AGENCY:

Office of the Secretary, HHS.

ACTION:

Final rule.

SUMMARY:

This final rule exempts four systems of records (SORs) from subsections (c)(3), (d)(1) through (d)(4), (e)(4)(G) and (H), and (f) of the Privacy Act pursuant to 5 U.S.C. 552a(k)(2): The Automated Survey Processing Environment (ASPEN) Complaint/ Incidents Tracking System (ACTS), HHS/CMS, System No. 09-70-0565; the Health Insurance Portability and Accountability Act (HIPAA) Information Tracking System (HITS), HHS/CMS, System No. 09-70-0544; the Organ Procurement Organizations System (OPOS), HHS/CMS, System No. 09-70-0575; and the Fraud Investigation Database (FID), HHS/CMS, System No. 09-70-0527.

DATES:

Effective Date: These regulations are effective on October 27, 2008.

FOR FURTHER INFORMATION CONTACT:

Walter Stone, (410) 786-5357.

SUPPLEMENTARY INFORMATION:

I. Background

The four systems of records (SORs) that are the subject of this final rule and the May 25, 2007 proposed rule are as follows:

A. The Automated Survey Processing Environment Complaints/Incidents Tracking System (ACTS), HHS/CMS, System No. 09-70-0565

In the August 22, 2003 Federal Register (68 FR 50795), we published a notice announcing a new SOR titled Automated Survey Processing Environment (ASPEN) Complaint/Incidents Tracking System (ACTS), HHS/CMS, System No. 09-70-0565.

In the May 23, 2006 Federal Register (71 FR 29643) we published a notice that modified the ACTS SOR. This notice included all modifications and the full text of this system of records. ACTS is a Windows-based program whose primary purpose is to track and process complaints and incidents reported against health care facilities regulated by CMS and State agencies. These facilities include Clinical Laboratory Improvement Amendment (CLIA)-certified laboratories, skilled nursing facilities (SNFs), nursing facilities, hospitals, home health agencies (HHAs), end stage renal disease (ESRD) facilities, hospices, rural health clinics (RHCs), comprehensive outpatient rehabilitation facilities (CORFs), outpatient physical therapy services, community mental health centers (CMHCs), ambulatory surgical centers (ASCs), suppliers of portable x-ray services, and intermediate care facilities for persons with mental retardation (ICF/MRs). ACTS contains identifiable information on individuals, who are complainants, residents, patients, clients, contacts or witnesses. It also may include alleged perpetrators, survey team members, laboratory directors, laboratory owners, and employees and directors of the health care facilities noted previously. ACTS is designed to manage all operations associated with complaint and incident tracking and processing, from initial intake and investigation through the final disposition.

B. The Health Insurance Portability and Accountability Act (HIPAA) Information Tracking System (HITS), HHS/CMS, System No. 09-70-0544.

In the July 6, 2005 Federal Register (70 FR 38944), we published a notice announcing a new SOR titled Health Insurance Portability and Accountability Act (HIPAA) Information Tracking System (HITS), HHS/CMS, System No. 09-70-0544

In general, HITS consists of an electronic repository of information, documents, and supplementary paper document files resulting from investigations of alleged violations of the transactions and code sets, security, and unique identifier provisions of HIPAA. HITS' purpose is to support investigations of complainants, determinations as to whether there were violations as charged in the original complaint, referral of violations to law enforcement entities as necessary, and maintenance and retrieval of records that contain the results of the complaint investigations. The system of records Start Printed Page 55773covers individuals who have submitted complaints alleging violations of the provisions of HIPAA. Investigative files maintained in HITS are received either as electronic documents or as paper records that are compiled for law enforcement purposes.

C. The Organ Procurement Organizations System (OPOS), HHS/CMS, System No. 09-70-0575

In the May 22, 2006 Federal Register (71 FR 29336), we published a notice announcing a new SOR titled Organ Procurement Organizations System (OPOS), HHS/CMS, System No. 09-70-0575. OPOS is a Windows based program whose purpose is to track and process complaints and incidents reported against Organ Procurement Organizations. Section 701 of the Organ Procurement Organization System Certification Act of 2000 (Pub. L. 106-505) gave the Department the authority to collect and maintain individually identifiable information pertaining to allegations filed by a complainant, beneficiary, or provider of services against Organ Procurement Organizations. This information includes information gathered during all aspects of an investigation, including initial complaints, findings, results, disposition, and relevant correspondence.

D. The Fraud Investigation Database (FID), HHS/CMS, System No. 09-70-0527

In the October 28, 2002 Federal Register (70 FR 65795), we published a notice that modified, among other things, the name of a SOR entitled “CMS Utilization Review Investigatory Files, System No. 09-70-0527” to “CMS Fraud Investigation Database (FID).” The notice included the full text of the FID system of records. The FID system of records contains the name, work address, work phone number, social security number, Unique Provider Identification Number (UPIN), and other identifying demographics of individuals alleged to have violated provisions of the Social Security Act (the Act) related to Medicare, Medicaid, HMO/Managed Care, and the Children's Health Insurance Program. The FID system of records also contains the contact information and other identifying demographics of individuals alleged to have violated other criminal or civil statutes connected with the Act and the Act's programs. Here, individuals are persons alleged to have abused the Act's programs. (For example, an individual could be a person alleged to have rendered unnecessary services to Medicare beneficiaries or Medicaid recipients, over-used services, or engaged in improper billing.) They are persons whose activities have provided a substantial basis for criminal or civil prosecution, or who are identified as defendants in criminal prosecution cases.

II. Provisions of the Proposed Rule

In the May 25, 2007 Federal Register (72 FR 29289) we published a proposed rule that would exempt the ACTS, HITS, OPOS, and FID systems of records from subsection (c)(3), (d)(1) through (d)(4), (e)(4)(G) and (H), and (f) of the Privacy Act pursuant to 5 U.S.C. 552a(k)(2). These exemptions would apply only to the extent that information in a record is subject to exemption pursuant to 5 U.S.C. 552a(k)(2). We proposed that the ACTS, HITS, OPOS, and FID systems of records would be exempted from the following subsections for the reasons set forth below:

• Subsection (c)(3). Release of an accounting of disclosures to an individual who is the subject of an investigation could reveal the nature and scope of the investigation and could result in the altering or destruction of evidence, improper influencing of witnesses, and other evasive actions that could impede or compromise the investigation.
• Subsection (d)(1). Release of investigative records to an individual who is the subject of an investigation could interfere with pending or prospective law enforcement proceedings, constitute an unwarranted invasion of the personal privacy of third parties, reveal the identity of confidential sources, or reveal sensitive investigative techniques and procedures.
• Subsections (d)(2) through (d)(4). Amendment or correction of investigative records could interfere with pending or prospective law enforcement proceedings, or could impose an impossible administrative and investigative burden by requiring us to continuously retrograde our investigations in an attempt to resolve questions of accuracy, relevance, timeliness, and completeness.
• Subsection (e)(4)(G) and (H). Notifying an individual who is the subject of an investigation or a witness that a system of records contains information about him or her could reveal the nature and scope of the investigation and could result in the altering or destruction of evidence, improper influencing of witnesses, and other evasive actions that could impede or compromise the investigation.
• Subsection (f). Establishing procedures for notification, inspection or amendment of records, or appeals of denials of access to records would interfere with pending or prospective law enforcement proceedings, constitute an unwarranted invasion of the personal privacy of third parties, reveal the identity of confidential sources, or reveal sensitive investigative techniques. Furthermore, these actions could impose an impossible administrative and investigative burden by requiring us to continuously retrograde our investigations in an attempt to resolve questions of accuracy, relevance, timeliness, and completeness.

Accordingly, we proposed to amend 45 CFR 5b.11(b)(2)(ii) of the Privacy Act regulations by adding the following:

• A new paragraph (H) that exempts investigative materials compiled for law enforcement purposes from ACTS.
• A new paragraph (I) that exempts investigative materials compiled for law enforcement purposes from HITS.
• A new paragraph (J) that exempts investigative materials compiled for law enforcement purposes from OPOS.
• A new paragraph (K) that exempts investigative materials compiled for law enforcement purposes from FID.

III. Analysis of and Responses to Public Comments

We solicited and received two timely public comments on the May 25, 2007 proposed rule. The following is a summary of the comments and our responses.

Comment: One commenter believed that 45 CFR 5b.11(d) seems to allow the Department of Health and Human Services to disclose identities of sources who furnished information under an express promise of confidentiality.

Response: We do not disclose information that would reveal the identities of sources who furnish information under an express promise of confidentiality because the promise of confidentiality made to a witness is an agreement with that individual, and such disclosure would be both a violation of that agreement and counterproductive to law enforcement efforts, as it would discourage individuals from coming forward to supply information about alleged misconduct. 45 CFR 5b.11(b) gives the responsible Department official discretion to grant notification of access to a record in a system of records which is exempt under 45 CFR 5b.11(b), unless disclosure to the general public is otherwise prohibited by law. The department does not intend to exercise its discretion to disclose identifying Start Printed Page 55774information about sources who furnish information under an express promise of confidentiality.

Comment: Commenters requested that the exemptions be narrowed or clarified by defining the terms “investigative materials” and “law enforcement purposes,” including differentiating among kinds of records within each system that constitute “investigatory materials,” as well as describing agency uses that are not consistent with “law enforcement purposes.” A commenter suggested that CMS implement regulatory definitions, criteria, guidelines or other means to effectuate a confidentiality promise to an informant and to recognize whether or not one has been effectuated for purposes of compliance with subsection (k)(2) of the Privacy Act.

Response: We believe that with respect to clarifying what constitutes a confidentiality promise, we continue to rely upon the following language in subsection (k)(2) of the Privacy Act (5 U.S.C 552a), which permits exemptions from certain subsections of the Privacy Act:

[I]nvestigatory material compiled for law enforcement purposes, other than material within the scope of subsection (j)(2) of this section [the Privacy Act]: Provided, however, That if any individual is denied any right, privilege, or benefit that he would otherwise be entitled by Federal law, or for which he would otherwise be eligible, as a result of the maintenance of such material, such material shall be provided to such individual, except to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence, or, prior to the effective date of this section, [September 27, 1975] under an implied promise that the identity of the source would be held in confidence;

The (k)(2) exemption covers: (1) Material compiled for criminal investigative law enforcement purposes by an entity that does not have as its principal function the enforcement of criminal law and (2) investigative material compiled for law enforcement purposes that does not fall into the scope of the exemption under 5 U.S.C. 552(j)(2). The material must be investigative and compiled for some “law enforcement” purpose, such as a civil investigation, or a criminal investigation by an agency that does not perform as its principal function the enforcement of criminal law.

Further, since the information in the SORs at issue was collected on or after September 27, 1975, we believe that, with respect to investigative material that would reveal the identity of a confidential source, only express promises to a source that his or her identity would not be revealed will be implicated here. An example of an express promise could occur when a source expressly requests that his or her identity not be revealed as a condition of furnishing the information, and CMS agrees to that condition and documents that promise in writing.

The four SORs at issue were established after September 27, 1975, the effective date of the Privacy Act, as follows:

• The CMS Fraud Investigation Database (FID) was published under its previous name, “HCFA Utilization Review Investigatory Files,” on December 29, 1988 (53 FR 52792) and republished under its current name on October 28, 2002 (67 FR 65795 ).
• The Automated Survey Processing Environment (ASPEN). Complaints/Incidents Tracking System (ACTS) was first established on August 22, 2003 (68 FR 50795).
• The Health Insurance Portability and Accountability Act(HIPAA) Information Tracking System (HITS) was first established on July 6, 2005 (70 FR 38944).
• The Organ Procurement Organizations System (OPOS) was first established on May 22, 2006 (71 FR 29336).

Further information about this exemption can be found in the Office of Management and Budget's Privacy Act Guidelines, (see the July 9, 1975 Federal Register (40 FR 28972 through 28973)).

IV. Provisions of the Final Rule

After review of the public comments, we are finalizing the provisions of the proposed rule with minor technical changes. We are revising the paragraphs in § 5b.11(b)(2)(ii) so that the SORs are listed in chronological order by the date established.

V. Collection of Information Requirements

This final rule does not impose information collection and recordkeeping requirements. Consequently, it need not be reviewed by the Office of Management and Budget under the authority of the Paperwork Reduction Act of 1995 (44 U.S.C. 35).

VI. Regulatory Impact Statement

We have examined the impact of this rule as required by Executive Order 12866 (September 1993, Regulatory Planning and Review), the Regulatory Flexibility Act (RFA) (September 19, 1980, Pub. L. 96-354), section 1102(b) of the Social Security Act (the Act), the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4), and Executive Order 13132.

Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). A regulatory impact analysis (RIA) must be prepared for regulating actions with economically significant effects ($100 million or more in any one year or other substantial adverse economic effects) known as “major rules”. This rule does not meet the “major rule” criteria therefore we are not preparing an RIA.

The RFA requires agencies to analyze options for regulatory relief of small businesses. For purposes of the RFA, small entities include small businesses, nonprofit organizations, and small governmental jurisdictions. Most hospitals and most other providers and suppliers are small entities, either by nonprofit status or by having revenues of $6 million to $29 million in any one year. Individuals and States are not included in the definition of a small entity. We are not preparing an analysis for the RFA because we have determined that this rule will not have a significant economic impact on a substantial number of small entities.

In addition, section 1102(b) of the Act requires us to prepare a regulatory impact analysis if a rule may have a significant impact on the operations of a substantial number of small rural hospitals. This analysis must conform to the provisions of section 604 of the RFA. For purposes of section 1102(b) of the Act, we define a small rural hospital as a hospital that is located outside of a Metropolitan Statistical Area and has fewer than 100 beds. We are not preparing an analysis for section 1102(b) of the Act because we have determined that this rule will not have a significant impact on the operations of a substantial number of small rural hospitals.

Section 202 of the Unfunded Mandates Reform Act of 1995 also requires that agencies assess anticipated costs and benefits before issuing any rule whose mandates require spending in any one year of $100 million in 1995 dollars, updated annually for inflation. That threshold level is currently approximately $120 million. This final rule will have no consequential effect on State, local, or tribal governments or on the private sector.

Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a proposed rule (and subsequent final Start Printed Page 55775rule) that imposes substantial direct requirement costs on State and local governments, preempts State law, or otherwise has Federalism implications. Since this regulation does not impose any costs on State or local governments, the requirements of Executive Order 13132 are not applicable.

In accordance with the provisions of Executive Order 12866, this regulation was reviewed by the Office of Management and Budget.

List of Subjects for 45 CFR Part 5b Privacy.

For the reasons set forth in the preamble, the Department of Health and Human Services amends 45 CFR part 5b as set forth below:

PART 5b—PRIVACY ACT REGULATIONS

1. The authority citation for part 5b continues to read as follows:

Authority: 5 U.S.C. 301, 5 U.S.C. 552a.

2. Section 5b.11 is revised by adding paragraphs (b)(2)(ii)(H), (I), (J), and (K) to read as follows:

Editorial Note:

This document was received at the Office of the Federal Register on September 16, 2008.