AGENCY:

Office of the Secretary (OS), Department of Health and Human Services (HHS).

ACTION:

Notice of a modified system of records.

SUMMARY:

In accordance with the requirements of the Privacy Act of 1974, as amended, HHS is altering an existing department-wide system of records, “Records About Restricted Dataset Requesters,” System Number 09-90-1401. This system of records covers records about individuals within and outside HHS who request restricted datasets and software products from HHS (e.g., for health-related scientific research and study purposes), when HHS maintains the requester records in a system from which they are retrieved directly by an individual requester's name or other personal identifier. The system of records currently covers records maintained by three HHS Operating Divisions. It is being altered to include records maintained by a fourth Operating Division, the National Institutes of Health (NIH), and to include three revised and five new routine uses, some of which will apply to all records in the system and some of which will apply to only NIH's records. The alterations affect the System Locations, Legal Authorities, Purposes, Retention, System Manager, and Routine Uses sections of the System of Records Notice (SORN).

DATES:

In accordance with 5 U.S.C. 552a(e)(4) and (11), this notice is applicable March 14, 2018, subject to a 30-day period in which to comment on the new and revised routine uses, described below. Please submit any comments by April 13, 2018.

ADDRESSES:

The public should submit written comments, by mail or email, to Beth Kramer, HHS Privacy Act Officer, 200 Independence Avenue SW, Suite 729H, Washington, DC 20201, or beth.kramer@hhs.gov. Comments received will be available for review at this location without redaction, unless otherwise advised by the commenter. To review comments in person, please contact Beth Kramer at beth.kramer@hhs.gov or (202) 690-6941.

FOR FURTHER INFORMATION CONTACT:

General questions about the system of records should be submitted by mail, email, or phone to Beth Kramer, HHS Privacy Act Officer, at 200 Independence Avenue SW, Suite 729H, Washington, DC 20201; beth.kramer@hhs.gov or (202) 690-6941.

SUPPLEMENTARY INFORMATION:

This department-wide system of records was established April 2015 (see 80 FR 17447) and has not been previously revised. It covers records about individuals within and outside HHS who request restricted datasets and software products from HHS, when HHS maintains the requester records in a system from which they are retrieved directly by an individual requester's name or other personal identifier. It currently includes records maintained by three HHS Operating Divisions. It is being revised to add records maintained by a fourth Operating Division, the National Institutes of Health (NIH), which NIH plans to begin retrieving directly by personal identifier, and to include three revised and five new routine uses, some of which will apply to all records in the system and some of which will apply to only NIH's records.

The alterations made to add NIH's records affect the System Location, Legal Authorities, Purposes, Retention, System Manager, and Routine Uses sections of the System of Records Notice (SORN). One new purpose was added to the “Purposes” section, which will apply to all records, not just NIH records, stating that records may be used to evaluate accomplishment of HHS functions related to the purposes of this system of records and to evaluate performance of contractors utilized by HHS to accomplish those functions. Minor wording and formatting changes have been made throughout the SORN to conform to the SORN template prescribed in OMB Circular A-108. The new and revised routine uses are as follows:

• Routine use 1 has been revised to add “including ancillary functions, such as compiling reports and evaluating program effectiveness and contractor performance.”
• Routine use 2 has been revised to add “including ancillary functions” and to add a last sentence stating: “For example, disclosure may be made to qualified experts not within the definition of HHS employees as prescribed in HHS regulations, for opinions as a part of the controlled data access process.”
• Routine use 10 has been revised to use wording prescribed in OMB Memorandum M-17-12 issued January 3, 2017.
• Routine uses 11 through 15 are new. Routine use 11 is a new routine use prescribed by OMB Memorandum M-17-12.

“Restricted” datasets and software products are those that HHS makes affirmatively available to qualified members of the public but provides subject to restrictions, because they contain identifiable data and/or anonymized data that has the potential, when combined with other data, to identify the particular individuals, such as patients or providers, whose information is represented in the data. The datasets and products are made available through an on-line or paper-based ordering and delivery system that provides them to qualified requesters electronically or by mail.

The restrictions are necessary to protect the privacy of individuals whose information is represented in the datasets or software products. The restrictions typically limit the data requester to using the data for research, analysis, study, and aggregate statistical reporting; prohibit any attempt to identify any individual or establishment represented in the data; and require specific security measures to safeguard the data from unauthorized access. HHS is required by law to impose, monitor, and enforce the restrictions (see, for example, provisions in the Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA), 44 U.S.C. 3501 at note). To impose and Start Printed Page 11214enforce the restrictions, it is necessary to collect information about the data requesters.

The altered system of records will cover requester records retrieved by requesters' personal identifiers in the following four systems or any successor systems, but only to the extent that the records pertain to requesters seeking restricted datasets:

• Agency for Healthcare Research and Quality (AHRQ) “Online Application Ordering for Products from the Healthcare Cost and Utilization Project (HCUP).” HCUP is an online system established in 2013; it makes restricted databases and software available for qualified applicants to purchase for scientific research and public health use. Applicants may be researchers, patients, consumers, practitioners, providers, policy makers, or educators. The HCUP databases are annual files containing anonymous information from hospital discharge records for inpatient care and certain components of outpatient care. The HCUP software tools enhance the use of the data. The online system supports AHRQ's mission of promoting improvements in health care quality.
• Centers for Medicare & Medicaid Services (CMS) DUA tracking system. A new data use agreement (DUA) tracking system went into production in 2015 and replaced the previous system, “Data Agreement & Data Shipping Tracking System (DADSS).” The DUA system tracks authorization, payment status, shipping status, and ownership of restricted and unrestricted data extracts between CMS, its contractors, and other authorized entities.
• National Institutes of Health (NIH) “Controlled Data Access Systems.” NIH supports “NIH-designated data repositories,” which archive and distribute controlled-access de-identified human data and results from scientific studies under the NIH Genomic Data Sharing Policy. Controlled-access data in NIH-designated data repositories are made available for secondary research only after investigators have obtained approval from NIH to use the requested data for a particular project. The National Center for Biotechnology Information database of Genotypes and Phenotypes (dbGaP) serves as a central portal to submit, locate, and request access to controlled-access human genomic (e.g., GWAS, sequencing, expression, epigenomic) data. The dbGaP's capacity and functionality are extended by repositories managed by public or private organizations through structured partnerships (“trusted partnerships”) established by NIH through a contract mechanism. Information about investigators, Institutional Signing Officials, and other users of NIH-designated controlled access repositories may be located and viewed by approved staff using the dbGaP or trusted partner-managed systems. Sharing research data supports the mission of the NIH and is essential to facilitate the translation of research results into knowledge, products, and procedures that improve human health.
• Substance Abuse and Mental Health Services Administration (SAMHSA) “Online Application for the Data Portal (SAMHDA).” This online data portal was established in 2013 to more efficiently make restricted datasets from SAMHSA available to designated, approved researchers. The Data Portal and all applications are maintained through the Substance Abuse and Mental Health Data Archive (SAMHDA). Currently, data from the Drug Abuse Warning Network (DAWN), DAWN Medical Examiner/Coroner component, National Survey on Drug Use and Health (NSDUH), and NSDUH Adult Clinical Interview data are available through the portal. Data recipients must complete a web-based application process and receive project approval from SAMHSA's Center for Behavioral Health and Statistics and Quality (CBHSQ), and can use the datasets for statistical purposes only. No fees are charged for the datasets. The online portal supports SAMHSA' s mission to make substance use and mental disorder information and research more accessible.

Note that this system of records does not include:

• Records about requesters who seek unrestricted datasets, publications, or other information products from an HHS on-line or paper-based ordering and delivery system. Unrestricted materials are also proactively made available to the public by HHS, but are released without restrictions (though some may be subject to terms or conditions of use and require registration for an account and payment of a fee). Because the requests or order forms collect minimal information about the requester (i.e., the requester's name, mailing address or email address, telephone number, or other contact or delivery information, and payment information if a fee is imposed) they would be adequately covered by other SORNs (for example, “Correspondence Tracking Management System (CTMS)” SORN #09-70-3005; “Consumer Mailing List” SORN #09-90-0041; and “HHS Financial Management System Records” SORN #09-90-0024 if a fee is involved), if a SORN is required (i.e., if the records are retrieved directly by an individual requester's name or other personal identifier). Examples include records about requesters who order materials online from AHRQ's Publications Online Store & Clearinghouse or by mail from AHRQ's Publications Clearinghouse, which provide only unrestricted publications and other information products; and records about requesters ordering unrestricted datasets from CMS's DUA tracking system, which processes orders for both restricted and unrestricted datasets.
• Records about data requesters that are not retrieved directly by an individual requester's name or other personal identifier. These records are not subject to the Privacy Act and are not required to be covered in a SORN, even when they are associated with a restricted dataset and include additional information about the requester (such as, the requester's intended research purpose, qualifications, signed Data Use Agreement, and confidentiality training certificate). An example would be requester records that are retrieved first by a dataset identifier and/or a requesting entity's name, and then by an individual researcher's or record custodian's name.

A report on the altered system of records has been sent to OMB and Congress in accordance with 5 U.S.C. 552a(r).

SYSTEM NAME AND NUMBER:

Records About Restricted Dataset Requesters, 09-90-1401

SECURITY CLASSIFICATION:

Unclassified

SYSTEM LOCATION:

The address of each agency component responsible for the system of records is:

• AHRQ: HCUP Project Officer, Center for Delivery, Organization, and Markets, 540 Gaither Road, Rockville, MD 20850.
• CMS: DUA tracking system, Division of Data and Information Dissemination, Data Development and Services Group, Office of Enterprise Data and Analytics, Centers for Medicare & Medicaid Services, 7500 Security Boulevard, Mailstop: B2-29-04, Office Location: B2-03-37, Baltimore, MD 21244-1870.
• NIH: Office of the Director, Office of Science Policy, Division of Scientific Start Printed Page 11215Data Sharing Policy, 6705 Rockledge Drive, Suite 750, Bethesda, MD 20817.
• SAMHSA: SAMHDA Project Officer, CBHSQ, 5600 Fisher's Lane, Rockville, MD 20857.

SYSTEM MANAGER(S):

• AHRQ: HCUP Project Officer, Center for Delivery, Organization, and Markets, 540 Gaither Road, Rockville, MD 20850; Telephone: 301-427-1410; HCUP@AHRQ.GOV.
• CMS: DUA tracking system, Division of Data and Information Dissemination, Data Development and Services Group, Office of Enterprise Data and Analytics, Centers for Medicare & Medicaid Services, 7500 Security Boulevard, Mailstop: B2-29-04, Office Location: B2-03-37, Baltimore, MD 21244-1870.
• NIH: Office of the Director, Office of Science Policy, Division of Scientific Data Sharing Policy, 6705 Rockledge Drive, Suite 750, Bethesda, MD 20817.
• SAMHSA: SAMHDA Project Officer, CBHSQ, 5600 Fisher's Lane, Rockville, MD 20857. (“SAMHDA” refers to Substance Abuse and Mental Health Data Archive.)

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

The following legal authorities authorize the collection and maintenance of these records:

• AHRQ: 42 U.S.C. 299-299a; 42 U.S.C. 299c-2.
• CMS: 5 U.S.C. 552a(e)(10); 45 CFR 164.514(e); 44 U.S.C. 3544; 42 U.S.C. 1306.
• NIH: 42 U.S.C. 217a, 241, 281, 282, 284; 48 CFR Subpart 15.3; E.O. 13478.
• SAMHDA: 42 U.S.C. 290aa(d)(l); 44 U.S.C. 3501(8)

See also: CIPSEA, codified at 44 U.S.C. 3501 note.

PURPOSE(S) OF THE SYSTEM:

The purposes of this system of records are to provide restricted datasets and software products to qualified data requesters in a timely and efficient manner and consistent with applicable laws, and to enable HHS to enforce data requesters' compliance with use and security restrictions that apply to the data. Relevant HHS personnel use the records on a need-to-know basis for those purposes; specifically:

• Contact and user registration information is used to communicate with the requester, enable the requester to access requested data electronically (for example, the requester's email address would be used to register the requester to use a public access web portal or link, and to notify the requester when data has been delivered electronically to his registered account), locate the requester (e.g., for on-site inspections or to otherwise check compliance with the data use agreement), and deliver and track data provided by mail (e.g., to document receipt for enforcement purposes and report lost shipments to security personnel).
• Qualifications, planned use of the data, confidentiality training information, signed data use agreement, data receipt information, on-site inspection information, and information about data breaches or contract violations is used to grant the request (consistent with data use restrictions) or deny the request, bind the requester to the applicable data use restrictions and other security requirements, conduct on-site inspections or otherwise check the requester's compliance with the data use agreement, enforce the agreement if breached, and share information about data breaches and contract violations with other HHS components administering restricted dataset requests involving the same requesters.
• Payment information is used to collect any applicable fee. Any payment information shared with HHS accounting and debt collection systems is also covered under the accounting and debt collection systems' SORNs and is subject to the routine uses published in those SORNs (see, e.g., HHS Financial Management System Records, SORN #09-90-0024; and Debt Management and Collection System, SORN #09-40-0012).
• Any of the above records could be used to evaluate accomplishment of HHS functions related to the purposes of this system of records and to evaluate performance of contractors utilized by HHS to accomplish those functions.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Individuals within and outside HHS who request restricted datasets and software products that HHS makes proactively available to qualified members of the public, usually for health-related scientific research and study purposes. Examples include individual researchers and records custodians, project officers, or other representatives of entities such as universities, government agencies, and research organizations.

CATEGORIES OF RECORDS IN THE SYSTEM:

Categories of records include:

• Request records, containing the requester's name and contact information (telephone number, mailing address, email address), affiliated entity (e.g., if making the request as a records custodian or other employee), and a description of the dataset requested.
• Order fulfillment records, containing user registration information such as email address and IP address (if the requester is provided access to the dataset electronically through a public access web portal or link) or mailing information (if the dataset is mailed to the requester on a disk or other media), and tracking information (providing proof of delivery).
• Data use restriction records, containing the requester's identification, contact, and affiliated entity information, qualifications, intended use of the data (e.g., study name, contract number), confidentiality training documentation (e.g., a coded number indicating the individual completed required confidentiality training), signed and notarized data use agreement documents (e.g., Affidavit of Nondisclosure; Declaration of Nondisclosure; Confidential Data Use and Nondisclosure Agreement (CDUNA); Individual Designations of Agent; DUA number and expiration date), tracking information, and any on-site inspection information.
• Payment records (if a fee is charged), consisting of the requester's credit card account name, number, and billing address, or bank routing number and checking account name, address, and number.

RECORD SOURCE CATEGORIES:

Information in this system of records is obtained directly from the individual data requester to whom it applies, or is derived from information supplied by the individual or provided by HHS officials.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

Information about an individual data requester may be disclosed to parties outside HHS, without the individual's prior, written consent, as provided in these routine uses:

1. Disclosures may be made to federal agencies and Department contractors that have been engaged by HHS to assist in accomplishment of an HHS function relating to the purposes of this system of records (including ancillary functions, such as compiling reports and evaluating program effectiveness and contractor performance) and that have a need to have access to the records in order to assist HHS in performing the activity. Any contractor will be required to comply with the requirements of the Privacy Act.

2. Records may be disclosed to student volunteers, individuals working Start Printed Page 11216under a personal services contract, and other individuals performing functions (including ancillary functions) relating to the purposes of this system of records for the Department but technically not having the status of agency employees, if they need access to the records in order to perform their assigned agency functions. For example, disclosure may be made to qualified experts not within the definition of HHS employees as prescribed in HHS regulations, for opinions as a part of the controlled data access process.

3. CMS records may be disclosed to a CMS contractor (including but not limited to Medicare Administrative Contractors, fiscal intermediaries, and carriers) that assists in the administration of a CMS-administered health benefits program, or to a grantee of a CMS-administered grant program, when disclosure is deemed reasonably necessary by CMS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy, or otherwise combat fraud, waste, or abuse in such program.

4. Records may be disclosed to another federal agency or an instrumentality of any governmental jurisdiction within or under the control of the United States (including any state or local governmental agency) that administers federally funded programs, or that has the authority to investigate, potential fraud, waste or abuse in federally funded programs, when disclosure is deemed reasonably necessary by HHS to prevent, deter, discover, detect, investigate, examine, prosecute, sue with respect to, defend against, correct, remedy or otherwise combat fraud, waste or abuse in such programs.

5. When a record on its face, or in conjunction with other records, indicates a violation or potential violation of law, whether civil, criminal or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule, or order issued pursuant thereto, disclosure may be made to the appropriate public authority, whether federal, foreign, state, local, tribal, or otherwise, responsible for enforcing, investigating or prosecuting the violation or charged with enforcing or implementing the statute, rule, regulation, or order issued pursuant thereto, if the information disclosed is relevant to the enforcement, regulatory, investigative, or prosecutorial responsibility of the receiving entity.

6. Information may be disclosed to the U.S. Department of Justice (DOJ) or to a court or other tribunal, when:

a. the agency or any component thereof, or

b. any employee of the agency in his or her official capacity, or

c. any employee of the agency in his or her individual capacity where DOJ has agreed to represent the employee, or

d. the United States Government,

is a party to litigation or has an interest in such litigation and, by careful review, HHS determines that the records are both relevant and necessary to the litigation and that, therefore, the use of such records by the DOJ, court or other tribunal is deemed by HHS to be compatible with the purpose for which the agency collected the records.

7. Records may be disclosed to a federal, foreign, state, local, tribal, or other public authority of the fact that this system of records contains information relevant to the hiring or retention of an employee, the retention of a security clearance, the letting of a contract, or the issuance or retention of a license, grant or other benefit. The other agency or licensing organization may then make a request supported by the written consent of the individual for further information if it so chooses. HHS will not make an initial disclosure unless the information has been determined to be sufficiently reliable to support a referral to another office within the agency or to another federal agency for criminal, civil, administrative, personnel, or regulatory action.

8. Information may be disclosed to a Member of Congress or Congressional staff member in response to a written inquiry of the Congressional office made at the written request of the constituent about whom the record is maintained. The Congressional office does not have any greater authority to obtain records than the individual would have if requesting the records directly.

9. Records may be disclosed to the U.S. Department of Homeland Security (DHS) if captured in an intrusion detection system used by HHS and DHS pursuant to a DHS cybersecurity program that monitors internet traffic to and from federal government computer networks to prevent a variety of types of cybersecurity incidents.

10. Disclosures may be made to appropriate agencies, entities, and persons when (1) HHS suspects or has confirmed that there has been a breach of the system of records; (2) HHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

11. Disclosure may be made to another Federal agency or Federal entity, when HHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

12. Disclosure of past performance information pertaining to contractors engaged by HHS to assist in accomplishment of an HHS function relating to the purposes of this system of records may be made to a federal agency upon request and may include information about dataset requesters.

13. NIH dataset requester records may be included in records disclosed to governmental or authorized non-governmental entities with a signed data access agreement for system data that includes records about individuals requesting and receiving restricted datasets, to use in compiling reports (such as, on the composition of biomedical and/or research workforce; authors of publications attributable to federally-funded research; information made available through third-party systems as permitted by applicants or awardees for agency grants or contracts; or grant payment information reported to federal databases).

14. When records about a requester of an NIH restricted dataset are related to an award or application for award under an NIH award program, the dataset requester records may be disclosed to the award applicant, principal investigator(s), institutional officials, trainees or others named in the application, or institutional service providers for purposes of application preparation, review, or award management, and to the public consistent with reporting and transparency standards and to the extent disclosure to the public would not cause an unwarranted invasion of personal privacy.

15. HHS may disclose records from this system of records to the National Archives and Records Administration (NARA), General Services Administration (GSA), or other relevant Start Printed Page 11217Federal Government agencies in connection with records management inspections conducted under the authority of 44 U.S.C. 2904 and 2906.

Information about a dataset requester may also be disclosed from this system of records to parties outside HHS without the individual's consent for any of the uses authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(2) and (b)(4)-(11).

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

Records are stored in electronic databases and hard-copy files. CMS's DUA tracking system records may also be stored on portable media.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Records are retrieved by the data requester's name, registrant/user name, User ID Number, email address, or data use agreement (DUA) number.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

Records needed to enforce data use restrictions are retained for 20 years by AHRQ (see DAA-0510-2013-0003-0001), 5 years by CMS (see Nl-440-10-04), and 3 years by NIH (see DAA-0443-2013-0004-0004) after the agreement is closed, and may be kept longer if necessary for enforcement, audit, legal, or other purposes. The equivalent SAMHSA records will be retained indefinitely until a disposition schedule is approved by the National Archives and Records Administration (NARA). SAMHSA anticipates proposing a 5 year retention period to NARA. Records of payments made electronically are transmitted securely to a Payment Card Industry-compliant payment gateway for processing and are not stored. Records of payments made by check, purchase order, or wire transfer are disposed of once the funds have been received. Records are disposed of using destruction methods prescribed by NIST SP 800-88.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

Records are safeguarded in accordance with applicable laws, rules and policies, including the HHS Information Technology Security Program Handbook, all pertinent National Institutes of Standards and Technology (NIST) publications, and OMB Circular A-130, Managing Information as a Strategic Resource. Records are protected from unauthorized access through appropriate administrative, physical, and technical safeguards. Safeguards conform to the HHS Information Security and Privacy Program, http://www.hhs.gov/​ocio/​securityprivacy/​.

The safeguards include protecting the facilities where records are stored or accessed with security guards, badges and cameras, securing hard-copy records in locked file cabinets, file rooms or offices during off-duty hours, limiting access to electronic databases to authorized users based on roles and the principle of least privilege, and two-factor authentication (user ID and password), using a secured operating system protected by encryption, firewalls, and intrusion detection systems, using an SSL connection for secure encrypted transmissions, requiring encryption for records stored on removable media, and training personnel in Privacy Act and information security requirements.

RECORD ACCESS PROCEDURES:

An individual who wishes to know if this system of records contains records about him or her should submit a written request to the relevant System Manager at the address indicated above. The individual must verify his or her identity by providing either a notarized request or a written certification that the requester is who he or she claims to be and understands that the knowing and willful request for acquisition of a record pertaining to an individual under false pretenses is a criminal offense under the Privacy Act, subject to a five thousand dollar fine.

CONTESTING RECORD PROCEDURES:

An individual seeking to amend the content of information about him or her in this system should contact the relevant System Manager and reasonably identify the record, specify the information contested, state the corrective action sought, and provide the reasons for the amendment, with supporting justification.

NOTIFICATION PROCEDURES:

An individual who wishes to know if this system of records contains records about him or her should submit a written request to the relevant System Manager at the address indicated above. The individual must verify his or her identity by providing either a notarized request or a written certification that the requester is who he or she claims to be and understands that the knowing and willful request for acquisition of a record pertaining to an individual under false pretenses is a criminal offense under the Privacy Act, subject to a five thousand dollar fine.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

80 FR 17447 (April 1, 2015).