AGENCY:

Department of Health and Human Services (HHS), Office of the Secretary (OS), Office of the National Coordinator for Health Information Technology (ONC).

ACTION:

Notice to establish a new system of records.

SUMMARY:

In accordance with the requirements of the Privacy Act of 1974, HHS/OS/ONC is establishing a new system of records, “ONC Health IT Dashboard,” to create datasets that will be used by ONC and its partners (including grantees in the Health IT Extension Center program and ONC program evaluation contractors) to assess, improve, and publicize the effectiveness of ONC health IT grants to States and State-designated entities. The datasets will enable ONC to (1) Evaluate the state of health IT implementation by parties registered to receive (i.e., who have received or could receive) electronic health record implementation assistance from ONC grantees, (2) compare the evaluations to grantees' progress reports in order to validate claims submitted for grant payments, (3) share the evaluations with the grantees to help improve grant performance, and (4) make aggregate data (e.g., national and State-level implementation estimates) publicly available on ONC's Web site at http://www.healthit.hhs.gov.

The parties receiving grants and health IT implementation assistance from ONC grantees include health care providers (not only provider-entities such as hospitals, but individual providers such as individual physicians), community colleges, State-designated entities, and other entities. Information about an individual provider (e.g., an individual physician as opposed to a hospital, corporation or other organization) is protected by the Privacy Act. Privacy Act-protected information about each individual provider will consist of the provider's health IT implementation information, demographic information, and contact information, retrieved by his or her National Provider Identifier (NPI). The system will not contain information about patients. The system of records is more thoroughly described in the Supplementary Information section and System of Records Notice (SORN), below.

DATES:

Effective Dates: Effective 30 days after publication. Written comments should be submitted on or before the effective date. HHS/OS/ONC may publish an amended System of Records Notice (SORN) in light of any comments received.

ADDRESSES:

The public should send written comments to: ONC Dashboard Administrator, ONCRequest@HHS.gov, 200 Independence Ave. SW., Washington, DC 20201.

FOR FURTHER INFORMATION CONTACT:

Email: ONCRequest@HHS.gov, Telephone: 1-(202) 690-7151, 200 Independence Ave. SW., Washington, DC 20201.

SUPPLEMENTARY INFORMATION:

I. ONC Health IT Dashboard

The Office of the National Coordinator is establishing the “ONC Health IT Dashboard” system as part of the U.S. Department of Health and Human Service's (HHS) implementation of the Open Government Directive issued by the Office of Management and Budget (OMB) on December 8, 2009 (OMB Memorandum M-10-06). The purpose of the system is to advance open government principles and facilitate three programmatic objectives: (1) Aggregate data to create national- and State-level estimates about health IT adoption, (2) identify participants in other HHS health IT-related programs that could be assisted by ONC grantees, and (3) verify the integrity of grant payments made to ONC grantees.

The Dashboard system will enable ONC to create datasets using data from two types of sources: (1) Data created during the administration of ONC grant programs or obtained from ONC partners administering other Federal IT-related grant programs, and (2) data procured from private vendors that monitor health IT adoption trends and activity. The Dashboard system is divided into two interfaces: an internal system used by ONC researchers to create and analyze said datasets, and a public-facing Open Government internet site that will contain de-identified State-level summary statistics derived from said datasets, and pre-configured graphs, charts, and maps displaying the summarized data.

Individually-identifying information in the Dashboard system will pertain to individual office-based health care providers who are enrolled with the ONC Health IT Regional Extension Centers (RECs) and/or participate in other Federal IT-related grant programs, such as the CMS Medicare and Medicaid EHR Incentive programs. Privacy Act-protected information in this system will consist of an individual provider's contact information, demographic information, and health IT implementation information, retrieved by the provider's National Provider Identifier (NPI). Examples of records from which this information will be obtained include:

• Records from private vendors that monitor health IT adoption trends and activity, which include provider-level information such as contact and demographic information and characteristics of the electronic health records (EHR) systems and functionalities in use at the provider's site.
• ONC REC Program grant administration records, which contains the NPI, contact information, and demographic information for providers that are enrolled with ONC RECs.Start Printed Page 79686
• Centers for Medicare & Mediaid Services (CMS) Electronic Health Records (EHR) Incentive Program grant administration records, which include registration and attestation records containing NPI, contact information, and demographic information for providers who register to participate in that program.

Some of the datasets to be created and used by ONC and shared with ONC grantees and partners will necessarily include identifying information pertaining to particular participants in ONC and other Federal IT-related grant programs (including individual health care providers, identified by NPI); however, datasets that will be made publicly available on the ONC Web site will contain only aggregated data that cannot be identified with particular participants. Examples of both types of datasets (identifiable and aggregate) are described below:

• The system will create datasets containing NPI for use by ONC researchers, to validate the accuracy of claims for grant payment by ONC grantees.
• ONC may share versions of the above datasets containing NPI with ONC partners and grantees, to help grantees better assist registered parties in implementing health IT. An ONC partner or ONC grantee will be able to access datasets created in the system via a secure login to an internet portal. Accordingly, ONC partners and ONC grantees will only have access to data specifically pertaining to the achievement of that entity's grant or contract purpose. Further, an ONC grantee will only receive or have access to individually-identifying data about health care providers who are within the grantee's geographic area.
• The system will enable ONC to create aggregated summary tables from the above datasets that examine patterns of grants participation and health IT implementation using summary categories deriving from the provider's geography (e.g., by state, region, urban/rural classification) or demographic data (e.g., health care provider type, such as office-based provider, hospital or pharmacy) and not by NPI, for posting to ONC's Web site.

II. The Privacy Act

The Privacy Act (5 U.S.C. 552a) governs the means by which the U.S. Government collects, maintains, and uses information about individuals in a system of records. A “system of records” is a group of any records under the control of a Federal agency from which information about an individual is retrieved by the individual's name or other personal identifier. The Privacy Act requires each agency to publish in the Federal Register a system of records notice (SORN) identifying and describing each system of records the agency maintains, including the purposes for which the agency uses information about individuals in the system, the routine uses for which the agency discloses such information outside the agency, and how individual record subjects can exercise their rights under the Privacy Act (e.g., to determine if the system contains information about them).

SYSTEM NUMBER:

09-90-1201

SYSTEM NAME:

ONC Health IT Dashboard, HHS/OS/ONC.

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

The server infrastructure for the system will be located at Managed Application Hosting Facility (MAHC Core Site), Reston Virginia.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The system will contain information about individual office-based health care providers who are enrolled with the ONC Health IT Regional Extension Centers (REC) and/or participate in other Federal health IT-related grant programs, including the CMS EHR Incentive Programs.

CATEGORIES OF RECORDS IN THE SYSTEM:

The system will contain the following records about individual health care providers:

• IT implementation information, such as the functionalities that are being used within a provider's electronic health record system;
• Demographic records, such as gender and ethnicity;
• Contact information, such as name, address, and phone number; and
• National Provider Identifier (NPI).

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111-5), codified at 42 U.S.C. 300jj.

PURPOSE(S) OF THE SYSTEM:

HHS/ONC personnel will use the system to create and use datasets to assess, improve, and publicize the effectiveness of ONC health IT grants made to States and State-designated entities. Some of the datasets will contain individually identifying information about health care providers who are registered to receive health IT implementation assistance from ONC grantees. HHS/ONC personnel will use individually identifying information in the system, on a need to know basis, to (1) Evaluate the state of health IT implementation by parties registered to receive electronic health record implementation assistance from ONC grantees, (2) compare grantees' progress reports in order to validate claims submitted for grant payments, (3) share the evaluations with the grantees to help improve grant performance, and (4) make aggregate data (e.g., national and State-level implementation estimates) publicly available on ONC's Web site.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

The ONC Health IT Dashboard system will or may disclose datasets containing individually identifying information about providers to the following parties outside the agency, for the following routine uses:

1. To ONC grantees to help them improve grant performance and to ONC contractors that help evaluate the effectiveness of Federal health IT-related grants to States and State-designated entities. The group of ONC grantees with whom this data will be shared is available on the ONC Web site at http://www.healthit.gov. An ONC grantee will only receive individually identifying data about health care providers that are within the grantee's geographic service area.

2. To agency contractors, consultants, or HHS grantees who have been engaged by the agency to assist in accomplishment of an HHS function relating to the purposes of this system of records and who need to have access to the records in order to assist HHS.

3. To another Federal or State agency, agency of a State government, agency established by State law, or its fiscal agent, pursuant to agreements with HHS, as necessary to enable such agency to:

• Contribute to the accuracy of HHS's reimbursements to grantees;
• Administer a Federal health benefits program or fulfill a requirement of a Federal statute or regulation that implements a health benefits program funded in whole or in part with Federal funds; and/or
• Assist Federal/State Medicaid programs which may require ONC Health IT Dashboard information for purposes related to this system.Start Printed Page 79687

4. To the Department of Justice (DOJ), a court or an adjudicatory body when:

• The agency or any component thereof, or
• Any employee of the agency in his or her official capacity, or
• Any employee of the agency in his or her individual capacity where the DOJ has agreed to represent the employee, or
• The United States Government, is a party to litigation or has an interest in such litigation and, by careful review, HHS determines that the records are both relevant and necessary to the litigation and that the use of such records by the DOJ, court or adjudicatory body is compatible with the purpose for which the agency collected the records.

5. To another Federal agency or an instrumentality of any governmental jurisdiction within or under the control of the United States (including any State or local governmental agency), that administers or has the authority to investigate potential fraud, waste or abuse in a health benefits program funded in whole or in part by Federal funds, when disclosure is deemed reasonably necessary by HHS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste or abuse in such programs.

6. To appropriate Federal agencies and Department contractors that have a need to know the information for the purpose of assisting the Department's efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, when the information disclosed is relevant and necessary for that assistance.

7. To the Department of Justice (DOJ) and/or the Office of Government Information Services (OGIS) for the purposes of determining whether disclosure is required under the Freedom of Information Act (FOIA), resolving disputes between FOIA requesters and Federal agencies, and reviewing agencies' FOIA policies, procedures and compliance in order to recommend policy changes to Congress and the President.

8. To the National Archives and Records Administration (NARA) in records management inspections conducted under the authority of 44 U.S.C. 2904 and 2906.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM—

STORAGE:

Electronic records will be stored on an ONC infrastructure servers maintained at a contracted IT services unit of HHS. Electronic records containing source data, including individually identifiable information, can only be accessed from secure computer stations inside the HHS/ONC workspace by authorized users. Aggregated datasets including national and State-level EHR implementation estimates that do not include individually identifiable information will be available through the ONC Web site, http://healthIT.gov.

RETRIEVABILITY:

Records will be retrieved, compared and cross-checked using the National Provider Identifier (NPI).

SAFEGUARDS:

Appropriate physical, technical, and administrative safeguards will be in place to protect against unauthorized access to or disclosure of individually identifiable information from this system. The system will be secured and protected using standards established through the Federal Information Security Management Act of 2002 (44 U.S.C. 3541) and standards established by the National Institutes for Standards in Technology (NIST) for certifying and accrediting IT systems. Furthermore, access to the system's internal ONC interface (which provides the only available access to individually-identifying data) will be limited to a small group of authorized HHS/ONC researchers, and within that group, individual datasets will be micromanaged to ensure that access is restricted to the subset of ONC staff with the bona fide need to use the information. Access to any portion of the internal ONC system and or source datasets is predicated on successful user registration with the HHS IT help desk and the user's ability to abide by the HHS IT security terms of use.

Datasets created in the system for provided to an ONC grantee or contractor will contain only data specifically pertaining to that entities grant or contract purpose. Further, an ONC grantee or contractor will only receive or have access to individually-identifiable data about health care providers who are within the grantee's geographic area. An ONC partner or ONC grantee will be able to access datasets created in the system via a secure login to an internet portal. No records will be maintained in hard-copy files.

RETENTION AND DISPOSAL:

The records are currently unscheduled; the records disposition schedule will provide for records to be destroyed approximately two years after the completion of the applicable ONC health IT-related grant program that was evaluated using the records.

SYSTEM MANAGER AND ADDRESS:

ONC Dashboard Administrator, Office of the National Coordinator for Health IT, 200 Independence Avenue SW., Washington, DC 20201.

NOTIFICATION PROCEDURE:

An individual provider who wishes to know if this system contains records about him or her should write to the System Manager and include his or her National Provider Identifier (NPI).

RECORD ACCESS PROCEDURE:

An individual provider seeking access to records about him or her in this system should follow the same instructions indicated under “Notification Procedure.” The request should reasonably identify the record contents to which access is sought. (These procedures are in accordance with Department regulation 45 CFR 5b.5 (a)(2).)

CONTESTING RECORD PROCEDURES:

An individual provider seeking to contest the content of information about him or her in this system should follow the same instructions indicated under “Notification Procedure.” The request should reasonably identify the record, specify the information contested, state the corrective action sought, and provide the reasons for the correction, with supporting justification. (These procedures are in accordance with Department regulation 45 CFR 5b.7.) The right to contest records is limited to information that is incomplete, irrelevant, incorrect, or untimely (i.e., obsolete).

RECORD SOURCE CATEGORIES:

The system will use data procured from private vendors that monitor health IT adoption trends and activity and grant administrative data already collected or generated in administering ONC and other Federal health IT-related grant programs. Datasets created by this system, from those sources, will be cross-checked against certain data in other HHS systems (such as the PECOS system), to ensure the datasets are valid, accurate and reliable for use in evaluating ONC grants. Most of the data used will come from records collected Start Printed Page 79688directly from participants in the grant programs.

EXEMPTIONS CLAIMED FOR THIS SYSTEM:

None.