees so that accurate and timely subsidy payments may be made to plan sponsors who continue to offer actuarially equivalent prescription drug coverage to the qualifying covered retirees.

    DATES:

    In accordance with 5 United States Code (U.S.C.) 552a(e)(4) and (11), this notice is applicable October 8, 2019, subject to a 30-day period in which to comment on the new and revised routine uses, described below. Please submit any comments by November 7, 2019.

    ADDRESSES:

    Written comments should be submitted by mail or email to: CMS Privacy Act Officer, Division of Security, Privacy Policy & Governance, Information Security & Privacy Group, Office of Information Technology, CMS, Location N1-14-56, 7500 Security Blvd., Baltimore, MD 21244-1870, or walter.stone@cms.hhs.gov.


    FOR FURTHER INFORMATION CONTACT:

    General questions may be submitted to: Ivan Iveljic, Health Insurance Specialist, Medicare Plan Payment Group, Center for Medicare, CMS, Mail Stop C1-13-07, 7500 Security Boulevard, Baltimore, Maryland 21244. He can be reached at 410-786-3312 or via email at Ivan.Iveljic@cms.hhs.gov.


    SUPPLEMENTARY INFORMATION:

    I. Background on Records Covered by System of Records 09-70-0550

    This system of records covers records about individual retirees which are used in administering the Retiree Drug Subsidy, which is a program that offers sponsors of qualified retiree prescription drug plans financial assistance with a portion of their prescription drug costs and thereby helps employers retain and enhance their prescription drug coverage so that the current erosion in coverage will plateau or even improve. The program makes a subsidy for 28 percent of allowable prescription drug costs available to qualified retiree prescription drug plans, which significantly reduces financial liabilities associated with employers' retiree drug coverage and encourages employers to continue assisting their retirees with prescription drug coverage.

    II. Explanation of Modifications to the System of Records Notice (SORN)

    The modifications made to the system of records include the following substantive changes, in addition to reformatting the SORN to comply with OMB Circular A-108, issued December 23, 2016:

    • The name of the system of records has changed from “Medicare Retiree Drug Subsidy Program (RDSP), HHS/CMS/CBC” to “Retiree Drug Subsidy (RDS), HHS/CMS/CM.”
    • Address information in the System Location and System Manager(s) sections has been updated.
    • The Security Classification section has been changed from “Level Three Privacy Act Sensitive Data” to “Unclassified.”
    • The Authorities section has been revised to include 31 U.S.C. 7701(c) as authority to collect Social Security Numbers from individuals with whom CMS is “doing business,” as defined by the statute.
    • The Purpose section has been revised to omit a summary of the routine uses.
    • The Categories of Records section has been revised to identify the record categories as enrollment, beneficiary, and financial or payment-related records.
    • The list of data elements in the Categories of Records section has been modified to include the Medicare Beneficiary Identifier (MBI), which is a new individual identifier in addition to the Health Insurance Claim Number (HICN).
    • The Routine Uses section has been updated to revise three routine uses and add one new routine use:

    ○ Routine use 2, which authorizes disclosures to members of Congress and their staff for purposes of responding to their requests on behalf of constituents, has been revised to require that their requests be “written.”

    ○ Routine use 3, which authorizes disclosures to the Department of Justice (DOJ), court, or adjudicatory body, has been revised to omit unnecessary wording limiting the disclosures to uses “compatible with the purpose for which the agency collected the records.” (The wording is unnecessary because it restates the definition of a routine use.)

    ○ The fraud, waste, and abuse-related routine use added May 29, 2013 is now numbered as routine use 6. It has been revised to add “which are” before the words “defined for this purpose,” and to omit an unnecessary statement that “[d]isclosures may include provider and beneficiary-identifiable data.”

    ○ The two breach response-related routine uses added February 14, 2018 are now numbered as routine uses 7 and 8.

    ○ Routine use number 9 is new; it authorizes disclosures to the U.S. Department of Homeland Security (DHS) for cybersecurity monitoring purposes in the event that records from this system of records are captured in an intrusion detection system used by HHS and DHS.

    • A note at the end of the Routine Uses section has been shortened to remove a portion referring to “complaints” and “complainants” (which are not involved in this system of records) and to releases of “not directly identifiable [information], except pursuant to one of the routine uses or if required by law” (which could create the misimpression that a disclosure required by law need not be authorized by a routine use or another exception to the consent requirement in 5 U.S.C. 552a(b)).
    • The Retrieval section has been updated to include the Medicare Beneficiary Identifier (MBI) as an additional personal identifier used for retrieval, and to omit plan sponsor identifier and benefit option identifier, which are not personal identifiers.
    • The Records Retention section now cites the applicable disposition authorities, which were revised in 2015, and corrects the retention period, which was previously 15 years and is now seven years (or longer) for enrollment records, ten years (or longer) for beneficiary records, and seven years (or longer) for financial or payment related records.
    • In the Access Procedures section, the text has been modified to state that any identifying particulars included in a request would be used to distinguish between subject individuals with the same name, and to include the MBI as an example of an identifying particular.

    Barbara Demopulos,

    Privacy Advisor, Division of Security, Privacy Policy and Governance, Information Security and Privacy Group, Office of Information Technology, Centers for Medicare & Medicaid Services.


    SYSTEM NAME AND NUMBER:

    Retiree Drug Subsidy (RDS), HHS/CMS/CM, System No. 09-70-0550.

    SECURITY CLASSIFICATION:

    This system of records does not include classified information.

    SYSTEM LOCATION:

    The address of the agency component responsible for the system of records is: Medicare Plan Payment Group, Center for Medicare, Centers for Medicare & Medicaid Services, 7500 Security Boulevard, Baltimore, Maryland 21244-1850.

    SYSTEM MANAGER:

    The System Manager for the system of records is: Director, Medicare Plan Payment Group, Center for Medicare, Centers for Medicare & Medicaid Services, 7500 Security Blvd., Baltimore, MD 21244, (410) 786-7407.

    AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

    Authority for maintenance of this system is given under section 1860D-22 of the Social Security Act (Title 42 United States Code (U.S.C.) sections 1302, 1395w-101 through 1395w-152, and 1395hh), as amended by section 101 of the Medicare Modernization Act (MMA). The collection of Social Security Numbers is authorized by 31 U.S.C. 7701(c).

    PURPOSE(S) OF THE SYSTEM:

    The purpose of this system is to collect and maintain information about individuals who are qualifying covered retirees so that accurate and timely subsidy payments may be made to plan sponsors who continue to offer actuarially equivalent prescription drug coverage to the retirees.

    CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

    Information in this system is maintained on qualifying covered retirees who are Medicare Part D eligible individuals covered under a qualified retiree prescription drug plan.

    CATEGORIES OF RECORDS IN THE SYSTEM:

    The records are enrollment, beneficiary, and financial or payment related records used to support and calculate the amount of subsidy payments to plan sponsors. They contain information such as the following about each retiree: Standard data for identification such as Plan Sponsor Identification Number, Application Identification Number, Benefit Option Identifier, Coverage Effective Date, Coverage Termination Date, Health Insurance Claim Number (HICN) or Medicare Beneficiary Identifier (MBI), Social Security Number (SSN), gender, first name, last name, middle initial, date of birth, relationship to member, and Medicare eligibility and enrollment status.

    RECORD SOURCE CATEGORIES:

    Records maintained in this system are derived from the Medicare Beneficiary Database (MBD) system of records, system No. 09-70-0536, and from plan sponsors.

    ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

    Records about an individual retiree may be disclosed from this system of records to parties outside the Department of Health and Human Services (HHS), without the individual's prior written consent, for the purposes indicated in these routine uses:

    1. To agency contractors or consultants who have been engaged by the agency to assist in the performance of a service related to this system and who need to have access to the records in order to perform the activity.

    2. To a member of Congress or to a congressional staff member in response to a written inquiry of the congressional office made at the written request of the constituent about whom the record is maintained.

    3. To the Department of Justice (DOJ), court, or adjudicatory body when:

    a. the agency or any component thereof, or

    b. any employee of the agency in his or her official capacity, or

    c. any employee of the agency in his or her individual capacity where the DOJ has agreed to represent the employee, or

    d. the United States Government, is a party to litigation or has an interest in such litigation and, by careful review, CMS determines that the records are both relevant and necessary to the litigation.

    4. To a CMS contractor (including, but not necessarily limited to fiscal intermediaries and carriers) that assists in the administration of a CMS administered health benefits program, or to a grantee of a CMS-administered grant program, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud or abuse in such program.

    5. To another federal agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States (including any state or local governmental agency), that administers, or that has the authority to investigate potential fraud or abuse in, a health benefits program funded in whole or in part by federal funds, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud or abuse in such programs.

    6. To disclose to health plans, which are defined for this purpose as plans or programs that provide health benefits, whether directly, through insurance, or otherwise, and include—(1) a policy of health insurance; (2) a contract of a service benefit organization; and (3) a membership agreement with a health maintenance organization or other prepaid health plan when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste, or abuse in such programs.

    7. To appropriate agencies, entities, and persons when (1) HHS suspects or has confirmed that there has been a breach of the system of records; (2) HHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the federal government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

    8. To another federal agency or federal entity, when HHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the federal government, or national security, resulting from a suspected or confirmed breach.

    9. To the U.S. Department of Homeland Security (DHS) if captured in an intrusion detection system used by HHS and DHS pursuant to a DHS cybersecurity program that monitors internet traffic to and from federal government computer networks to prevent a variety of types of cybersecurity incidents.

    The disclosures authorized by publication of the above routine uses pursuant to 5 U.S.C. 552a(b)(3) are in addition to other disclosures authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(2) and (b)(4)-(11).

    ADDITIONAL PROVISIONS AFFECTING ROUTINE USE DISCLOSURES:

    This system contains protected health information as defined by Department of Health and Human Services (HHS) regulation “Standards for Privacy of Individually Identifiable Health Information” (45 Code of Federal Regulations (CFR) Parts 160 and 164, 65 Federal Register (FR) 82462 (12-28-00), Subparts A and E). Disclosures of Protected Health Information authorized by these routine uses may only be made if, and as, permitted or required by the “Standards for Privacy of Individually Identifiable Health Information.”

    POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

    The records are stored in hard-copy files and/or electronic media.

    POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

    Information is retrieved by the retiree's Health Insurance Claim Number (HICN), Medicare Beneficiary Identifier (MBI), or Social Security Number.

    POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

    The records are retained and disposed of in accordance with the following disposition schedules, which were approved by the National Archives and Records Administration (NARA):

    • Financial or payment related records are governed by DAA-0440-2015-0004-0001 (Bucket 3). The records retention schedule states: Destroy no sooner than 7 year(s) after cutoff but longer retention is authorized.
    • Enrollment Records are governed by DAA-0440-2015-0006 (Bucket 4). The records retention schedule states: Destroy no sooner than 7 year(s) after cutoff but longer retention is authorized.
    • Beneficiary Records are governed by DAA-0440-2015-0007-0001 (Bucket 5). The records retention schedule states: Cutoff at the end of the calendar year. Destroy no sooner than 10 year(s) after cutoff but longer retention is authorized.

    ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

    Safeguards conform to the CMS Information Security and Privacy Program, https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/index.html. Information is safeguarded in accordance with applicable laws, rules and policies, including the HHS Information Technology Security Program Handbook; all pertinent National Institute of Standards and Technology (NIST) publications; and OMB Circular A-130, Managing Information as a Strategic Resource. Records are protected from unauthorized access through appropriate administrative, physical, and technical safeguards. These safeguards include protecting the facilities where records are stored or accessed with security guards, badges and cameras, securing hard-copy records in locked file cabinets, file rooms or offices during off-duty hours, limiting access to electronic databases to authorized users based on roles and two-factor authentication (user ID and password), using a secured operating system protected by encryption, firewalls, and intrusion detection systems, requiring encryption for records stored on removable media, and training personnel in Privacy Act and information security requirements. Records that are eligible for destruction are disposed of using secure destruction methods prescribed by NIST SP 800-88.

    RECORD ACCESS PROCEDURES:

    An individual seeking access to a record about him/her in this system of records must submit a written request to the System Manager indicated above. The request must contain the individual's name and particulars necessary to distinguish between records on subject individuals with the same name, such as HICN, MBI or SSN, and should also reasonably specify the record(s) to which access is sought. To verify the requester's identity, the signature must be notarized or the request must include the requester's written certification that he/she is the person he/she claims to be and that he/she understands that the knowing and willful request for or acquisition of records pertaining to an individual from an agency under false pretenses is a criminal offense subject to a $5,000 fine.

    CONTESTING RECORD PROCEDURES:

    Any subject individual may request that his/her record be corrected or amended if he/she believes that the record is not accurate, timely, complete, or relevant or necessary to accomplish a Department function. A subject individual making a request to amend or correct his record shall address his request to the System Manager indicated, in writing, and must verify his/her identity in the same manner required for an access request. The subject individual shall specify in each request: (1) The system of records from which the record is retrieved; (2) The particular record and specific portion which he/she is seeking to correct or amend; (3) The corrective action sought (e.g., whether he/she is seeking an addition to or a deletion or substitution of the record); and, (4) His/her reasons for requesting correction or amendment of the record. The request should include any supporting documentation to show how the record is inaccurate, incomplete, untimely, or irrelevant.

    NOTIFICATION PROCEDURES:

    Individuals wishing to know if this system contains records about them should write to the System Manager indicated above and follow the same instructions under Record Access Procedures.

    EXEMPTIONS PROMULGATED FOR THE SYSTEM:

    None.

    HISTORY:

    70 FR 41035 (July 15, 2005), 78 FR 32257 (May 29, 2013), 83 FR 6591 (Feb. 14, 2018)


    [FR Doc. 2019-21768 Filed 10-7-19; 8:45 am]

    BILLING CODE 4120-03-P

Document Information

Published:
10/08/2019
Department:
Centers for Medicare & Medicaid Services
Entry Type:
Notice
Action:
Notice of a modified system of records.
Document Number:
2019-21768
Pages:
53734-53737 (4 pages)