AGENCY:

Office for Civil Rights (OCR), Department of Health and Human Services (HHS or the Department).

ACTION:

Notice of modified or altered System of Records (SOR).

SUMMARY:

In accordance with the Privacy Act, we are proposing to modify or alter an existing SOR, “Program Information Management System (PIMS),” System No. 09-90-0052, published at 67 FR 57011, September 6, 2002. First, we propose to add a new authority, the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5), to those under which OCR collects information. Second, we propose to add three new purposes of the PIMS system. Third, we propose to add six new routine uses to the PIMS system. Fourth, we propose to expand the categories of information stored in the PIMS system to include information that covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates report to the Secretary with respect to a breach of protected health information. See Effective Dates section for comment period.

DATES:

Effective Dates: OCR filed a system report with the Chair of the House Committee on Government Reform and Oversight, the Chair of the Senate Committee on Homeland Security and Governmental Affairs, and the Administrator, Office of Information and Regulatory Affairs, Office of Management and Budget (OMB) on March 30, 2010. Comments on this SOR may be submitted within 40 days from the publication of the notice, or from the date it was submitted to OMB and the Congress, whichever is later. The SOR, including routine uses, will become effective at the end of the 40-day period, unless OCR receives comments that require alterations to this notice.

ADDRESSES:

You may submit comments by any of the following methods (please do not submit duplicate comments):

• Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. Attachments should be in Microsoft Word, WordPerfect, or Excel; however, we prefer Microsoft Word.
• Regular, Express, or Overnight Mail: U.S. Department of Health and Human Services, Office for Civil Rights, Attention: PIMS System of Records, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 20201. Please submit one original and two copies.
• Hand Delivery or Courier: Office for Civil Rights, Attention: PIMS System of Records, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 20201. Please submit one original and two copies. (Because access to the interior of the Hubert H. Humphrey Building is not readily available to persons without Federal government identification, commenters are encouraged to leave their comments in the mail drop slots located in the main lobby of the building.)

Inspection of Public Comments: All comments received before the close of the comment period will be available for public inspection, including any personally identifiable or confidential business information that is included in a comment. We will post all comments received before the close of the comment period at http://www.regulations.gov. Because Start Printed Page 18842comments will be made public, they should not include any sensitive personal information, such as a person's social security number; date of birth; driver's license number, state identification number or foreign country equivalent; passport number; financial account number; or credit or debit card number. Comments also should not include any sensitive health information, such as medical records or other individually identifiable health information.

FOR FURTHER INFORMATION CONTACT:

For further information contact: PIMS Project Manager, Management Operations Division, Office for Civil Rights, 200 Independence Ave., SW., Room 509F, Washington, DC 20201. Telephone number: (202) 619-2888.

SUPPLEMENTARY INFORMATION:

The system of records (i.e., PIMS) described in the OCR's Privacy Act notice, 67 FR 57011 (Sept. 6, 2002), is used by OCR staff and consists of an electronic repository of information and documents, and supplementary paper document files. PIMS effectively combined and replaced OCR's two previous systems of records, (CIMS and the Complaint File and Log), into a single, integrated system with enhanced electronic storage, retrieval, and tracking capacities that allows OCR to manage more effectively the information that it collects. PIMS was modified to add a new authority, the Patient Safety and Quality Improvement Act of 2005, and altered to add two new routine uses in OCR's Privacy Act notice at 72 FR 8734 (Feb. 27, 2007).

The Privacy Act permits OCR to disclose information or records pertaining to an individual without that individual's consent if the information is to be used for a purpose that is compatible with the purpose(s) for which the information was collected, 5 U.S.C. 552a(b)(3). Any such disclosure is known as a “routine use.” The PIMS system conforms to applicable law and policy governing the privacy and security of Federal automated information systems. These include but are not limited to: The Privacy Act of 1974, Federal Information Security Management Act of 2002, Computer Security Act of 1987, the Paperwork Reduction Act of 1995, the Clinger-Cohen Act of 1996, and OMB Circular A-130, Appendix, III, “Security of Federal Automated Information Resources.”

OCR has prepared a system security plan as required by OMB Circular A-130, Appendix III. This plan conforms fully to guidance issued by the National Institute for Standards and Technology (NIST) in NIST Special Publication 800-18, “Guide for Developing Security Plans for Information Technology Systems.” The plan includes performance of a risk assessment that addresses the confidentiality and integrity of the data. Only authorized users have access to the information in the system.

Specific access is structured around need and is determined by the person's role in the organization. Access is managed through the use of electronic access control lists, which regulate the ability to read, change, and delete information in the system. Each OCR user has read access to designated information in the system, with the ability to modify only their own submissions or those of others within their region or group. Data identified as confidential is so designated and only specified individuals are granted access. The system maintains an audit trail of all actions against the data base. All electronic data is stored on servers maintained in locked facilities with computerized access control allowing access to only those support personnel with a demonstrated need for access. A database is kept of all individuals granted security card access to the room, and all visitors are escorted while in the room. The server facility has appropriate environmental security controls, including measures to mitigate damage to automated information system resources caused by fire, electricity, water, and inadequate climate controls. Access control to servers, individual computers and databases includes a required user log-on with a password, inactivity lockout to systems based on a specified period of time, legal notices and security warnings at log-on, and remote access security that allows user access for remote users (e.g., while on government travel) under the same terms and conditions as for users within the office. System administrators have appropriate security clearance. Printed materials are filed in secure cabinets in secure Federal buildings with access based on need as described above for the automated component of the PIMS system.

Section 13402(e)(3) of the HITECH Act requires HIPAA covered entities to provide notice to the Secretary of the Department of Health and Human Services (HHS or the Department) of a breach of unsecured protected health information. Notice to the Secretary is required immediately if a breach affects 500 or more individuals and annually for breaches affecting fewer than 500 individuals. Section 13402(e)(4) of the HITECH Act requires the Secretary to make available to the public on the HHS Web site a list that identifies each covered entity involved in a breach affecting more than 500 individuals. To implement these HITECH provisions, HHS published an interim final rule on August 24, 2009 (74 FR 42740). Section 164.408(a) of the regulations published in the interim final rule requires covered entities to notify the Secretary of breaches of unsecured protected health information. Section 164.408(b) requires breaches that affect 500 or more individuals to be reported to the Secretary contemporaneously with notice to the individual—that is, without unreasonable delay and in no case later than 60 calendar days after a covered entity discovers a breach (subject to a law enforcement delay as provided in section 164.412). Section 164.408(c) sets out the annual reporting for breaches affecting fewer than 500 individuals. Covered entities are required to report these breaches in the manner specified on the HHS Web site. A breach report form that has been approved by OMB for collection of this information can be found at http://transparency.cit.nih.gov/​breach/​index.cfm. A breach report must be filed through this Web site.

Accordingly, this notice modifies PIMS by adding a new authority for maintenance of the system, identifies three new purposes of the PIMS system, adds new routine uses of the PIMS system, and expands the categories of information stored in the PIMS system. In addition to the new routine uses proposed because of breach notification requirements under the HITECH Act, one proposed new routine use regards responding to breaches of personally identifiable information within the Department, consistent with Office of Management and Budget (OMB) Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, dated May 22, 2007. Another proposed new routine use regards disclosing relevant personally identifiable information including the identity of covered entities and business associates to obtain information relevant and necessary to investigate violations and potential violations, as well as to conduct compliance reviews, of the Federal laws and regulations OCR has legal authority to enforce. The last new proposed routine use regards allowing OCR to disclose relevant information to the public to inform the public of the results of investigations and compliance reviews of the Federal laws and regulations that OCR has legal authority to enforce, after OCR determines that Start Printed Page 18843the disclosure would not constitute an unwarranted invasion of personal privacy. OCR expects these modifications will not result in any unwarranted invasion of personal privacy.

OCR proposes to add the following authority for maintenance of the PIMS system: section 13402 of the HITECH Act, part of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5).

OCR proposes to add the following three new purposes of the PIMS system: (1) To collect, maintain, and post on the HHS Web site a list of covered entities that experience breaches of unsecured protected health information affecting more than 500 individuals using information reported to the Secretary by covered entities (or a business associate on behalf of a covered entity) as required by section 13402(e) of the HITECH Act; (2) to develop an annual report to Congress, as required by section 13402(i) of the HITECH Act, regarding breach notification using information reported to the Secretary by covered entities (or a business associate on behalf of a covered entity) under section 13402(e) of the HITECH Act; and (3) to provide technical assistance, training, and guidance materials regarding breaches of protected health information.

OCR proposes to establish the following six new routine use disclosures of information for PIMS. Each routine use is compatible with a stated purpose of the system.

I. The first new routine use allows OCR to post on its Web site, as required by section 13402(e)(4) of the HITECH Act, information reported by a covered entity (or a business associate on behalf of a covered entity) to the Secretary pursuant to section 13402(e)(3) of the HITECH Act that identifies covered entities that experience breaches of unsecured protected health information affecting more than 500 individuals.

II. The second new routine use allows OCR to disclose information regarding breaches of unsecured protected health information in an annual report to Congress, as required by section 13402(i) of the HITECH Act, regarding the number and nature of the breaches reported to the Secretary and actions taken in response to such breaches.

III. The third new routine use allows OCR to disclose information regarding breaches of unsecured protected health information to the public and to appropriate Federal agencies and Department contractors to provide technical assistance, training, and guidance materials, after OCR determines that the disclosure would not constitute an unwarranted invasion of personal privacy.

IV. The fourth new routine use allows OCR to disclose information to appropriate Federal agencies and Department contractors that have a need to know the information for the purpose of assisting the Department's efforts to respond to a suspected or confirmed breach of security or confidentiality of information maintained in this system of records, and the information disclosed is relevant and necessary for that assistance.

V. The fifth new routine use allows OCR to disclose information to third party contacts, including public and private organizations, to investigate violations and potential violations, as well as to conduct compliance reviews, of the Federal laws and regulations that OCR has legal authority to enforce.

VI. The sixth new routine use allows OCR to disclose relevant information to the public to inform the public of the results of investigations and compliance reviews of the Federal laws and regulations that OCR has legal authority to enforce, after OCR determines that the disclosure would not constitute an unwarranted invasion of personal privacy.

OCR proposes to add the following category of information included in the PIMS system: Information that HIPAA covered entities (or a business associate on behalf of a covered entity) (defined in 45 CFR 160.103) are required to provide to HHS to fulfill their breach notification requirements to the Secretary pursuant to section 13402(e) of the HITECH Act. This information includes the name, address, and contact information of the covered entity or business associate, as well as the contact name of the individual at the covered entity or business associate that reported the breach of protected health information.

OCR will continue to collect only information that is necessary to perform the PIMS functions. We only disclose the minimum personal data necessary to achieve the purpose of PIMS. Disclosure of information from the system will be approved only to the extent necessary to accomplish the purpose of the disclosure. Further, OCR continues to take precautionary measures to minimize the risks of unauthorized access to the records and the potential harm to individual privacy or other individual rights. In addition, OCR makes disclosures from the PIMS system only with consent of the subject individual, or his/her legal representative, or in accordance with an applicable exception provision of the Privacy Act. OCR, therefore, believes that no unfavorable effect on individual privacy will result from the modifications and alterations to PIMS proposed herein.

The following notice is written in the present, rather than the future tense, to avoid the unnecessary expenditure of public funds to republish the notice after the system has become effective.

09-90-0052

SYSTEM NAME:

“Program Information Management System” (PIMS) (09-90-0052) HHS/OS/OCR.

SECURITY CLASSIFICATION:

None.

SYSTEM LOCATION:

The automated portion of the system is maintained at OCR Headquarters. Paper files are maintained in headquarters and regional offices as noted in Appendix I.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Covered individuals include persons who file complaints alleging discrimination or violation of their rights or other violations under the statutes identified below (Authority for Maintenance) and covered entities (e.g., health care providers) that are individuals and not organizations or institutions, investigated by OCR as a result of complaints filed or through reviews conducted by OCR. Covered individuals also include persons who submit correspondence to OCR related to other compliance activities (e.g., outreach and public education), and other correspondence unrelated to a complaint or review and requiring responses by OCR. Covered individuals also include covered entities and business associates (that are individuals and not organizations or institutions), as defined in 45 CFR 160.103, who report breaches of protected health information by submitting a breach report through the HHS Web site. In addition, OCR employees that use the system to record the status of their work are covered by the system.

CATEGORIES OF RECORDS IN THE SYSTEM:

The system encompasses a variety of records having to do with complaints, reviews, correspondence, and reports of breaches of protected health information. For example, the system includes records containing individual names, Social Security numbers (SSN), tax identification numbers (TIN), Start Printed Page 18844addresses, dates of birth, provider names and addresses, physicians' names, prescriber identification numbers, assigned provider numbers (facility, referring/servicing physician), and/or other identification numbers of HIPAA covered entities.

The complaint files and log include complaint allegations, information gathered during the complaint investigation, findings and results of the investigation, and correspondence relating to the investigation, as well as status information for all complaints. This component of PIMS is exempt from the notification, access, correction and amendment provisions of the Privacy Act (see below: Systems Exempted From Certain Provisions of the Act). Equivalent types of information are maintained for reviews and correspondence activities—namely, information gathered, findings, results, correspondence and status.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Authority for the collection, maintenance, and disclosures from this system is given under Title VI of the 1964 Civil Rights Act; Sections 533, 542, 794, 855, 1947 and 1908 of the Public Health Service Act; Sections 504 and 508 of the Rehabilitation Act of 1973; Title II of the Americans with Disabilities Act of 1990; the Age Discrimination Act of 1975; the Equal Employment Opportunity Provisions of the Public Telecommunications Financing Act of 1978; Title VI and Title XVI of the Public Health Service Act (the “community services obligation” of facilities funded under the Act); Title IX of the 1972 Education Amendments; Section 407 of the Drug Abuse Office and Treatment Act; Section 321 of the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970; Section 508 of the Social Security Act; the Family Violence Prevention and Services Act; Low-Income Home Energy Assistance Act of 1981; Section 1808 of the Small Business Job Protection Act of 1996; the Health Insurance Portability and Accountability Act of 1996; the Patient Safety and Quality Improvement Act of 2005 (Patient Safety Act); and section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

PURPOSE(S) OF THE SYSTEM:

PIMS is used by OCR staff and consists of an electronic repository of information and documents, and supplementary paper document files. PIMS effectively combines and replaces OCR's two previous systems of records, the “Case Information Management System (CIMS), HHS/OS/OCR, 09-90-0050,” and the “Complaint File and Log, HHS/OS/OCR 09-00-0051,” into a single, integrated system with enhanced electronic storage, retrieval and tracking capacities that allows OCR to manage more effectively the information it collects.

The system is designed to allow OCR to integrate all of OCR's various business processes, including all its compliance activities, to allow for real time access and results reporting and other varied information management needs. PIMS provides: (1) A single, central, electronic repository of all significant OCR documents and information, including investigative files, correspondence, administrative records, policy and procedure manuals and other documents and information developed or maintained by OCR; (2) easy, robust capability to search all the information in OCR's repository; (3) better quality control at the front end with simplified data entry and stronger data validation; (4) tools to help staff work on and manage their casework, and (5) supplementary paper document files. The system has the capacity to generate reports concerning the status of all current and closed complaints, reviews, and correspondence; track outreach, training, and other activities; and to locate and retrieve information, and report results, in order to manage more efficiently OCR's work. In addition, PIMS allows for the tracking of work assignments to employees to facilitate workload balancing, timely response to complaints and completion of reviews, and outreach and public education initiatives focused on organizations and individuals.

PIMS also is used by OCR: (1) To collect, maintain, and post on the HHS Web site a list of covered entities that experience breaches of unsecured protected health information affecting more than 500 individuals using information reported to the Secretary by covered entities (or a business associate on behalf of a covered entity) as required by section 13402(e) of the HITECH Act; (2) to develop an annual report to Congress, as required by section 13402(i) of the HITECH Act, regarding breach notification using information reported to the Secretary by covered entities (or a business associate on behalf of a covered entity) pursuant to section 13402(e) of the HITECH Act; and (3) to provide technical assistance, training, and guidance regarding breaches of protected health information.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OR USERS AND THE PURPOSES OF SUCH USES:

The Privacy Act allows us to disclose information without an individual's consent if the information is to be used for a purpose that is compatible with the purpose(s) for which the information was collected. Any such compatible use of data is known as a “routine use.” The routine uses in this system meet the compatibility requirement of the Privacy Act. The following are the routine use disclosures of information maintained in the PIMS system:

I. The first routine use for this system, permitting disclosure to a congressional office, allows subject individuals to obtain assistance from their representatives in Congress, should they so desire. Such disclosure would be made only pursuant to the request of the individual.

II. The second routine use allows disclosure to the Department of Justice or a court in the event of litigation.

III. The third routine use allows referral to the appropriate agency, in the event that a System of Records maintained by this agency to carry out its functions indicates a violation or potential violation of law.

IV. The fourth routine use allows disclosure of records to contractors for the purpose of processing or refining records in the system.

V. The fifth routine use allows records to be disclosed to student volunteers, individuals working under a personal services contract, and other individuals performing functions for the Department but technically not having the status of agency employees, if they need access to the records in order to perform their assigned agency functions.

VI. The sixth routine use allows referrals of Age Discrimination Act complaints to the Federal Mediation and Conciliation Service (FMCS) for purposes of mediation.

VII. The seventh routine use allows OCR to post on its Web site, as required by section 13402(e)(4) of the HITECH Act, information reported by a covered entity (or a business associate on behalf of a covered entity) to the Secretary pursuant to section 13402(e)(3) of the HITECH Act that identifies covered entities that experience breaches of unsecured protected health information affecting more than 500 individuals.

VIII. The eighth routine use allows OCR to disclose information regarding breaches of unsecured protected health information in an annual report to Congress, as required by section 13402(i) of the HITECH Act, regarding the number and nature of the breaches Start Printed Page 18845reported to the Secretary and actions taken in response to such breaches.

IX. The ninth routine use allows OCR to disclose information regarding breaches of unsecured protected health information to the public and to appropriate Federal agencies and Department contractors to provide technical assistance, training, and guidance materials, after OCR determines that the disclosure would not constitute an unwarranted invasion of personal privacy.

X. The tenth routine use allows OCR to disclose information to appropriate Federal agencies and Department contractors that have a need to know the information for the purpose of assisting the Department's efforts to respond to a suspected or confirmed breach of security or confidentiality of information maintained in this system of records, and the information disclosed is relevant and necessary for that assistance.

XI. The eleventh routine use allows OCR to disclose information to third party contacts, including public and private organizations, to investigate violations and potential violations, as well as to conduct compliance reviews, of the Federal laws and regulations that OCR has legal authority to enforce.

XII. The twelfth routine use allows OCR to disclose relevant information to the public to inform the public of the results of investigations and compliance reviews of the Federal laws and regulations that OCR has legal authority to enforce, after OCR determines that the disclosure would not constitute an unwarranted invasion of personal privacy.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:

STORAGE:

Automated records are maintained on magnetic disc and tape back-up. Paper records are kept in file folders.

RETRIEVABILITY:

Records are indexed by transaction number, but may be retrieved by name, street address, and other complainant, covered entity, or business associate characteristic (such as type of entity, city, state, and type of service provided).

SAFEGUARDS:

The PIMS system conforms to applicable law and policy governing the privacy and security of Federal automated information systems. These include but are not limited to: the Privacy Act of 1974, Federal Information Security Management Act of 2002, Computer Security Act of 1987, the Paperwork Reduction Act of 1995, the Clinger-Cohen Act of 1996, and OMB Circular A-130, Appendix, III, “Security of Federal Automated Information Resources.” OCR has prepared a system security plan as required by OMB Circular A-130, Appendix III. This plan conforms fully to guidance issued by the National Institute for Standards and Technology (NIST) in NIST Special Publication 800-18, “Guide for Developing Security Plans for Information Technology Systems.” The plan includes conduct of a risk assessment that addresses the confidentiality and integrity of the data. Only authorized users have access to the information in the system. Categories of users include: OCR investigators, regional and headquarters managers, team leaders, OCR budget and Government Performance and Results Act planning staff, program and policy staff, and data analysts. Specific access is structured around need and is determined by the person's role in the organization. Access is managed through the use of electronic access control lists, which regulate the ability to read, change, and delete information in the system. Each OCR user has read access to designated information in the system, with the ability to modify only their own submissions or those of others within their region or group. Data identified as confidential is so designated and only specified individuals are granted access. The system maintains an audit trail of all actions against the data base.

All electronic data is stored on servers maintained in locked facilities with computerized access control allowing access to only those support personnel with a demonstrated need for access. A database is kept of all individuals granted security card access to the room, and all visitors are escorted while in the room. The server facility has appropriate environmental security controls, including measures to mitigate damage to automated information system resources caused by fire, electricity, water, and inadequate climate controls.

Access control to servers, individual computers, and databases includes a required user log-on with a password, inactivity lockout to systems based on a specified period of time, legal notices and security warnings at log-on, and remote access security that allows user access for remote users (e.g., while on government travel) under the same terms and conditions as for users within the office. System administrators have appropriate security clearance. Printed materials are filed in secure cabinets in secure Federal buildings with access based on need as described above for the automated component of the PIMS system.

RETENTION AND DISPOSAL:

Documents related to breaches are retained at OCR for two years from the date the breach is reported and then are archived at the National Archives and Records Administration for 15 years. Correspondence is retained for one year following the end of the fiscal year in which processed.

SYSTEM MANAGER AND ADDRESS:

PIMS Project Manager, Management Operations Division, Office for Civil Rights, 200 Independence Ave., SW., Room 509F, Washington, DC 20201.

NOTIFICATION PROCEDURE:

Contact System Manager (above). Include name and address of complainant, and name of the recipient against which the allegation was filed. The Department is exempting all investigative records from this provision (see below: Records Exempted).

RECORD ACCESS PROCEDURE:

Same as notification procedures. Requesters also should reasonably specify the record contents being sought. Requests should be made to the system manager (above). The Department is exempting all investigative records from this provision. (See below: Records Exempted).

CONTESTING RECORD PROCEDURE:

Contact the official(s) at the address specified under System Manager, and reasonably identify the record and specify the information to be contested and corrective action sought with supporting justification. (These procedures are in accordance with Department Regulations (45 CFR 5b.7) The Department is exempting all investigative records from this provision (see below: Records Exempted).

RECORD SOURCE CATEGORIES:

Information is provided by complainants, covered entities, and business associates.

SYSTEM RECORDS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:

OCR investigative records maintained in PIMS, either as paper records or electronic documents, are records compiled for law enforcement purposes and are exempt under subsection (k)(2) from the notification, access, correction, and amendment provisions of the Privacy Act.Start Printed Page 18846

APPENDIX NUMBER 1—SYSTEM LOCATIONS:

This system is located at HHS offices in the following cities:

Headquarters, PIMS Project Manager, Management Operations Division, Office for Civil Rights, 200 Independence Ave., SW., Room 509F, Washington, DC 20201.

Region I, Regional Manager, OCR/HHS, J.F. Kennedy Federal Building—Room 1875 Boston, MA 02203.

Region II, Regional Manager, OCR/HHS, 26 Federal Plaza—Suite 3312, New York, NY 10278.

Region III, Regional Manager, OCR/HHS, 150 S. Independence Mall West, Suite 372, Public Ledger Building, Philadelphia, PA 19106-9111.

Region IV, Regional Manager, OCR/HHS, Atlanta Federal Center, Suite 3B70, 61 Forsyth Street, SW., Atlanta, GA 30303-8909.

Region V, Regional Manager, OCR/HHS, 233 N. Michigan Ave, Suite 240, Chicago, IL 60601.

Region VI, Regional Manager, OCR/HHS, 1301 Young Street, Suite 1169, Dallas, TX 75202.

Region VII, Regional Manager, OCR/HHS, 601 E. 12th Street—Room 248, Kansas City, MO 64106.

Region VIII, Regional Manager, OCR/HHS, Federal Office Building, 1961 Stout Street—Room 1426 FOB, Denver, CO 80294-3538.

Region IX, Regional Manager, OCR/HHS, 90 7th Street, Suite 4-100, San Francisco, CA 94103.

Region X, Regional Manager, OCR/HHS, 2201 Sixth Avenue— M/S: RX-11, Seattle, WA 98121-2290.