2022-16344. Privacy Act of 1974; System of Records  

  • Start Preamble Start Printed Page 46967

    AGENCY:

    Health Resources and Services Administration (HRSA), Department of Health and Human Services (HHS).

    ACTION:

    Notice of a modified system of records.

    SUMMARY:

    In accordance with the requirements of the Privacy Act of 1974 as amended, HHS is publishing notice of modifications to system of records 09-15-0055, “Organ Procurement and Transplantation Network (OPTN)/Scientific Registry of Transplant Recipients (SRTR) Data System,” maintained by HRSA, Health Systems Bureau.

    DATES:

    In accordance with 5 U.S.C. 552a(e)(4) and (11), this notice is applicable August 1, 2022, subject to a 30-day period in which to comment on the new routine uses, described below. Please submit any comments by August 31, 2022.”

    ADDRESSES:

    The public should address written comments on the system of records to Christopher McLaughlin, email address donation@hrsa.gov.

    Start Further Info

    FOR FURTHER INFORMATION CONTACT:

    General questions about the system of records may be submitted to Christopher McLaughlin, email donation@hrsa.gov, telephone (301) 443-7577. This is not a toll-free number.

    End Further Info End Preamble Start Supplemental Information

    SUPPLEMENTARY INFORMATION:

    Explanation of Changes

    The revised system of records notice (SORN) for System No. 09-15-0055 includes these substantive changes:

    1. Updates the System Location and System Manager sections to reflect the responsible HRSA Bureau's current name (“Healthcare” Systems Bureau is now “Health” Systems Bureau) and to reflect a change in the contractor for the Scientific Registry of Transplant Recipients (SRTR).

    2. Updates the Authorities section, which previously cited 42 U.S.C. 274 as authorizing maintenance of network information, 42 U.S.C. 274a as authorizing maintenance of registry information, and implementing regulations at 42 CFR part 121, to now also indicate which specific subsections of 42 U.S.C. 274 are applicable and to add 42 U.S.C. 273a, which authorizes maintenance of information needed to evaluate long-term effects associated with living donations.

    3. Revises the Purpose(s) section to expand the purpose description at (2) to include “. . . OPTN bylaws and policies, including risks to the health of patients or to the public safety” in place of “. . . OPTN requirements” and to add two new purpose descriptions at (6) and (7).

    4. Expands the Categories of Individuals section to include four new categories at 4 through 7, to remove “deceased” persons from whom organs have been obtained from category 1, and to include a note stating that all categories are limited to living individuals (because only records about living individuals are governed by the Privacy Act and pertinent to the SORN).

    5. Revises the Categories of Records section to include an introductory statement that the records consist of all information needed for organ matching and placement and follow-up; to clarify that donor registration information is collected about prospective donors whether or not they become donors; to add “address” and change “gender” to “sex at birth” in the list of data elements; and to remove “living” and “deceased” from the descriptions.

    6. Updates the Record Source Categories section to include individuals' health care providers and CMS and other organizations as additional sources of information in the records.

    7. Adds three new routine uses and revises three existing routine uses authorizing disclosures to non-HHS parties:

    ○ New routine use 2 will allow disclosure of records to the OPTN Board of Directors, Committees, and Review Boards, in the event they need access to identifiable information about an individual for their deliberations, to do the work required of them.

    ○ Routine use 3 (formerly 2), which authorizes disclosures to transplant centers, histocompatibility laboratories, organ procurement organizations, and various other listed entities, has been revised to replace “organ donors” with “living individuals who are potential deceased or potential living organ donors;” to update the list of disclosure recipients to omit “the Transplant Transmission Sentinel Network” and shorten “NCI contractors, State cancer registries and other State health agencies” to “State registries and State health agencies;” and to remove redundant wording that repeats part of the definition of a routine use ( i.e., “provided that such disclosure is compatible with the purpose for which the records were collected”).

    ○ Routine use 4 (formerly 3), which authorizes disclosures to the Department of Justice (DOJ) in the event of litigation against HHS or against an HHS employee or the United States affecting HHS, has been revised to add “a court or other tribunal” as disclosure recipients.

    ○ New routine use 5 will allow disclosure of records to DOJ or to a court or other tribunal in the event of pending or potential litigation involving HHS or the United States as a plaintiff, intervenor, or amicus; the OPTN contractor or SRTR contractor as a defendant; or the OPTN.

    ○ Routine use 6 (formerly 4), which authorizes disclosures to congressional offices to facilitate responses to constituent requests, has been revised to change “verified inquiry” to “written inquiry.”

    ○ New routine use 10 will allow disclosure of records to health care professionals providing clinical treatment to subject individuals, subject to a list of conditions.

    8. The Storage section continues to state that records are maintained electronically and in hard copy files, but now omits “file folders” (as redundant of “hard copy files”) and omits “magnetic tapes” and “disc packs” (as obsolete forms of electronic storage media).

    9. The Retrieval section has been revised to omit “date of birth,” which, although used for retrieval, is not a personal identifier.

    10. The Retention section has been corrected to state that the records are currently unscheduled and retained indefinitely pending scheduling with the National Archives and Records Administration (NARA) (instead of stating that records are retained for no more than 25 years beyond the known death of the subject individual), and to remove shredding and degaussing descriptions, because secure destruction methods are addressed in the Safeguards section.

    11. Minor changes have been made to the Safeguards section, e.g., to change “HRSA Project Officer” to “HRSA Contracting Officer's Representative,” to change “automated and nonautomated documents” to “electronic and hard-copy files,” to remove references to magnetic tape and disk packs, and to change “records storage area” to “files storage area.”

    12. The Records Access Procedures section has been revised to omit references to provisions in the HHS Privacy Act regulations which are legally deficient. The provisions require a parent or legal guardian of a subject individual seeking access to medical records about the individual to designate a health professional to whom Start Printed Page 46968 HHS can release the requested records. The provisions fail to ensure that records released by HHS to the health professional will be fully disclosed by the health professional to the requesting parent or guardian, and they fail to ensure provision of administrative appeal rights to the requesting parent or guardian.

    Start Signature

    Diana Espinosa,

    Deputy Administrator.

    End Signature

    System Name and Number

    Organ Procurement and Transplantation Network (OPTN)/SRTR Data System, 09-15-0055.

    Security Classification

    Unclassified.

    System Location

    The address of the agency component responsible for the system of records is:

    • HRSA Division of Transplantation, Health Systems Bureau, 5600 Fishers Lane Rockville, Maryland 20857.

    Service provider addresses:

    • OPTN Contractor: United Network for Organ Sharing (UNOS), 700 N 4th Street, Richmond, VA 23219.
    • SRTR Contractor: Chronic Disease Research Group of the Hennepin Healthcare Research Institute, 701 Park Avenue, Suite S4-100, Minneapolis, MN 55415.

    System Manager(s)

    The system managers are as follows:

    • For OPTN records: United Network for Organ Sharing (UNOS), email address privacy@unos.org, telephone (888) 894-6361.

    • For SRTR records: Chronic Disease Research Group (CDRG), Hennepin Healthcare Research Institute, email address support@srtr.org, telephone (877) 970-7787.

    Contact information for HRSA Division of Transplantation: Division of Transplantation, Health Systems Bureau, HRSA, email address donation@hrsa.gov, telephone (301) 443-7577.

    Authority for Maintenance of the System

    42 U.S.C. 274 requires that the HHS Secretary, by contract, provide for the establishment and operation of an organ procurement and transplantation network, and 42 U.S.C. 274a requires that the Secretary, by grant or contract, develop and maintain a scientific registry of the recipients of organ transplants. 42 U.S.C. 274(b)(2)(H), 274(b)(2)(I), and 42 CFR part 121 authorize OPTN's and SRTR's collection of the information included in this system of records. In addition, 42 U.S.C. 273a authorizes HHS to establish and maintain mechanisms to evaluate the long-term effects associated with living donations. Federal regulations at 42 CFR 121.11 also authorize the OPTN and SRTR to collect information concerning living organ donors and prospective living organ donors as the Secretary deems appropriate.

    Purpose(s) of the System

    Records are used by the Department, the OPTN, the OPTN contractor, and the SRTR contractor to: (1) facilitate organ placement and match donor organs with recipients; (2) monitor compliance of member organizations with federal laws and regulations and with OPTN bylaws and policies, including risks to the health of patients or to the public safety; (3) review and report periodically to the public on the status of organ donation and transplantation in the United States; (4) provide data to researchers and government agencies to study the scientific and clinical status of organ donation and transplantation; (5) perform transplantation-related public health surveillance including possible transmission of donor disease; (6) provide data on individuals with records in the system to HHS' Centers for Medicare & Medicaid Services (CMS) and to contractors of CMS business associates, with appropriate limitations, data protections, and safeguards including execution of a written agreement attesting to the data recipient's understanding of, and willingness to abide by these provisions, for purposes including to monitor the individual's status in the OPTN system and to inform the individual's clinical care in order to assist in registering candidates on the waitlist and in facilitating organ placement and matching donor organs with recipients; and (7) provide data on individuals with records in the system to health care professionals providing clinical care to those individuals, for purposes including to monitor the individual's status in the OPTN system and to inform the individual's clinical care in order to assist in registering candidates on the waitlist and in facilitating organ placement and matching donor organs with recipients.

    Categories of Individuals Covered by the System

    Records pertain to the following categories of individuals (note that all categories are limited to living individuals):

    1. Individuals from whom organs have been obtained for transplantation.

    2. Individuals who are candidates for receiving organ transplantation.

    3. Individuals who have been recipients of transplanted organs.

    4. Individuals who are potential deceased organ donors.

    5. Individuals who are potential living organ donors or individuals who intend to become living organ donors (even if the donation does not occur).

    6. Individuals who donate organs for transplantation.

    7. Individuals being evaluated for transplant receipt.

    Categories of Records in the System

    The records consist of information about potential donors and transplant candidates required for organ matching and placement and follow-up. Categories of records include donor registration, transplant candidate registration, transplant recipient registration, histocompatibility, transplant recipient follow-up, donor follow-up, registration of prospective organ donors who did not become donors, forms, and other non-registry operational information. Data elements include: name, Social Security number, address, identifiers assigned by OPTN and SRTR contractors, hospital and hospital provider number, State and zip code of residence, citizenship, race/ethnicity, sex at birth, date and time of organ recovery, and transplantation, name of transplant center, histocompatibility information, donor medical information, recipient and donor medical information before and after transplantation, immunosuppressive medication, health care coverage, employment, and education level.

    Record Source Categories

    Individuals' records are provided to the OPTN contractor and SRTR contractor by organ procurement organizations, histocompatibility laboratories, organ transplant centers, and health care providers which obtain the information directly from individuals or their representatives. Records may also be supplemented with information from other sources of data, such as CMS and other organizations.

    Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses

    In addition to other disclosures authorized directly in the Privacy Act at 5 U.S.C. 552a(b)(1) and (2) and (b)(4) through (11), records about an individual may be disclosed from this system of records without the individual's prior written consent, to the following non-HHS parties for the following purposes:

    1. HRSA may disclose records to Departmental contractors and/or their Start Printed Page 46969 subcontractors who have been engaged by the Department to assist in accomplishment of a Departmental function relating to the purposes for this system of records and who require access to the records in order to assist the Department.

    2. HRSA, independently and through its contractor(s), may disclose records regarding potential deceased organ donors (who are still living), living and potential living organ donors, organ transplant candidates, and organ transplant recipients, to members of the OPTN Board of Directors, OPTN Committees, and OPTN Review Boards. Such disclosures will be shared only on a need to know basis in order for members of the OPTN Board of Directors, Committees, and Review Boards to do the work required of them for the operation of the OPTN relating to the purposes of this system of records, including matching donor organs with recipients, monitoring compliance of member organizations with Federal laws and regulations and OPTN bylaws and policies and for risks to the health of patients or for the public safety and transplantation-related public health surveillance. Generally, such information is not shared in a patient-identified or identifiable manner.

    3. HRSA, independently and through its contractor(s), may disclose records regarding living individuals who are potential deceased or potential living donors, potential organ transplant candidates, and organ transplant recipients, to transplant centers, histocompatibility laboratories, organ procurement organizations, and other public health agencies such as Surveillance Epidemiology and End Results Program registries, State registries, and State health agencies, for purposes including: matching donor organs with recipients, monitoring compliance of member organizations with federal laws and regulations and OPTN requirements, reviewing and reporting periodically to the public on the status of organ donation and transplantation in the United States, and transplantation-related public health surveillance. These records consist of Social Security numbers, other patient identification information, and pertinent medical information.

    4. HRSA may disclose records to the Department of Justice (DOJ) or to a court or other tribunal in litigation involving, as a defendant, (a) the Department, any component of the Department, or any employee of the Department in his or her official capacity; (b) the United States where the Department determines that the claim, if successful, is likely to affect directly the operation of the Department or any of its components; or (c) any Department employee in his or her individual capacity where the DOJ has agreed to represent such employee, for example, in defending a claim against the Public Health Service in connection with such individual, for the purpose of enabling DOJ to present an effective defense.

    5. HRSA may disclose records to DOJ or to a court or other tribunal in the event of pending or potential litigation involving the Department or the United States as a plaintiff, intervenor, or amicus, or involving the contractor for the OPTN or the SRTR as a defendant in connection with its role as a contractor for the OPTN or the SRTR, or involving the OPTN.

    6. HRSA may disclose records to a congressional office from the record of an individual in response to a written inquiry from the congressional office made at the written request of that individual.

    7. A record may be disclosed for a research purpose, when the Department, independently or through its contractor(s):

    a. has determined that the use or disclosure does not violate legal or policy limitations under which the record was provided, collected, or obtained;

    b. has determined that a bona fide research/analysis purpose exists;

    c. has required the data recipient to: (1) establish strict limitations concerning the receipt and use of patient-identified or center-identified data; (2) establish reasonable administrative, technical, and physical safeguards to protect the confidentiality of the data and to prevent the unauthorized use or disclosure of the record; (3) remove, destroy, or return the information that identifies the individual or center at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the research project, unless the data recipient has presented adequate justification of a research or health nature for retaining such information; and (4) make no further use or disclosure of the record except as authorized by HRSA or its contractor(s) or when required by law;

    d. has determined that other applicable safeguards or protocols will be followed; and

    e. has secured a written statement attesting to the data recipient's understanding of, and willingness to abide by, these provisions.

    8. Records may be disclosed to appropriate agencies, entities, and persons when (1) HHS suspects or has confirmed that there has been a breach of the system of records, (2) HHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the federal government, or national security, and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS' efforts to respond to the suspected or confirmed breach or to prevent, minimize or remedy such harm.

    9. Records may be disclosed to another federal agency or federal entity, when HHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the federal government, or national security, resulting from a suspected or confirmed breach.

    10. A record may be disclosed to physicians or other health care professionals providing clinical treatment to such individuals, for clinical purposes, when the Department, independently or through its contractor(s):

    a. has determined that the use or disclosure does not violate legal or policy limitations under which the record was provided, collected, or obtained;

    b. has required the data recipient to: (1) establish strict limitations concerning the receipt and use of patient-identified or center-identified data; (2) establish reasonable administrative, technical, and physical safeguards to protect the confidentiality of the data and to prevent the unauthorized use or disclosure of the record; (3) remove, destroy, or return the information that identifies the individual or center at the earliest time at which removal or destruction can be accomplished consistent with the clinical purpose of the project, unless the data recipient has presented adequate justification of a research or health nature for retaining such information; (4) make no further use or disclosure of the record except as authorized by HRSA or its contractor(s) or when required by law; and (5) require any business associates of the data recipient to which the data recipient is authorized to disclose the record and does disclose the record, whether in original or derivative form, and to prohibit such a business associate from Start Printed Page 46970 making any further use or disclosure of the record except as authorized by HRSA or its contractor(s) or when required by law; and

    c. has secured a written statement from the data recipient attesting to the data recipient's understanding of, and willingness to abide by these provisions.

    Policies and Practices for Storage of Records

    Records are maintained electronically and in hard-copy files.

    Policies and Practices for Retrieval of Records

    Records in the system are retrieved by more than one type of personal identifier, including name and social security number.

    Policies and Practices for Retention and Disposal of Records

    The records are currently unscheduled and retained indefinitely pending completion of a disposition schedule approved by the National Archives and Records Administration (NARA).

    Administrative, Technical, and Physical Safeguards

    a. Authorized users: Access is limited to authorized HRSA and contract personnel responsible for administering the program. Authorized personnel include the System Manager and HRSA Contracting Officer's Representative, and the HRSA Automated Information System (AIS) Systems Security Officer; and the program managers/program specialists who have responsibilities for implementing the program. Both HRSA and its contractor(s) are required to maintain current lists of authorized users.

    b. Physical safeguards: Computer equipment, electronic files, and hard-copy files are stored in areas where fire and life safety codes are strictly enforced. All electronic and hard-copy files are protected on a 24-hour basis. Security guards perform random checks on the physical security of the files storage area. The OPTN and SRTR contractors are required to maintain off-site a complete copy of the system and all necessary files to run the computer organ donor-recipient match and update software.

    c. Procedural safeguards: A password is required to access the terminal, and a data set name controls the release of data to only authorized users. All users of personal information in connection with the performance of their jobs protect information from public view and from unauthorized personnel entering an unsupervised office. All authorized users must sign a nondisclosure statement. Access to records is limited to those staff members trained in accordance with the Privacy Act and Automated Data Processing (ADP) security procedures. The contractors are required to assure that the confidentiality safeguards of these records will be employed and that it complies with all provisions of the Privacy Act. All individuals who have access to these records must have the appropriate ADP security clearances. Privacy Act and ADP system security requirements are included in the contracts. The HRSA Contracting Officer's Representatives and the System Manager(s) oversee compliance with these requirements. The HRSA authorized users make visits to the contractors' facilities to assure security and Privacy Act compliance. The contractors are required to adhere to a HRSA approved system security plan.

    Record Access Procedures

    Individuals may request access to records about them in this system of records by submitting a written access request to the OPTN or SRTR contractor identified in the “System Manager(s)” section of this SORN at the email address provided in that section. The request must contain the individual's full name, address, date of birth, and signature; the name of the applicable transplant center; and a reasonable description of the records sought. To verify the requester's identity, the signature must be notarized or the request must include the requester's written certification that the requester is the individual who the requester claims to be and that the requester understands that the knowing and willful request for or acquisition of a record pertaining to an individual under false pretenses is a criminal offense subject to a fine of up to $5,000. The individual may also request an accounting of disclosures that have been made of the records, if any.

    A parent or guardian who requests access to records about a minor or an individual with diminished capacity must verify his or her relationship to the minor or incompetent individual as well as his/her own identity.

    Contesting Record Procedures

    Individuals may seek to amend a record about them in this system of records by submitting a written amendment request to the OPTN contractor or SRTR contractor identified in the “System Manager(s)” section of this SORN at the email address provided in that section, with a copy to the HRSA Division of Transplantation at the email address indicated, containing the same information required for an access request. The request must include verification of the requester's identity in the same manner required for an access request and must reasonably identify the relevant record, specify the information being contested and the corrective action sought, and include reasons for requesting the correction, along with supporting documentation, to show how the record is inaccurate, incomplete, untimely, or irrelevant.

    Notification Procedures

    Individuals who wish to know if this system of records contains a record about them must submit a written notification request to the OPTN or SRTR contractor identified in the “System Manager(s)” section of this SORN, at the email address provided in that section. The request must contain the same information required for an access request and must include verification of the requester's identity in the same manner required for an access request.

    Exemptions Promulgated for the System

    None.

    History

    74 FR 57184 (Nov. 4, 2009), 83 FR 6591 (Feb. 14, 2018).

    End Supplemental Information

    [FR Doc. 2022-16344 Filed 7-29-22; 8:45 am]

    BILLING CODE 4160-15-P

Document Information

Published:
08/01/2022
Department:
Health Resources and Services Administration
Entry Type:
Notice
Action:
Notice of a modified system of records.
Document Number:
2022-16344
Dates:
In accordance with 5 U.S.C. 552a(e)(4) and (11), this notice is applicable August 1, 2022, subject to a 30-day period in which to comment on the new routine uses, described below. Please submit any comments by August 31, 2022.''
Pages:
46967-46970 (4 pages)
PDF File:
2022-16344.pdf