ACTION:

Notice of modified or altered System of Records (SOR).

SUMMARY:

In accordance with the Privacy Act, we are proposing to modify or alter an existing SOR, “Program Information Management System (PIMS),” System No. 09-90-0052, published at 67 FR 57011, September 6, 2002.

First, we propose to add a new authority, the Patient Safety and Quality Improvement Act of 2005 (Patient Safety Act), to those under which OCR collects information. The Secretary of HHS has delegated to OCR the authority to enforce the confidentiality provisions of that statute.

Second, we propose a new routine use which allows referrals of Age Discrimination Act Complaints to the Federal Mediation and Conciliation Service (FMCS), for purposes of mediation.

Third, we give notice of a new routine use permitting disclosure of records to student volunteers, individuals working under a personal services contract, and other individuals performing functions for the Department but technically not having the status of OCR employees, if they need access to the records in order to perform their assigned agency functions. OCR invites interested parties to submit comments on the proposed additional authority and routine uses. See Effective Dates section for comment period.

EFFECTIVE DATES:

OCR filed a modified system report with the Chair of the House Committee on Government Reform and Oversight, the Chair of the Senate Committee on Homeland Security and Governmental Affairs, and the Administrator, Office of Information and Regulatory Affairs, Office of Management and Budget (OMB) February 15, 2007. To ensure that all parties have adequate time in which to comment, the modified SOR, including routine uses, will become effective 40 days from the publication of the notice, or from the date it was submitted to OMB and the Congress, whichever is later, unless OCR receives comments that require alterations to this notice.

ADDRESSES:

The public should address comments regarding: FMCS referrals to Richard Lopez, Civil Rights Division, the Patient Safety Act to Linda Sanches, Privacy Division, student volunteers to Sheila D. Marshall, of the Management Operations Division, Office for Civil Rights, Department of Health and Human Services, Room 553E, Hubert H. Humphrey Building, 200 Independence Avenue, SW., Washington, DC 20201. Comments also may be sent via e-mail to OCRmail@hhs.gov. Comments received will be available for review at this location, by appointment, during regular business hours, Monday through Friday from 9 a.m.-3 p.m., Eastern Standard Time.

FOR FURTHER INFORMATION CONTACT:

For further information regarding FMCS referrals contact Richard Lopez, Civil Rights Division, telephone number (202) 260-1602, the Patient Safety Act contact Linda Sanches, Privacy Division, telephone number (202) 260-7106, student volunteers contact Sheila D. Marshall, of the Management Operations Division, telephone number (202) 619-2742, Office for Civil Rights, Department of Health and Human Services, Room 553E, Hubert H. Humphrey Building, 200 Independence Avenue, SW., Washington, DC 20201.

SUPPLEMENTARY INFORMATION:

The system of records (i.e., PIMS) described in the OCR's September 6, 2002 Privacy Act notice is used by OCR staff and consists of an electronic repository of information and documents, and supplementary paper document files. PIMS effectively combined and replaced OCR's two previous systems of records, (CIMS and the Complaint File and Log), into a single integrated system with enhanced electronic storage, retrieval and tracking capacities. While the types of information collected and stored in PIMS is the same as the information collected in CIMS and the Complaint File and Log, PIMS allows OCR to manage more effectively the information that it does collect.

The Privacy Act permits the OCR to disclose information or records pertaining to an individual without that individual's consent if the information is to be used for a purpose that is compatible with the purpose(s) for which the information was collected, 5 U.S.C. 552a (b) (3). Any such disclosure is known as a “routine use.” This modified notice identifies two new routine uses for the OCR's system of Start Printed Page 8735records, as described below. The OCR expects that the routine use disclosures will not result in any unwarranted invasion of personal privacy.

The Office for Civil Rights (OCR) is responsible for enforcing Title VI of the Civil Rights Act of 1964, Section 504 of the Rehabilitation Act of 1973, the Age Discrimination Act of 1975 and other statutes which prohibit discrimination by programs or entities that receive Federal financial assistance. OCR also has jurisdiction over Federally conducted programs in cases involving disability-based discrimination under Section 504 of the Rehabilitation Act, over state and local public entities in cases involving disability-based discrimination under Title II of the Americans with Disabilities Act and over health plans, health care clearinghouses and certain health care providers with respect to enforcement of medical privacy obligations under the Health Insurance Portability and Accountability Act. We give notice that OCR now enforces the confidentiality provisions of a new authority, the Patient Safety and Quality Improvement Act of 2005 (Patient Safety Act).

The PIMS system conforms to applicable law and policy governing the privacy and security of Federal automated information systems. These include, but are not limited to: the Privacy Act of 1974, Computer Security Act of 1987, the Paperwork Reduction Act of 1995, the Clinger-Cohen Act of 1996, and OMB Circular A-130, Appendix, III, “Security of Federal Automated Information Resources.” OCR has prepared a system security plan as required by OMB Circular A-130, Appendix III. This plan conforms fully to guidance issued by the National Institute for Standards and Technology (NIST) in NIST Special Publication 800-18, “Guide for Developing Security Plans for Information Technology Systems.” The plan includes conduct of a risk assessment that addresses the confidentiality and integrity of the data.

Only authorized users whose official duties require the use of such information have regular access to the records in this system.

The routine uses for this system are compatible with the stated purpose of the system. The first routine use for this system, permitting disclosure to a congressional office, allows subject individuals to obtain assistance from their representatives in Congress, should they so desire. Such disclosure would be made only pursuant to the request of the individual. The second routine use allows disclosure to the Department of Justice or a court in the event of litigation. The third routine use allows referral to the appropriate agency, in the event that a System of Records maintained by this agency to carry out its functions indicates a violation or potential violation of law. The fourth routine use allows disclosure of records to contractors for the purpose of processing or refining records in the system. OCR is proposing to add two new routine uses. The fifth and new routine use allows records to be disclosed to student volunteers, individuals working under a personal services contract, and other individuals performing functions for the Department but technically not having the status of agency employees, if they need access to the records in order to perform their assigned agency functions. The new sixth and final routine use allows referrals of Age Discrimination Act Complaints to the Federal Mediation and Conciliation Service (FMCS) for purposes of mediation.

The following amended notice is written in the present, rather than future tense, in order to avoid the unnecessary expenditure of public funds to modify the amended notice after the system has become effective.

09-90-0052

System Name:

“Program Information Management System (PIMS), HHS/OS/OCR.”

Security Classification:

None.

System Location:

The automated portion of the system is maintained at OCR Headquarters. Paper files are maintained in headquarters and regional offices as noted in Appendix I.

Categories of Individuals Covered by the System:

Covered individuals include persons who file complaints alleging discrimination or violation of their rights or other violations under the statutes identified below (Authority for Maintenance) and covered entities (e.g., service providers) that are individuals and not organization or institutions, investigated by OCR as a result of complaints filed or through reviews conducted by OCR. Covered individuals also include persons who submit correspondence to OCR related to other compliance activities, (e.g., outreach and public education) and other correspondence unrelated to a complaint or review and requiring responses by OCR. In addition, OCR employees who use the system to record the status of their work are covered.

Categories of Records in the System:

The system encompasses a variety of records having to do with complaints, reviews, and correspondence. The complaint files and log include complaint allegations, information gathered during the complaint investigation, findings and results of the investigation, and correspondence relating to the investigation, as well as status information for all complaints. This component of PIMS is exempt from the notification, access, correction and amendment provisions of the Privacy Act (see below: Systems Exempted From Certain Provisions of the Act). Equivalent types of information are maintained for reviews and correspondence activities—namely information gathered, findings, results, correspondence and status.

Authority for Maintenance of the System:

Title VI of the 1964 Civil Rights Act; Sections 533, 542, 794, 855, 1947 and 1908 of the Public Health Service Act; Sections 504 and 508 of the Rehabilitation Act of 1973: Title II of the Americans with Disabilities Act of 1990; the Age Discrimination Act of 1975; the Equal Employment Opportunity Provisions of the Public Telecommunications Financing Act of 1978; Title VI and Title XVI of the Public Health Service Act (the “community services obligation” of facilities funded under the Act); Title IX of the 1972 Education Amendments; Section 407 of the Drug Abuse Office and Treatment Act; Section 321 of the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970; Section 508 of the Social Security Act, the Family Violence Prevention and Services Act; Low-Income Home Energy Assistance Act of 1981; Section 1808 of the Small Business Job Protection Act of 1996; the Health Insurance Portability and Accountability Act of 1996; and the Patient Safety and Quality Improvement Act of 2005 (Patient Safety Act).

Purpose(s) of the System:

PIMS is used by OCR staff and consists of an electronic repository of information and documents, and supplementary paper document files. PIMS effectively combines and replaces OCR's two previous systems of records, the “Case Information Management System (CIMS), HHS/OS/OCR, 09-90-0050,” and the “Complaint File and Log, HHS/OS/OCR 09-00-0051,” into a single integrated system with enhanced Start Printed Page 8736electronic storage, retrieval and tracking capacities. While the types of information collected and stored in PIMS is the same as the information collected in CIMS and the Complaint File and Log, PIMS allows OCR to manage more effectively the information that it does collect. The system is designed to allow OCR to integrate all of OCR's various business processes, including all its compliance activities, to allow for real time access and results reporting and other varied information management needs. PIMS provides: (1) A single, central, electronic, repository of all significant OCR documents and information, including investigative files, correspondence, administrative records, policy and procedure manuals and other documents and information developed or maintained by OCR; (2) easy, robust capability to search all the information in OCR's repository; (3) better quality control at the front end with simplified data entry and stronger data validation; (4) tools to help staff work on and manage their casework, and (5) supplementary paper document files. The system has the capacity to generate reports concerning the status of all current and closed complaints, reviews and correspondence, and allows OCR to track outreach, training and other activities and to locate and retrieve information in order to manage more efficiently its work and report results. In addition, PIMS allows for the tracking of work assignments to employees to facilitate workload balancing, timely response to complaints and completion of reviews, and outreach and public education initiatives focused on organizations and individuals.

Routine Uses of Records Maintained in the System, Including Categories or Users and the Purposes of Such Uses:

The Privacy Act allows us to disclose information without an individual's consent if the information is to be used for a purpose that is compatible with the purpose(s) for which the information was collected. Any such compatible use of data is known as a “routine use.” The routine uses in this system meet the compatibility requirement of the Privacy Act. We are establishing the following routine use disclosures of information maintained in the system:

I. The first routine use for this system, permitting disclosure to a congressional office, allows subject individuals to obtain assistance from their representatives in Congress, should they so desire. Such disclosure would be made only pursuant to the request of the individual.

II. The second routine use allows disclosure to the Department of Justice or a court in the event of litigation.

III. The third routine use allows referral to the appropriate agency, in the event that a System of Records maintained by this agency to carry out its functions indicates a violation or potential violation of law.

IV. The fourth routine use allows disclosure of records to contractors for the purpose of processing or refining records in the system.

V. The fifth routine use allows records to be disclosed to student volunteers, individuals working under a personal services contract, and other individuals performing functions for the Department but technically not having the status of agency employees, if they need access to the records in order to perform their assigned agency functions.

VI. The sixth routine use allows referrals of Age Discrimination Act Complaints to the Federal Mediation and Conciliation Service (FMCS) for purposes of mediation.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System:

Storage:

Automated records are maintained on magnetic disc and tape back-up. Paper records are kept in file folders.

Retrievability:

Records are indexed by transaction number, but may be retrieved by name, street address, and other complainant or covered entity characteristic (such as type of entity, city, state and type of service provided) by OCR staff engaged in compliance activities.

Safeguards:

The PIMS system conforms to applicable law and policy governing the privacy and security of Federal automated information systems. These include but are not limited to: the Privacy Act of 1974, Computer Security Act of 1987, the Paperwork Reduction Act of 1995, the Clinger-Cohen Act of 1996, and OMB Circular A-130, Appendix, III, “Security of Federal Automated Information Resources.” OCR has prepared a system security plan as required by OMB Circular A-130, Appendix III. This plan conforms fully to guidance issued by the National Institute for Standards and Technology (NIST) in NIST Special Publication 800-18, “Guide for Developing Security Plans for Information Technology Systems.” The plan includes conduct of a risk assessment that addresses the confidentiality and integrity of the data.

Only authorized users have access to the information in the system. Categories of users include: OCR investigators, regional and headquarters managers, team leaders, OCR budget and Government Performance and Results Act planning staff, program and policy staff, and data analysts. Specific access is structured around need and is determined by the person's role in the organization. Access is managed through the use of electronic access control lists, which regulate the ability to read, change and delete information in the system. Each OCR user has read access to designated information in the system, with the ability to modify only their own submissions or those of others within their region or group. Data identified as confidential is so designated and only specified individuals are granted access. The system maintains an audit trail of all actions against the data base.

All electronic data is stored on servers maintained in locked facilities with computerized access control allowing access to only those support personnel with a demonstrated need for access. A database is kept of all individuals granted security card access to the room, and all visitors are escorted while in the room. The server facility has appropriate environmental security controls, including measures to mitigate damage to automated information system resources caused by fire, electricity, water and inadequate climate controls.

Access control to servers, individual computers and databases includes a required user log-on with a password, inactivity lockout to systems based on a specified period of time, legal notices and security warnings at log-on, and remote access security that allows user access for remote users (e.g., while on government travel) under the same terms and conditions as for users within the office. System administrators have appropriate security clearance.

Printed materials are filed in secure cabinets in secure Federal buildings with access based on need as described above for the automated component of the PIMS system.

Retention And Disposal:

Documents related to complaints and reviews are retained at OCR for two years from the date the complaint is closed and then are archived at the National Archives and Records Administration for 15 years. Correspondence is retained for one year following the end of the fiscal year in which processed.

System Manager and Address:

PIMS Project Manager, Resource Management Division, Office for Civil Start Printed Page 8737Rights, 200 Independence Ave. SW., Room 509F, Washington, DC 20201.

Notification Procedure:

Contact System Manager (above). Include name and address of complainant, and name of the recipient against which the allegation was filed. The Department is exempting all investigative records from this provision (see below: Records Exempted).

Record Access Procedure:

Same as notification procedures. Requesters should also reasonably specify the record contents being sought. Requests should be made to the system manager (above). The Department is exempting all investigative records from this provision (see below: Records Exempted).

Contesting Record Procedure:

Contact the official(s) at the address specified under System Manager, and reasonably identify the record and specify the information to be contested and corrective action sought with supporting justification. (These procedures are in accordance with Department Regulations (45 CFR 5b.7) Federal Register, October 8, 1975, page 47411.) The Department is exempting all investigative records from this provision (see below: Records Exempted).

Record Source Categories:

Information is provided by complainants and covered entities.

System Records Exempted From Certain Provisions Of The Act:

OCR investigative records maintained in PIMS, either as paper records or electronic documents are records compiled for law enforcement purposes are exempt under subsection (k)(2) from the notification, access, correction and amendment provisions of the Privacy Act.

Appendix Number 1—System Locations:

This system is located at HHS offices in the following cities.

Headquarters, PIMS Project Manager, Resource Management Division, Office for Civil Rights, 200 Independence Ave., SW., Room 509F, Washington, DC 20201.

Region I, Regional Manager, OCR/HHS, J.F. Kennedy Federal Building—Room 1875 Boston, Massachusetts 02203.

Region II, Regional Manager, OCR/HHS, 26 Federal Plaza—Suite 3312, New York, NY 10278.

Region III, Regional Manager, OCR/HHS, 150 S. Independence Mall West, Suite 372, Public Ledger Building, Philadelphia, PA 19106.

Region IV, Regional Manager, OCR/HHS, Atlanta Federal Center, Suite 3B70, 61 Forsyth Street, SW., Atlanta, GA 30303.

Region V, Regional Manager, OCR/HHS, 233 N. Michigan Ave, Suite 240, Chicago, IL 60601.

Region VI, Regional Manager, OCR/HHS, 1301 Young Street, Suite 1169, Dallas, TX 75202.

Region VII, Regional Manager, OCR/HHS, 601 E. 12th Street—Room 248, Kansas City, MO 64106.

Region VIII, Regional Manager, OCR/HHS, Federal Office Building, 1961 Stout Street—Room 1185, Denver, CO 80294.

Region IX, Regional Manager, OCR/HHS, 50 United Nations Plaza—Room 322, San Francisco, CA 94102.

Region X, Regional Manager, OCR/HHS, 2201 Sixth Avenue—Suite 900, Seattle, WA 98121.