AGENCY:

Department of Health and Human Services.

ACTION:

Notice of a New System of Records, and Rescindment of a System of Records.

SUMMARY:

In accordance with the requirements of the Privacy Act of 1974, as amended, the Department of Health and Human Services (HHS) is establishing a new department-wide system of records, 09-90-2001, Records Used for Surveillance and Study of Epidemics, Preventable Diseases and Problems. The new system of records replaces, and is broader than, a similar system of records maintained by HHS' Centers for Disease Control and Prevention (CDC), which HHS is rescinding in this notice, 09-20-0113 Epidemic Investigation Case Records.

DATES:

The new department-wide system of records is applicable July 20, 2020, subject to a 30-day period in which to comment on the routine uses. The rescindment of the CDC system of records is applicable August 19, 2020. Submit any comments by August 19, 2020.

ADDRESSES:

The public should address written comments by email to beth.kramer@hhs.gov or by mail to Beth Kramer, HHS Privacy Act Officer, FOIA/Privacy Act Division, Office of the Assistant Secretary for Public Affairs, 200 Independence Ave. SW, Washington, DC 20201.

FOR FURTHER INFORMATION CONTACT:

General questions about the new system of records and the related rescindments may be submitted by email to beth.kramer@hhs.gov or by mail to Beth Kramer, HHS Privacy Act Officer, FOIA/Privacy Act Division, Office of the Assistant Secretary for Public Affairs, 200 Independence Ave. SW, Washington, DC 20201.

SUPPLEMENTARY INFORMATION:

In the winter and spring of 2020, spread of the novel coronavirus, SARS-CoV-2, which causes the disease known as COVID-19, required HHS to expand its recordkeeping in order to respond to the pandemic. Prior to 2020, CDC maintained records about epidemiological studies and surveillance of disease problems. However, HHS' experience during the COVID-19 pandemic made clear that other components, not just CDC, must collect epidemiologic and public health surveillance records about individuals to support the Department's response. For example, the Office of the Assistant Secretary for Health (OASH) is managing records about tests for COVID-19 or its antibodies, some of which are subject to the Privacy Act.

Therefore, the Department has decided to expand the existing system of records of the CDC, 09-20-0113 Epidemic Investigation Case Records, and re-establish it under a new system number and name as a department-wide system of records covering all parts of the Department that may maintain epidemiological and surveillance records necessary to support the Department's response to the pandemic.

The new department-wide system of records includes the records covered in CDC system of records 09-20-0113, which HHS rescinds in this notice, but is broader in that it covers records used for surveillance and investigation of epidemics, preventable diseases and health problems maintained by any component of HHS, not just CDC. This department-wide system of records notice (SORN) differs from the CDC SORN it is replacing in these additional respects:

• It is formatted to comply with OMB Circular A-108.
• The System Manager section includes updated contacts for CDC records, and adds contacts for OASH records and “records maintained by other HHS components.”
• The Authorities section includes one additional authority not included in the CDC SORN: 42 U.S.C. 247d-6d.
• The Purpose description is department-wide.
• The Categories of Individuals section uses different wording from, but identifies the same categories of individuals as, the CDC SORN.
• The Categories of Records section identifies the categories as “medical records and related documents,” including “case reports, lab requisition Start Printed Page 43860forms, patient consent forms, assurance statements, analytical testing data, questionnaires, and contact tracing reports.” The CDC SORN lists only medical histories and case reports.
• The Record Source Categories section includes these additional categories not listed in the CDC SORN: Subject individuals' family members or other caregivers; Tribal health departments; health care providers and laboratories; and contractors (for example, call centers) engaged by HHS.
• The Routine Uses section establishes these routine uses, similar versions of which are in the CDC SORN:

○ Routine use 3 (authorizing disclosures to state, local, and Tribal health departments and authorities and to patients' private health care providers); routine use 5 (authorizing disclosures to a congressional office in responding to constituent inquiries); routine use 6 (authorizing disclosures to the Department of Justice in litigation); and routine uses 8 and 9 (authorizing disclosures to relevant agencies in order to respond to a privacy or security incident experienced by HHS or another federal agency).

• The Routine Uses section also establishes these routine uses which are not in the CDC SORN:

○ Routine use 1 (authorizing disclosures to HHS contractors and agents);

○ Routine use 2 (authorizing disclosures to student volunteers and other non-employees functioning akin to HHS employees);

○ Routine use 4 (authorizing disclosures to researchers for research purposes); and

○ Routine use 7 (authorizing disclosures to the National Archives and Records Administration (NARA) in records management inspections).

• The Storage section describes the storage media as “hard copy files and electronic media.” The CDC SORN includes some now outdated forms of electronic storage media.
• The Retrieval section identifies not only name but “any assigned identification number” as the personal identifiers used for retrieval.
• The Retention section identifies several CDC records disposition schedules approved by NARA and one General Records Schedule applicable to other records, and makes clear that the Department will retain unscheduled records indefinitely until NARA approves schedules for the records. The CDC SORN describes one retention period (“maintained in agency for four years [and] destroyed. . .when 20 years old, unless needed for further study”).
• The Safeguards section describes department-wide procedures.
• The procedures for making an access request, amendment request, or notification request state that the request must be made in writing to the applicable System Manager, and list these additional identifying particulars to include in a request: Address; date of birth; and any assigned identification number (if known).

Because HHS is replacing CDC system of records 09-20-0113 with new HHS system of records 09-90-2001, HHS is rescinding CDC system of records 09-20-0113 as duplicative of 09-90-2001. The CDC records described in CDC SORN 09-20-0113 that are still maintained will, upon rescindment of that SORN, be maintained under new system of records 09-90-2001.

HHS provided advance notice of the new system of records and the related rescindment to the Office of Management and Budget and Congress as required by 5 U.S.C. 552a(r) and OMB Circular A-108.

SYSTEM NAME AND NUMBER:

Records Used for Surveillance and Study of Epidemics, Preventable Diseases and Problems, 09-90-2001.

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

The addresses of the HHS components responsible for this system of records are as shown in the System Manager(s) section, below.

SYSTEM MANAGER(S):

The System Managers are:

• For records maintained by the Centers for Disease Control and Prevention (CDC):

○ Information Systems Security Officer (ISSO), National Center for Emerging and Zoonotic Infectious Diseases (NCEZID), Mailstop H16-5, 1600 Clifton Rd. NE, Atlanta, GA 30333, (800) 232-4636 (800-CDC-INFO).

○ Information Systems Security Officer (ISSO), Center for Surveillance, Epidemiology, and Laboratory Services (CSELS), Mailstop V24-6, 2400 Century Pkwy., Atlanta, GA 30345, (800) 232-4636 (800-CDC-INFO).

• For records maintained by the Office of the Assistant Secretary for Health (OASH):

○ Deputy Chief Information Officer, Office of the Assistant Secretary for Health (OASH), 200 Independence Ave. SW, Washington, DC 20201, (202) 821-5116, donald.burgess@hhs.gov.

• For records maintained by other HHS components:

○ HHS Privacy Act Officer, FOIA/Privacy Act Division, Office of the Assistant Secretary for Public Affairs (ASPA), 200 Independence Ave. SW, Washington, DC 20201, (202) 690-7453, FOIARequest@hhs.gov.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Public Health Service Act, sec. 301, Research and Investigation (42 U.S.C. 241); secs. 304, 306, and 308(d), which discuss authority to grant assurances of confidentiality for health research and related activities (42 U.S.C. 242b, 242k, and 242m(d)); sec. 361, Quarantine and Inspection, Control of Communicable Diseases (42 U.S.C. 264); and sec. 361F-3, Public Readiness and Emergency Preparedness Act (42 U.S.C. 247d-6d).

PURPOSE(S) OF THE SYSTEM:

The system of records enables HHS to understand disease patterns in the United States, develop programs for prevention and control of health problems, and communicate new knowledge to the health community.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The records are about these categories of individuals:

• Individuals who have been diagnosed with, are suspected of having, or are at risk of having a disease or preventable condition of public health significance, their contacts, and others with possible exposure.
• Individuals who are control group participants.

CATEGORIES OF RECORDS IN THE SYSTEM:

The categories of records are medical records and related documents, including: Case reports, lab requisition forms, patient consent forms, assurance statements, analytical testing data, questionnaires, and contact tracing reports.

RECORD SOURCE CATEGORIES:

The records or information in the records is obtained directly from the subject individuals or their family members or other caregivers, or is obtained from state, local, and Tribal health departments; physicians, laboratories, and other health care providers; or contractors (for example, call centers) engaged by HHS.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

In addition to other disclosures authorized directly in the Privacy Act at Start Printed Page 438615 U.S.C. 552a(b)(1) and (2) and (b)(4) through (11), HHS may disclose records about an individual from this system of records to parties outside HHS as described in these routine uses, without the subject individual's prior written consent.

Routine uses 3 through 9 do not apply to records maintained under an assurance of confidentiality provided under section 308(d) of the Public Health Service Act (42 U.S.C. 242m(d)); such disclosures would be made of such records only if expressly authorized in the individual's consent form or stipulated in the Assurance Statement.

1. Records may be disclosed to HHS contractors, consultants, agents, or others (including other federal agencies) engaged by HHS to assist with accomplishment of an HHS function relating to the purposes of this system of records and who need to have access to the records in order to assist HHS.

2. Records may be disclosed to student volunteers, individuals working under a personal services contract, and other individuals performing functions for HHS who do not technically have the status of agency employees, if they need the records in the performance of their agency functions.

3. Records may be disclosed to federal, state, local, and Tribal health departments, other cooperating medical authorities, or other appropriate entities or organizations assisting or coordinating with HHS, including patients' private health care providers, in order for them to take measures to control, prevent, or treat disease; to conduct follow-up activities with patients and others contacted, or tested during investigations; and to carry out program activities or collaborative efforts to deal more effectively with diseases and conditions of public health significance.

4. A record may be disclosed for a research purpose to a federal, state or Tribal agency or grantee organization, or a research entity (e.g., university, hospital, clinic, research foundation, national association or coordinating center), when HHS:

(A) Has determined that the use or disclosure does not violate legal or policy limitations under which the record was provided, collected, or obtained.

(B) Has determined that the research purpose:

(1) Cannot be reasonably accomplished unless the record is provided in individually identifiable form, and

(2) warrants the risk to the privacy of the individual that additional exposure of the record might bring.

(C) Has required the recipient to:

(1) Establish reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of the record,

(2) remove or destroy the information that identifies the individual at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the research project, unless the recipient has presented adequate justification of a research or health nature for retaining such information, and

(3) make no further use or disclosure of the record except:

(a) In emergency circumstances affecting the health or safety of any individual,

(b) for use in another research project, under these same conditions, and with written authorization of HHS,

(c) for disclosure to a properly identified person for the purpose of an audit related to the research project, if information that would enable research subjects to be identified is removed or destroyed at the earliest opportunity consistent with the purpose of the audit, or

(d) when required by law; and

(D) Has secured a written statement attesting to the recipient's understanding of, and willingness to abide by these provisions.

5. Disclosure may be made to a congressional office from the record of an individual in response to a verified inquiry from the congressional office made at the written request of that individual.

6. Information may be disclosed to the Department of Justice (DOJ) or to a court or other adjudicative body in litigation or other proceedings when:

a. HHS or any of its components, or

b. any employee of HHS acting in the employee's official capacity, or

c. any employee of HHS acting in the employee's individual capacity where the DOJ or HHS has agreed to represent the employee, or

d. the United States Government, is a party to the proceeding or has an interest in the proceeding and, by careful review, HHS determines that the records are both relevant and necessary to the proceeding.

7. Records may be disclosed to representatives of the National Archives and Records Administration during records management inspections conducted pursuant to 44 U.S.C. 2904 and 2906.

8. Records may be disclosed to appropriate agencies, entities, and persons when (1) HHS suspects or has confirmed that there has been a breach of the system of records, (2) HHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the federal government, or national security, and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

9. Records may be disclosed to another federal agency or federal entity, when HHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the federal government, or national security, resulting from a suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

Records are stored in hard copy files and electronic media.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Records are retrieved by the individual record subject's name or assigned identification number, if any.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

Records are retained and disposed of in accordance with applicable disposition schedules. Any unscheduled records will be retained indefinitely, until they have been scheduled with the National Archives and Records Administration and have become eligible for disposition under those schedules.

Disposition schedule applicable to certain short-term OASH records:

• Transitory Records, General Records Schedule 5.2, item 010: Destroyed when no longer needed for business use, or according to agency predetermined time period or business rule.

Disposition schedules applicable to CDC records:

• Passenger Manifest Records, N1-442-08-001: Maintained for one year after the records are retired or the investigation is no longer active, and destroyed in quarterly cycles.
• Scientific and Research Project Records, N1-442-09-001: Precedent-setting projects: Permanently retained. Significant and/or secondary projects: Start Printed Page 43862Retained for at least 11 years and not longer than 30 years after retired or no longer needed on-site.
• Survey Records, N1-442-88-001: Destroyed after nine years, or earlier. Pre-test questionnaires are destroyed two years after pre-test or after any analysis is complete, whichever is earlier. Research supporting documents are destroyed when no longer needed, or after five years.
• National Health and Nutrition Examination Survey (NHANES I) Epidemiological Follow Up Study Records (NHFES), N1-442-90-001: Source documents are retained for 30 years.
• Human Immunodeficiency Virus/Acquired Immunodeficiency Syndrome (HIV/AIDS) Surveillance Database Records, N1-442-91-001: Permanently retained.
• Epidemiologic Databases, N1-442-91-002: Permanently retained.
• Specimen Handling for Testing Databases and Related Records, N1-442-91-005: Records used in answering inquiries about test results are destroyed when no longer needed for administrative purposes.
• Swine Flu Program Records, N1-442-91-006: Retained permanently or for 20 years.
• Poliomyelitis and Vaccine Files, N1-442-91-008: Destroyed when no longer needed for research or administrative purposes.
• Center for Infectious Diseases Electronic Systems and Related Records, N1-442-91-012: Depending on the nature of the record, records are permanently retained, or are destroyed when 10 years old, when 20 years old, or when no longer needed for administrative purposes.
• Acquired Immune Deficiency Syndrome (AIDS) Epidemic Charts, N1-442-94-001: Permanently retained.
• National Immunization Program Records, N1-442-97-001: Depending on the nature of the record, records are permanently retained or are destroyed when no longer needed for administrative, scientific, and legal purposes or when 30 years old.
• Smallpox Eradication Program Records, N1-442-99-001: Permanently retained.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

Safeguards conform to the HHS Information Security and Privacy Program, http://www.hhs.gov/​ocio/​securityprivacy/​index.html. HHS safeguards these records in accordance with applicable laws, rules and policies, including the HHS Information Technology Security Program Handbook; the E-Government Act of 2002, which includes the Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. 3541-3549, as amended by the Federal Information Security Modernization act of 2014, 44 U.S.C. 3551-3558; pertinent National Institutes of Standards and Technology (NIST) publications; and OMB Circular A-130, Managing Information as a Strategic Resource. HHS protects the records from unauthorized access through appropriate administrative, physical, and technical safeguards. These safeguards include protecting the facilities where records are stored or accessed with security guards, badges and cameras; securing hard-copy records in locked file cabinets, file rooms or offices during off-duty hours; controlling access to physical locations where records are maintained and used by means of combination locks and identification badges issued only to authorized users; limiting access to electronic databases to authorized users based on roles and either two-factor authentication or password protection; using a secured operating system protected by encryption, firewalls, and intrusion detection systems; requiring encryption for records stored on removable media; and training personnel in Privacy Act and information security requirements. Records that are eligible for destruction are disposed of using secure destruction methods prescribed by NIST SP 800-88.

RECORD ACCESS PROCEDURES:

An individual seeking access to records about that individual in this system of records must submit a written access request to the applicable System Manager identified in the “System Manager” section of this SORN. The request must contain the requester's full name, address, and signature, and should also include helpful identifying particulars, such as: The requester's date of birth, any assigned identification number (if known), and the approximate date, place, and nature of the questionnaire, test, study, or other activity in which the requester participated. So that HHS may verify the requester's identity, the requester's signature must be notarized or the request must include the requester's written certification that the requester is the individual who the requester claims to be and that the requester understands that the knowing and willful request for or acquisition of a record pertaining to an individual under false pretenses is a criminal offense subject to a fine of up to $5,000.

CONTESTING RECORD PROCEDURES:

An individual seeking to amend a record about that individual in this system of records must submit an amendment request to the applicable System Manager identified in the “System Manager” section of this SORN, containing the same information required for an access request. The request must include verification of the requester's identity in the same manner required for an access request; must reasonably identify the record and specify the information contested, the corrective action sought, and the reasons for requesting the correction; and should include supporting information to show how the record is inaccurate, incomplete, untimely, or irrelevant.

NOTIFICATION PROCEDURES:

An individual who wishes to know if this system of records contains records about that individual should submit a notification request to the applicable System Manager identified in the “System Manager” section of this SORN. The request must contain the same information required for an access request, and must include verification of the requester's identity in the same manner required for an access request.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

None.

NOTICE OF RESCINDMENT:

For the reasons explained at the end of the Supplementary Information section, HHS rescinds the following system of records as duplicative of new system of records 09-90-2001:

SYSTEM NAME AND NUMBER:

Epidemic Investigation Case Records, 09-20-0113.

HISTORY:

51 FR 42449 (Nov. 24, 1986); updated in part at 54 FR 47904 (Nov. 17, 1989), 56 FR 66733 (Dec. 24, 1991), 57 FR 62811 (Dec. 31, 1992), 58 FR 69048 (Dec. 29, 1993), 76 FR 4452 (Jan. 25, 2011), 83 FR 6591 (Feb. 14, 2018).